US Authorities Recover Most of Colonial Pipeline Ransom Payment

The US Department of Justice has announced that law enforcement has recovered 63.7 of the 75 bitcoins that Colonial Pipeline paid to the DarkSide ransomware group in early May (the full 75 BTC was worth about $4.4 million at the time of payment). It is the first time the US government has publicly stated that it recovered a ransom paid to cybercriminals.

Background

In early May 2021, Colonial Pipeline, operator of the largest refined-products pipeline system in the United States, was hit by a ransomware attack attributed to the DarkSide group. The resulting shutdown disrupted the supply of gasoline, diesel, jet fuel, and other petroleum products and led several states to declare a state of emergency.

The ransomware hit the company's IT systems, and Colonial Pipeline took systems offline to contain it, which temporarily halted all pipeline operations. The company transports petroleum products between refineries on the Gulf Coast and markets in the southern and eastern US. Its pipeline, stretching 5,500 miles, carries up to 2.5 million barrels per day, about 45% of all fuel consumed on the US East Coast.

Within a few days, Colonial Pipeline managed to restore normal operations, and fuel deliveries resumed at regular volumes. Media reports began circulating that the company had paid nearly $5 million in ransom to the attackers. Initially, these claims were based on anonymous sources, but soon after, Colonial Pipeline CEO Joseph Blount officially confirmed that the company paid $4.4 million in bitcoin to the hackers.

According to Blount, the payment was necessary to recover quickly from the ransomware attack, which had impacted critical energy infrastructure. He described the ransom payment as “the right thing to do for the country.”

The attack on Colonial Pipeline drew the attention of security experts, intelligence and law enforcement agencies, and media worldwide. Shortly afterward, members of the DarkSide group claimed they had lost access to their web servers and to the funds received from ransom payments, and announced they were shutting down. Many experts noted that, at that point, US authorities had probably not yet taken any action against the group, and that the operators may have deliberately locked their own infrastructure and disappeared with the money, a classic "exit scam."

Ransom Recovery

According to the US Department of Justice, law enforcement gained control of the cryptocurrency address where the DarkSide operators held the ransom received from Colonial Pipeline. In a sworn affidavit filed in support of the seizure warrant, an FBI special agent stated that investigators traced the ransom through a series of bitcoin addresses and that the FBI was in possession of the private key for the address where the funds ended up.

Exactly how the FBI obtained that private key has not been disclosed. It may be connected to DarkSide's May 14 statement that the group had lost access to one of its payment servers and that its funds had been moved to an unknown address. If the private key was stored on that server (for example, so that the server could pay out shares to the group's affiliates, or "partners"), it is possible that FBI specialists recovered it after seizing the server. This is speculation, however; the DOJ has not confirmed any of it.

In total, law enforcement recovered 63.7 of the 75 bitcoins, roughly 85% of the ransom. Because the price of bitcoin has fallen since the payment, the recovered coins are now worth about $2.1 million, even though the full ransom was valued at $4.4 million when it was paid.
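The affidavit describes following the ransom through a series of addresses until it came to rest somewhere the FBI held the key. The script below is an added illustration of that kind of follow-the-money analysis; it is not the FBI's tooling, and the transaction graph, addresses, txids and the 63.7/11.3 split are constructed for the example, not taken from the real payment chain. It propagates "taint" from the victim's payment proportionally through each spend (the haircut method), reports how much of the original ransom sits in each still-unspent output, and lists the transactions a given address received the funds through. Amounts are kept as integer satoshis so the arithmetic is exact.

```python
"""Proportional (haircut) taint tracing over a constructed bitcoin-style
transaction graph.  Added example; the data below is invented."""

from collections import defaultdict
from fractions import Fraction

SATS = 100_000_000  # satoshis per BTC


def btc(amount: str) -> int:
    """Parse a BTC amount given as a string into integer satoshis (no float error)."""
    whole, _, frac = amount.partition(".")
    return int(whole) * SATS + int((frac + "00000000")[:8])


# Constructed UTXO-style transaction set.  Inputs reference (txid, vout) of an
# earlier transaction; fees are ignored for simplicity.  Placeholder ids/addresses.
TXS = [
    # The victim pays 75 BTC to the address from the ransom note.
    {"txid": "tx_pay", "inputs": [], "outputs": [("addr_ransom", btc("75"))]},
    # The ransom is split between two addresses (assumed split, not the real one).
    {"txid": "tx_split", "inputs": [("tx_pay", 0)],
     "outputs": [("addr_a", btc("63.7")), ("addr_b", btc("11.3"))]},
    # Unrelated ("clean") funds that will be mixed with the larger share.
    {"txid": "tx_clean", "inputs": [], "outputs": [("addr_other", btc("20"))]},
    # The 63.7 BTC share is combined with the clean 20 BTC and sent onward.
    {"txid": "tx_mix", "inputs": [("tx_split", 0), ("tx_clean", 0)],
     "outputs": [("addr_final", btc("83.7"))]},
    # The 11.3 BTC share hops once.
    {"txid": "tx_hop", "inputs": [("tx_split", 1)], "outputs": [("addr_c", btc("11.3"))]},
]


def trace_taint(txs, source_txid):
    """Return {(txid, vout): (address, amount_sats, tainted_sats)} for every output.

    Outputs of the source transaction are fully tainted.  For every later
    transaction, the tainted fraction of its inputs is applied proportionally
    to each of its outputs (haircut tainting).  Transactions must be listed in
    spend order, as they are on chain.
    """
    outputs = {}
    for tx in txs:
        if tx["txid"] == source_txid:
            taint_fraction = Fraction(1)
        else:
            in_total = in_tainted = 0
            for ref in tx["inputs"]:
                if ref not in outputs:
                    raise ValueError(f"{tx['txid']} spends unknown output {ref}")
                _, amt, tainted = outputs[ref]
                in_total += amt
                in_tainted += tainted
            # Coinbase-like transactions (no inputs) carry no taint.
            taint_fraction = Fraction(in_tainted, in_total) if in_total else Fraction(0)
        for vout, (addr, amt) in enumerate(tx["outputs"]):
            outputs[(tx["txid"], vout)] = (addr, amt, int(amt * taint_fraction))
    return outputs


def unspent_taint_by_address(txs, source_txid):
    """Tainted satoshis still sitting in unspent outputs, summed per address."""
    outputs = trace_taint(txs, source_txid)
    spent = {ref for tx in txs for ref in tx["inputs"]}
    result = defaultdict(int)
    for ref, (addr, _, tainted) in outputs.items():
        if ref not in spent and tainted:
            result[addr] += tainted
    return dict(result)


def hops_to(txs, source_txid, target_addr):
    """Breadth-first search for the chain of txids through which funds travel
    from the source transaction to target_addr; None if unreachable."""
    spenders = defaultdict(list)  # (txid, vout) -> txids that spend it
    for tx in txs:
        for ref in tx["inputs"]:
            spenders[ref].append(tx["txid"])
    by_id = {tx["txid"]: tx for tx in txs}
    queue, seen = [[source_txid]], {source_txid}
    while queue:
        path = queue.pop(0)
        tx = by_id[path[-1]]
        for vout, (addr, _) in enumerate(tx["outputs"]):
            if addr == target_addr:
                return path
            for nxt in spenders[(tx["txid"], vout)]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    for addr, sats in unspent_taint_by_address(TXS, "tx_pay").items():
        print(f"{addr}: {sats / SATS:.8f} BTC of ransom, via {hops_to(TXS, 'tx_pay', addr)}")
```

On the constructed data the two unspent endpoints together still hold the full 75 BTC of ransom, with addr_final carrying 63.7 BTC of taint despite being topped up with 20 BTC of unrelated funds. Real investigations work the same way on the public ledger, but have to cope with fees, change outputs, and deliberate obfuscation (peel chains, mixers), which this toy graph omits.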
