DoJ Seizes $500,000 in Bitcoin Ransomware Payments

  • The Department of Justice has seized $500,000 made in bitcoin ransomware payments
  • The FBI was able to trace and lock down two ransomware payments made by U.S. healthcare providers
  • The FBI recovered $2.3 million in ransomware payments from the Colonial Pipeline attack last year

The Department of Justice (DoJ) has seized bitcoin ransomware payments totalling some $500,000, paid by victims including healthcare providers in Kansas and Colorado. The FBI was able to seize control of two accounts into which ransomware payments were made and is now going through legal channels to recover the funds on behalf of the victims, showing that the authorities are becoming better equipped to deal with such attacks.

Maui Ransomware Targeted Healthcare Providers

According to the Justice Department, North Korean hackers used a type of ransomware called Maui to encrypt the files and servers of a Kansas medical centre in May 2021. The centre was unable to access its servers for a week, leaving it no choice but to pay approximately $100,000 in bitcoin to regain the use of its computers and equipment.

Fortunately, the victim contacted the FBI and cooperated with law enforcement immediately, which gave the authorities a better opportunity to identify the previously unseen North Korean ransomware and trace the bitcoin payments to China-based money launderers.

This led to the FBI observing, in April this year, a payment of approximately $120,000 in bitcoin into one of the identified accounts, which has since been seized. The payment came from a Colorado medical provider that had just paid a ransom after being hacked by actors using the same Maui ransomware strain.

The FBI was able to seize the contents of the two accounts in May, with the District of Kansas then beginning forfeiture proceedings against the hackers’ funds so that the stolen money can be returned to the victims.

Training and Experience Paying Off

The operation is similar in nature to last year’s recovery of $2.3 million in bitcoin payments made to the operators of the Colonial Pipeline attack. In both cases the speed of the victim’s notification, here by the Kansas healthcare centre, was critical to the tracing of the funds.

The success of these operations shows that, after years of being behind the curve, the training and experience the authorities have gathered in dealing with ransomware are finally paying off.