Colonial Pipeline attack: How did the FBI recover the ransom money?

The FBI claimed it recovered millions of dollars in Bitcoin paid as ransom during the attack against the Colonial Pipeline — a feat that is now generating more questions than answers.

The Justice Department and the FBI announced Monday it had seized 63.7 bitcoins (worth about $2.3 million at the time) from a Bitcoin wallet thought to be controlled by cybercriminals tied to a Russia-based collective called DarkSide, which operates on a “ransomware-as-a-service” model. Recovery of the cryptocurrency ransom from its presumably savvy holders, especially in such a short time, left many experts stunned.

While many details about the operation to recover the funds remain unclear, perhaps the biggest mystery, and the one that has so many people scratching their heads, is how the FBI managed to get the “private key” used to unlock and pull assets from the criminals’ specific Bitcoin address. In the realm of cryptocurrency, a private key functions like a password and is closely guarded, especially among groups dealing with such large amounts of stolen money. Experienced Bitcoin holders typically don’t link their private keys to the internet at all, instead using “cold wallets.”

The news that the long arm of the law could seize the ransom shook the cryptocurrency markets, with Bitcoin falling below 10% on Tuesday. Some of that selloff was likely attributable to jitters that some investors have about government regulation and anxiety caused by seeing that the FBI could hunt down and return the funds.


But how did the FBI manage to pull off the feat? April Falcon Doss, executive director of the Institute for Technology Law and Policy at Georgetown Law, said that there are several theories, although some are more plausible than others.

Doss, who also worked for more than a decade at the National Security Agency, told the Washington Examiner that among the more likely theories is that an individual or group who had possession of the funds was using a “hot wallet,” or one that was connected to the internet.

If a cryptocurrency exchange owned the Bitcoin address, the FBI could theoretically attempt to get the information it needed. It is worth noting that one of the largest cryptocurrency exchanges, Coinbase, claims to have had no involvement with the Bitcoin seizure.

She also said one of the individuals involved in the attack could have exercised some poor operational security and passed the private key through a communications resource that the FBI was able to surveil.

“More sophisticated cybercriminals are not going to leave funds on an exchange with a hot wallet,” she said.

However, she added that if somebody in that group of cybercriminals was less sophisticated, that person might have slipped up and put the money in a hot wallet during the series of transactions.

The series of transactions that Doss was referring to are the steps the FBI took to track the funds before pulling them from the wallet using a private key. The FBI outlined in an affidavit that it used a “blockchain explorer” to scour the public Bitcoin ledger, tracking where the payments went and how the Bitcoin was moved from address to address across several transactions. The FBI was then able to track down the funds, which finally landed in one address on May 27 and stopped moving.


The suspects shuffled the money to various addresses to muddy the waters and obscure their trail in a move somewhat akin to money laundering, according to Bloomberg. The FBI was able to use the blockchain explorer to track it every step of the way.
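The tracing step the article describes (following the ransom payment forward through the public ledger until the funds come to rest) is the kind of analysis a blockchain explorer automates. The following is an added example, not code from the article, the FBI affidavit, or any explorer product: it builds a small constructed ledger of hypothetical transactions (the txids, addresses and amounts are made up, and fees are ignored), then walks forward from the ransom payment and reports each unspent output where the money stopped moving, with the path of transactions that led there.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    address: str
    amount: float  # BTC; constructed sample values, fees ignored


@dataclass
class Tx:
    txid: str
    inputs: list   # outpoints (txid, output_index) this transaction spends
    outputs: list  # Output objects created by this transaction


# Constructed toy ledger (hypothetical txids and addresses). The ransom
# payment is split, one branch is hopped through fresh addresses, and the
# other branch is spent to a separate address.
LEDGER = [
    Tx("ransom_payment", [], [Output("addr_A", 75.0)]),
    Tx("split1", [("ransom_payment", 0)],
       [Output("addr_B", 11.3), Output("addr_C", 63.7)]),
    Tx("hop2", [("split1", 1)], [Output("addr_D", 63.7)]),
    Tx("hop3", [("hop2", 0)], [Output("addr_E", 63.7)]),
    Tx("affiliate_spend", [("split1", 0)], [Output("addr_F", 11.3)]),
]


def build_spend_index(ledger):
    """Index transactions by txid and map each spent outpoint to its spender.

    An outpoint absent from the spend map is unspent, i.e. the funds are at
    rest there. A second spend of the same outpoint is rejected, since a
    valid ledger never contains one.
    """
    by_id = {tx.txid: tx for tx in ledger}
    spent_by = {}
    for tx in ledger:
        for outpoint in tx.inputs:
            if outpoint in spent_by:
                raise ValueError(f"outpoint {outpoint} spent twice")
            if outpoint[0] not in by_id:
                raise ValueError(f"input references unknown tx {outpoint[0]}")
            spent_by[outpoint] = tx.txid
    return by_id, spent_by


def trace_forward(ledger, start_txid):
    """Follow every output of start_txid forward until the coins stop moving.

    Returns one record per terminal (unspent) output: the resting address,
    the amount, the number of hops from the starting transaction, and the
    list of txids traversed to reach it.
    """
    by_id, spent_by = build_spend_index(ledger)
    queue = deque(
        ((start_txid, idx), [start_txid])
        for idx in range(len(by_id[start_txid].outputs))
    )
    seen, resting = set(), []
    while queue:
        outpoint, path = queue.popleft()
        if outpoint in seen:
            continue
        seen.add(outpoint)
        spender = spent_by.get(outpoint)
        if spender is None:  # nobody has spent this output yet
            out = by_id[outpoint[0]].outputs[outpoint[1]]
            resting.append({"address": out.address, "amount": out.amount,
                            "hops": len(path) - 1, "path": path})
            continue
        # Funds moved on: enqueue every output of the spending transaction.
        for idx in range(len(by_id[spender].outputs)):
            queue.append(((spender, idx), path + [spender]))
    return resting


def resting_balances(ledger, start_txid):
    """Total amount at rest per address, largest first."""
    totals = {}
    for rec in trace_forward(ledger, start_txid):
        totals[rec["address"]] = totals.get(rec["address"], 0.0) + rec["amount"]
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for rec in trace_forward(LEDGER, "ransom_payment"):
        print(f"{rec['address']}: {rec['amount']} BTC after {rec['hops']} hops "
              f"via {' -> '.join(rec['path'])}")
```

On a real ledger the same walk runs over actual transaction data rather than a hand-built list, and an investigator would stop at the outputs that remain unspent; in the constructed ledger above, the larger branch comes to rest at addr_E after three hops, which is the analogue of the single address the article says the funds reached on May 27.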

Doss said another way investigators potentially got ahold of the key is because DarkSide was known to law enforcement before the attack, so the FBI could have already had surveillance on one or more members of the group who then passed the key along to someone else.

Shortly after news of the reclaimed ransom broke, it was also revealed the FBI has secretly run encrypted communications phones used by criminals to monitor their activity. The communications company, called Anom, was used to carry out Operation Trojan Shield, which netted 800 suspected criminals worldwide.

Doss said some speculation has fallen upon the Anom communications program itself and whether those involved in the ransomware attack might have been using the phones to communicate. However, she said even if hackers were using the Anom platform, it would again come back to poor tradecraft because one would have had to share the private key with another person for investigators to figure out what it was.

Additionally, there is always the chance that someone involved in the ransomware attack (which gained outsize attention for its effect on gas prices and shortages) or in DarkSide tipped off the FBI about the key.

“All the buzz is around how the FBI did this and, not surprisingly, the FBI is keeping mum because whatever investigative tools and techniques they used, they certainly will want to be able to use those in future cases,” she said.

At the end of the day, Doss said the best indicator of how the FBI pulled this operation off will come in the coming months, if there are other instances of similar FBI successes.

“Then we’ll start having a better idea whether this was sort of a lucky accident or something that they can replicate in other ransomware incidents,” she said.

The Justice Department recently announced the Ransomware and Digital Extortion Task Force to further crack down on groups like DarkSide and its affiliates. Sarah Kreps, director of the Cornell Tech Policy Lab, told the Washington Examiner she thinks the formation is a “meaningful step” in preventing future attacks.


Kreps also said the news of the Colonial Pipeline ransom seizure might put some of the bad actors and those engaged in ransomware attacks on alert. In most cases, she said it seems the hacker has the advantage over the victim and hinted that the quick recovery of the ransom by the FBI could be a big moment in the fight against these sorts of attacks.

In a digital sense, she said some might see the FBI’s success in recovering the money as proof that victims of ransomware attacks who are forced to pay might not be completely defenseless.
