$2.3M Recovered From Colonial Pipeline Extortion Group DarkSide
ALPHARETTA, GA — The Department of Justice seized $2.3 million paid as ransom to a group known as DarkSide, which shut down the Colonial Pipeline.
The Department of Justice seized 63.7 bitcoins, which are currently valued at $2.3 million. These funds were used as ransom payment to DarkSide, which targeted the Colonial Pipeline. The hack resulted in critical infrastructure being taken out of operation, ultimately causing a gas shortage across the Southeast.
Colonial Pipeline, based in Alpharetta, Georgia, is "the largest refined products pipeline in the United States, transporting more than 100 million gallons of fuel daily to meet the energy needs of consumers from Houston, Texas to the New York Harbor," according to its website. The company has customers and markets throughout the Southern and Eastern United States through a pipeline system that spans more than 5,500 miles. Roughly 45 percent of all fuel consumed on the East Coast comes from the Colonial Pipeline, providing products to more than 50 million Americans.
The Colonial Pipeline was the victim of a ransomware attack, resulting in the company taking portions of its infrastructure out of operation. The pipeline told the FBI that its computer network was accessed by an organization named DarkSide and that it had received and paid a ransom demand for 75 bitcoins.
As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoins and identify the 63.7 bitcoins used as ransom payment that had been transferred to an address to which the FBI has the “private key,” or the rough equivalent of a password needed to access that specific Bitcoin address.
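The tracing the affidavit describes, following a payment across hops on a public ledger until the funds rest at an address whose private key an investigator holds, can be sketched as a small graph search. The script below is an added illustration and is not code from the article, the FBI or the affidavit; the ledger, transaction ids and addresses in it are constructed (only the 75 and 63.7 BTC figures echo the article), and real investigations run against the actual chain with chain-analysis tooling that also handles change outputs, mixing and exchange deposits.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """One ledger transaction: which earlier outputs it spends and what it pays out."""
    txid: str
    inputs: tuple   # ((prev_txid, output_index), ...); empty for the funding tx
    outputs: tuple  # ((address, amount_btc), ...)


# Constructed ledger for illustration only. The 75 BTC payment and the 63.7 BTC
# that ends up on the controlled address mirror the article's figures; every
# txid, address and intermediate hop is made up.
LEDGER = (
    Tx("tx_victim_funds", (), (("addr_victim", 75.0),)),
    Tx("tx_ransom", (("tx_victim_funds", 0),), (("addr_extortion_1", 75.0),)),
    Tx("tx_split", (("tx_ransom", 0),),
       (("addr_affiliate", 11.3), ("addr_extortion_2", 63.7))),
    Tx("tx_hop_a", (("tx_split", 1),), (("addr_extortion_3", 63.7),)),
    Tx("tx_hop_b", (("tx_hop_a", 0),), (("addr_seized", 63.7),)),
    Tx("tx_affiliate_spend", (("tx_split", 0),), (("addr_exchange", 11.3),)),
)


def index_ledger(ledger):
    """Build lookups: txid -> Tx, and (prev_txid, idx) -> txid that spends it."""
    by_id = {tx.txid: tx for tx in ledger}
    spenders = {}
    for tx in ledger:
        for prev in tx.inputs:
            spenders[prev] = tx.txid
    return by_id, spenders


def trace_forward(ledger, start_txid):
    """Follow every output of start_txid forward until the funds sit unspent.

    Returns ({address: amount_btc}, {address: hops}) for each terminal output,
    where hops is the number of transactions between the start and that output.
    """
    by_id, spenders = index_ledger(ledger)
    amounts, hops_to = {}, {}
    queue = deque([(start_txid, 0)])
    seen = {start_txid}
    while queue:
        txid, hops = queue.popleft()
        for idx, (addr, amount) in enumerate(by_id[txid].outputs):
            nxt = spenders.get((txid, idx))
            if nxt is None:                       # unspent: funds rest here
                amounts[addr] = amounts.get(addr, 0.0) + amount
                hops_to[addr] = hops
            elif nxt not in seen:                 # spent: keep following
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return amounts, hops_to


def recoverable(ledger, start_txid, controlled_addresses):
    """Terminal balances that landed on addresses whose keys the investigator holds."""
    amounts, _ = trace_forward(ledger, start_txid)
    return {a: v for a, v in amounts.items() if a in controlled_addresses}


if __name__ == "__main__":
    amounts, hops_to = trace_forward(LEDGER, "tx_ransom")
    for addr, btc in amounts.items():
        print(f"{addr}: {btc} BTC after {hops_to[addr]} hops")
    print("seizable:", recoverable(LEDGER, "tx_ransom", {"addr_seized"}))
```

The search is a plain breadth-first walk over the spend graph, so it also shows the portion of the payment that diverged (here the constructed 11.3 BTC affiliate share) and was not reachable for seizure.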
"Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks of this nature," said Colonial Pipeline Co. President and CEO Joseph Blount. "The private sector also has an equally important role to play, and we must continue to take cyber threats seriously and invest accordingly to harden our defenses.
"Our goal is to help our peers in the critical infrastructure space strengthen their cyber defenses and to collaborate across industry so that we can thwart these types of attacks before they happen. Together, through intelligence sharing and lessons learned, we can work to better protect our nation, its people, and our most critical assets."
Following the money remains one of the most basic yet powerful tools, according to Lisa O. Monaco, Deputy Attorney General of the U.S. Department of Justice.
“Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises," Monaco said. "We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks. Today’s announcements also demonstrate the value of early notification to law enforcement; we thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide.”
The Special Prosecutions Section and Asset Forfeiture Unit of the U.S. Attorney’s Office for the Northern District of California is handling the seizure, with assistance from the Department of Justice Criminal Division’s Money Laundering and Asset Recovery Section and Computer Crime and Intellectual Property Section, and the National Security Division’s Counterintelligence and Export Control Section.