By Mark DeCambre
U.S. federal authorities are fairly tight-lipped on the method of recovering some $2.3 million in bitcoin paid to the hackers of Colonial Pipeline Cos. last month. It is a rare, but not unprecedented, win for agents who are part of a newly formed Ransomware and Digital Extortion Task Force.
But the big question for crypto market participants may be how the government tactically tracked down the bitcoin allegedly obtained by the Eastern European hacking group known as DarkSide and how the federal agents obtained access to a password-protected wallet.
The U.S. Justice Department on Monday said at a news conference that it seized about 64 bitcoin paid by Colonial to hackers, valued at roughly $2.3 million, from a virtual wallet.
Here’s what we know through court documents and conversations with those familiar with tactics that may have been employed by the Justice Department and the Federal Bureau of Investigation:
An unidentified special agent with the FBI’s cybercrimes squad, in an affidavit filed in the Northern District of California requesting a warrant to seize the digital assets, says that the agency used public blockchain explorers to track payments made to the hackers.
Blockchain explorers have been described succinctly as the Google of cryptocurrencies and blockchain and they allow users to find details related to transactions on specific wallet addresses and blockchains including amounts transacted, sources and destination of funds, and status of the transactions.
In this case, the FBI was able to track the addresses where roughly 75 bitcoins were sent to hackers around May 8, court documents show.
The documents indicate that Colonial Pipeline had reached out to the FBI in early May to advise the agency that it had been instructed to send a ransom payment of approximately 75 bitcoin, calculated at the time to be worth $4.3 million to a specific address that was partly redacted in court filings.
A blog post by Dr. Tom Robinson of blockchain analytics firm Elliptic identified the bitcoin address tied to the Colonial hack as address bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq — probably the same one mentioned in the seizure affidavit.
Ransomware attacks are those that compel the victim to pay a sum to a specific location to resolve a breach of a company’s computer systems, and increasingly hackers are demanding crypto in exchange for ending their attack.
The filings show that the FBI agent used blockchain explorers to track the movement of the crypto to nearly two dozen addresses.
A private key for a virtual wallet linked to one of the addresses, where the cryptocurrency sat for some time, was obtained by the FBI, but the agency didn’t disclose how it obtained the key, which serves as a password for the wallet. A crypto wallet can be used to store bitcoin, user addresses and other private key information.
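The tracing the affidavit describes, following a payment from the ransom address through a chain of intermediate addresses and noting where the funds came to rest, is the basic job of a blockchain explorer or analytics tool. The script below is an added example, not code from the article, from Elliptic or from the FBI: it runs the same forward trace over a small set of constructed transactions (made-up labels such as `ransom_addr`, `hop_a` and `wallet_x`, with amounts in satoshis) so it works offline. Real analysis would pull transaction data from a node or explorer API instead.

```python
"""Toy forward fund-flow tracer over a constructed bitcoin-style transaction graph.

Added example; the transactions and address labels below are constructed for
illustration and are not real on-chain data.
"""
from collections import deque

# Constructed sample transactions. Each input/output is (address, satoshis).
# The difference between input and output totals is the miner fee.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": [("victim", 7_500_000_000)],
     "outputs": [("ransom_addr", 7_500_000_000)]},            # 75 BTC ransom
    {"txid": "tx2", "inputs": [("ransom_addr", 7_500_000_000)],
     "outputs": [("hop_a", 6_370_000_000), ("hop_b", 1_129_000_000)]},  # split, 0.01 BTC fee
    {"txid": "tx3", "inputs": [("hop_a", 6_370_000_000)],
     "outputs": [("wallet_x", 6_370_000_000)]},               # parks at wallet_x
    {"txid": "tx4", "inputs": [("hop_b", 1_129_000_000)],
     "outputs": [("exchange_1", 1_129_000_000)]},             # smaller slice moves on
    {"txid": "tx5", "inputs": [("unrelated", 100_000_000)],
     "outputs": [("wallet_x", 100_000_000)]},                 # unrelated deposit, co-mingled
]


def build_outflow_index(txs):
    """Map each spending address to the (txid, destination, amount) outputs it funded."""
    idx = {}
    for tx in txs:
        for src, _ in tx["inputs"]:
            for dest, amt in tx["outputs"]:
                idx.setdefault(src, []).append((tx["txid"], dest, amt))
    return idx


def trace_forward(txs, start, max_hops=None):
    """Breadth-first trace downstream from `start`.

    Returns ({address: hop distance}, [(txid, from, to, amount), ...]).
    `max_hops` bounds how far to follow, which keeps real traces tractable.
    """
    idx = build_outflow_index(txs)
    seen = {start: 0}
    edges = []
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        hop = seen[addr]
        if max_hops is not None and hop >= max_hops:
            continue
        for txid, dest, amt in idx.get(addr, []):
            edges.append((txid, addr, dest, amt))
            if dest not in seen:
                seen[dest] = hop + 1
                queue.append(dest)
    return seen, edges


def balances(txs):
    """Net balance per address: credits from outputs minus debits from inputs."""
    bal = {}
    for tx in txs:
        for addr, amt in tx["inputs"]:
            bal[addr] = bal.get(addr, 0) - amt
        for addr, amt in tx["outputs"]:
            bal[addr] = bal.get(addr, 0) + amt
    return bal


def holding_addresses(txs, start):
    """Addresses reachable from `start` that still hold a positive balance.

    Note the caveat visible in the sample: wallet_x holds 64.7 BTC, but only
    63.7 BTC of that is traceable to the ransom; address-level tracing
    co-mingles unrelated deposits unless you track individual outputs.
    """
    reached, _ = trace_forward(txs, start)
    bal = balances(txs)
    return {a: bal[a] for a in reached if bal.get(a, 0) > 0}


if __name__ == "__main__":
    reached, edges = trace_forward(SAMPLE_TXS, "ransom_addr")
    for txid, src, dst, amt in edges:
        print(f"{txid}: {src} -> {dst}  {amt / 1e8:.2f} BTC")
    for addr, sat in holding_addresses(SAMPLE_TXS, "ransom_addr").items():
        print(f"{addr} currently holds {sat / 1e8:.2f} BTC ({reached[addr]} hops out)")
```

Running it lists the two-hop path from `ransom_addr` to `wallet_x` and `exchange_1` and reports where the funds sit; the `max_hops` argument is what an analyst would tune when a real trace fans out across dozens of addresses.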
Advocates of blockchain technology have long touted the traceability of the distributed public ledger as one counterpoint to those who say crypto is largely used for illicit activities.
“This action by US authorities demonstrates the value of blockchain analytics to track down proceeds of crime in cryptocurrency, and ensure that ransomware does not pay for the criminals behind it,” Robinson wrote.
That said, cracking a crypto wallet is usually the remit of hackers and not the FBI.
National Public Radio speculated on 3 possible ways federal agents obtained DarkSide’s private key:
Carelessness by the perpetrator