WASHINGTON, June 7 (Reuters) - The Justice Department on Monday said it recovered some $2.3 million in cryptocurrency ransom paid by Colonial Pipeline Co, cracking down on hackers who launched the most disruptive U.S. cyberattack on record.
Deputy Attorney General Lisa Monaco said investigators had seized 63.7 Bitcoins, now valued at about $2.3 million, paid by Colonial after last month's hack of its systems that led to massive shortages at U.S. East Coast gas stations.
The Justice Department has "found and recaptured the majority" of the ransom paid by Colonial, Monaco said.
An affidavit filed on Monday said the FBI was in possession of the private key for the Bitcoin address to which the ransom had been sent. Whoever holds that key can sign transactions spending the funds at the address, which is what allowed the coins to be moved under the seizure warrant. It was unclear how the FBI gained access to this key.
A judge in San Francisco approved the seizure of funds from this "cryptocurrency address," which the filing said was located in the Northern District of California.
Colonial Pipeline had said it paid the hackers nearly $5 million to regain access. Bitcoin's value has dropped in recent weeks, trading at around $36,000 on Monday after hitting $63,000 in April, which is why the seized coins, most of the ransom by count, are now worth less than half the dollar amount Colonial paid.
"Today, we've turned the tables on DarkSide," said Monaco, referring to a ransomware group widely believed to have been behind the crippling fuel pipeline attack.
The hack caused a shutdown lasting several days, leading to a spike in gas prices, panic buying and localized fuel shortages. It posed a major political headache for President Joe Biden as the U.S. economy was starting to emerge from the COVID-19 pandemic.
The White House urged corporate executives and business leaders last week to step up security measures to protect against ransomware attacks after the Colonial hack and later intrusions that disrupted operations at a major meatpacking company.
Deputy FBI Director Paul Abbate, who spoke at the same news conference as Monaco on Monday, described DarkSide as a Russia-based cybercrime group.
Abbate said the FBI was tracking more than 100 ransomware variants. DarkSide itself victimized at least 90 U.S. companies, including manufacturers and healthcare providers, Abbate said.
Commerce Secretary Gina Raimondo said on Sunday the Biden administration was looking at all options to defend against ransomware attacks and that the topic would be on the agenda when President Joe Biden meets with Russian President Vladimir Putin this month.
Tom Robinson, co-founder of the cryptocurrency-tracing firm Elliptic, said that the Bitcoin wallet the funds were taken from had held 69.6 Bitcoins. The seizure announced Monday was of just 63.7 Bitcoins, which Robinson said likely represented the share that had gone to the DarkSide "affiliate" who had initially hacked into Colonial.
Investigators say DarkSide often used a partnership model, in which affiliate hacking groups carried out the intrusions against victims while DarkSide supplied the ransomware and took a cut of each payment.
DarkSide would normally keep a smaller share for its role in providing the encryption software and negotiating with the victim, Robinson said. On Monday, minutes after the first funds were transferred out, the rest followed. The U.S. government might have seized that second amount as well but not announced it yet, Robinson said.
(Reporting by Sarah N. Lynch, Jan Wolfe, Tim Ahmann, and Christopher Bing in Washington and Stephanie Kelly in New York; Writing by Mohammad Zargham and Lisa Lambert; Editing by Howard Goller)