
US recovers part of multimillion-dollar ransom paid in Colonial Pipeline hack

Colonial Pipeline CEO Joseph Blount says he made the call to pay the ransom.


Colonial Pipeline suffered a major ransomware cyberattack in May.

James Martin/CNET

The US Department of Justice said Monday that it's recovered millions of dollars in cryptocurrency that was part of a ransom paid to hackers who attacked Colonial Pipeline and prompted the shutdown last month of the East Coast's main fuel-supply artery.

The DOJ said it seized 63.7 bitcoins, valued at about $2.3 million, that were part of the ransom demanded by a group known as DarkSide, which is thought to be based in Russia. The pipeline operator had paid the hackers $4.4 million in cryptocurrency.


In a statement about the seizure, US Deputy Attorney General Lisa Monaco said it could help deter future attacks. "Ransom payments are the fuel that propels the digital extortion engine, and today's announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises."

On Tuesday, Colonial Pipeline CEO Joseph Blount told lawmakers that deciding to pay the ransom was the hardest decision in his 39 years in the energy industry. 

"I made the decision to pay, and I made the decision to keep the information about the payment as confidential as possible," Blount said during a hearing before the Senate Committee on Homeland Security and Governmental Affairs. "I kept the information closely held because we were concerned about operational safety and security, and we wanted to stay focused on getting the pipeline back up and running."

Colonial Pipeline reported the ransom demand to the FBI in May after hackers used a form of malicious software known as ransomware to breach the company's computer systems. Law enforcement officials were able to track down the ransom payment to a specific address, and the FBI had a "private key" that allowed investigators to retrieve the money, according to the DOJ.

The Colonial Pipeline hack, which occurred on or about May 7, resulted in a six-day shutdown. Pipeline operations restarted on May 12 and operations returned to full capacity on May 17. In response, the US Department of Homeland Security issued its first cybersecurity regulations for the pipeline sector.

"As our investigation into this event continues, Colonial will continue its transparency in sharing intelligence and learnings with the FBI and other federal agencies," Blount said in a statement.