The U.S. DoJ Retrieved $2.3 Million of the ‘Colonial Pipeline’ Ransom Payment to ‘DarkSide’

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

The U.S. Department of Justice announced the seizure of 63.7 Bitcoins (approximately $2.3 million) that were part of ‘Colonial Pipeline’ ransomware payment to ‘DarkSide.’ According to the announcement, law enforcement agents were devoted to tracking multiple transfers of the particular bitcoin assets and were able to seize them when they reached a specific address for which the FBI held the private key. From what appears to be the case, the actors didn’t use a bitcoin spinning/tumbling service but just bounced the amount around, hoping that their tracks will get lost.

Since the first moment of the attack on Colonial Pipeline, it became clear that this was a high-profile case that would enjoy the FBI's involvement. ‘DarkSide’ knew that it would be hard to hide when the sharpest minds of the American law enforcement agencies are watching them, and soon, they stumbled upon technical and practical problems. Just four days after the attack at the pipeline operator, the hacking group announced its last victim, Toshiba France, and quickly after that declared losing access to its RaaS funds.

Whatever really happened back then, the result now is that the DarkSide group has lost 63.7 of the 75 Bitcoins it received as a ransom payment, which is 85% of the amount. The seized amount appears to be the 85% cut of the affiliate of the Colonial Pipeline attack, while the remaining 15% is the RaaS operator’s cut. DarkSide had already been severely disrupted, but this development shows that they have really bitten off more than they could chew with Colonial Pipeline.

There’s certainly a mystery around why the DarkSide affiliate decided not to use a bitcoin tumbling service on the dark web, which would essentially “launder” the ransom payment. We have reached out to William Callahan, an expert in blockchain intelligence at BIGG and a former investigator at DEA, and here are his speculative thoughts on the matter:

There could be a number of reasons why the actors didn't use a coin tumbler. Maybe they could not find a tumbler that would accept them, risking to draw the attention of the FBI, or possibly they did not trust any of these services, which are intrinsically untrustworthy anyway. So, they probably decided to perform some tentative transactions around to see if they would get caught instead of just parking the funds somewhere.

As the DoJ announcement closes, the newly formed “Ransomware and Digital Extortion Task Force” will continue to disrupt, investigate, and prosecute ransomware actors and their activity, strategically targeting the criminal ecosystem and involving agencies from around the world at an engagement level that matches that of terrorism. Whether or not this will make a difference in practice, or if the seizure of the DarkSide affiliate’s crypto was just a stroke of luck, remains to be seen.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: