FBI Tracked Colonial Pipeline Ransom for Recovery
By Theodore Bunker | Friday, 11 June 2021 10:58 AM
The FBI tracked most of the cryptocurrency that Colonial Pipeline paid as ransom to the hackers who breached its computer systems, and that tracking allowed the bureau to recover most of the money, The Wall Street Journal reports.
An FBI special agent monitored the publicly visible bitcoin ledger, which showed that on May 27, 63.7 of the 75 bitcoins paid to the hackers were transferred to a virtual address to which the agency was able to gain access. That allowed the FBI to recover about $2.3 million of the $4.4 million Colonial paid to the hacker group DarkSide. (The value of a bitcoin has dropped over the past month.)
"You can’t hide behind cryptocurrency," Elvis Chan, assistant special agent at the FBI’s San Francisco field office working the cyber branch, told the Journal.
Chan said during a conference call with the press on Monday that he could not provide details about the FBI’s tactics in case they’re needed again.
"I don’t want to give up our tradecraft in case we want to use this again for future endeavors," he told CNBC.
While cryptocurrency storage accounts, called wallets, give users some privacy and, in certain countries, freedom from regulation and tax oversight, moving funds between addresses relies on a public ledger called a blockchain, which public officials can monitor and track, according to the newspaper.
"We’ve effectively developed a map of hundreds of millions of bitcoin addresses associated with illicit actors all around the world," said David Carlisle, the director of policy and regulatory affairs at Elliptic, a blockchain analytics firm.
Victims of ransomware attacks are told to transfer cryptocurrency to the hackers, who then use various methods to redistribute the money, either to others involved in the scheme or to money launderers who convert the funds into clean currency.
Colonial Pipeline gave federal authorities the bitcoin address to which it paid the ransom, according to court records, and investigators found that the hackers had shifted the money between half a dozen different addresses the day after it was received. Less than a week later, the group DarkSide announced to its affiliates that authorities had seized its servers and other infrastructure, but did not provide details. Court records show that on May 27, about two weeks after the group announced the seizures, about 64 bitcoins were traced from the Colonial ransom to a single address, which the FBI seized this week.
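The "following the money" the article describes, tracing coins forward from a known payment address across a public ledger, can be illustrated with a small taint-tracing routine. This is an added example, not code from the article, the FBI, or any analytics vendor; the ledger, addresses, transaction ids and amounts below are constructed to mirror the figures in the story (75 BTC paid, 63.7 BTC arriving at one address) and are not the real Colonial transactions. Where a hop mixes ransom coins with unrelated coins, the example assigns taint pro rata, a common "haircut" convention in blockchain analytics.

```python
from fractions import Fraction
from typing import Dict, List, Tuple

# Constructed ledger (NOT the real Colonial Pipeline transactions).
# Each entry: (txid, inputs, outputs). Inputs reference earlier outputs as
# (txid, index); outputs are (address, amount). Amounts are strings so that
# Fraction keeps every value exact (no float drift on 63.7, 11.2, etc.).
LEDGER = [
    ("t_ransom", [], [("hacker_A", "75")]),             # victim pays 75 BTC
    ("t_clean",  [], [("exchange_B", "20")]),           # unrelated, clean coins
    ("t_split",  [("t_ransom", 0)],                     # attacker splits, pays 0.1 fee
                 [("hop_1", "40"), ("hop_2", "23.7"), ("hop_3", "11.2")]),
    ("t_mix",    [("t_split", 2), ("t_clean", 0)],      # one hop mixed with clean coins
                 [("mixed_C", "31.2")]),
    ("t_sweep",  [("t_split", 0), ("t_split", 1)],      # two hops consolidated
                 [("seized_D", "63.7")]),
]

def trace_taint(ledger: List, source_txid: str) -> Tuple[Dict[str, Fraction], Fraction]:
    """Propagate 'taint' forward from every output of source_txid through each
    transaction that spends them. When a transaction also spends untainted
    inputs, every output inherits taint in proportion to the tainted share of
    the inputs. Returns (tainted BTC per address still unspent, taint lost to fees)."""
    utxo: Dict[Tuple[str, int], Tuple[str, Fraction, Fraction]] = {}  # ref -> (addr, amount, taint)
    fee_taint = Fraction(0)
    for txid, inputs, outputs in ledger:
        total_in = taint_in = Fraction(0)
        for ref in inputs:
            _, amt, taint = utxo.pop(ref)      # spending consumes the output
            total_in += amt
            taint_in += taint
        if txid == source_txid:
            frac = Fraction(1)                 # the ransom payment is fully tainted
        elif total_in == 0:
            frac = Fraction(0)                 # other coin origins are clean
        else:
            frac = taint_in / total_in         # pro-rata share of tainted input value
        total_out = Fraction(0)
        for i, (addr, amt_s) in enumerate(outputs):
            amt = Fraction(amt_s)
            utxo[(txid, i)] = (addr, amt, amt * frac)
            total_out += amt
        if inputs:                             # input value not in outputs went to fees
            fee_taint += (total_in - total_out) * frac
    held: Dict[str, Fraction] = {}
    for addr, _, taint in utxo.values():
        if taint:
            held[addr] = held.get(addr, Fraction(0)) + taint
    return held, fee_taint

if __name__ == "__main__":
    held, fees = trace_taint(LEDGER, "t_ransom")
    for addr, btc in sorted(held.items()):
        print(f"{addr:10s} {float(btc):.4f} BTC traceable to the ransom")
    print(f"fees       {float(fees):.4f} BTC of taint burned")
```

Running it shows 63.7 BTC of ransom-derived value sitting at seized_D and 11.2 BTC inside the 31.2 BTC mixed output; the unspent-output view is what an investigator would use to decide which address is worth pursuing.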
"Following the money remains one of the most basic, yet powerful tools we have," Deputy Attorney General Lisa O. Monaco said in a statement earlier this week. "Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks. Today’s announcements also demonstrate the value of early notification to law enforcement; we thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide."