Play Live Radio
Next Up:
0:00 0:00
Available On Air Stations

U.S. Recovers Some Of The Ransom Paid To Colonial Pipeline Hackers


The FBI has recovered millions in ransom paid to end a cyberattack on one of the nation's largest fuel pipelines.


Right. So Colonial Pipeline paid about $4.4 million worth of Bitcoin to end the attack last month. U.S. officials say they recovered most of that from a virtual wallet.

FADEL: NPR justice correspondent Ryan Lucas joins us now with more. Hey, Ryan.

RYAN LUCAS, BYLINE: Good morning.

FADEL: So how did investigators track down this money and get it back?

LUCAS: Well, U.S. officials say a criminal hacker group called DarkSide was behind this ransomware attack against Colonial last month. DarkSide is based in Russia. And the group provides ransomware to criminal actors who use it to take control of the victim's computer system and demand a ransom to unlock it. And DarkSide then gets a share of the proceeds from that. The FBI says that it has been investigating DarkSide since last year. And based on that investigation, the FBI identified a digital wallet that DarkSide used to collect and hold the ransom payment from Colonial. And the FBI then got a warrant to seize those funds. In this case, it was $2.3 million in Bitcoin. Deputy Attorney General Lisa Monaco said the department had turned the tables on DarkSide, and she applauded Colonial for quickly contacting the government.


LISA MONACO: The message we are sending today is that if you come forward and work with law enforcement, we may be able to take the type of action that we took today to deprive the criminal actors of what they're going after here, which is the proceeds.

FADEL: So has Colonial said anything about the recovery of most of their ransom money?

LUCAS: Well, the company's president put out a statement in which he thanked the FBI for its work. He said that right after this ransomware attack happened, Colonial behind the scenes kind of quietly and quickly contacted the FBI in Atlanta and San Francisco. And he said the feds were instrumental in helping the company understand the hackers and what the hackers were up to and what their tactics were.

FADEL: So it seems like we're talking about ransomware a lot these days. So what else is the Justice Department doing to try to get a handle on this type of cyberattack?

LUCAS: There have been absolutely a lot of high-profile ransomware attacks as of late. Right after the Colonial Pipeline, one of the world's largest meat processing company, JBS, was hit with a ransomware attack. Here's Lisa Monaco again.


MONACO: Ransomware attacks have increased in both scope and sophistication in the last year, targeting our critical infrastructure, businesses of all types, whole cities and even law enforcement.

LUCAS: Now, that law enforcement reference there at the end hits close to home because the Washington, D.C., Police Department was the target of a recent ransomware attack. So this is a growing menace. Monaco described it as a national security and economic security issue. The Justice Department recently created a ransomware task force to focus on this problem, to investigate and prosecute the cyber criminals behind these sorts of attacks. This Colonial ransom recovery operation was actually the task force's first operation of this kind. But the Biden administration writ large is also focused on this issue. Officials say a lot of these groups operate out of Russia with sort of the tacit approval from the government there. President Biden plans to raise this issue with Russian President Vladimir Putin when the two meet next week in Geneva. So this is an issue that is very much front and center right now.

FADEL: NPR's Ryan Lucas. Thank you, Ryan.

LUCAS: Thank you. Transcript provided by NPR, Copyright NPR.

Ryan Lucas covers the Justice Department for NPR.