How The DOJ Recovered $2.3 Million Paid During The Colonial Pipeline Ransomware Hack

Unless you’ve been living under a rock, you’ve almost certainly heard of the ransomware attack on Georgia-based Colonial Pipeline on May 7th, 2021, which forced the company to freeze many of its IT systems in order to prevent further damage. The attack itself was perpetrated by an advanced persistent threat (APT) group that goes by the name of Darkside.

This particular APT group is highly sophisticated and, like groups such as Maze, claims that it will never target critical or otherwise vulnerable bodies such as schools, hospitals and governments. In this instance, they went after the business side of Colonial Pipeline rather than pipeline operations, which could have been devastating to oil and gas markets not just in the U.S. but internationally as well.

How The DOJ Recovered Coins From a Bitcoin Wallet

In a news release on June 7th, 2021, the U.S. Department of Justice announced that it had recovered 63.7 bitcoins, valued at approximately $2.3 million USD, by seizing a bitcoin wallet that was used by the threat actors.

When Colonial Pipeline paid the 75 bitcoin ($4.4 million) ransom to the Darkside group, they would have had to send it to one or more bitcoin wallets. A bitcoin wallet address is just a string of between 26 and 35 characters that is entered as the recipient of a bitcoin payment. It’s a bit like entering your friend’s email address when sending them an eTransfer, except that bitcoin wallet addresses don’t identify the owner in and of themselves.

Bitcoin blockchain data is publicly searchable and available via various websites such as Blockchain.com. The DOJ was lucky enough to find out that the bitcoin wallet, and thus the bitcoins within it, were managed by a company over which they had jurisdiction. Even though the wallet address doesn’t identify the owner, the address has to be generated by software. In this instance, that software was owned by an organization that the U.S. DOJ was able to get a warrant for.

With that warrant, the DOJ managed to obtain the private key for that bitcoin wallet, access it, and withdraw the funds within it. A private key is a second string of alphanumeric characters that gets generated for every bitcoin wallet address. The private key acts as the password for accessing the wallet, and should be stored securely and safely.

The funds took an interesting route to their final wallet, so the DOJ simply had to follow the money until it reached a wallet it could access. I’ve put the timeline into a table and included the last 6 characters of each bitcoin wallet address so that you can see how the funds were possibly laundered through a number of other wallets until they sat in a wallet that the DOJ was able to gain access to.

Date        Sender               Amount (BTC)    Recipient
5/8/2021    Colonial Pipeline    75              xxxxxxxxxxxxXjc9fr
5/8/2021    Unknown              0.0005          xxxxxxxxxxxxXjc9fr
5/8/2021    xxxxxxxxxxxxXjc9fr   0.00001693      xxxxxxxxxxxxfytpsf
5/8/2021    xxxxxxxxxxxxXjc9fr   75.00034246     xxxxxxxxxxxxXg7q5X
5/8/2021    xxxxxxxxxxxxXg7q5X   74.99998307     xxxxxxxxxxxxfytpsf
5/8/2021    xxxxxxxxxxxxXg7q5X   0.00006748      xxxxxxxxxxxxtKycsm
5/8/2021    xxxxxxxxxxxxfytpsf   11.24962019     xxxxxxxxxxxxz99zwt
5/8/2021    xxxxxxxxxxxxfytpsf   63.74998561     xxxxxxxxxxxxeqwg45
5/9/2021    xxxxxxxxxxxxeqwg45   63.7            xxxxxxxxxxxxKcdNxB
5/9/2021    xxxxxxxxxxxxeqwg45   0.04976631      xxxxxxxxxxxxeqwg45
5/27/2021   xxxxxxxxxxxxKcdNxB   69.60422177     xxxxxxxxxxxxcfsegq

What you might notice is that the wallet that was seized by the DOJ contained a little more than 69 bitcoins. Colonial got back the 63.7 bitcoins that the DOJ could trace directly to their payment, and the DOJ is going to be the recipient of 5.390422177 bitcoins, or just over $188,000 USD.
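As an added example (not part of the original post), the Python below encodes the table above and does the "follow the money" walk an analyst would do by hand: from each address it follows the largest outgoing transfer, and it tallies each address's net balance from the table alone, which is how the extra bitcoins in the seized wallet stand out. Addresses are the truncated six-character suffixes from the table; the rows are constructed from the post, not pulled from the blockchain.

```python
from collections import defaultdict
from decimal import Decimal

# Rows constructed from the table in the post: (date, sender, amount in BTC, recipient).
# Addresses are truncated to their last six characters, exactly as the post shows them.
TRANSFERS = [
    ("5/8/2021", "Colonial Pipeline", "75", "Xjc9fr"),
    ("5/8/2021", "Unknown", "0.0005", "Xjc9fr"),
    ("5/8/2021", "Xjc9fr", "0.00001693", "fytpsf"),
    ("5/8/2021", "Xjc9fr", "75.00034246", "Xg7q5X"),
    ("5/8/2021", "Xg7q5X", "74.99998307", "fytpsf"),
    ("5/8/2021", "Xg7q5X", "0.00006748", "tKycsm"),
    ("5/8/2021", "fytpsf", "11.24962019", "z99zwt"),
    ("5/8/2021", "fytpsf", "63.74998561", "eqwg45"),
    ("5/9/2021", "eqwg45", "63.7", "KcdNxB"),
    ("5/9/2021", "eqwg45", "0.04976631", "eqwg45"),
    ("5/27/2021", "KcdNxB", "69.60422177", "cfsegq"),
]


def net_balances(transfers):
    """Net BTC per address, received minus sent, using only the transfers in the table.
    A negative figure means the address spent more than the table shows it receiving,
    i.e. it had inflows from somewhere outside this trace (the seized wallet is one)."""
    net = defaultdict(Decimal)
    for _, sender, amount, recipient in transfers:
        amt = Decimal(amount)  # Decimal keeps satoshi precision; floats would not
        net[sender] -= amt
        net[recipient] += amt
    return dict(net)


def follow_the_money(transfers, start):
    """Hop from `start` along the largest outgoing transfer of each address until an
    address has no further outgoing transfer. Returns the list of addresses visited."""
    outgoing = defaultdict(list)
    for _, sender, amount, recipient in transfers:
        if sender != recipient:  # self-transfers are change, not a hop
            outgoing[sender].append((Decimal(amount), recipient))
    path, current = [start], start
    while outgoing[current]:
        _, nxt = max(outgoing[current])  # largest amount wins; ties fall to the name
        if nxt in path:  # stop rather than loop if funds cycle back
            break
        path.append(nxt)
        current = nxt
    return path


if __name__ == "__main__":
    print(" -> ".join(follow_the_money(TRANSFERS, "Colonial Pipeline")))
    for addr, bal in sorted(net_balances(TRANSFERS).items()):
        print(f"{addr:>18}: {bal:+.8f} BTC")
```

The walk ends at the 5/27 transfer out of the seized wallet, and the seized wallet's net balance from the table is negative, which is the quickest way to see that it held coins the trace does not account for.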