An operation led by the FBI San Francisco Division recovered $2.3 million, or 63.7 bitcoin, of the ransom paid by Colonial Pipeline after its systems were infected with ransomware, officials said Monday.
The total ransom was reportedly 75 bitcoin, then valued at around $4.4 million, meaning the majority, but not all, of the funds were recovered. Officials said they examined bitcoin transaction records, identified a wallet used to hold the proceeds and seized it under court order. The FBI had obtained the private key for that wallet, the secret value that, like a password, lets whoever holds it sign transactions moving the funds out, officials said.
“Following the money remains one of the most basic, yet powerful, tools we have,” said Deputy Attorney General Lisa O. Monaco in a statement.
Neither the official statement nor public court records explain how the FBI got the key.
Bitcoin is commonly used for ransomware and other illicit transactions because it is considered more difficult to trace and seize than other means of sending money, such as wiring funds to a bank account. But it is often still possible to track the movement of bitcoin through the shared public transaction record known as the blockchain, which makes it difficult for high-profile proceeds of criminal activity to be exchanged for traditional currency without being noticed. And because the blockchain ties the right to spend each coin to a key rather than to a person, anyone who obtains the private key for an address, whether the owner, a thief or, as here, law enforcement, can transfer the funds held there.
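To make the "follow the money" step concrete, here is an added example, not code from the article or from any agency, that walks forward from a known ransom payment through a constructed toy transaction ledger and reports where the tainted coins currently sit. The transaction ids, addresses and amounts are all constructed; the 63.7 figure is chosen only to echo the article. Tracing locates the address holding the funds; actually seizing them still requires the private key (or the cooperation of whoever holds it), which this example does not model.

```python
"""Follow-the-money over a constructed, toy bitcoin transaction ledger.

Added example, not from the original article. Every txid, address and
amount below is constructed for illustration.
"""
from collections import deque

# txid -> {"inputs": [(txid, vout), ...], "outputs": [(address, btc), ...]}
# A tx with no inputs is treated as external funding (like a coinbase).
LEDGER = {
    "tx_fund": {"inputs": [], "outputs": [("victim", 80.0)]},
    # The victim pays 75 BTC to the attacker's payment address, 5 BTC is change.
    "tx_ransom": {"inputs": [("tx_fund", 0)],
                  "outputs": [("attacker_1", 75.0), ("victim", 5.0)]},
    # Affiliate split: 63.7 BTC parked at a holding address, 11.3 to the operator.
    "tx_split": {"inputs": [("tx_ransom", 0)],
                 "outputs": [("holding_1", 63.7), ("operator_1", 11.3)]},
    # The operator's share moves to an exchange deposit address (a cash-out point).
    "tx_cashout": {"inputs": [("tx_split", 1)],
                   "outputs": [("exchange_deposit", 11.3)]},
    # Unrelated traffic that a correct trace must not flag.
    "tx_noise": {"inputs": [], "outputs": [("bystander", 2.0)]},
}


def spenders_index(ledger):
    """Map each outpoint (txid, vout) to the txid that spends it."""
    spent_by = {}
    for txid, tx in ledger.items():
        for outpoint in tx["inputs"]:
            spent_by[outpoint] = txid
    return spent_by


def trace_forward(ledger, start_txid, start_vout):
    """Breadth-first walk from one outpoint, following every spend of tainted coins.

    Applies the simple 'poison' rule: every output of a transaction that
    consumes a tainted input becomes tainted. Returns (tainted_outpoints,
    path), where path lists the spending transactions in visit order.
    """
    spent_by = spenders_index(ledger)
    start = (start_txid, start_vout)
    tainted = {start}
    visited = set()
    path = []
    queue = deque([start])
    while queue:
        outpoint = queue.popleft()
        nxt = spent_by.get(outpoint)
        if nxt is None or nxt in visited:
            continue  # still unspent, or already expanded
        visited.add(nxt)
        path.append(nxt)
        for vout, _ in enumerate(ledger[nxt]["outputs"]):
            op = (nxt, vout)
            if op not in tainted:
                tainted.add(op)
                queue.append(op)
    return tainted, path


def unspent_tainted_balances(ledger, tainted):
    """Where the tainted coins rest now: address -> BTC in unspent outputs."""
    spent_by = spenders_index(ledger)
    balances = {}
    for txid, vout in tainted:
        if (txid, vout) in spent_by:
            continue  # already moved on; its successors are in `tainted` too
        addr, amt = ledger[txid]["outputs"][vout]
        balances[addr] = round(balances.get(addr, 0.0) + amt, 8)
    return balances


if __name__ == "__main__":
    tainted, path = trace_forward(LEDGER, "tx_ransom", 0)
    print("transactions on the trail:", path)
    print("tainted coins now sitting at:", unspent_tainted_balances(LEDGER, tainted))
```

The poison rule deliberately over-approximates: on a real ledger it also taints change outputs and anything mixed in later, which is why investigators combine it with clustering heuristics and exchange records before acting. The walk starts from the ransom output itself rather than from the whole ransom transaction, so the victim's own change is not flagged here.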
The Colonial hack led to some gasoline shortages along the East Coast, after the shuttering of the pipeline that carries a substantial portion of the region’s motor fuel supply spurred panic buying. The pipeline was shut for about six days, fully resuming service by May 15.