Are Bitcoin’s Days as the Ransomware Payment of Choice Numbered?


By: Alexia Roney

On May 7, 2021, the CEO of Colonial Pipeline found himself in a position far too common for American companies: a cyberattack had crippled his company’s IT system and shuttered his business until a ransom was paid. As gas shortages rippled across the Southeast, the CEO paid $4.4 million in Bitcoin to the hackers. Colonial Pipeline was able to bring its system back up and so ended the crisis while the Bitcoin payment disappeared.

No one expected to see any of the ransom returned. It rarely ever is. But one month later, on June 7, 2021, the U.S. Department of Justice wrote a new coda to this story. The agency clawed back $ 2.3 million of the Bitcoin ransom payment by tracing the transaction to a specific account. Bitcoin is the cybercriminal’s payment of choice because it is supposedly anonymous. In actuality, Bitcoin is pseudonymous: each user’s Bitcoin address – the “wallet” – is anonymous, but every transaction involving that wallet is stored on the Bitcoin blockchain. The blockchain, an indelible record, is public.

Colonial Pipeline’s payment was tracked through the public blockchain by cybersecurity firms, and the U.S DOJ, to a specific wallet. If that wallet can be linked to a real-world identity, anonymity is gone. In this case, the U.S. DOJ obtained the private key, the password to access the relevant wallet, and seized the contents. This shows that law enforcement can link real world bad actors and reach their wallets. This is not the first time: in the Twitter hack of July 15, 2020, Bitcoin tracking joined a plethora of other investigative techniques to successfully identify and arrest the three perpetrators. Aware of this vulnerability, developers – legitimate or not – have been working on fully anonymous cryptocurrencies such as Monero.

The Colonial Pipeline ransomware recovery is a win for the U.S. DOJ Ransomware and Digital Extortion Task Force, specifically created to combat the rising tide of ransomware attacks and the disruption it causes to businesses and the public. Notably, as part of the announcement, both the DOJ and Colonial Pipeline emphasized that this successful recovery was due in part to the company’s early notification to law enforcement. While the recovery of ransom payments remains uncommon, it is excellent news that the U.S. Government is taking the plight of business seriously and devoting significant resources to shut down bad actors.

For more information, please contact Alexia Roney at