Bitcoin Forum
Topic: Official says US seized cryptocurrency ransom paid to Colonial Pipeline hackers
jaysabi (OP)
June 07, 2021, 07:40:02 PM
 #1

The Associated Press is reporting that US authorities have seized the ransom that was paid to the Colonial Pipeline hackers.  Since the payment was made in cryptocurrency, I'm actually really interested in what they're going to say at the press conference later about how they "seized" the ransom.

WASHINGTON -- The U.S. government has seized millions of dollars in a cryptocurrency payment made to hackers after a cyberattack that caused the operator of the nation's largest fuel pipeline to halt its operations last month, a law enforcement official said Monday.

FBI and Justice Department officials were to disclose the operation at a news conference later Monday. The official was not authorized to discuss the news ahead of the news conference and spoke on condition of anonymity.

Georgia-based Colonial Pipeline, which supplies roughly half the fuel consumed on the East Coast, temporarily shut down its operations on May 7 after a gang of criminal hackers known as DarkSide broke into its computer system.

Colonial officials have said they took their pipeline system offline before the attack could spread to its operating system, and decided to pay a roughly $4.4 million ransom in an effort to bring itself back online as soon as it could.

The FBI generally discourages the payment of ransom, fearing it could encourage additional hacks.

ulhaq
June 07, 2021, 10:39:51 PM
 #2

According to this article they got the hacker's private key: https://californianewstimes.com/us-says-it-has-recovered-large-portion-of-colonial-pipeline-ransom/383269/
Unclear how, but it mentions some servers being seized, so maybe they got access to a physical device. Or perhaps they got malware onto the device or there was a cooperating exchange.
TravelMug
June 08, 2021, 01:50:57 AM
 #3

Quote
According to this article they got the hacker's private key: https://californianewstimes.com/us-says-it-has-recovered-large-portion-of-colonial-pipeline-ransom/383269/
Unclear how, but it mentions some servers being seized, so maybe they got access to a physical device. Or perhaps they got malware onto the device or there was a cooperating exchange.

Really hard to say if they got the private key, but it is really weird if they try to hack back the hackers?

Servers don't contain the private key, and I believe that the hackers will keep it somewhere safe. So it is really mind-boggling: if governments have the ability to track and seize the ransom, then by all means they can get to anyone.

Anyhow, this is clearly a cyber war now against those groups of hackers who are targeting anything, from universities to hospitals to private companies, to demand huge amounts of money in bitcoins.

Darker45
June 08, 2021, 01:57:33 AM
 #4

Quote
Unclear how, but it mentions some servers being seized, so maybe they got access to a physical device. Or perhaps they got malware onto the device or there was a cooperating exchange.

It is less likely that the FBI has gotten access to a physical device used by the hackers. There's a mention that the funds were seized from the Russia-based DarkSide. My hunch is that there was indeed a cooperating exchange. After all, Colonial's CEO has also said that the private sector has played an important role in bringing the cybercriminals to accountability. Moreover, the FBI was also able to track the transfers of ransom funds to a certain wallet. It is possible the wallet has got the private keys and cooperated with the investigation.

20kevin20
June 08, 2021, 05:00:26 AM
 #5

I'm not surprised to hear about this and I wouldn't be surprised to hear that the gov is doing something perhaps... less legal to get to those funds or to persons such as Ross Ulbricht. :)

I feel like they're only acting like they can't do that much about it when in fact they have access to way more information than we think they do. Anyway, it's funny to think that it's illegal for me to hack someone but it's completely legal for authorities to hack me, lol.
Kong Hey Pakboy
June 08, 2021, 05:17:04 AM
 #6

That was a ransomware that they used so that means that they will be paid in cryptocurrency like any other ransomware out there. Also, this seizure doesn't mean that they have got it from the hackers, remember that cryptocurrency can be tainted so I don't think there's nothing for this news.

20kevin20
June 08, 2021, 06:17:53 AM
 #7

Quote
Also, this seizure doesn't mean that they have got it from the hackers, remember that cryptocurrency can be tainted so I don't think there's nothing for this news.

How else can they get to seize them? The assets have been seized and it appears that the only ones who had access to the funds are the hackers themselves. Tainted or not, this doesn't make the coins more seizable or not.
Kittygalore
June 08, 2021, 06:48:35 AM
 #8

Quote
According to this article they got the hacker's private key: https://californianewstimes.com/us-says-it-has-recovered-large-portion-of-colonial-pipeline-ransom/383269/
Unclear how, but it mentions some servers being seized, so maybe they got access to a physical device. Or perhaps they got malware onto the device or there was a cooperating exchange.

