Go to listing page

How the FBI Recovered Bitcoin Ransom Paid to Darkside Ransomware Gang

How the FBI Recovered Bitcoin Ransom Paid to Darkside Ransomware Gang
The DOJ has seized approximately $2.3 million ransom amount in BTC paid to DarkSide by Colonial Pipeline last month. The FBI used a bitcoin private key to prevent the transaction.

Here’s how it happened

On May 7, Colonial Pipeline suffered a major ransomware attack. Experts traced the origin of the attack back to an Eastern European hacking group, Darkside. The victim approached the FBI while agreeing to pay the ransom.
  • The FBI followed the bitcoin public ledger to an address that received two bitcoin payments on May 8, right when Colonial decided to pay.
  • From there, the FBI accessed the funds by leveraging a private key linked to the bitcoin address.
  • The agency, however, claimed to come into possession of the private key but said nothing about how it obtained the key.
  • However, why the entire ransom amount was not recovered is still shrouded in mystery.

Recovering Bitcoin wasn’t easy

An FBI agent associated with the case reportedly used the blockchain explorer software. 
  • It enabled him to look for a Bitcoin blockchain and ensure the amount and destination of transactions.
  • Soon, the FBI identified the Bitcoin addresses Darkside used to launder its ransom.
  • As a result, the agent could track 63.7 Bitcoins that were received as payments on May 27 by Darkside to a Bitcoin address.

Any later, the funds would have been lost forever. 

Aftermath of the Colonial Pipeline attack

It has been a month since the attack occurred and some revelations were made during the ongoing investigation.
  • According to FireEye Mandiant, attackers accessed a dead VPN account to freeze the company’s network.
  • Security experts revealed that one more pipeline-focused business was targeted by the Xing Team hacker group around the same time as Colonial Pipeline. Hackers exposed 70GB of internal files from LineStar Integrity Services to the dark web.
  • A partial shutdown of operations at Colonial Pipeline led to a slight rise in fuel prices and prompted fuel stockpiling
  • The impact also triggered the Biden administration to issue an emergency declaration across 17 states and Washington D.C.
  • Meanwhile, the CEO of Colonial Pipeline issued a public apology for the inconvenience caused to people by the attack.

Conclusion

The recent attack will go down as one of the most devastating attacks in the history of the U.S. While no business can ever prevent all kinds of threats, there are steps that all-sized businesses can take to prepare and protect themselves. Looking at today’s recovery cost of an attack, this readiness shall offer a significant return on investment in the future.

Cyware Publisher

Publisher

Cyware