The DOJ’s recovery effort was carried out alongside the FBI and Colonial Pipeline, and began shortly after the ransom was paid to the DarkSide criminal enterprise group, which is believed to have connections to Russia.
The seizure announced on Monday was conducted by a recently launched ransomware and digital extortion task force, which was able to track bitcoin transactions. It was the group’s first operation of this kind, investigators said during a press conference on Monday. It is not, however, the first time the government has been able to recover digital currencies paid as ransom to cybercriminals.
Colonial Pipeline CEO Joseph Blount first said during an interview with The Wall Street Journal that about $4.4 million in cryptocurrency was paid to free the company’s systems.
About 63.7 bitcoins have been recovered, with an estimated value of about $2.3 million, according to the DOJ. The company paid about 75 bitcoins in ransom, according to authorities.
U.S. officials said that cooperating with law enforcement will increase the chances that ransom money paid to criminals is recovered, but they could not guarantee that efforts would be successful in every instance.
The pipeline was shut down on May 7, crippling supply to East Coast retailers, some of which rely heavily on Colonial Pipeline’s fuel. The company says it provides roughly half of fuel supplies for the East Coast.
It took nearly a week for pipeline operations to fully resume, during which time some regions in the U.S. experienced fuel shortages, and the price of gasoline climbed.
"When Colonial was attacked on May 7, we quietly and quickly contacted the local FBI field offices in Atlanta and San Francisco, and prosecutors in Northern California and Washington D.C. to share with them what we knew at that time," Colonial Pipeline's Blount said in a statement on Monday. "The Department of Justice and FBI were instrumental in helping us to understand the threat actor and their tactics. Their efforts to hold these criminals accountable and bring them to justice are commendable."
FOX Business confirmed with Mandiant, a cybersecurity firm that worked with Colonial Pipeline on its response to the ransomware attack, that criminals accessed its systems through a virtual private network account. The account was used to access the company’s systems on April 29.
The password to the account was discovered alongside other leaked data on the dark web, the company said, though it is not clear how hackers obtained the password or the username.
Blount is expected to testify before lawmakers this week about the incident.