Federal Officials Recover Bitcoin Ransom From Colonial Pipeline Attack

Colonial paid $4.4 million in bitcoin after its systems fell victim to a ransomware attack last month.

AccessTimeIconJun 7, 2021 at 6:50 p.m. UTC
Updated Sep 14, 2021 at 1:07 p.m. UTC

Federal officials have recovered $2.3 million in bitcoin that Colonial Pipeline paid to a criminal outfit during a ransomware attack, the Department of Justice announced Monday.

Colonial Pipeline paid about $4.4 million in bitcoin to the attackers, linked to the Darkside ransomware group, after its payment systems were frozen last month. The company had to halt fuel transportation across the East Coast of the U.S., sparking fears of a gas shortage in a dozen states. Deputy Attorney General Lisa Monaco said Monday that the company contacted law enforcement, allowing federal agents to track and seize a bitcoin wallet.

"The Department of Justice has found and recovered the majority of the ransom paid," Deputy Attorney General Lisa Monaco said in a press briefing.

An affidavit filed by an FBI agent provided further details. According to public court documents, the agent, whose name was redacted, tracked the bitcoin Colonial sent to Darkside across several transactions recorded on the bitcoin ledger, using a block explorer.

About 63.7 BTC was sent to an address controlled by the FBI.

The bitcoin appears to come from the affiliate that deployed Darkside's ransomware, not Darkside itself, said Tom Robinson, chief scientist at Elliptic. He told CoinDesk the funds appear to have been seized at 1:40 p.m. ET.

In a blog post, Robinson said 15% of the total payment went to Darkside itself.

"The private key for the Subject Address is in the possession of the FBI in the Northern District of California," the affidavit said.

FBI Deputy Director Paul Abbate said federal officials had seized a bitcoin wallet that held the proceeds from the Colonial attack. It appears that the perpetrators still have about $2 million in crypto.

"Victim funds were seized from that wallet, preventing Darkside actors from using them," he said.

The funds were seized as part of a ransomware task force created by the DOJ.

"The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st century challenge. But the old adage 'follow the money' still applies. And that's exactly what we do," Monaco said.

CNN first reported the news.

Ransomware attacks have been on the rise recently, with a number of high-profile and critical infrastructure firms falling victim to the cyberattack. In her opening remarks, Monaco warned companies to take steps immediately to secure their systems or risk falling victim.

The U.S. Department of Justice did not immediately share further details.

UPDATE (June 7, 2021, 22:03 UTC): Updated with details from DOJ officials and additional commentary.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.