In May 2021, a ransomware attack shut down the largest fuel pipeline in the United States, triggering fuel shortages across the East Coast. The entry point: one password, leaked from a breached account, sitting on the dark web.
On the morning of 7 May 2021, an operator at Colonial Pipeline's control room in Alpharetta, Georgia, saw something that made their stomach drop: a ransom note on the screen.
By the time staff had confirmed what they were looking at, the company had already made a decision that would affect the daily lives of tens of millions of Americans. They shut down the pipeline.
Colonial operates roughly 5,500 miles of pipeline stretching from Houston, Texas to Linden, New Jersey. It carries about 45 percent of the fuel consumed on the US East Coast — petrol, diesel, jet fuel. When it stopped, the downstream effects were almost immediate. Within days, fuel stations in Georgia, the Carolinas, and Virginia were running dry. Lines stretched around the block. Panicked drivers filled plastic bags with petrol, which is both ineffective and extraordinarily dangerous.
The attack caused one of the most visible infrastructure failures in recent American history. The entry point was a single compromised password.
The Timeline
The attackers were inside Colonial's network for at least a day before anyone noticed. On 6 May — the day before the ransom note appeared — the DarkSide ransomware group had already exfiltrated roughly 100 gigabytes of data from Colonial's IT systems. The data theft served a dual purpose: it was both leverage (pay us or we publish your files) and an insurance policy in case the company could restore from backups without paying.
When Colonial's staff found the ransom note on 7 May, they made a conservative call. The company's operational technology (OT) systems — the industrial control systems that actually move fuel through the pipeline — had not been directly infected. But Colonial's leadership couldn't be sure that the infection wouldn't spread there too. Concerned about potentially operating a compromised pipeline, they made the decision to proactively shut down all pipeline operations.
The ransomware hit only the IT side. The decision to shut down the pipeline was Colonial's own. Whether that was the right call is still debated, but the logic was understandable: an infected industrial control system on a fuel pipeline is a physical danger, not just a data problem.
Colonial paid a ransom of approximately $4.4 million in Bitcoin within hours of confirming the attack. The decision was announced later and drew significant criticism — paying ransoms funds criminal operations and provides no guarantee of data recovery. In this case, the decryption tool provided by DarkSide reportedly worked so slowly that Colonial largely restored from backups anyway.
The pipeline was back at full capacity within a week.
How the Password Got Out
Investigators from the cybersecurity firm Mandiant, brought in after the attack, traced the initial access to a VPN account — a virtual private network connection that Colonial employees used to log into company systems remotely. The account was no longer actively used. But it was still enabled. And its credentials had been leaked in a separate, earlier data breach.
The FBI later confirmed that the password was found in a batch of leaked credentials on the dark web — a marketplace where stolen data is bought and sold. Someone, presumably a member or affiliate of the DarkSide ransomware group, had purchased or found that batch and run what's known as a credential stuffing attack: an automated process that tests stolen username/password combinations against a target login page at scale. The Colonial VPN portal responded with a successful login.
This is not sophisticated hacking in any technical sense. No zero-day vulnerability was exploited. No custom malware was deployed to crack passwords. The attacker simply found a key that had been left under a digital rock, tried the door, and walked in.
Crucially, the account did not have multi-factor authentication (MFA) enabled. MFA — which requires a second form of verification, like a code sent to your phone, in addition to a password — would almost certainly have stopped the attack at this step. The stolen password alone would not have been enough.
It's worth sitting with that for a moment. The fuel supply of the US East Coast was disrupted for six days partly because one account wasn't configured with a setting that takes about 90 seconds to turn on.
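The detection a defender would run over a VPN portal's authentication log to catch the pattern described above (many failures across many usernames from one source, then a single success), as an added example that is not part of the original article; the log format, source addresses and usernames are constructed for illustration:

```python
import re
from collections import defaultdict

# Constructed sample lines from a hypothetical VPN gateway (not real data).
# Assumed format: "<timestamp> vpn-gw auth: <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2021-04-29T02:11:03Z vpn-gw auth: FAIL user=amartin src=203.0.113.7
2021-04-29T02:11:04Z vpn-gw auth: FAIL user=jlee src=203.0.113.7
2021-04-29T02:11:04Z vpn-gw auth: FAIL user=rpatel src=203.0.113.7
2021-04-29T02:11:05Z vpn-gw auth: FAIL user=tnguyen src=203.0.113.7
2021-04-29T02:11:06Z vpn-gw auth: FAIL user=kwong src=203.0.113.7
2021-04-29T02:11:07Z vpn-gw auth: OK user=bsmith src=203.0.113.7
2021-04-29T08:30:10Z vpn-gw auth: FAIL user=cdavis src=198.51.100.20
2021-04-29T08:30:25Z vpn-gw auth: OK user=cdavis src=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_log(text):
    """Yield (timestamp, result, user, src) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("src")

def detect_stuffing(text, min_users=5, min_failures=5):
    """Return {src: finding} for sources whose failures span many distinct users.

    Credential stuffing shows up as failures for many different accounts from
    one source, often ending in one success (the leaked password that still
    works). A user mistyping their own password fails for one username only
    and is not flagged.
    """
    fails = defaultdict(int)
    users = defaultdict(set)
    success_after_fail = defaultdict(list)
    for ts, result, user, src in parse_log(text):
        if result == "FAIL":
            fails[src] += 1
            users[src].add(user)
        elif fails[src] > 0:
            # A success from a source already failing against other accounts
            # is the event to escalate: that account needs review and a reset.
            success_after_fail[src].append((ts, user))
    findings = {}
    for src in fails:
        if fails[src] >= min_failures and len(users[src]) >= min_users:
            findings[src] = {
                "failures": fails[src],
                "distinct_users": len(users[src]),
                "successes_after_failures": success_after_fail[src],
            }
    return findings
```

The thresholds are deliberately low for the sample; on a real gateway they are tuned against normal failure rates, and the flagged success is the alert that matters.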
The Human Cost: Six Days Without Fuel
For the people who actually experienced the Colonial shutdown, the disruption was not abstract. It was petrol stations with plastic bags over pump handles. It was lines stretching past traffic lights. It was family cars and commercial vehicles queuing for hours. At its peak, more than 10,000 petrol stations along the East Coast were out of fuel, according to tracking data from GasBuddy. In North Carolina, that figure reached 65 percent of all stations. In Washington, DC, it was over 80 percent.
Fuel prices spiked sharply within days. The average national petrol price rose to $3.04 a gallon, the highest since 2014. The ripple effects extended beyond consumers. Aviation was affected — the pipeline supplies jet fuel to major East Coast airports, and some airlines were forced to adjust fuelling strategies, taking on extra fuel at unaffected airports or rerouting to add range rather than refuel at terminals running low.
Hospitals and emergency services in the affected states faced fuel supply problems for backup generators. Several governors declared states of emergency, including those of Georgia, Virginia, North Carolina, and Florida. The federal government temporarily relaxed regulations on the road transport of fuel to allow more flexible trucking of supply — an emergency measure that also revealed just how dependent the region was on pipeline infrastructure that most residents had never thought about.
The panic buying dynamic was a story in itself. Health and safety officials had to publicly urge people not to store petrol in plastic bags or containers not rated for fuel — genuinely dangerous behaviour that caused at least a handful of reported fires. The spectacle of a modern American city running short on something as fundamental as fuel, triggered by a criminal group deploying software purchased from an underground forum, was a kind of cultural shock that went beyond the operational disruption.
When the pipeline came back online on 12 May and normalised by 15 May, the crisis receded quickly. But the week had demonstrated something that critical infrastructure managers had known for years and the public generally hadn't: the digital and physical worlds are not separate. A ransomware infection in an IT office in Georgia could empty petrol stations in Virginia within 72 hours.
Who Is DarkSide?
DarkSide, the criminal group responsible, operated what's known as a ransomware-as-a-service (RaaS) model. They developed the malware and provided it to affiliates — essentially franchising out their criminal operation — in exchange for a cut of the ransom. It's a business model, complete with customer support, affiliate agreements, and reputational management on underground forums.
The affiliate structure is worth understanding in detail, because it explains both the operational scale of modern ransomware and the difficulty of disrupting it. DarkSide, like most mature RaaS operations, split ransom proceeds with affiliates on a sliding scale: affiliates who generated ransoms under $500,000 paid around 25 percent to DarkSide; larger ransoms attracted a lower cut. Affiliates handled their own victim identification, access acquisition, and initial deployment; DarkSide provided the malware, the infrastructure for hosting stolen data, and negotiation support. The arrangement let DarkSide scale without centralising operations — a deliberate resilience strategy.
The group operated what amounted to a press office. They published a blog on the dark web where they listed victims and released stolen data as leverage. When an affiliate hit a target that generated unwanted attention — a hospital, a government agency — DarkSide's administrators would occasionally offer to provide a decryption key for free, a gesture calculated to position them as having standards. Researchers at Mandiant (then FireEye) documented the group's PR strategy in detail, noting it was designed as much to manage affiliate behaviour and maintain reputation in criminal markets as to generate genuine public sympathy.
The group emerged in August 2020 and developed a reputation for selective targeting — they claimed to avoid hospitals, schools, and non-profit organisations, and to only go after companies they'd verified could afford to pay. This was partly ethics-washing (criminal enterprises do PR too) and partly practical: ransomware groups that take down hospitals generate law enforcement attention they'd rather avoid.
DarkSide's leadership appeared, briefly, to be alarmed by the political heat generated by the Colonial attack. In a statement issued after the attack became public, the group said they were "apolitical" and would introduce vetting for targets going forward. The statement had all the authenticity of a corporate press release, but it reflected a real calculation: taking out a major piece of US infrastructure was a different category of act from encrypting a mid-sized manufacturer's files.
On 13 May 2021 — six days after the ransom note appeared on Colonial's screens — DarkSide announced it was shutting down. The statement, circulated through underground forums, claimed that the group had lost access to some of its infrastructure and that servers used for its blog and payment processing had been seized. The Record Media reported that the announcement was partly verified by researchers who confirmed the DarkSide infrastructure had gone offline.
Cybersecurity analysts were largely sceptical that this represented a genuine disbanding. Ransomware groups routinely reboot under new names after law enforcement actions or when public pressure becomes too intense. Several researchers linked DarkSide's successor activity to a group operating as BlackMatter, which emerged in July 2021 and was itself declared shut down in November 2021 following a Europol operation targeting REvil and broader law enforcement pressure. The personnel and tools moved, but they didn't disappear.
The FBI Gets Some Money Back
The Department of Justice announced on 7 June 2021 that it had seized 63.7 Bitcoin — approximately $2.3 million at the time — that represented a significant portion of the ransom payment.
The mechanism was notable. The FBI had obtained the private key to a Bitcoin wallet used by a DarkSide affiliate. Bitcoin transactions are public on the blockchain, so investigators were able to trace the flow of funds from Colonial's payment; the challenge was obtaining the key to actually control the wallet. How the FBI obtained the key was not disclosed. The seizure demonstrated that Bitcoin payments are not as untraceable as ransomware operators often assume — but the majority of the ransom was not recovered.
Deputy Attorney General Lisa Monaco's remarks at the press conference announcing the seizure were notable for their directness: "Today we turned the tables on DarkSide." The DOJ also announced the creation of a new Ransomware and Digital Extortion Task Force to coordinate the government's response across agencies.
The Political Fallout
The Colonial attack accelerated policy discussions that had been building for years. On 12 May 2021 — while the pipeline was still ramping back up — President Biden signed Executive Order 14028, "Improving the Nation's Cybersecurity."
The order was significant in scope. It directed federal agencies to move to zero-trust security architectures, mandated multi-factor authentication for federal systems within 180 days, required software vendors selling to the federal government to meet new security standards, and created a Cybersecurity Safety Review Board modelled loosely on the National Transportation Safety Board. It was the most substantial executive action on cybersecurity in years.
The CISA advisory published in the aftermath of the Colonial attack — jointly issued with the FBI — provided detailed technical indicators of DarkSide activity and broader guidance on ransomware defences for critical infrastructure operators. It remains a useful reference document for industrial control system security.
A Senate investigation later found that Colonial's cybersecurity practices were inadequate for a company of its size and strategic importance. The company had a single individual responsible for IT and OT security. There was no CISO. Cybersecurity was not represented at board level.
The political response went further than the executive order. Congressional hearings through the summer of 2021 produced sharp questioning of both Colonial executives and administration officials. The Senate Homeland Security Committee issued a report in August 2021 that was unusually direct about the company's failures and called for mandatory security standards for pipeline operators.
This triggered a substantive debate that had been avoided for years: whether critical infrastructure operators — privately owned companies operating systems that the public depends on — should be subject to mandatory minimum cybersecurity standards, similar to safety regulations for aviation or pharmaceuticals. The pipeline sector had operated for decades under voluntary guidelines. The Transportation Security Administration, responsible for pipeline security, was better resourced for aviation than for the sprawling network of privately operated infrastructure it nominally oversaw.
The TSA responded to the Colonial attack by issuing a series of Security Directives in 2021 — the first mandatory cybersecurity requirements ever imposed on pipeline operators. Security Directive Pipeline-2021-01 required operators to report cybersecurity incidents to CISA, designate a cybersecurity coordinator reachable 24/7, and review current practices against CISA guidance. Later directives added requirements around network segmentation between IT and OT systems, access control, monitoring, and incident response planning. For an industry that had largely managed these questions internally, the directives represented a meaningful regulatory shift — though critics argued they were still insufficient compared to the binding requirements in sectors like nuclear energy.
Legacy Infrastructure and the Real Lesson
The Colonial Pipeline attack is not primarily a story about sophisticated hackers. It's a story about the security posture of legacy infrastructure — systems built in a different era, extended and patched over decades, often running software that hasn't been updated because nobody wants to take the risk of breaking something that keeps fuel moving.
Critical infrastructure operators face a genuine challenge: patching and updating industrial control systems carries real operational risk. Maintenance windows are narrow. The consequences of an unplanned outage during patching can be severe. This creates a culture of deferred security work that accumulates risk quietly until something dramatic happens.
The specific failure in Colonial's case — an active VPN account with no MFA, associated with a user who wasn't even using it anymore — doesn't fall into this category of hard tradeoffs. That's a basic housekeeping failure. Unused accounts should be disabled. Active remote access accounts should require a second factor. These are not novel requirements; they appear in every security framework published in the last decade.
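A check for the two housekeeping rules above (disable unused accounts, require a second factor on remote access), as an added example that is not from the article or from Colonial; the account fields, usernames and 90-day staleness threshold are assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Account:
    username: str
    enabled: bool
    remote_access: bool         # account can authenticate to the VPN portal
    mfa_enrolled: bool
    last_login: Optional[date]  # None means the account has never logged in

def audit_accounts(accounts, today, stale_after_days=90):
    """Return {username: [findings]} for enabled accounts that break either rule:
    (1) no login within stale_after_days, so it should be disabled;
    (2) remote access enabled without MFA.
    Disabled accounts are skipped: disabling is the desired end state."""
    cutoff = today - timedelta(days=stale_after_days)
    findings = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        problems = []
        if acct.last_login is None or acct.last_login < cutoff:
            problems.append("stale account still enabled: disable it")
        if acct.remote_access and not acct.mfa_enrolled:
            problems.append("remote access without MFA: enforce a second factor")
        if problems:
            findings[acct.username] = problems
    return findings

# Constructed sample directory export (hypothetical names, not real accounts).
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, True, True, date(2021, 4, 30)),         # healthy
    Account("oldvpn", True, True, False, date(2020, 9, 1)),       # the pattern in the article
    Account("contractor7", True, True, False, date(2021, 4, 20)), # active, no MFA
    Account("svc-backup", True, False, False, None),              # never used, internal only
    Account("retired1", False, True, False, date(2019, 1, 1)),    # already disabled
]

def run_sample():
    """Audit the constructed export as of 7 May 2021 (the date of the ransom note)."""
    return audit_accounts(SAMPLE_ACCOUNTS, date(2021, 5, 7))

if __name__ == "__main__":
    for user, problems in run_sample().items():
        print(user, "->", "; ".join(problems))
```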
The lesson is uncomfortable but clear: the organisations running the infrastructure that society depends on are sometimes maintaining it to a standard that would be unacceptable for a mid-sized technology company. The Colonial attack made that gap visible to a public that had previously assumed the pipelines, power grids, and water systems that make modern life possible were secured accordingly.
They often aren't.
Did Anything Actually Change?
Five years on, the honest answer is: somewhat, but not enough.
The TSA Security Directives created a compliance floor that hadn't existed before. CISA's budget was expanded. The Cybersecurity Safety Review Board was created and issued reports. Several major critical infrastructure operators invested significantly in IT/OT network segmentation — the practice of creating hard architectural separation between the corporate IT network and the industrial control systems that actually run physical operations. Colonial itself reportedly invested heavily in its security posture after the attack.
But the broader landscape remains deeply uneven. A 2023 report from the Government Accountability Office found that while CISA had made progress in developing sector-specific cybersecurity guidance, many critical infrastructure operators — particularly in sectors outside energy — still lacked mature incident response capabilities. The water sector, in particular, has faced multiple high-profile incidents since Colonial that suggest the lessons did not transfer across sectors.
The ransomware ecosystem itself adapted rather than retreating. DarkSide became BlackMatter, which became ALPHV/BlackCat, which went on to attack MGM Resorts in 2023. The technical methods evolved. The criminal business models became more sophisticated. The money continued to flow. A Chainalysis report published in early 2024 estimated that ransomware payments reached a record $1 billion in 2023.
The Colonial attack demonstrated that critical infrastructure was vulnerable to fairly unsophisticated attacks. Whether the five years since have adequately addressed that vulnerability is, at best, an open question. The IT/OT gap remains an unresolved challenge at dozens of major operators. The VPN account that let the attackers into Colonial was a basic hygiene failure — and basic hygiene failures remain common across the sector. The next Colonial is not hypothetical. It is a probability function applied to a very large number of under-secured systems.
What changed most visibly after Colonial was the political conversation: suddenly, questions about mandatory minimum standards for critical infrastructure security were not fringe concerns raised by security researchers, they were front-page policy debates. The slow, contentious work of translating that political energy into durable regulatory requirements is still underway.
See our roundup of password managers — the single most effective step most people can take to stop their own accounts ending up in a dark web data dump. And if you want to understand why credential stuffing attacks work so well, the 23andMe breach is a textbook case.