How the FBI Got Colonial Pipeline’s Ransom Money Back

On Monday, the Justice Department said it had recovered some of the cryptocurrency, equal to about $2.3 million of Colonial’s initial ransom.

The operation demonstrates investigators’ growing technical ability to disrupt the financial infrastructure that has enabled ransomware gangs to squeeze hundreds of millions of dollars from victims each year, cybersecurity experts say. Despite cryptocurrency’s reputation as a hard-to-trace medium of exchange useful to criminals and other groups that operate outside the traditional financial system, crypto experts say it is at times easier to track than hard currencies such as U.S. dollars.

“You can’t hide behind cryptocurrency,” said Elvis Chan, assistant special agent in charge of the cyber branch of the FBI’s San Francisco field office.

Senior Biden administration officials have in recent weeks characterized ransomware, in which criminals lock an organization’s data or computer system and demand payment, as an urgent national-security threat. On Wednesday, the chief executive of a meat company said it had paid an $11 million ransom to cybercriminals after a hack that contributed to the shutdown of plants that process roughly one-fifth of the nation’s meat supply.

While Monday’s announcement was noteworthy for the size of the recovery and the broad impact of the initial attack on the pipeline company, law-enforcement officials in recent years have established a track record of tracing cryptocurrency and at times seizing it.

Money Trail

Hackers move ransom payments to evade law enforcement but the Justice Department has been able to trace and seize cryptocurrency

1. Hackers break in and deploy ransomware.

2. Ransomware locks up company data, potentially crippling its computer systems and operations.

3. Victims receive a message demanding payment for a tool to unlock their data. Hackers share address for a digital wallet where victims can deposit cryptocurrency, often bitcoin.

4. Victims often call cybersecurity firms to negotiate with hackers and check for any affiliation with sanctioned governments or individuals. Brokers can convert cash to cryptocurrency, facilitate transfer.

5. Hackers often move funds among wallets to disguise their activity or pay associates who took part in the hack. Some ransomware gangs hire money-laundering services to help clean the cryptocurrency. Hackers convert digital money into hard currency, such as U.S. dollars, at cryptocurrency exchanges abroad.

1. Hackers break in and deploy ransomware.

2. Ransomware locks up company data, potentially crippling its computer systems and operations.

3. Victims receive a message demanding payment for a tool to unlock their data. Hackers share address for a digital wallet where victims can deposit cryptocurrency, often bitcoin.

4. Victims often call cybersecurity firms to negotiate with hackers and check for any affiliation with sanctioned governments or individuals. Brokers can convert cash to cryptocurrency, facilitate transfer.

5. Hackers often move funds among wallets to disguise their activity or pay associates who took part in the hack. Some ransomware gangs hire money-laundering services to help clean the cryptocurrency. Hackers convert digital money into hard currency, such as U.S. dollars, at cryptocurrency exchanges abroad.

1. Hackers break in and deploy ransomware.

2. Ransomware locks up company data, potentially crippling its computer systems and operations.

3. Victims receive a message demanding payment for a tool to unlock their data. Hackers share address for a digital wallet where victims can deposit cryptocurrency, often bitcoin.

4. Victims often call cybersecurity firms to negotiate with hackers and check for any affiliation with sanctioned governments or individuals. Brokers can convert cash to cryptocurrency, facilitate transfer.

5. Hackers often move funds among wallets to disguise their activity or pay associates who took part in the hack. Some ransomware gangs hire money-laundering services to help clean the cryptocurrency. Hackers convert digital money into hard currency, such as U.S. dollars, at cryptocurrency exchanges abroad.

1. Hackers break in and deploy ransomware.

2. Ransomware locks up company data, potentially crippling its computer systems and operations.

3. Victims receive a message demanding payment for a tool to unlock their data. Hackers share address for a digital wallet where victims can deposit cryptocurrency, often bitcoin.

4. Victims often call cybersecurity firms to negotiate with hackers and check for any affiliation with sanctioned governments or individuals. Brokers can convert cash to cryptocurrency, facilitate transfer.

