Restore Privacy

How did the Justice Department Seize $2.3M in Bitcoin from the Colonial Pipeline Ransomware Extortionists?

June 9, 2021 By RestorePrivacy Team — 5 Comments

A few days ago, the Justice Department announced that it had recovered around $2.3 million in Bitcoin that was paid to the extortionist group DarkSide, which hit Colonial Pipeline with a ransomware attack last month. “Today, we turned the tables on DarkSide,” said U.S. Deputy Attorney General Lisa Monaco.

While this appears to be a victory for justice, many questions remain unanswered. To get a better understanding of the events, let’s first examine what happened.

Last month Colonial Pipeline was hit with a major attack on its IT networks, and the company was forced to shut down operations. Colonial Pipeline was instructed to pay a ransom of 75 BTC, calculated to be worth around $4.3 million at the time of the attack. The company paid the ransom under great pressure and received a decryption tool to restore its systems.

Joseph Blount, CEO of Colonial Pipeline, stated in a Wall Street Journal report that the decryption tool was too slow and ineffective to restore the system. He added that he paid the ransom because of the uncertainty over how badly the cyberattack had breached the company’s systems and, consequently, how long it would take to bring the pipeline back.

What is ransomware and who is responsible?

Ransomware is a form of malicious software that encrypts a victim’s files and effectively holds their computer or network hostage until the victim pays a fee to regain access. To pressure the victim into paying, the attackers often threaten to leak sensitive information or to keep attacking the company’s networks.

The FBI confirmed that the criminal group named “DarkSide”, which allegedly originates from Eastern Europe or Russia, was responsible for the Colonial Pipeline attack.

DarkSide is a platform that sells “Ransomware as a Service” (RaaS). The platform is operated by the developers who create the malware; a ransomware affiliate is the one who infects companies with that malware and negotiates the payment with the victim.

DarkSide states that its motivation is to make money, not to create problems for society. Therefore, they only target big companies that are able to afford it, and will not target certain industries, including healthcare, education, and the government sector.

This DarkSide Leaks advertisement explains the motives and guiding principles of the group.

On May 13th, the DarkSide group announced that it was calling it quits and immediately ceasing all of its operations, after its servers were seized and part of its infrastructure was lost to an unknown law enforcement agency.

How did the Justice Department gain access to the cryptocurrency?

“Following the money remains one of the most basic, yet powerful tools we have,” said DOJ Deputy Attorney General Lisa Monaco.

According to the DarkSide affidavit, the investigator followed the money using a blockchain explorer, eventually identifying the single address that held 63.7 bitcoins from the ransom payment.

This is a page from an affidavit explaining the seizure of the Bitcoin funds.

During the press conference on Monday, law enforcement officials explained that the funds were recovered by a new Digital Task Force. In the official press release, the DOJ stated that “proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the ‘private key,’ or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address.”

However, one factor of utmost importance to the success of this operation remains unexplained: how did they obtain the private key?

How did the FBI get DarkSide’s private key?

There are multiple theories about how the private key was obtained by the FBI. However, it seems most likely that the FBI seized the money from the DarkSide affiliate and not the developers.

Experts at the blockchain analytics company Elliptic concluded that the address that held the funds received the 85% share of the ransom payment that went to the affiliate of the DarkSide group. The remaining 15%, which has not been seized, was funneled through addresses controlled by the DarkSide developers. According to a blog post by Elliptic’s co-founder Tom Robinson, “Any ransom payment made by a victim is then split between the affiliate and the developer.” In the case of the Colonial Pipeline ransom payment, 85% (63.75 BTC) went to the affiliate and 15% went to the DarkSide developer.

According to the warrant, a US server was seized that may have contained the credentials for the private key stored by the affiliate. This therefore appears to be a legal action of physically taking a server, rather than an elaborate “hack” by the US government.
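The “following the money” described above (tracing the ransom forward through the blockchain to the single address holding the affiliate’s share, and the 85/15 affiliate/developer split Elliptic describes) can be illustrated with a small added example. This is not code from the article, the DOJ affidavit, or Elliptic. All addresses and transaction ids are constructed, the only figures taken from the article are the 75 BTC ransom and the 85/15 split, and the tracing uses proportional (“haircut”) taint propagation, one of several heuristics chain-analysis tools apply when tainted coins are mixed with clean ones.

```python
"""Added example: proportional ("haircut") taint tracing through a Bitcoin-style
UTXO graph. Illustrative code, not from the RestorePrivacy article, the DOJ
affidavit or Elliptic. Addresses and txids are constructed; only the 75 BTC
ransom and the 85/15 affiliate/developer split come from the article."""
from collections import defaultdict, namedtuple

# A transaction spends previous outputs (referenced as (txid, vout)) and creates
# new ones (address, btc). Any shortfall between inputs and outputs is the miner fee.
Tx = namedtuple("Tx", ["txid", "inputs", "outputs"])

# Constructed ledger, already in dependency order. A real investigator would pull
# this from a block explorer or a full node.
LEDGER = [
    Tx("tx_fund",   [],                                 [("victim_wallet", 75.0)]),
    Tx("tx_ransom", [("tx_fund", 0)],                   [("darkside_inbox", 75.0)]),
    Tx("tx_split",  [("tx_ransom", 0)],                 [("affiliate_a1", 63.75), ("developer_d1", 11.25)]),
    Tx("tx_hop",    [("tx_split", 0)],                  [("affiliate_a2", 63.74)]),   # 0.01 BTC fee
    Tx("tx_clean",  [],                                 [("unrelated_wallet", 11.25)]),
    Tx("tx_devmix", [("tx_split", 1), ("tx_clean", 0)], [("developer_d2", 22.5)]),   # mixes in clean coins
]


def trace_taint(ledger, source_txid):
    """Replay the ledger, tagging every unspent output with how much of its value
    descends from the outputs of `source_txid` (the ransom payment).

    Proportional taint: when a transaction mixes tainted and clean inputs, each
    output inherits the tainted fraction of the inputs as a whole.
    Returns the final UTXO set: (txid, vout) -> {"addr", "amount", "taint"}."""
    utxos = {}
    for tx in ledger:
        in_total = in_taint = 0.0
        for ref in tx.inputs:
            if ref not in utxos:
                raise ValueError(f"{tx.txid} spends unknown or already-spent output {ref}")
            spent = utxos.pop(ref)
            in_total += spent["amount"]
            in_taint += spent["taint"]
        out_total = sum(amount for _, amount in tx.outputs)
        if tx.inputs and out_total > in_total + 1e-9:
            raise ValueError(f"{tx.txid} creates more value than it spends")
        if tx.txid == source_txid:
            fraction = 1.0                      # the ransom payment itself: fully tainted
        else:
            fraction = in_taint / in_total if in_total else 0.0
        for vout, (addr, amount) in enumerate(tx.outputs):
            utxos[(tx.txid, vout)] = {"addr": addr, "amount": amount, "taint": amount * fraction}
    return utxos


def tainted_balances(utxos, min_taint=1e-8):
    """Aggregate unspent outputs per address, keeping only addresses that still
    hold some of the traced funds. Returns addr -> {"balance", "tainted"}."""
    per_addr = defaultdict(lambda: {"balance": 0.0, "tainted": 0.0})
    for u in utxos.values():
        per_addr[u["addr"]]["balance"] += u["amount"]
        per_addr[u["addr"]]["tainted"] += u["taint"]
    return {a: v for a, v in per_addr.items() if v["tainted"] >= min_taint}


def largest_holder(balances):
    """Address currently holding the most of the traced funds, as (addr, tainted_btc)."""
    addr = max(balances, key=lambda a: balances[a]["tainted"])
    return addr, balances[addr]["tainted"]


if __name__ == "__main__":
    balances = tainted_balances(trace_taint(LEDGER, "tx_ransom"))
    for addr, v in sorted(balances.items(), key=lambda kv: -kv[1]["tainted"]):
        share = v["tainted"] / 75.0
        print(f"{addr:16} holds {v['balance']:6.2f} BTC, {v['tainted']:6.2f} from the ransom ({share:.0%})")
    print("largest holder:", largest_holder(balances))
```

Running it shows the affiliate’s hop address holding almost the full 85% share while the developer’s address holds a balance that is only half ransom-derived because clean coins were mixed in; the script also refuses ledgers that double-spend an output or create value from nothing, which is the sanity check you want before trusting any trace.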

And while there were reports of the FBI obtaining the private key by going through Coinbase’s servers, these claims were refuted by Coinbase’s chief security officer Philip Martin. He stated on Twitter, “Coinbase was not the target of the warrant and did not receive the ransom or any part of the ransom at any point. We also have no evidence that the funds went through a Coinbase account/wallet.”

Whatever the correct theory is, the attack on Colonial Pipeline has put the Biden Administration under serious pressure to do more about the increasing ransomware threat to critical infrastructure and to respond better to attacks.

“Although the Department has taken significant steps to address cybercrime, it is imperative that we bring the full authorities and resources of the Department to bear to confront the many dimensions and root causes of this threat,” Acting Deputy Attorney General John Carlin wrote to DOJ department heads, US attorneys and the FBI on Tuesday.

Additionally, in the wake of these events, some are claiming that Bitcoin is built on an unsafe network that can be compromised. We find these statements to be false and inaccurate. Nonetheless, Bitcoin has inherent drawbacks for privacy, given the permanent record of all transactions in the blockchain, as we noted in our guide on private and anonymous payments.

About RestorePrivacy Team

The mission of RestorePrivacy is to give you all the information and tools you need to restore your online privacy, secure your electronic devices, and stay safe online. We cover breaking news in the privacy and security space, while also publishing in-depth guides and reviews.

Comments

  1. Selt Mitchell

    July 6, 2021

    Amazing article! Now we know that the US doesn’t have the crunching power to compute the private keys, since they had to seize the equipment. +1 for the US though; they figured that the fastest route was to retrieve the physical keys by force. 😀

  2. BoBeX

    June 12, 2021

    Hi RP Team,

    A fantastic article!
    In-depth research with ordinary language explanation; analysis of facts and noted unknowns; timely and up-to-date; a consolidation of relevant facts; and an unbiased analysis of the environment.

    I came to RP for the high quality privacy guides – so you do analysis of current affairs too?
    I’ll be checking in often.

    BoBeX

  3. spirit

    June 10, 2021

    Who has the power to monitor the complete internet to such an extent that they can integrate it in their matrix?

  4. Bent

    June 10, 2021

    Check this out https://odysee.com/@BenSwann:6/fbi-turns-pipeline-hack-into-pr-stunt:3

    • Sven Taylor

      June 10, 2021

      From the video: “There is so much about this story that just seems off.”
      I completely agree. There are many questions…


COPYRIGHT © 2023 RESTORE PRIVACY, LLC · PRIVACY POLICY · TERMS OF USE · CONTACT · SITEMAP