‘That horse has left the barn’: Secret Service official says ransom payments have fueled hacking sprees

“I think it’s a very small number of cases we actually hear about,” Secret Service official Stephen Nix said.
Getty Images

After the multimillion-dollar extortions of Colonial Pipeline and meat processor JBS, a Secret Service official is urging organizations not to pay off hackers and underscoring that more victims need to come forward in order to help U.S. officials get a handle on the problem.

“We’re in this boat we’re in now because over the last several years, people have paid the ransom,” Stephen Nix, assistant to the Special Agent in Charge at the U.S. Secret Service, said at CyberTalks, a summit presented by CyberScoop. “This is the monetization of security flaws. That’s what we’re looking at. That horse has left the barn.”

Nix asked ransomware victims to tell law enforcement agencies details such as the cryptocurrency wallet, or account, used by the attackers in order to track them down. “I think it’s a very small number of cases we actually hear about,” he added. “If we don’t hear about it, we can’t help you and we can’t help the next person.”

In 2020, ransomware payments from victims surged by 311% to reach nearly $350 million in cryptocurrency, according to Chainalysis, a company that tracks virtual payments. Two recent incidents have brought the issue into the national spotlight, while sparking concern among lawmakers that corporations are fueling a criminal economy.


Colonial Pipeline, which transports some 45% of fuel consumed on the East Coast, paid $4.4 million to recover its data from hackers. JBS, which accounts for an estimated one-fifth of U.S. beef production, paid its extortionists $11 million.

The CEOs of both companies said paying off criminals made them squeamish, while defending their ultimate decisions. In the case of the Colonial Pipeline, the FBI was able to recover about $2.3 million of the ransom by tracking the bitcoin ledger linked with the hackers, the Wall Street Journal reported.

In other cases, Nix said, knowing which ransomware group is behind a given hack can lead law enforcement to advise victims to low-ball extortionists who are known to accept payments below their asking price.

The Treasury announced last fall that U.S. companies could be fined for paying ransoms to sanctioned entities. Nix said communication with law enforcement can keep organizations from running afoul of those regulations.

“Most of the time, you have no clue where that wallet … that you’re paying [is],” he said.


By alerting law enforcement of ransomware attacks, victims can also get threat information such as the likelihood that they will recover their data from hackers, said Daniel Donahue, program manager at Homeland Security Investigations, a division of the Department of Homeland Security.

“The more people know and the harder that we make targets … it might actually increase the cost of doing business” for ransomware gangs, Donahue said during the CyberTalks panel.

The FBI last year announced a cybersecurity strategy to impose more costs on foreign hackers threatening U.S. interests — an approach that officials are doubling down on in the wake of the temporary disruption of key arteries of the American economy.

Nix, the Secret Service official, said his team was keen on taking a closer look at the numerous players in the cryptocurrency market.

“There are over 500 money service businesses in the United States alone that handle cryptocurrency,” Nix said at CyberTalks. “At any one point, some of these ransom funds could be mixed or tumbled through some of these money exchangers.”


“This is shared criminal infrastructure,” he added. “We have to attack all of it — the customer service aspect, the money laundering aspect.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts