The U.S. DoJ Retrieved $2.3 Million of the ‘Colonial Pipeline’ Ransom Payment to ‘DarkSide’

  • The U.S. Department of Justice seized 85% of the ransom amount paid by Colonial Pipeline to DarkSide.
  • The actors hadn’t passed that amount through a bitcoin tumbler but simply bounced it around.
  • This development could be the omen of a higher-level disruption or just an isolated case of enforcement.

The U.S. Department of Justice announced the seizure of 63.7 Bitcoins (approximately $2.3 million) that were part of ‘Colonial Pipeline’ ransomware payment to ‘DarkSide.’ According to the announcement, law enforcement agents were devoted to tracking multiple transfers of the particular bitcoin assets and were able to seize them when they reached a specific address for which the FBI held the private key. From what appears to be the case, the actors didn’t use a bitcoin spinning/tumbling service but just bounced the amount around, hoping that their tracks will get lost.

Since the first moment of the attack on Colonial Pipeline, it became clear that this was a high-profile case that would enjoy the FBI's involvement. ‘DarkSide’ knew that it would be hard to hide when the sharpest minds of the American law enforcement agencies are watching them, and soon, they stumbled upon technical and practical problems. Just four days after the attack at the pipeline operator, the hacking group announced its last victim, Toshiba France, and quickly after that declared losing access to its RaaS funds.

Whatever really happened back then, the result now is that the DarkSide group has lost 63.7 of the 75 Bitcoins it received as a ransom payment, which is 85% of the amount. The seized amount appears to be the 85% cut of the affiliate of the Colonial Pipeline attack, while the remaining 15% is the RaaS operator’s cut. DarkSide had already been severely disrupted, but this development shows that they have really bitten off more than they could chew with Colonial Pipeline.

There’s certainly a mystery around why the DarkSide affiliate decided not to use a bitcoin tumbling service on the dark web, which would essentially “launder” the ransom payment. We have reached out to William Callahan, an expert in blockchain intelligence at BIGG and a former investigator at DEA, and here are his speculative thoughts on the matter:

There could be a number of reasons why the actors didn't use a coin tumbler. Maybe they could not find a tumbler that would accept them, risking to draw the attention of the FBI, or possibly they did not trust any of these services, which are intrinsically untrustworthy anyway. So, they probably decided to perform some tentative transactions around to see if they would get caught instead of just parking the funds somewhere.

As the DoJ announcement closes, the newly formed “Ransomware and Digital Extortion Task Force” will continue to disrupt, investigate, and prosecute ransomware actors and their activity, strategically targeting the criminal ecosystem and involving agencies from around the world at an engagement level that matches that of terrorism. Whether or not this will make a difference in practice, or if the seizure of the DarkSide affiliate’s crypto was just a stroke of luck, remains to be seen.

REVIEW OVERVIEW

Latest

Why Is Demon Slayer So Popular?

In August 2019, the world suddenly started talking about an anime series that had just released its nineteenth episode. Fast forward to...

F1 Live Stream 2022: How to Watch Formula 1 Without Cable

There's not much time until the 2022 Formula 1 World Championship gets underway - the first race is scheduled for late March,...

Disney+ Announces Basketball Series Inspired By Award-Winning Book The Crossover

Disney Plus announced a new basketball-themed drama series that is set to land on the streaming platform, drawing inspiration from the critically...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari