The U.S. Department of Justice recovered almost 85 percent of the 75 Bitcoin Colonial Pipeline Company paid to ransomware hackers during a cyberattack that led to widespread gasoline supply shortages in the southeastern U.S. last month.
Despite the recovery, Colonial is still down more than 40 percent of its original cash expenditure to pay the ransom, due to a collapse in Bitcoin market price caused by the centralization of Bitcoin mining in Communist Party-controlled mainland China.
In early May, Colonial reportedly paid ransomware group DarkSide 75 BTC in order to obtain decryption software to unlock the systems the ransomware had shut down, despite earlier reports in the Washington Post and Reuters, citing anonymous sources, that the company had refused to pay.
The decryption tool Colonial received was faulty and slow, however, leading the company to rely on its own backups to restore its systems.
In a June 7 Affidavit filed by the FBI in support of a seizure warrant for the portion of Colonial’s ransom retrieved, the Bureau refers to Colonial as “part of the critical infrastructure sector of the United States,” and confirms the company paid 75 BTC, valued at approximately $4.3 million USD, on May 8 to a specific wallet address on the Bitcoin blockchain.
Based on this calculation, Colonial spent approximately $57,300 USD per BTC to pay off the attackers.
While a specific Bitcoin address is not by itself tied to a real-world identity, the blockchain ledger of the world’s largest cryptocurrency is completely public and subject to an array of professional-caliber forensic analysis tools. The FBI used the transparent nature of the Bitcoin blockchain to track where the money went.
Investigators found the hackers first sent a very small sum of Bitcoin to a test address before moving the 75 BTC sum to a separate wallet. Later the same day, they moved the whole sum again to the test address, before splitting it into approximately 11.25 and 63.75 BTC sent to two new wallet addresses.
The 63.75 BTC portion of the transaction bounced around a few times before landing in a specific address defined in the Affidavit as “Subject Address.”
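As an added illustration (not from the article or the FBI affidavit), the following Python follows funds forward through a constructed toy ledger that mirrors the hops described above: a small test payment, the full sum moved on and back, the 11.25/63.75 split, and a couple of further hops. Addresses, transaction ids and amounts are placeholders, and a forensic analyst working on the real chain would use the same breadth-first walk over actual transaction outputs.

```python
from collections import defaultdict, deque

# Constructed toy ledger (not real Bitcoin data; labels are placeholders).
# Each entry: (txid, input addresses spent, [(output address, BTC), ...]).
LEDGER = [
    ("tx1", ["RANSOM"],   [("TEST", 0.01), ("RANSOM", 74.99)]),  # test payment, change back
    ("tx2", ["RANSOM"],   [("WALLET_A", 74.99)]),                # whole sum moved on
    ("tx3", ["WALLET_A"], [("TEST", 74.99)]),                    # moved back to the test address
    ("tx4", ["TEST"],     [("SPLIT_1", 11.25), ("SPLIT_2", 63.75)]),
    ("tx5", ["SPLIT_2"],  [("HOP_1", 63.75)]),
    ("tx6", ["HOP_1"],    [("SUBJECT", 63.75)]),                 # stand-in for the "Subject Address"
    ("tx7", ["OTHER"],    [("SUBJECT", 1.00)]),                  # unrelated funds, must not be traced
]


def build_spend_index(ledger):
    """Map each address to the transactions that spend from it."""
    index = defaultdict(list)
    for txid, inputs, outputs in ledger:
        for addr in inputs:
            index[addr].append((txid, outputs))
    return index


def trace_forward(ledger, start, dust=0.0):
    """Breadth-first walk of every spend reachable from `start`.

    Returns (hops, sinks): hops is a list of (txid, from, to, BTC) in
    traversal order; sinks maps addresses that never spend onward to the
    BTC that reached them along traced paths (outputs <= dust are ignored).
    """
    index = build_spend_index(ledger)
    hops, sinks = [], defaultdict(float)
    seen, queue = {start}, deque([start])
    while queue:
        addr = queue.popleft()
        for txid, outputs in index.get(addr, []):
            for out_addr, amount in outputs:
                if amount <= dust:
                    continue
                hops.append((txid, addr, out_addr, amount))
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append(out_addr)
    for _, _, to_addr, amount in hops:
        if to_addr not in index:          # terminal address: funds still sit there
            sinks[to_addr] += amount
    return hops, dict(sinks)


if __name__ == "__main__":
    hops, sinks = trace_forward(LEDGER, "RANSOM")
    for hop in hops:
        print("%s: %s -> %s  %.2f BTC" % hop)
    print("terminal balances:", sinks)
```

Note that the 1.00 BTC arriving at SUBJECT from OTHER is never counted, because only funds that actually descend from the starting address are followed.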
The FBI only says in the Affidavit that “The private key for the subject address is in the possession of the FBI in the Northern District of California.”
Bitcoin wallets are composed of two portions: a “public key” and a “private key.” The public key is a public-facing address that a user would use to receive Bitcoin, somewhat analogous to a safety deposit box. The “private key” is a concept much like a physical key for a physical lock, hidden from the public network, controlled by the owner of the wallet, and needed to “sign” transactions to verify ownership under network rules to send Bitcoin from one wallet to another.
In short, the hackers that Colonial paid their ransom to moved 85 percent of their loot into a safety deposit box that U.S. federal law enforcement actually had the key to.
While their method has not been publicly disclosed, the FBI either obtained the private key to the hackers’ wallet, or tricked the hackers into moving their money into a wallet that the FBI controlled.
In a June 8 article by NPR, April Falcon Doss, Executive Director for the Institute for Technology Law and Policy at Georgetown Law, makes three reasonable speculations as to how the FBI pulled off its counter-larceny operation.
The first is that a snitch on the inside of the operation tipped the FBI off. For that theory to be plausible, the snitch would have had to have control of the private key for the wallet address themselves, meaning they decided to give nearly 64 BTC to U.S. federal law enforcement rather than try to spend it themselves.
The second possibility is that the criminals were careless and the FBI was able to steal the private key through a counter-cyber espionage maneuver made possible by failures in DarkSide’s operational security.
Doss’s third, and most likely, scenario is that the FBI may have leveraged information from the exchange the hackers sent their coins to while attempting to convert them from crypto to spendable fiat currency.
In short, the FBI would have determined (through forensic blockchain analysis) which Bitcoin exchange the money was sent to, contacted the exchange to intervene, and then the exchange sent the stolen funds from its own wallet to one the FBI controls.
Unfortunately for Colonial, the 63.70 Bitcoin recovered by the FBI was purchased at an original price of $3.65 million USD. Because of a major price crash caused by the Chinese Communist Party’s recent ban on cryptocurrency mining operations in the country, today’s price of approximately $34,000 USD leaves the same wallet worth a meager $2.165 million USD.
Thanks to price volatility caused by the centralization of Bitcoin mining operations under CCP-controlled entities, Colonial is stuck holding a red bag and is an additional $1.5 million USD in the hole beyond the 11.25 BTC DarkSide managed to make off with.