Skip to content
Public Safety & Security

Recovery of Colonial Pipeline ransom funds highlights traceability of cryptocurrency, experts say

Brett Wolf  Regulatory Intelligence

Brett Wolf  Regulatory Intelligence

The Justice Department's seizure of ransom paid by Colonial Pipeline to hackers shows that cryptocurrency may not be that untraceable after all

The recent seizure by the U.S. Department of Justice (DOJ) of millions of dollars-worth of cryptocurrency linked to the ransomware attack on the Colonial Pipeline Co. and its subsequent ransom payment in May demonstrated the inherent traceability of cryptocurrencies and the potential for recent law enforcement successes to push criminals to alter their money laundering tactics, experts said.

In fact, these developments could force ransomware hackers and other criminals to take drastic steps to hide their ill-gotten gains, such as burying money from cashed-out cryptocurrency in the ground to make it more difficult for authorities to track down, experts added.

“I think the seizure of approximately 85% of the ransom paid by Colonial Pipeline highlights how successful U.S. law enforcement has been in developing the capacity to execute this sort of complex operation using blockchain analysis in real time,” said David Carlisle, director of policy and regulatory affairs with London-based Elliptic, a provider of risk management systems for the cryptocurrency industry.

“It also points to the underlying traceability of crypto, which can be used as a powerful tool and asset against criminals,” Carlisle explained. “Law enforcement are becoming very adept in their use of blockchain analytics capabilities to disrupt illicit activity, and this is one of the best examples of that we’ve seen to date.”

Following the crypto breadcrumbs

On June 7, the DOJ recovered some $2.3 million in cryptocurrency ransom paid by Colonial Pipeline, cracking down on  hackers who had launched the most disruptive U.S. cyberattack on record. On May 19, Colonial Pipeline’s CEO acknowledged to the media that his company had paid a $4.4 million ransom to hackers as executives were unsure how badly its systems were breached or how long it would take to restore the pipeline.

When announcing the DOJ’s recovery, Deputy Attorney General Lisa Monaco said investigators had “found and recaptured the majority” of the ransom paid by Colonial — seizing 63.7 bitcoins, now valued at about $2.3 million — after last month’s hack of its systems had led to massive shortages at U.S. East Coast gas stations.

An affidavit filed on Monday said the FBI was in possession of a private key to unlock a bitcoin wallet that had received most of the funds. It was unclear how the FBI gained access to the key. Interestingly, the value of bitcoin slid after the FBI seizure, with some experts suggesting the sell-off was prompted by concerns about the security of cryptocurrency after the law enforcement action.

Private sector experts contracted by the DOJ have proven extremely adept at tracing dirty crypto transfers on the blockchain, highlighted by a number of high-profile cases last year.

“We can’t speak to the Colonial investigation specifically, but we can say generally that the key to tackling ransomware is disrupting the ransomware supply chain, including identifying authors and developers, affiliates, infrastructure services providers, launderers, and cash-out points,” said Maddie Kennedy, senior director of communications with New York-based Chainalysis, a consultancy that allows companies and government agencies to analyze and investigate cryptocurrency transactions.

Hackers may change tactics

Ransomware groups’ use of cryptocurrency for ransom payments “is beneficial to ransomware investigations because cryptocurrency blockchains are transparent, and with the right tools, law enforcement can follow the money on the blockchain to better understand and disrupt the organization’s operations and supply chain,” Kennedy noted.

“This is a proven successful approach, as we saw in January’s takedown of the NetWalker ransomware strain,” she added. “A shift away from cryptocurrency to less transparent options could make investigating ransomware — and shutting down these operations — more difficult.”

The recovery of the bulk of the Colonial hack funds may serve as a wake-up call for criminals, Carlisle said. “This incredibly rapid and successful response to this incident should act as a powerful warning to cybercriminals everywhere that they are not beyond the reach of law enforcement when they use crypto,” he warned. “I suspect we’ll see them look to adopt more complex money laundering techniques to try and avoid this type of disruption — which is something we’ve seen other criminal networks do when using bitcoin.”

For example, Carlisle said criminals have reverted to some “innovative and even bizarre laundering techniques,” such as money laundering services being offered on the dark web that will convert illicit bitcoins to cash, and then bury that cash in the ground somewhere for the criminal to dig up.

“These criminals will try to innovate rather than give up on their profits,” he added. “That doesn’t mean there won’t still be ways to disrupt them, but it does mean that law enforcement agencies and the private sector will need to continue to scrutinize and understand the evolving techniques these groups use in order to confiscate their assets.”

More insights