How the feds seized the Colonial Pipeline ransom
Posted on
Last month, a professional hacking syndicate known as DarkSide shut down one of the major oil pipelines that feeds the eastern United States, causing a small amount of chaos until they’d been paid roughly $4.4 million in bitcoin.
This week, the U.S. Department of Justice announced they’d recovered about $2.3 million of the paid ransom. If the ransom had been fiat currency, recovering the funds would’ve been straightforward, but in the world of crypto, it raises some questions:
The DOJ said law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins ($3.77 million on May 8), “representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the ‘private key,’ or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address.”
How it came to have that private key is the key question. Nicholas Weaver, a lecturer at the computer science department at University of California, Berkeley, said the most likely explanation is that law enforcements agent seized money from a specific DarkSide affiliate responsible for bringing the crime gang the initial access to Colonial’s systems.
“The ‘obtained the private key’ part of their statement is doing a lot of work,” Weaver said, point out that the amount the FBI recovered was less than the full amount Colonial paid.
“It is ONLY the Colonial Pipeline ransom, and it looks to be only the affiliate’s take.”
This question of how the DOJ managed to do this belies a certain misunderstanding about how cryptocurrencies actually work. The first is that crypto is inherently secret, when the reality is the exact opposite. Every transaction is published on the ledger defined by a cryptocurrency’s protocol, meaning it’s possible to view every single transaction ever made. If you know the address of a crypto wallet, you can identify all of the coins sent and received by that address. The DOJ was able to identify a single address that most of the ransom had been transferred to.
The second misunderstanding is that crypto is inherently secure, or can’t be stolen like, say, cash. Bitcoin wallets rely on public key cryptography, just like every other secure computer system, and the private key for accessing a wallet is secured with a passphrase. If you have the private key and the passphrase, you can make any transfer to and from that wallet, just like if you had the username and password to someone’s online bank account. Unlike an FDIC secured bank account, though, if someone empties your bitcoin wallet, it’s gone for good.
For obvious reasons, the DOJ is pretty mum on how they managed to secure the private key and passphrase. It seems like they had access to a DarkSide server where the keys were stored, so there was likely some good old fashioned spycraft or law enforcement involved.