US recovers part of multimillion-dollar ransom paid in Colonial Pipeline hack

Colonial Pipeline CEO Joseph Blount says he made the call to pay the ransom.

Queenie Wong Former Senior Writer

Colonial Pipeline suffered a major ransomware cyberattack in May.

The US Department of Justice said Monday that it's recovered millions of dollars in cryptocurrency that was part of a ransom paid to hackers who attacked Colonial Pipeline and prompted the shutdown last month of the East Coast's main fuel-supply artery.

The DOJ said it seized 63.7 bitcoins, valued at about $2.3 million, that were part of the ransom demanded by a group known as DarkSide, which is thought to be based in Russia. The pipeline operator had paid the hackers $4.4 million in cryptocurrency.

In a statement about the seizure, US Deputy Attorney General Lisa Monaco said it could help deter future attacks. "Ransom payments are the fuel that propels the digital extortion engine, and today's announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises."

On Tuesday, Colonial Pipeline CEO Joseph Blount told lawmakers that deciding to pay the ransom was the hardest decision in his 39 years in the energy industry.

"I made the decision to pay, and I made the decision to keep the information about the payment as confidential as possible," Blount said during a hearing before the Senate Committee on Homeland Security and Governmental Affairs. "I kept the information closely held because we were concerned about operational safety and security, and we wanted to stay focused on getting the pipeline back up and running."

Colonial Pipeline reported the ransom demand to the FBI in May after hackers used a form of malicious software known as ransomware to breach the company's computer systems. Law enforcement officials were able to trace the ransom payment to a specific cryptocurrency address, and the FBI held the "private key" that allowed investigators to retrieve the money, according to the DOJ.

The Colonial Pipeline hack, which occurred on or about May 7, resulted in a six-day shutdown. Pipeline operations restarted on May 12 and operations returned to full capacity on May 17. In response, the US Department of Homeland Security issued its first cybersecurity regulations for the pipeline sector.

"As our investigation into this event continues, Colonial will continue its transparency in sharing intelligence and learnings with the FBI and other federal agencies," Blount said in a statement.