U.S. Department of Justice Seized $2.3M in Bitcoin from Ransomware Hackers

The U.S. Department of Justice announced that it seized 63.7 bitcoins, currently valued at approximately $2.3 million. According to the Department of Justice, “these funds allegedly represent the proceeds of a May 8 ransom payment to individuals in a group known as DarkSide.” This is the group that targeted Colonial Pipeline, causing it to shut down its pipeline.

As alleged in the supporting affidavit, law enforcement reviewed the Bitcoin public ledger, followed the ransom payment through multiple transfers, and identified that approximately 63.7 bitcoins representing proceeds of the victim’s payment had ended up at a specific address. The FBI holds the “private key” for that address: the secret that lets its holder sign transactions spending the funds there, so it is the rough equivalent of a password for those assets. Because this bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering, it may be seized under criminal and civil forfeiture statutes.
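The affidavit does not say how the tracing was done, and the example below is added here to illustrate the idea rather than reproduce the FBI’s method. It builds a small constructed ledger (the transaction IDs, addresses and amounts are made up; only the 63.7 BTC figure comes from the article) and follows the ransom payment forward through spends using proportional (“pro rata”) taint, which is one common blockchain-analysis heuristic: when tainted coins are spent together with clean coins, each output of that transaction is treated as carrying the same fraction of tainted value as the inputs did. Amounts are kept in satoshis and fractions so no value is lost to floating-point rounding.

```python
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction

SATS = 100_000_000  # satoshis per bitcoin


@dataclass(frozen=True)
class TxOut:
    address: str
    value: int  # satoshis


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # (txid, vout) outpoints being spent; empty for a funding tx
    outputs: tuple  # TxOut objects, indexed by vout


def btc(amount):
    """Convert a BTC amount to an integer number of satoshis."""
    return round(amount * SATS)


# Constructed sample ledger in confirmation order (as on the real chain).
# Every txid, address and amount here is made up for the example.
LEDGER = (
    Tx("ransom", (), (TxOut("ds_payment", btc(75)),)),  # victim pays the ransom
    Tx("split", (("ransom", 0),),
       (TxOut("affiliate", btc(63.7)), TxOut("operator", btc(11.3)))),
    Tx("hop", (("split", 0),), (TxOut("seized_addr", btc(63.7)),)),
    Tx("unrelated", (), (TxOut("clean_funds", btc(8.7)),)),  # no link to the ransom
    Tx("mix", (("split", 1), ("unrelated", 0)),  # tainted and clean coins spent together
       (TxOut("exchange_a", btc(10)), TxOut("exchange_b", btc(10)))),
)


def trace_proceeds(ledger, start):
    """Follow the coins in outpoint `start` forward through the ledger.

    Returns {address: tainted_satoshis} for every still-unspent output that
    holds value traceable to `start`, using pro-rata taint propagation.
    """
    by_id = {tx.txid: tx for tx in ledger}
    spent = {op for tx in ledger for op in tx.inputs}

    taint = defaultdict(Fraction)  # outpoint -> tainted satoshis (exact)
    taint[start] = Fraction(by_id[start[0]].outputs[start[1]].value)

    for tx in ledger:
        if not tx.inputs:  # funding transaction, nothing flows in
            continue
        total_in = sum(by_id[t].outputs[v].value for t, v in tx.inputs)
        tainted_in = sum(taint[op] for op in tx.inputs)
        if tainted_in == 0:
            continue
        # Each output inherits the input-side tainted fraction. With no fee
        # modelled, outputs sum to inputs and no taint is lost.
        share = tainted_in / total_in
        for vout, out in enumerate(tx.outputs):
            taint[(tx.txid, vout)] = out.value * share

    result = defaultdict(Fraction)
    for (txid, vout), amount in taint.items():
        if amount and (txid, vout) not in spent:
            result[by_id[txid].outputs[vout].address] += amount
    return dict(result)


if __name__ == "__main__":
    for addr, sats in sorted(trace_proceeds(LEDGER, ("ransom", 0)).items()):
        print(f"{addr:12s} {float(sats) / SATS:.8f} BTC")
```

Running it shows 63.7 BTC of the constructed 75 BTC payment sitting untouched at `seized_addr`, while the remaining 11.3 BTC was diluted with clean coins and split across two exchange-deposit addresses. In practice the hard part is not the walk itself but scale (millions of outputs), deliberate obfuscation (peel chains, CoinJoin, chain hopping) and attribution of terminal addresses to real-world entities such as exchanges, which is what lets a seizure warrant or a private key follow.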

The Wall Street Journal reported a quote from Stephanie Hinds, acting U.S. attorney for the Northern District of California (where the seizure warrant was obtained). “The extortionists will never see this money. This case demonstrates our resolve to develop methods to prevent evildoers from converting new methods of payment into tools and extortion for undeserved profits.”

The Wall Street Journal also reported that the FBI officially discourages victims from paying ransoms, because payments fuel a booming criminal marketplace and often don’t actually result in the restoration of the encrypted systems.

Krebs on Security reported that Colonial Pipeline stated that the hackers only hit its business IT networks – not its pipeline security or safety systems. Colonial Pipeline shut down its pipeline as a precaution.

According to Krebs on Security, DarkSide (which is described as a “ransomware-as-a-service” syndicate) shut down on May 14, 2021, after posting a farewell message to affiliates. The message said that its Internet servers and cryptocurrency stash were seized by unknown law enforcement entities.

Personally, I find it interesting that the U.S. Department of Justice has the ability to seize cryptocurrency from thieves who received it after infecting a company with ransomware. Perhaps this will serve as a warning to those who are interested in obtaining cryptocurrency through illegal means.