The Justice Department announced on Monday that it had recovered $2.3 million of the cryptocurrency ransom paid by Colonial Pipeline Co. to ransomware hackers. The funds were seized from an account located in California, leading many to suspect the ransom was paid to a Coinbase wallet — a claim the cryptocurrency exchange has denied.
Reuters reports that Deputy Attorney General Lisa Monaco stated this week that investigators have seized 63.7 bitcoins, currently valued at around $2.3 million, that Colonial Pipeline Co. paid to the ransomware operators who locked up the pipeline's systems. The attack forced the pipeline offline and led to widespread fuel shortages at U.S. East Coast gas stations.
The Justice Department "found and recaptured the majority" of the ransom paid by Colonial, according to Monaco. An affidavit filed on Monday stated that the FBI was in possession of the private key controlling the bitcoin address that received most of the ransom funds, which is what allowed the seizure: whoever holds the private key for an address can sign a transaction moving its coins. The affidavit did not elaborate on how the FBI obtained the key.
A San Francisco judge approved the seizure of funds from the “cryptocurrency address,” which the filing stated was located in the Northern District of California. It was speculated by some that the bitcoin wallet may have been one linked to the cryptocurrency exchange Coinbase, although the company was quick to deny any involvement.
1/ I’ve seen a bunch of incorrect claims that Coinbase was involved in the recent DOJ seizure of bitcoin associated with the Colonial Pipeline ransomware attack. We weren’t. a thread:
— Philip Martin (@SecurityGuyPhil) June 8, 2021
Colonial Pipeline said that it paid the hackers almost $5 million to regain access to its systems. Bitcoin seizures are rare but authorities have improved their expertise in tracking the flow of digital currency as ransomware becomes a growing issue.
However, it seems unlikely that criminal charges will ever be brought against the hackers, both because they are difficult to identify and because many are based in Russia, where pursuing prosecution could strain international relations. John Hultquist, vice president at the cybersecurity firm Mandiant, commented: "Right now, prosecution is a pipedream." Describing the best available course of action against ransomware operations, Hultquist said: "Disrupt. Disrupt. Disrupt."