After Colonial Pipeline Co. on May 8 paid roughly $4.4 million in cryptocurrency to hackers holding its computer systems hostage, the Federal Bureau of Investigation followed the digital money.
Over the next 19 days, court records show, a special agent watched on the public bitcoin blockchain as the hackers moved the 75 bitcoins through a series of other addresses. A May 27 transfer of nearly 64 bitcoins landed at an address whose private key the FBI had obtained, giving agents the opening to seek a seizure warrant and pounce.
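The tracing described above, as an added illustration that is not the FBI's tooling or anything from the court filings: a forward "follow the money" pass over a small transaction graph, using the haircut rule (each output inherits the share of its transaction's inputs that was tainted). The transaction ids, addresses and amounts below are constructed to resemble the story's shape and are not real chain data; `controlled` stands in for addresses whose keys an investigator holds.

```python
from collections import defaultdict, deque
from decimal import Decimal

# Constructed transaction set (not real chain data). Each tx lists the
# outpoints it spends as (txid, vout) and the outputs it creates as
# (address, amount_in_btc). Fees are the difference between inputs and outputs.
TXS = {
    "ransom": {"inputs": [],
               "outputs": [("addr_ransom", Decimal("75.00"))]},
    "clean":  {"inputs": [],
               "outputs": [("addr_clean", Decimal("16.30"))]},
    # Gang splits the ransom: an affiliate cut and the operator's share.
    "split":  {"inputs": [("ransom", 0)],
               "outputs": [("addr_affiliate", Decimal("11.25")),
                           ("addr_operator", Decimal("63.70"))]},
    # Operator's share is commingled with unrelated coins before moving on.
    "mix":    {"inputs": [("split", 1), ("clean", 0)],
               "outputs": [("addr_seized", Decimal("63.70")),
                           ("addr_other", Decimal("16.25"))]},
}


def outpoint_value(txs, txid, vout):
    return txs[txid]["outputs"][vout][1]


def build_spender_index(txs):
    """Map every spent outpoint to the txid that spends it."""
    return {op: txid for txid, tx in txs.items() for op in tx["inputs"]}


def trace_funds(txs, start):
    """Forward-trace the outpoint `start` across later transactions.

    Returns ({address: tainted_btc_received}, {unspent_outpoint: tainted_btc}).
    Taint follows the haircut rule: an output carries
    value * (tainted inputs / total inputs) of its creating transaction.
    """
    spender = build_spender_index(txs)
    memo = {}

    def taint(op):
        if op in memo:
            return memo[op]
        if op == start:
            t = outpoint_value(txs, *op)
        else:
            txid, vout = op
            inputs = txs[txid]["inputs"]
            total_in = sum((outpoint_value(txs, *i) for i in inputs), Decimal(0))
            if total_in == 0:          # coinbase / untraced origin: nothing tainted
                t = Decimal(0)
            else:
                taint_in = sum((taint(i) for i in inputs), Decimal(0))
                t = outpoint_value(txs, *op) * taint_in / total_in
        memo[op] = t
        return t

    received, unspent = defaultdict(Decimal), {}
    queue, seen = deque([start]), {start}
    while queue:
        op = queue.popleft()
        addr = txs[op[0]]["outputs"][op[1]][0]
        t = taint(op)
        received[addr] += t
        nxt = spender.get(op)
        if nxt is None:                # not spent yet: still sitting at this address
            unspent[op] = t
            continue
        for vout in range(len(txs[nxt]["outputs"])):
            child = (nxt, vout)
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return dict(received), unspent


def recoverable(txs, start, controlled):
    """Unspent tainted outputs sitting at addresses in `controlled`
    (hypothetical set of addresses whose private keys the investigator holds).
    Returns [(outpoint, address, face_value, tainted_value)]."""
    _, unspent = trace_funds(txs, start)
    out = []
    for op, t in unspent.items():
        addr, amount = txs[op[0]]["outputs"][op[1]]
        if addr in controlled:
            out.append((op, addr, amount, t))
    return out


if __name__ == "__main__":
    received, unspent = trace_funds(TXS, ("ransom", 0))
    for addr, amt in sorted(received.items()):
        print(f"{addr:15} received {amt} BTC of traced funds")
    for op, addr, face, t in recoverable(TXS, ("ransom", 0), {"addr_seized"}):
        print(f"seizable: {op} at {addr}: {face} BTC on chain, {t} BTC traced")
```

The commingling step is the point worth noticing: the output at `addr_seized` is worth 63.70 BTC on chain, but under the haircut rule only 50.72 BTC of it is attributed to the ransom because unrelated coins entered the same transaction. Which attribution rule is used (haircut, poison, FIFO) changes the number, so state the rule whenever a traced figure is reported.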
On Monday, the Justice Department said it had recovered some of the cryptocurrency, equal to about $2.3 million of Colonial’s initial ransom.
The operation demonstrates investigators’ growing technical ability to disrupt the financial infrastructure that has enabled ransomware gangs to squeeze hundreds of millions of dollars from victims each year, cybersecurity experts say. Despite cryptocurrency’s reputation as a hard-to-trace medium of exchange useful to criminals and other groups that operate outside the traditional financial system, crypto experts say it is at times easier to track than cash such as U.S. dollars: every bitcoin transfer is recorded permanently on a public ledger that anyone, including investigators, can read.
“You can’t hide behind cryptocurrency,” said Elvis Chan, assistant special agent in charge of the cyber branch of the FBI’s San Francisco field office.