Colonial Pipeline Ransomware Attack; How did Federal Agents Recover Bitcoin and access a Crypto Wallet


Federal authorities are fairly tight-lipped on the method of recovering some $2.3 million in bitcoin paid to cyber-hackers of Colonial Pipeline Cos., last month. It is a rare, but not unprecedented, win for agents who are part of a newly formed Ransomware and Digital Extortion Task Force.

But the big question for crypto market participants may be how the government tactically tracked down the bitcoin allegedly obtained by the Eastern European hacking group known as DarkSide, and how the federal agents obtained access to a password-protected wallet.

The Justice Department on Monday said at a news conference that it had seized about 64 bitcoin paid by Colonial to hackers, valued at roughly $2.3 million, from a virtual wallet.

Here’s what we know through court documents and conversations with those familiar with tactics that may have been employed by the Justice Department and the Federal Bureau of Investigation:

An unidentified special agent with the FBI’s cybercrimes squad, in an affidavit filed with California’s Northern District requesting a warrant to seize the digital assets, says that the agency used public blockchain explorers to track payments made to the hackers.

Blockchain explorers have been described succinctly as the Google of cryptocurrencies and blockchains: they allow users to find details related to transactions on specific wallet addresses and blockchains, including amounts transacted, sources and destinations of funds, and the status of transactions. In this case, the FBI was able to track the addresses where roughly 75 bitcoins were sent to hackers around May 8, court documents show.

The documents indicate that Colonial Pipeline had reached out to the FBI in early May to advise the agency that it had been instructed to send a ransom payment of approximately 75 bitcoin, calculated at the time to be worth $4.3 million to a specific address that was partly redacted in court filings.

A blog post by Dr. Tom Robinson of blockchain analytics firm Elliptic identified the bitcoin address tied to the Colonial hack as bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq, probably the same one mentioned in the seizure affidavit.

Ransomware attacks are those that compel the victim to pay a sum to a specific location to resolve a breach of a company’s computer systems, and increasingly hackers are demanding crypto in exchange for ending their attack. The filings show that the FBI agent used blockchain explorers to track the movement of the crypto to nearly two dozen addresses.
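As an added illustration, not drawn from the article, the court filings or any agency's tooling, the following Python script works through the tracing step the affidavit describes: start from the address the ransom was paid to, follow every transaction that spends from an address already linked to that payment, and tally where the funds come to rest. The ledger, addresses and amounts below are constructed for the example (the 75-bitcoin total mirrors the figure in the article, but the split across addresses is invented); a real explorer would supply the same input/output data from the public chain.

```python
from collections import deque

# Constructed sample ledger (not real Colonial Pipeline transactions).
# Each entry records the addresses a transaction spent from (inputs)
# and the addresses it paid to (outputs), which is the same data a
# public block explorer exposes for any confirmed transaction.
SAMPLE_LEDGER = [
    {"txid": "tx1", "inputs": [("victim", 75.0)],
     "outputs": [("ransom_addr", 75.0)]},
    {"txid": "tx2", "inputs": [("ransom_addr", 75.0)],
     "outputs": [("affiliate", 63.7), ("operator", 11.3)]},
    {"txid": "tx3", "inputs": [("affiliate", 63.7)],
     "outputs": [("hop_a", 40.0), ("hop_b", 23.7)]},
    {"txid": "tx4", "inputs": [("hop_a", 40.0)],
     "outputs": [("hop_c", 39.9), ("hop_a_change", 0.1)]},
    # Unrelated traffic landing on a traced address; it must not be
    # pulled into the trace because it does not spend tainted funds.
    {"txid": "tx5", "inputs": [("someone_else", 5.0)],
     "outputs": [("hop_c", 5.0)]},
]


def build_spend_index(ledger):
    """Map each address to the transactions that spend from it."""
    spends_from = {}
    for tx in ledger:
        for addr, _amount in tx["inputs"]:
            spends_from.setdefault(addr, []).append(tx)
    return spends_from


def trace_funds(ledger, start_address, max_hops=10):
    """Breadth-first trace from start_address.

    Returns (visited, followed, balance):
      visited  - address -> number of hops from the start address
      followed - transaction ids followed, in discovery order
      balance  - address -> net amount received minus forwarded,
                 counting only the transactions that were followed
    """
    spends_from = build_spend_index(ledger)
    visited = {start_address: 0}
    followed, seen_txids = [], set()
    balance = {}
    queue = deque([start_address])
    while queue:
        addr = queue.popleft()
        if visited[addr] >= max_hops:
            continue  # stop expanding once the hop budget is exhausted
        for tx in spends_from.get(addr, []):
            if tx["txid"] in seen_txids:
                continue  # a transaction may spend from several traced inputs
            seen_txids.add(tx["txid"])
            followed.append(tx["txid"])
            for in_addr, amount in tx["inputs"]:
                balance[in_addr] = balance.get(in_addr, 0.0) - amount
            for out_addr, amount in tx["outputs"]:
                balance[out_addr] = balance.get(out_addr, 0.0) + amount
                if out_addr not in visited:
                    visited[out_addr] = visited[addr] + 1
                    queue.append(out_addr)
    return visited, followed, balance


def resting_addresses(balance):
    """Addresses still holding traced funds, largest holding first."""
    holdings = [(addr, amt) for addr, amt in balance.items() if amt > 0]
    return sorted(holdings, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    visited, followed, balance = trace_funds(SAMPLE_LEDGER, "ransom_addr")
    print("followed:", followed)
    for addr, amount in resting_addresses(balance):
        print(f"{addr}: {amount} BTC, {visited[addr]} hop(s) from the ransom address")
```

The trace deliberately follows only transactions that spend from an already-linked address, so the unrelated 5 BTC that lands on `hop_c` in `tx5` is not attributed to the ransom. Real tracing has to cope with what this toy ledger omits, notably transactions that mix tainted and untainted inputs and exchanges that pool many customers' coins, which is where commercial analytics firms apply clustering heuristics rather than a plain graph walk.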

A private key for a virtual wallet linked to one of the addresses, where the cryptocurrency sat for some time, was obtained by the FBI, but the agency didn’t disclose how it obtained the key, which functions like a password for the wallet by authorizing spending from it. A crypto wallet can be used to store bitcoin, user addresses and other private key information.

Advocates of blockchain technology have long touted the traceability of the distributed public ledger as one counterpoint to those who say crypto is largely used for illicit activities. “This action by US authorities demonstrates the value of blockchain analytics to track down proceeds of crime in cryptocurrency, and ensure that ransomware does not pay for the criminals behind it,” Robinson wrote. That said, cracking a crypto wallet is usually the remit of hackers and not the FBI.

National Public Radio speculated on 3 possible ways federal agents obtained DarkSide’s private key:

  1. Carelessness by the perpetrator
  2. Help from an insider at the ransomware group
  3. Possible help from a wallet provider or exchange

What is being dismissed is the idea that federal agents somehow employed their own hacking methods to obtain the private key.

On Tuesday, Colonial Pipeline Co. CEO Joseph Blount said the company was still working to fully restore some of its computer systems harmed by last month’s attack. The pipeline company operates the largest refined-products pipeline in the country, spanning more than 5,500 miles and transporting more than 100 million gallons, or 2.5 million barrels, of fuel a day to consumers from Houston to the New York Harbor.

Speaking to the Senate Homeland Security Committee during a hearing, Blount explained why he decided to pay the hackers, especially since the FBI tends to discourage ransom payments because doing so can encourage such acts.

“I made the decision to pay, and I made the decision to keep the information about the payment as confidential as possible,” Blount said. He said that the decryption keys that the hackers provided in exchange for the payment didn’t provide an immediate restoration of the pipeline’s services, which were gummed up for nearly a week and briefly led to a run on gasoline in parts of the East Coast.

The government’s recovery of the bitcoin may have contributed to a slump in bitcoin and other crypto.

“The US government took over the server where the wallet existed and somehow got the private key for the address that held the majority of the funds,” said Edward Moya, Senior Market Analyst, The Americas, at OANDA. “This uncertainty over how they got their private key is scaring many bad players to exit Bitcoin holdings.”