DOJ Seizes Millions in Ransom Paid to Colonial Pipeline Hackers

Kramer Levin Naftalis & Frankel LLP

On June 7, the Department of Justice (DOJ) announced that it seized 63.7 of the 75 bitcoins paid by Colonial Pipeline to ransomware attackers last month. The recovered bitcoins were valued at $2.3 million at the time of seizure. The seizure represents a significant victory for the DOJ as it steps up efforts to combat cyberattacks.

The Colonial Pipeline attack disrupted operations that supplied roughly 45% of the East Coast’s fuel. This led to gas shortages, price spikes and the federal government declaring a state of emergency in 17 states. Hacking group DarkSide claimed responsibility and announced its “retirement” shortly after, citing its own monetary success and increasing pressure from U.S. law enforcement.

The US Government Increases Its Focus on Cybersecurity

A seizure of this magnitude is relatively unusual and demonstrates the attention and resources that the DOJ is devoting to ransomware. Calling ransomware payments “the fuel that propels the digital extortion engine,” the DOJ said it will “continue to target the entire ransomware ecosystem to disrupt and deter these attacks.” The DOJ also thanked Colonial Pipeline for “quickly notifying the FBI when they learned that they were targeted by DarkSide.” 

The FBI touted the seizure as proof that there is “no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors.” The FBI traced the transfer of bitcoins paid by Colonial Pipeline until they reached digital wallets that the FBI could subject to seizure.

The DOJ’s increased focus on ransomware attackers is in line with the executive branch’s heightened scrutiny of cybersecurity. In direct response to the recent SolarWinds and Colonial Pipeline attacks, President Biden issued an executive order on May 12 enhancing the cybersecurity requirements for government agencies and contractors. These include requirements to share threat information between the public and private sectors, standards for securing the supply chain of government-procured software, guidelines for testing that code, and special rules for handling a new class of “critical software.” Government agencies may not obtain or renew contracts for software that fails to meet these standards. 

These cybersecurity standards will likely reach beyond government contracts. Last week, following another ransomware attack, this time on JBS’s beef, pork and poultry plants, the White House issued an open letter urging private companies to adopt many of the measures required by the May 12 executive order. 

Ransomware Payments Still Discouraged

Although the FBI recovered most of the bitcoins paid by Colonial Pipeline, and the DOJ praised the company for quickly contacting law enforcement, the FBI officially discourages ransomware payments. The Office of Foreign Assets Control also warns that victims who pay ransoms to bad actors could face sanctions under Anti-Money Laundering laws and FinCEN regulations. State and local agencies also discourage ransomware payments, including the New York State Department of Financial Services, which recommends against paying ransom to avoid fueling “ever more frequent and sophisticated ransomware attacks.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kramer Levin Naftalis & Frankel LLP | Attorney Advertising