// post-mortem · Ransomware · National

Colonial Pipeline

One stolen VPN password took the largest US fuel pipeline offline.

Ransomware · 2021 · Colonial Pipeline

Map of the Colonial Pipeline system carrying refined petroleum products from Texas to New Jersey. Map: US Energy Information Administration / Wikimedia Commons (public domain)

// overview

What happened

On May 6, 2021, a DarkSide affiliate logged into Colonial Pipeline's network using a single set of VPN credentials. The account was no longer in active use but had never been disabled, and crucially had no multi-factor authentication. The password appeared in a previous batch of leaked credentials available on the dark web.

Over the following hours, attackers exfiltrated approximately 100 GB of data and deployed DarkSide ransomware against Colonial's IT (business) systems on the morning of May 7. The operational technology pipeline-control network was not directly affected — but Colonial preemptively shut it down, both to stop attackers pivoting and because the billing system needed to track every gallon delivered was inoperable.

The pipeline carries roughly 45 percent of all transportation fuel for the US East Coast, supplying 50 million people from Texas to New Jersey. Within 48 hours of the shutdown, panic-buying caused thousands of gas stations across the Southeast to run dry. The Biden administration declared a regional state of emergency, the DOT relaxed driver-hour limits for fuel trucks, and average gas prices crossed $3.00 nationally for the first time since 2014.

Colonial paid a 75 BTC (~$4.4 million) ransom on May 7 and received a decryptor — which proved so slow that the company restored from backups instead. On June 7, the FBI announced it had traced and seized 63.7 BTC (~$2.3 million at the time) of the ransom. DarkSide announced shortly after the attack that it was dissolving, claiming pressure from law enforcement; researchers suspect the group simply rebranded.

// timeline

How it unfolded

  1. Apr 29, 2021

    DarkSide affiliate gains initial access via inactive VPN account.

  2. May 6, 2021

    Attackers exfiltrate ~100 GB of Colonial data.

  3. May 7, 2021 — early AM

    DarkSide ransomware deployed; Colonial discovers ransom note.

  4. May 7, 2021

    Colonial shuts down operational pipeline preemptively.

  5. May 9, 2021

    Biden administration declares regional state of emergency.

  6. May 12, 2021

    Pipeline restarted after partial decryption and backup restore.

  7. Jun 7, 2021

    FBI announces recovery of 63.7 BTC of the ransom payment.

// damage

Impact and scale

A single password without MFA collapsed America's largest refined-fuel pipeline. Colonial chose to shut down the operational pipeline to prevent attackers pivoting from IT to OT, and because it could not bill customers for fuel it could no longer measure. Fuel prices spiked, gas stations ran dry across the Southeast, and the Biden administration declared a regional state of emergency. The FBI eventually clawed back 63.7 BTC of the ransom by tracing it on-chain.

// affected

Who was hit

  • Colonial Pipeline Company — operations halted ~5 days, $4.4M ransom
  • Consumers across 17 US East Coast states — fuel shortages and panic buying
  • Major airports (Charlotte, Atlanta) re-routing flights due to jet-fuel scarcity
  • Roughly 11,000 of 14,000 Southeast gas stations reported as out of gas at peak

// lessons

Key takeaways

  • Multi-factor authentication on VPNs is not optional — single-factor remote access is a one-bug failure mode.
  • Disable or delete unused accounts; standing access is debt that compounds quietly.
  • IT/OT segmentation matters in both directions: Colonial shut OT preemptively because the IT compromise threatened the operational network.
  • Ransomware payments are not always irreversible — on-chain forensics can recover funds when operational security slips.
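The first two takeaways (enforce MFA on remote access, and disable accounts nobody uses) are the kind of thing a defender can check mechanically. The script below is an added example for this post, not Colonial's or any vendor's tooling: it audits a VPN-account export for enabled accounts that are dormant, never used, or reachable with a password alone, and turns the findings into a remediation list. The CSV layout (username, enabled, mfa_enrolled, last_logon) and the sample rows are constructed assumptions; a real export from a directory or VPN concentrator would need its columns mapped onto these.

```python
"""Audit a VPN-account export for the two conditions behind the Colonial
Pipeline intrusion: still-enabled accounts that are no longer used, and
accounts that can authenticate with a password alone (no MFA).

Added example, not Colonial's or any vendor's code. The CSV layout is an
assumption: username,enabled,mfa_enrolled,last_logon (ISO-8601 or empty).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export: usernames and timestamps are made up.
SAMPLE_EXPORT = """username,enabled,mfa_enrolled,last_logon
jdoe,true,true,2021-05-05T14:02:00Z
legacy-vpn,true,false,2021-01-12T08:30:00Z
contractor7,true,false,
ops-admin,true,true,2020-11-30T23:59:00Z
vendor-support,true,false,2021-05-04T09:15:00Z
retired-user,false,false,2019-06-01T00:00:00Z
"""

# Constructed audit date (the day the post's intrusion began), not a real run.
AUDIT_DATE = datetime(2021, 5, 6, tzinfo=timezone.utc)


def _parse_bool(value):
    return value.strip().lower() in ("true", "1", "yes")


def _parse_time(value):
    """Empty field means the account has never logged on."""
    value = value.strip()
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_export(text):
    """Turn the CSV export into a list of typed account records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "username": row["username"].strip(),
            "enabled": _parse_bool(row["enabled"]),
            "mfa_enrolled": _parse_bool(row["mfa_enrolled"]),
            "last_logon": _parse_time(row["last_logon"]),
        })
    return accounts


def audit_vpn_accounts(accounts, now, dormant_days=90):
    """Return {username: [reasons]} for enabled accounts that are dormant,
    never used, or lack MFA. Disabled accounts are skipped: they cannot be
    used for initial access, which is the point of disabling them."""
    cutoff = now - timedelta(days=dormant_days)
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        reasons = []
        last = acct["last_logon"]
        if last is None:
            reasons.append("never-used")
        elif last < cutoff:
            reasons.append(f"dormant>{dormant_days}d")
        if not acct["mfa_enrolled"]:
            reasons.append("no-mfa")
        if reasons:
            findings[acct["username"]] = reasons
    return findings


def remediation_plan(findings):
    """Split findings into accounts to disable outright (unused) and
    accounts that stay but must enrol MFA before VPN access continues."""
    disable = sorted(
        user for user, reasons in findings.items()
        if any(r == "never-used" or r.startswith("dormant") for r in reasons)
    )
    enforce_mfa = sorted(
        user for user, reasons in findings.items()
        if "no-mfa" in reasons and user not in disable
    )
    return {"disable": disable, "enforce_mfa": enforce_mfa}


if __name__ == "__main__":
    found = audit_vpn_accounts(parse_export(SAMPLE_EXPORT), AUDIT_DATE)
    for user, reasons in sorted(found.items()):
        print(f"{user:15} {', '.join(reasons)}")
    print(remediation_plan(found))
```

On the sample data the script flags `legacy-vpn`, `contractor7` and `ops-admin` for disabling (dormant or never used, regardless of MFA status) and `vendor-support` for MFA enrolment: it is active, so it stays, but it is exactly the single-factor remote-access path the post describes. Running this on a schedule, rather than once, is what keeps "standing access" from accumulating again.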
