Blockchain & Cryptocurrency , Critical Infrastructure Security , Cybercrime

How Did FBI Recover Colonial Pipeline's DarkSide Bitcoins?

Suspect's Device, Seized by Foreign Law Enforcement Agency, May Have Had Private Key
How Did FBI Recover Colonial Pipeline's DarkSide Bitcoins?

Cryptocurrency has a reputation for being tough to trace, which is just one reason anonymity-craving criminals favor using it. In reality, however, bitcoin and other cryptocurrencies don't make users anonymous. Thanks to the blockchain, transactions can be traced, and especially when users convert cryptocurrency to cash, law enforcement and intelligence agencies have extra opportunities to tie the transaction to an individual's identity.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

As with all things involving encryption, furthermore, sometimes law enforcement officials don't need to crack the crypto, or unmask bitcoin users, to find and seize funds or break cases. Other techniques may be available (see: Encrypted Communications Network 'Anom' Was Sting Operation).

For example, in what seems like a rare piece of good ransomware news of late, the U.S. Department of Justice on Monday announced that it was able to recover 63.7 of the 75 bitcoins paid to the DarkSide ransomware-as-a-service operation by Colonial Pipeline. The private company provides about 45% of the fuel used along the East Coast, and the May attack led to public hoarding over a lack of supply. CEO Joseph Blount's decision to pay criminals the equivalent of $4.4 million, meanwhile, landed him in the congressional hot seat, as he was called to testify this week before multiple committees.

But how did the FBI recover the nearly 64 bitcoins - now worth just $2.3 million, due to cryptocurrency fluctuations?

"By reviewing the bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim's ransom payment, had been transferred to a specific address, for which the FBI has the 'private key,'" Deputy U.S. Attorney General Lisa Monaco said at a Monday press conference.

"The extortionists will never see this money," Stephanie Hinds, the acting U.S. attorney for the Northern District of California, said at the press conference.

Wallets are used to store cryptocurrency, and a private key - the equivalent of a password - is required to unlock the wallet and control any funds it stores.

Officials have declined to provide further details about exactly how they obtained the key.

More Clues to the Recovery

But Pamela Clegg, director of education and investigations for blockchain analytics company CipherTrace, speaking at the annual Digital Investigations Conference hosted by Swiss digital investigations product reseller Arina, said that she had it "on good authority" that the FBI got access to the DarkSide bitcoin wallet via a private key to the wallet, found on a device that got seized by a foreign law enforcement agency before the Colonial Pipeline attack happened or any ransom got paid.

The FBI didn’t immediately respond to a request for comment about Clegg's insight. If true, however, it suggests that a foreign law enforcement agency had eyes on a suspect with ties to DarkSide, or at least the money laundering part of the operation.

The FBI has rightly been trumpeting the recovery and its implications for individuals with a penchant for cybercrime. "You can’t hide behind cryptocurrency," Elvis Chan, the assistant special agent in charge of the cyber branch of the FBI’s San Francisco field office, tells The Wall Street Journal.

Officials said Colonial Pipeline having immediately alerted the bureau to its May 9 payment to DarkSide - and the precise bitcoin address to which it transferred cryptocurrency - helped the FBI recover some of the proceeds.

In a Monday affidavit in support of a search warrant filed with the Northern District of California U.S. District Court, an FBI special agent - name redacted - notes that the day after Colonial Pipeline's payment, the cryptocurrency was moved through at least six other bitcoin wallets. The bureau followed the flow of funds until they ended up in a wallet for which the private key "is in the possession of the FBI of the Northern District of California," according to the special agent.

More Bitcoin Seizures

This isn't the first time that the bureau has seized bitcoins as part of an investigation.

In January, as part of the FBI's disruption of the NetWalker ransomware-as-a-service operation, the government successfully seized about $454,530 worth of cryptocurrency that the operation had received via ransom payments, the Justice Department said in a news release, although it provided no details on exactly how this was done. Presumably, a suspect furnished private keys during the course of an investigation, in an attempt to reduce the charges they faced.

Last year, the U.S. seized bitcoins then worth more than $1 billion that had eventually been linked to the notorious Silk Road darknet marketplace, which specialized in mail-order narcotics. In 2013, the FBI arrested Ross Ulbricht, aka "Dread Pirate Roberts," with an agent tackling Ulbricht while he worked at the Glen Park Branch Library in San Francisco so he would not be able to shut down his computer.

Aside from copious amounts of evidence, that maneuver also enabled the FBI to seize 174,000 bitcoins from Ulbricht, worth about $105 million at the time. The cryptocurrency was later sold at auction, and Ulbricht was sentenced to life in federal prison.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ransomware.databreachtoday.com, you agree to our use of cookies.