The Department of Justice announced that it has recovered a portion of the funds paid out to the hacking group that held the Colonial Pipeline to ransom in May. Nearly 64 bitcoin, worth approximately $2.3 million, has been seized – just under half of the $4.4 million that the energy company was coerced to pay. The cyber attack led to gas shortages and a spike in prices when it was launched on May 7.
Deputy Attorney General Lisa Monaco announced the recovery on Monday, saying, “The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st-century challenge … But the old adage ‘follow the money’ still applies.”
“Today, we turned the tables on DarkSide by going after the entire ecosystem that fuels ransomware and digital extortion attacks, including criminal proceeds in the form of digital currency.”
DarkSide is the group held responsible for the attack and subsequent ransom demand; authorities identified it as affiliated with Russia. However, the warrant that allowed the Justice Department to obtain the bitcoin authorized agents to seize property located in the Northern District of California.
Rarely discussed is that Darkside is only the middle man in this growing operation. An “affiliate” – possibly someone with access to the target – contacts the hackers and asks to use their malware service. The affiliate receives the lion’s share of the cash or bitcoin, with the provider receiving a smaller cut. It seems that despite Monaco’s insistence that the DOJ has “turned the tables” on DarkSide, the agency has, in fact, only aggrieved the group’s client.
Understanding the Seizure
The bitcoin seized is the affiliate’s share; this has two ramifications. First, it means that those who wish to target a corporation or organization may be wary of their payday being fully secure. Second, DarkSide is likely not impacted financially.
The group announced on May 13 that it was already in the process of shutting down and that its servers had been “blocked.” With DarkSide no longer in operation, what happens to the malware that is capable of hijacking systems and shutting out the rightful owners? Little speculation has been made so far in the media, and government officials seem happy not to give this question public consideration. Yet this could be one of the most important issues that faces the Biden administration. If the malware is sold to multiple other hacking groups or even made freely available for all would-be hackers on the dark web, we could see a massive spike in these types of attacks.
National Security Advisor Jake Sullivan said that the use of cryptocurrency “lies at the core of how these ransom transactions are played out” and hinted that the topic of possible regulation may be on the agenda at the June G7 meeting. It will almost certainly be discussed at the summit with Russian President Vladimir Putin.
In the case of Colonial Pipeline, the DOJ task force was able to retrieve the bitcoin because the passkey for the funds was present in California, and presumably, the outfit had intelligence on the exact location. It does not seem likely that future hacks will be so open to exposure. Over $400 million was paid out in ransoms last year, almost none of which was recovered.
DarkSide is still in the wind. Hacker attacks happen every day. And the governments of the world are largely unable to either stop the culprits or retrieve the cash. Don’t be surprised if this half-win for the DOJ sparks a Washington, D.C. conversation on how to regulate this Wild West monetary system.
Read more from Mark Angelides.