The United States has recovered much of the ransom payment that the Russian hacker group DarkSide extorted from Colonial Pipeline earlier this year, the Department of Justice said Monday.
The announcement details a rare disruption of the cryptocurrency payment systems favored by hackers, which have enabled ransomware efforts around the world.
The FBI was able to seize control of DarkSide’s proceeds by gaining access to a central bitcoin account holding about 63.7 bitcoin, worth around $2.3 million, FBI Deputy Director Paul Abbate said. The court document said the FBI was able to access the “private key,” or password, for one of the gang’s bitcoin wallets. It was unclear how that key was compromised.
DarkSide hacked into Colonial in April as part of a monthslong crime spree, leading the company to shut down operations. The group demanded a $4.4 million ransom, which the company quickly paid. DarkSide’s decryptor program was so slow that Colonial ended up not using it, and instead restored its systems from old backup files.
The pipeline’s systems came back online five days after the initial hack.
“Today, we turned the tables on DarkSide,” Deputy Attorney General Lisa Monaco said in a press conference.
“Ransomware attacks are always unacceptable but when they target critical infrastructure, we will spare no effort in our response,” she said.
Ransomware gangs have been responsible for more than 1,000 hacks worldwide this year, mostly in the U.S., according to figures prepared for NBC News by Allan Liska, an analyst at the cybersecurity company Recorded Future.
Most attacks are on smaller targets, but the Colonial hack was the first to have a direct effect on everyday American life. The threat of a major pipeline shutdown led the U.S. to issue an emergency order allowing truckers to work overtime delivering fuel, and some gas stations reported shortages as drivers rushed to the pumps.
Colonial CEO Joseph Blount, who oversaw the company’s response to DarkSide, praised the FBI, saying in a statement that “we are grateful for their swift work and professionalism in responding to this event.”
“Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks of this nature,” he said.
Jen Ellis, a coauthor of a landmark Ransomware Task Force report studying how to slow the pace of ransomware attacks, praised the Justice Department’s announcement as “fantastic news.”
“This kind of collaboration between victims and law enforcement is exactly what we need to see,” she said.
“Hopefully if we see actions like this continue, it will encourage other victims to disclose attacks to law enforcement, and also make it harder for ransomware attackers to realize a pay day,” Ellis said.
The recovered payment that the Justice Department announced Monday is still a small fraction of what DarkSide has been able to steal since the gang became active around October 2020, said Tom Robinson, CEO of Elliptic, a British company that tracks bitcoin payments. The gang had been paid at least $90 million since it became active, he said in an email.
Ken Dilanian contributed.