5. Hackers often move funds among wallets to disguise their activity or pay associates who took part in the hack. Some ransomware gangs hire money-laundering services to help clean the cryptocurrency. Hackers convert digital money into hard currency, such as U.S. dollars, at cryptocurrency exchanges abroad.

Justice Department officials in November said they had seized roughly $1 billion in cryptocurrency associated with the Silk Road online black market. In January, law-enforcement officials said that the Justice Department had seized more than $454,000 in crypto from a ransomware group known as NetWalker.

Federal officials have previously dismantled illicit crypto networks operating abroad, including the August seizure of accounts and funds tied to al Qaeda and the Izz ad-Din al-Qassam Brigades, the armed wing of Palestinian militant group Hamas. An Internal Revenue Service agent traced transactions intended to fund the groups to Turkish money launderers who had additional customers based in the U.S. or were using U.S.-based exchanges, court records show.

The FBI has shared few details about how it seized a portion of cryptocurrency that Colonial Pipeline paid to DarkSide, a ransomware gang that investigators say they believe operates in Russia. But court records, along with interviews with analysts, describe the broad method by which investigators traced the funds from the pipeline operator’s coffers to a bitcoin address they reached with a court order.

Cryptocurrencies are held in digital accounts called wallets, which store addresses for funds’ virtual locations and the private keys, or passwords, to access them. While fiat currencies are transferred privately using banks’ routing numbers and individuals’ account numbers, crypto owners move funds between addresses recorded in a public ledger known as a blockchain.

Crypto wallets provide owners a measure of personal privacy and freedom from regulatory and tax oversight in some countries. But blockchains are visible to the public, enabling law-enforcement investigators and outside specialists to watch the funds move between addresses and through exchanges, online services where users can buy or sell holdings or cash out.

“We’ve effectively developed a map of hundreds of millions of bitcoin addresses associated with illicit actors all around the world,” said

David Carlisle,

director of policy and regulatory affairs at blockchain analytics firm Elliptic.

Once ransomware victims transfer cryptocurrency to hackers, sophisticated criminal groups often distribute the money among hundreds of other wallets, Mr. Carlisle said. Those transfers can comprise profit-sharing with affiliated hackers who develop and rent out the ransomware, transfers to money launderers who clean illicit funds, or attempts to convert crypto to fiat currencies.

Colonial Pipeline provided investigators with the bitcoin address where it paid hackers on May 8, launching them on the trail, according to court records filed in the U.S. District Court for the Northern District of California. The hackers moved the funds through at least six more addresses by the following day, the records show.

On May 13, DarkSide told affiliates that its servers and other infrastructure had been seized, but didn’t specify where or how. On May 27, court records show, a sum including 63.7 bitcoins traced to the Colonial ransom landed at a final address, where the FBI this week seized that portion of the funds.

The FBI said in its request for a warrant Monday that its investigators had in their possession the private key for that address. Officials didn’t elaborate on how it obtained the information, and a spokesman didn’t offer further comment.

The sum recovered by the FBI likely represents a cut of the ransom shared with DarkSide’s affiliates, said

Pamela Clegg,

director of financial investigations and education at blockchain analytics firm CipherTrace. On May 13, the same day DarkSide claimed its servers had been seized, the remaining funds from Colonial that haven’t been recovered by the FBI were consolidated with other crypto tied to ransom payments in a wallet that now holds about 108 bitcoins, she added.

“Everyone has their eyes on it to see if those funds are transferred,” Ms. Clegg said of the wallet.

FBI officials say the techniques they used to recover some of Colonial’s funds can be used in future cases, including when hackers attempt to transfer cryptocurrency through unfriendly overseas jurisdictions.

“Overseas is not an issue for this technique,” said Mr. Chan of the FBI’s San Francisco field office.

—Sadie Gurman and Dustin Volz contributed to this article.

Write to David Uberti at [email protected]