The $2.3 million recovered by the FBI following last year's Colonial Pipeline Co. ransomware attack came from a DarkSide ransomware affiliate, according to a Thursday blog post by blockchain analysis vendor Chainalysis.
Colonial Pipeline, one of the largest and most important oil pipelines in the U.S., was compromised in a ransomware attack last May that remains one of the largest cyber attacks against U.S. critical infrastructure. The pipeline was shut down for six days as gasoline shortages impacted parts of the East Coast.
Colonial Pipeline paid the ransom -- $4.4 million in bitcoin -- to DarkSide on May 7, and in June, the U.S. Department of Justice (DOJ) announced $2.3 million of it had been recovered. Chainalysis's blog post, titled "Chainalysis In Action: How FBI Investigators Seized Funds from DarkSide Following the Colonial Pipeline Ransomware Attack," provides additional context into how the funds were recovered.
According to the post, Colonial Pipeline sent 75 bitcoin to DarkSide's victim payment address. The funds were then transferred to DarkSide administrators, and after that, 85% of the ransom -- 63.7 bitcoin -- was sent to the ransomware affiliate that conducted the attack.
These were, for the most part, the funds seized by the FBI in its investigation.
"After tracking the funds to the affiliate's address, FBI investigators were able to seize [69.6 bitcoin] on May 28, 2021," the post read.
Chainalysis, which said its cryptocurrency tracking tools assisted the FBI's investigation, did not elaborate on how exactly the funds were seized. A spokesperson declined to provide additional clarification to SearchSecurity due to the ongoing nature of the investigation.
However, the post did provide additional context on the affiliate in question. Chainalysis said the affiliate also had funds that were traced back to NetWalker, a ransomware group disrupted last January. Said affiliate apparently received a total of 595.3 bitcoin from NetWalker operators across four payments in mid-2020.
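The hop-by-hop flow described above (victim payment address, administrators, an 85% share to the affiliate, and a wallet that also holds unrelated NetWalker income) is the kind of fund tracing that blockchain analytics tools perform. The Python below is an added illustration, not code from the article or from Chainalysis: it builds a constructed ledger with placeholder addresses and txids that mirrors the article's figures (85% of 75 BTC is 63.75, which the article rounds to 63.7) and applies a simple pro-rata taint heuristic to attribute ransom funds to each downstream address. The pro-rata rule is an assumption about method, one common textbook approach, and is not a description of the tooling the FBI or Chainalysis actually used.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """One transaction: which addresses funded it and which addresses it paid."""
    txid: str
    block: int      # ordering key so an address's receipts are seen before its spends
    inputs: dict    # address -> BTC spent
    outputs: dict   # address -> BTC received


# Constructed ledger mirroring the flow in the article:
# victim -> DarkSide payment address -> administrators -> 85% to the affiliate.
# Addresses and txids are placeholders, not real on-chain identifiers.
LEDGER = [
    Tx("tx_a", 100, {"victim_treasury": 75.0}, {"darkside_payment_addr": 75.0}),
    Tx("tx_b", 101, {"darkside_payment_addr": 75.0}, {"darkside_admin": 75.0}),
    Tx("tx_c", 102, {"darkside_admin": 75.0},
       {"affiliate_wallet": 63.75, "darkside_admin_change": 11.25}),
    # Earlier, unrelated income into the same affiliate wallet (constructed).
    Tx("tx_0", 50, {"netwalker_ops": 20.0}, {"affiliate_wallet": 20.0}),
    # The affiliate later spends the mixed balance onward.
    Tx("tx_d", 103, {"affiliate_wallet": 83.75},
       {"exchange_deposit": 30.0, "affiliate_wallet_2": 53.75}),
]


def trace_taint(ledger, source):
    """Pro-rata taint: BTC leaving an address carries the same fraction of
    ransom-derived funds as that address has received so far.

    Returns BTC attributable to `source` per address. Values are cumulative
    inflows, so intermediate hops show the full amount that passed through them.
    """
    received = defaultdict(float)
    tainted = defaultdict(float)
    for tx in sorted(ledger, key=lambda t: t.block):
        spent_total = sum(tx.inputs.values())
        tainted_in = 0.0
        for addr, amt in tx.inputs.items():
            if addr == source:
                frac = 1.0          # everything the victim pays is ransom by definition
            elif received[addr] > 0:
                frac = tainted[addr] / received[addr]
            else:
                frac = 0.0          # never received ransom-derived funds
            tainted_in += amt * frac
        out_frac = tainted_in / spent_total if spent_total else 0.0
        for addr, amt in tx.outputs.items():
            received[addr] += amt
            tainted[addr] += amt * out_frac
    return dict(tainted)


def ransom_share(tainted, address, ransom_total):
    """Percentage of the original ransom that reached `address`."""
    return 100.0 * tainted.get(address, 0.0) / ransom_total


def report(ledger, source, ransom_total):
    """Human-readable attribution table, largest recipients first."""
    tainted = trace_taint(ledger, source)
    rows = []
    for addr, btc in sorted(tainted.items(), key=lambda kv: -kv[1]):
        pct = ransom_share(tainted, addr, ransom_total)
        rows.append(f"{addr:24s} {btc:8.4f} BTC  ({pct:5.1f}% of ransom)")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(LEDGER, "victim_treasury", 75.0))
```

Running it shows the affiliate wallet receiving exactly 85% of the ransom, and the later exchange deposit carrying only a proportional slice (about 22.8 of its 30 BTC) because the wallet's balance was mixed with the unrelated NetWalker income. That dilution is why analysts track proportions rather than whole outputs once funds co-mingle, and why the article's 69.6 BTC seized can legitimately exceed the 63.7 BTC attributed to this one ransom.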
The FBI did not respond to SearchSecurity's request for comment.
Cryptocurrency tracking has emerged as a key component in law enforcement efforts to curb ransomware attacks and hold cybercriminals accountable. Earlier this week, DOJ announced it seized approximately $3.6 billion in bitcoin that had been stolen during the 2016 hack of cryptocurrency exchange Bitfinex; DOJ said it was the largest financial seizure in its history.
In addition, the U.S. government has started to take action against cryptocurrency exchanges and "mixers" that are accused of helping ransomware actors conceal and launder their ransom payments. In September, the Treasury Department's Office of Foreign Assets Control announced sanctions against Russia-based cryptocurrency broker Suex. Chainalysis, which assisted the investigation, said Suex hosted approximately $160 million in funds from ransomware payments, scams and illicit dark web purchases.
Alexander Culafi is a writer, journalist and podcaster based in Boston.