Colonial Pipeline Hackers Announce Early Retirement

Edward Kost
May 17, 2021

The Colonial Pipeline story has taken an unexpected plot twist after Darkside announced the cessation of their criminal operations.

Darkside is the Russian criminal group responsible for the Colonial Pipeline cyberattack that shut down fuel supply to the U.S. East Coast. The reason for this sudden change of heart was Darkside’s loss of access to its ransomware infrastructure and a mysterious theft from its bitcoin wallet.

Darkside ran a Ransomware-as-a-Service operation, offering its ransomware to affiliates and earning a percentage of each successful ransom payment. Darkside notified its affiliate network of the sudden decision via a post on its website.

The announcement explained that a public portion of the criminal group’s ransomware infrastructure was seized by an unspecified law enforcement agency.

The following assets were also seized:

  • The group’s name-and-shame blog
  • The group’s ransom payment collection website
  • The group’s Content Delivery Network (CDN).

Darkside also said that just a few hours prior to their announcement, an unauthorized transfer of funds occurred from their cryptocurrency wallet linked to ransomware payments from victims.

It’s unknown whether the exfiltration of Darkside’s funds or the damage to their website was caused by a United States retaliation campaign. Websites seized by U.S. law enforcement are usually branded with a notice from the F.B.I.; Darkside’s website is currently just inaccessible.

Darkside’s website is currently inaccessible - Source:

Example of website seized by F.B.I

While fuel delivery operations have finally returned to normal, Colonial Pipeline still has a lot of cleaning up to do, as evidenced by the error message replacing their website at the time of writing.

Error message when Colonial Pipeline website is loaded.

But a clean-up operation may involve much more than just re-connecting a website.  

IFM Investors, an Australian investment management company, owns a 16% stake in Colonial Pipeline. The company is also owned by 27 Australian union-and-employer-backed industry super funds, which links a swathe of the Australian superannuation sector to the Colonial Pipeline incident.

Other victims may also surface in the coming weeks, since cyberattacks on service providers tend to impact multiple entities connected through shared data resources.

While Darkside’s liquidation is a happy ending to this tumultuous story, it may not last. After a defeat, cybercriminal groups often resurface under different names and a new reputation.

The problem of ransomware attacks will not be solved by hoping criminal groups disappear. The onus is on organizations to strengthen their security posture.
