Well well look what we have here.
The FBI "recovered" most of the Colonial cryptojack ransom payment.
Which had the bitcoin in it.
Which means it wasn't Russia-Russia-Russia, was it?
Likely the BTC was at Coinbase, since the location is identified as "Northern District of California" although that's speculation.
You won't convince me that Putie-boy hacked Colonial (nor any Russian group associated with him) and had the funds sent to a US custodial account and then left them there instead of transferring it somewhere outside the US originally (BTC is global, after all) and then immediately moving it offline into a "hard" wallet where you would have to obtain the physical hardware. Any "state-sponsored" entity would have done that within minutes of the transaction occurring.
In other words, the Feds lied.
Next question: "Know Your Customer" law applies to US custodians and exchanges. So who was it held on behalf of? "I don't know" is a bad answer by the way.
PS: If an immediate indictment against whoever held that account, or against the custodian themselves as accessories to the crime, is not forthcoming, then my presumption changes -- within days -- to this: it was not a "hack" at all, it was an internal attack by our own government against Colonial. Why? Because KYC law is clear and so is where they seized the Bitcoin, so either the person(s) responsible are known and get busted immediately, the custodian gets busted for knowingly engaging in money laundering and as an accessory, or the government did it.