Much of the bitcoin payment to a cybercriminal gang responsible for the ransomware attack on Colonial Pipeline, which crippled US fuel supplies last month, has been recovered.

The US Department of Justice reached into a bitcoin wallet to seize 63,7 bitcoins currently valued at approximately $2,3-million.

These funds are believed to represent the proceeds of an 8 May ransom payment to the DarkSide group, which had targeted Colonial Pipeline with the result that critical infrastructure was taken out of operation.

The seizure warrant was authorised by Laurel Beeler, US magistrate judge for the Northern District of California.

“Following the money remains one of the most basic, yet powerful tools we have,” says Lisa Monaco, deputy attorney general at the US Department of Justice. “Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the US will use all available tools to make these attacks more costly and less profitable for criminal enterprises.

“We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks. Today’s announcements also demonstrate the value of early notification to law enforcement; we thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide.”

FBI deputy director Paul Abbate adds: “There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors. We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”

Stephanie Hinds, acting US attorney for the Northern District of California, comments: “Cyber criminals are employing ever more elaborate schemes to convert technology into tools of digital extortion. We need to continue improving the cyber resiliency of our critical infrastructure across the nation, including in the Northern District of California. We will also continue developing advanced methods to improve our ability to track and recover digital ransom payments.”

In early May, Colonial Pipeline was the victim of a highly publicised ransomware attack, resulting in the company taking portions of its infrastructure out of operation. The company received and paid a ransom demand for approximately 75 bitcoins to DarkSide.

According to the supporting affidavit, by reviewing the bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63,7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the private key needed to access assets.
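The tracing step the affidavit describes, following a payment forward through several transfers on the public ledger until it lands at an address that can be acted on, can be illustrated with a small script. The example below is added here and is not from the article or from the affidavit; the ledger, transaction ids, addresses and amounts in it are constructed to mirror the story's figures and are not the real Colonial Pipeline or DarkSide transactions. It uses the common "haircut" rule for commingled funds: when a tainted output is spent together with clean coins, the taint is spread over the spending transaction's outputs in proportion to value rather than counted in full.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed toy ledger, in confirmation order, for illustration only.
# Each entry lists the outputs it spends as (prev_txid, vout) and the
# outputs it creates as (address, amount). Nothing here is real chain data.
LEDGER = [
    {"txid": "tx_fund",   "inputs": [],
     "outputs": [("victim_wallet", Decimal("80"))]},
    {"txid": "tx_ransom", "inputs": [("tx_fund", 0)],          # the ransom payment
     "outputs": [("ransom_addr", Decimal("75")), ("victim_change", Decimal("5"))]},
    {"txid": "tx_split",  "inputs": [("tx_ransom", 0)],        # proceeds divided
     "outputs": [("hop_a", Decimal("63.7")), ("affiliate", Decimal("11.3"))]},
    {"txid": "tx_clean",  "inputs": [],                        # unrelated clean coins
     "outputs": [("clean_src", Decimal("8.7"))]},
    {"txid": "tx_move",   "inputs": [("tx_split", 0)],         # larger share moved on
     "outputs": [("final_addr", Decimal("63.7"))]},
    {"txid": "tx_mix",    "inputs": [("tx_split", 1), ("tx_clean", 0)],  # commingled
     "outputs": [("exchange_deposit", Decimal("20"))]},
]


def index_ledger(ledger):
    """Map txid -> tx and outpoint -> txid of the transaction that spent it."""
    by_id = {tx["txid"]: tx for tx in ledger}
    spent_by = {}
    for tx in ledger:
        for outpoint in tx["inputs"]:
            spent_by[outpoint] = tx["txid"]
    return by_id, spent_by


def trace_proceeds(ledger, start_txid, start_vout):
    """Follow the output (start_txid, start_vout) forward through the ledger.

    Assumes the ledger is in confirmation order, so every input has already
    been assigned a taint value when its spending transaction is processed.
    Taint is propagated with the haircut rule: each output of a spending
    transaction receives tainted_in * (output value / total output value).
    Any taint lost to fees simply drops out. Returns {address: tainted_amount}
    for the unspent outputs that still hold part of the traced funds.
    """
    by_id, spent_by = index_ledger(ledger)
    taint = defaultdict(Decimal)
    taint[(start_txid, start_vout)] = by_id[start_txid]["outputs"][start_vout][1]

    for tx in ledger:
        tainted_in = sum((taint[outpoint] for outpoint in tx["inputs"]), Decimal("0"))
        if tainted_in == 0:
            continue
        total_out = sum((amount for _, amount in tx["outputs"]), Decimal("0"))
        for vout, (_, amount) in enumerate(tx["outputs"]):
            taint[(tx["txid"], vout)] = tainted_in * amount / total_out

    # Terminal view: where the traced proceeds currently sit, by address.
    holdings = defaultdict(Decimal)
    for (txid, vout), amount in taint.items():
        if amount > 0 and (txid, vout) not in spent_by:
            address = by_id[txid]["outputs"][vout][0]
            holdings[address] += amount
    return dict(holdings)


def largest_holding(holdings):
    """Return the (address, amount) pair holding the most traced proceeds."""
    return max(holdings.items(), key=lambda item: item[1])


if __name__ == "__main__":
    result = trace_proceeds(LEDGER, "tx_ransom", 0)
    for address, amount in sorted(result.items(), key=lambda item: -item[1]):
        print(f"{address:18s} {amount} BTC of traced proceeds")
    print("largest concentration:", largest_holding(result))
```

In the toy data the 75-coin payment ends up as 63.7 coins at `final_addr` and 11.3 coins commingled into an exchange deposit; the victim's own change output carries no taint and is ignored. Real investigations add clustering of addresses into wallets and exchange attribution on top of this, but the forward propagation is the core of "following the money".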

Since the bitcoin represent proceeds traceable to a computer intrusion and property involved in money laundering, they could be seized pursuant to criminal and civil forfeiture statutes.