B Vrettos and M Bacina

Colonial Pipeline ransomware recovered

Updated: Jun 15


The Colonial Pipeline cyberattack was reportedly the largest cyber attack on the American energy system, and several US states felt the shockwaves in surging gas prices and fuel shortages. Now the US Department of Justice says it has "recovered" millions of dollars' worth of the cryptocurrency paid to the hackers to end the disruption.


The Colonial Pipeline company, which operates a 5,500 mile pipeline transporting gasoline and diesel from Texas to New Jersey, succumbed to the cyber attack on 7 May 2021 and, against recommendations, paid USD$4.4 million in ransom to the Eastern European hacking group known as DarkSide. Joseph Blount, Colonial Pipeline's CEO, told the Wall Street Journal that he authorized the ransom payment because executives were unsure how deeply the attackers had penetrated the company's systems and, consequently, how long it would take to bring the pipeline back. Tom Robinson, co-founder of cryptocurrency tracking firm Elliptic, reported that the ransom was paid the day after the hackers had locked the Colonial Pipeline network (as readers will recall, Bitcoin's blockchain publicly records every transaction, so following a payment from address to address is not difficult; what the ledger does not show on its own is who controls each address).

The DoJ has said it has "recovered" USD$2.3 million in Bitcoin of the ransom paid. Deputy Attorney General Lisa Monaco said that the DoJ had found and recaptured the majority of the ransom, saying:

Following the money remains one of the most basic, yet powerful tools we have

The DoJ's approach, as described in the affidavit, consisted of identifying the address DarkSide had used to collect the payment, following the funds through subsequent transactions to an address whose private key was "controlled by the FBI", and then applying for a seizure warrant for the funds at that address, which was approved by a judge in the Northern District of California.
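To make the "following the money" step concrete, here is an added Python example (not from the article, the affidavit, or any tracing vendor) that forward-traces funds through a small constructed UTXO graph: every transaction ID, address and amount in it is made up. It walks spends breadth-first from the collection address until an output lands at the target address, and reports the fan-in of the final hop. A real investigation runs the same walk over chain data, typically through a node's RPC interface or a commercial analytics tool.

```python
from collections import deque

# Constructed sample ledger (made-up txids, addresses and amounts).
# Each transaction spends earlier outputs by (txid, vout) and creates
# new outputs as (address, value_btc). "tx_funding" stands in for the
# victim's payment source and has no inputs of its own.
SAMPLE_TXS = {
    "tx_funding": {
        "inputs": [],
        "outputs": [("addr_ransom_collect", 100.0)],
    },
    "tx_split": {  # operator keeps a cut, the rest moves on
        "inputs": [("tx_funding", 0)],
        "outputs": [("addr_affiliate_cut", 15.0), ("addr_hop1", 85.0)],
    },
    "tx_spread": {  # funds scattered over several addresses
        "inputs": [("tx_split", 1)],
        "outputs": [("addr_hop2a", 40.0), ("addr_hop2b", 30.0),
                    ("addr_hop2c", 14.9)],
    },
    "tx_consolidate": {  # many inputs, one output: a sweep, not a mix
        "inputs": [("tx_spread", 0), ("tx_spread", 1), ("tx_spread", 2)],
        "outputs": [("addr_seized", 84.8)],
    },
    "tx_noise": {  # unrelated activity that the trace must ignore
        "inputs": [],
        "outputs": [("addr_noise", 1.0)],
    },
}


def spend_index(txs):
    """Map every spent outpoint (txid, vout) to the txid that spends it."""
    spent_by = {}
    for txid, tx in txs.items():
        for outpoint in tx["inputs"]:
            spent_by[outpoint] = txid
    return spent_by


def outputs_paying(txs, address):
    """Outpoints (txid, vout) whose output pays the given address."""
    return [(txid, vout)
            for txid, tx in txs.items()
            for vout, (addr, _) in enumerate(tx["outputs"])
            if addr == address]


def trace_forward(txs, start_address, target_address):
    """Breadth-first walk of spends starting at outputs paying start_address.

    Returns the txids on the first path that deposits into target_address,
    or None if no such path exists in the ledger."""
    spent_by = spend_index(txs)
    queue = deque((op, [op[0]]) for op in outputs_paying(txs, start_address))
    visited = set()
    while queue:
        outpoint, path = queue.popleft()
        if outpoint in visited:
            continue
        visited.add(outpoint)
        spender = spent_by.get(outpoint)
        if spender is None:  # unspent output: dead end for this branch
            continue
        new_path = path + [spender]
        for vout, (addr, _) in enumerate(txs[spender]["outputs"]):
            if addr == target_address:
                return new_path
            queue.append(((spender, vout), new_path))
    return None


def fan_in(txs, txid):
    """Number of distinct addresses funding txid's inputs.

    Many inputs into a single output is a consolidation (sweep) pattern; a
    mixer shows many inputs AND many outputs, so fan-in alone does not
    establish mixing."""
    return len({txs[prev]["outputs"][vout][0]
                for prev, vout in txs[txid]["inputs"]})


def amount_received(txs, address):
    """Total value paid to address across the whole ledger."""
    return round(sum(v for tx in txs.values()
                     for a, v in tx["outputs"] if a == address), 8)


if __name__ == "__main__":
    path = trace_forward(SAMPLE_TXS, "addr_ransom_collect", "addr_seized")
    print("path:", " -> ".join(path))
    print("fan-in of final hop:", fan_in(SAMPLE_TXS, path[-1]))
    print("received at seized address:", amount_received(SAMPLE_TXS, "addr_seized"))
```

On the sample ledger the walk finds the four-hop path from the collection address to the seized address and reports a fan-in of three for the final consolidation. Against real chain data the same index-and-walk works unchanged; what changes is the size of the graph and the need to prune common spends such as exchange deposit addresses.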


According to the Sydney Morning Herald, the operation to recover the ransom is the first feat of the specialised ransomware task force created by the Biden administration. The perception that cryptocurrency is anonymous and cannot be traced is refuted time and time again, yet somehow it persists in the financial press, most often among authors sceptical or critical of digital currencies. Go figure.


The question of how the DoJ "recovered" the funds is one which has caused angst on CryptoTwitter, as the Court documents filed give minimal information as to whether:


1. the DoJ or FBI had obtained the private keys of wallets used by the hackers (which, if true, would let the FBI spend whatever those particular keys controlled; it would not make Bitcoin transactions in general reversible, because a confirmed transaction cannot be undone and holding one key says nothing about anyone else's); or

2. DarkSide did a deal with the DoJ/FBI (which seems far more likely); or

3. the DoJ/FBI threatened DarkSide with the full force and fury of the United States and DarkSide sensibly returned everything it could (which seems to us the most likely explanation).


There has been no word on whether the US task force is collaborating with private digital currency tracing companies such as Elliptic or Chainalysis, with whom the DoJ has worked previously on high profile takedowns.


A few interesting points from the affidavit filed in support:

  • The addresses referred to in the affidavit were partly redacted, but the DoJ left enough characters visible to identify the full addresses with the most basic blockchain knowledge (rookie mistake?), so for your viewing pleasure you too can follow the Bitcoin on its journey to the FBI controlled address bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq

  • The last transaction has 24 different addresses depositing various (mostly small) amounts into the FBI controlled address. This could be read as a crude attempt to obscure the earlier source of the funds, although a many-input, single-output transaction is the shape of a sweep consolidating funds held across several addresses rather than of a mixer, which spreads many inputs across many outputs. The transaction itself is public and can be looked up on any block explorer by the address above.

  • There is no reference anywhere in the Court material to how the FBI or DoJ either obtained control of the address in question or "persuaded" the hackers to send the funds to it, but given the attempt at obscuring the delivery, a sensible inference is that the hackers made the transfer voluntarily, with some attempt at preserving secrecy (which failed).

Given the above, headlines praising the DoJ and FBI are warranted, but it remains unclear whether this was a case of DarkSide returning some funds under an undisclosed deal, or a genuine infiltration of the group or its wallets by FBI white-hat hackers. We may never know the truth, but the example will stand to show that blockchain and digital currency remain a terrible way for criminals to transfer value, unless they want to get caught (or, in this case, to return most of the money).