DOJ seizes millions in ransom paid by Colonial Pipeline

The Justice Department recovered some of the ransom paid to DarkSide actors.

June 7, 2021, 3:25 PM

The Justice Department on Monday announced it has successfully seized millions of dollars in cryptocurrency Colonial Pipeline paid to the cyber criminal group DarkSide following last month's ransomware attack that led the pipeline to briefly shut down its operations, according to a seizure warrant unsealed Monday afternoon.

"Earlier today, the Department of Justice has found and recaptured the majority of the ransom Colonial paid to the DarkSide network in the wake of last month's ransomware attack. Ransomware attacks are always unacceptable -- but when they target critical infrastructure, we will spare no effort in our response," Deputy Attorney General Lisa Monaco said at a news conference.

"Today, we turned the tables on DarkSide," she said. "By going after the entire ecosystem that fuels ransomware and digital extortion attacks, including criminal proceeds in the form of digital currency, we will continue to use all of our tools, and all of our resources to increase the cost and the consequences of ransomware attacks and other cyber-enabled attacks."

PHOTO: United States Deputy Attorney General Lisa Monaco talks about the Justice Department's seizure of ransom money paid by Colonial Pipeline to hackers after a ransomware attack, June 7, 2021.
ABC News

The Colonial Pipeline hack was carried out by DarkSide actors, the FBI said in a brief statement days after the attack.

At the time of the attack, President Joe Biden said the hackers were based in Russia, but were not part of the Russian government.

PHOTO: The entrance of Colonial Pipeline Company in Charlotte, N.C., May 12, 2021. A ransomware hack disrupted gas supplies in several states after the company was targeted.
Chris Carlson/AP, FILE

Colonial transports approximately 45% of all fuel consumed on the East Coast. The company was up and running within days, but the slowdown meant delays still remained in the aftermath of the attack.

In May, the company admitted it paid million ransom in Bitcoin cryptocurrency.

"We needed to do everything in our power to restart the system quickly and safely. The decision was made to pay the ransom," the company said. "This decision was not made lightly, however, one that had to be made. Tens of millions of Americans rely on Colonial -- hospitals, emergency medical services, law enforcement agencies, fire departments, airports, truck drivers and the traveling public. Our focus remains on continued operations to safely deliver refined products to communities we serve."

The company's CEO said last month in an interview that he authorized a payment of $4.3 million to the DarkSide group only hours after the company learned of the attack because executives were not sure how long it might take to bring the pipeline back on.

The full amount of the seizure from DarkSide, DOJ officials said Monday, was 63.7 bitcoins valued at approximately $2.3 million.

News of the seizure was first reported by CNN.

Asked by ABC News whether the seizure would really operate as a deterrent for other hacking groups given it only amounts to roughly half of what Colonial paid in ransom and, given the group operates out of Russia, will not likely face criminal consequences for the attack -- Monaco said she "wouldn't get ahead of the investigative efforts and full consequences associated with the ongoing investigation."

"The message today is we will bring all of our tools to bear, to go after these criminal networks, including the ecosystem and the illicit and the abuse, frankly, of the online infrastructure that they use in terms of the digital currency to perpetrate these schemes," she said.

Monaco also used Monday's announcement to urge companies to take preemptive action.

"In this heightened threat landscape, we all have a role to play in keeping our nation safe. No organization is immune. So today I want to emphasize to leaders of corporations and communities alike, the threat of severe ransomware attacks pose a clear and present danger to your organization, to your company, to your customers, to your shareholders, and to your long-term success," she warned.

"So pay attention now. Invest resources now. Failure to do so could be the difference between being secure now, or a victim later," she said.

In an effort to get more cooperation from companies, the Department of Homeland Security announced shortly after Colonial Pipeline was hacked that it will mandate that all pipeline companies report a cyber incident hours after it happens.

The directive came from the Transportation Security Administration, an arm of DHS known for protecting the skies that also oversees pipeline security.

Companies will be mandated to report pipeline-related cyberattacks to the Cybersecurity and Infrastructure Security Administration within 12 hours of the breach; put in place a 24/7 cyber coordinator who can respond to incidents and coordinate with the TSA; and fix the breached pipeline within 30 days and outline a plan to proceed.