The US Department of Justice announced it managed to return the control over 63.7 bitcoins paid as a ransom by the operator of the Colonial Pipeline.
At a press conference on June 7, Deputy Attorney General Lisa Monaco said the task force "found and returned" bitcoins that the Colonial Pipeline operator was forced to pay to the DarkSide hacker group, which American law enforcement agencies associate with Russia. FBI Deputy Director Paul Abatt explained that cyber specialists seized the coins from the BTC wallet that was used for the payment. The order, filed with the US District Court for the Northern District of California, indicates that the US authorities were able to recover 63.7 BTC worth $2.3 million at the current exchange rate.
Monaco said the confiscation was the first major operation of a task force whose mission is to investigate, suppress and prosecute ransomware attackers.
DarkSide launched an attack on the pipeline company in May 2021, which caused disruptions in the supply of fuel in the United States.
According to court documents, on May 7, the Colonial Pipeline operator (referred to as Victim X) informed the FBI about the ransomware attack, and on May 8 it transferred 75 BTC to the criminals' wallet. After that, within a few days, bitcoins were transferred to other addresses, mainly in two transactions, one large one and one small one worth several thousand Satoshi. One transaction resulted in moving 11 bitcoins to the mixer. They remain lost.
63.7 BTC was also sent to the mixer, as the court records read, but for some reason got stuck there until May 27. On that day, an unnamed actor (name is kept secret) transferred 69 BTC to a wallet, the key of which was in the possession of the FBI unit in the Northern District of California. It is not disclosed how the FBI got the private key of that bitcoin wallet as well as where 5.3 BTC out of 69 BTC went to.
Presumably, the FBI was able to gain access to the wallet due to the fact that hackers used a payment server, which the US intelligence services tracked. "They simply got a search warrant and found the physical computer used for the "password" or private keys to unlock the #bitcoin wallet of the hackers. It was user error, not a "hack"," one Twitter user suggested.
Other possible scenarios are the presence of an insider in the DarkSide group or the carelessness of one of the group members who accidentally leaked a private key and it was intercepted by the US special services.