That's actually pretty cool and scary at times because it can help deter the criminal activity in the cryptospace but at the same time when being held by nefarious hands, this way of seizure could mean that any user in cryptospace is going to be in the crosshairs of that entity and it's only a matter of time.
NeuroticFish
June 08, 2021, 06:54:38 AM
Last edit: June 08, 2021, 07:05:07 AM by NeuroticFish
 #9

Quote
I feel like they're only acting like they can't do that much about it when in fact they have access to way more information than we think they do.

Well said. I've read another news somewhere in the last 12h, which may or may not be related: some international group was caught with the help of an application that was supposed to offer encrypted messaging, but it was actually owned by NSAFBI. My point is that I would not rule it out that the hackers were telling the private key to each other via the very same "encrypted messaging" app.

Will now US govt pump Bitcoin back to the prices from the moment the ransom was paid? :D


Edit: link to the (translated) news is here.

bryant.coleman
June 08, 2021, 11:33:25 AM
 #10

Quote
This is great news and will help a lot to legitimate crypto currencies in the future. Usually people say that cryptos are completely anonymous and that criminals tend to use it for their personal gain. If the authorities can now get the money back it's a huge step. Criminals will have to think twice in the future if they really want to use cryptos again. And it gives another layer of security for companies who want to use cryptos.

Just wait until the details are known. We still don't know how the FBI managed to retrieve these coins. In case the hackers sent the coins to an exchange wallet and the exchange handed them over to the FBI, then I would say that the hackers have acted in an idiotic manner. On the other hand, if the FBI had tracked down the hackers somehow and forced them to forfeit the stolen coins, then I would appreciate the FBI. In this case, it would act as a serious deterrent to any such criminal activity in the future.
Gozie51
June 08, 2021, 12:12:23 PM
 #11

Quote
This is great news and will help a lot to legitimate crypto currencies in the future. Usually people say that cryptos are completely anonymous and that criminals tend to use it for their personal gain. If the authorities can now get the money back it's a huge step. Criminals will have to think twice in the future if they really want to use cryptos again. And it gives another layer of security for companies who want to use cryptos.

Quote
Just wait until the details are known. We still don't know how the FBI managed to retrieve these coins. In case the hackers sent the coins to an exchange wallet and the exchange handed them over to the FBI, then I would say that the hackers have acted in an idiotic manner. On the other hand, if the FBI had tracked down the hackers somehow and forced them to forfeit the stolen coins, then I would appreciate the FBI. In this case, it would act as a serious deterrent to any such criminal activity in the future.

Quote
As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the “private key,” or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address. This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering and may be seized pursuant to criminal and civil forfeiture statutes.


I think this information here said FBI probably has the private key but for me, I can't say how they were able to get hold of the private key.

Quote
“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” said FBI Deputy Director Paul Abbate. “We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”

With the above, the Justice Department and the FBI seem to have a synergy to go after hackers. We may be having more revelations on this as the days come.

https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside

SFR10
June 08, 2021, 01:19:36 PM
 #12

Quote
I'm actually really interested in what they're going to say at the press conference later about how they "seized" the ransom.

I'm sure we're not going to see the detailed version, so most likely they'll give bits of information with a lot of missing parts to cover their tracks.

Quote
My hunch is that there was indeed a cooperating exchange.

Quote
In case the hackers sent the coins to an exchange wallet and the exchange handed them over to the FBI, then I would say that the hackers have acted in an idiotic manner.

@JordanSchachtel has posted a lot of interesting tweets recently and in one of them he mentions being a "Coinbase wallet".
- I'm still not sure which one is the real reason...

Quote
If the authorities can now get the money back it's a huge step.

That's not always the case [unfortunately].

bryant.coleman
June 08, 2021, 02:20:15 PM
 #13

Quote
I think this information here said FBI probably has the private key but for me, I can't say how they were able to get hold of the private key.

Well.. that is the most important question.

Why should the hackers send the coins to a wallet that is controlled by the FBI? There are all sorts of possibilities in play here. My theory goes like this:

The FBI guys arrested an individual or a group of individuals, who were operating a Bitcoin mixer. The arrested individuals shared the details of all their cryptocurrency wallets with the FBI (including the private key). The hackers think that the mixer is still in operation and they send the stolen coins to the wallet, in order to wash them.

But someone in this forum claims that the wallet is linked to the Gemini exchange. In that case, I can't really explain what happened.
Similificator
June 08, 2021, 02:35:50 PM
 #14

The way the US seized this cryptocurrency ransom that was paid to the Colonial Pipeline hackers is very intriguing. I really cannot think of any possible legal way for them to recover these funds from these hackers except for setting traps with the cooperation of some exchanges. Which is why I am thinking that there really must be something more under the surface than what they are saying because these hackers are not small flies, they are good at what they do. It'll be interesting to know more about this.
Jawhead999
June 08, 2021, 02:53:21 PM
 #15

It's either a conspiracy or his own fault (weak password, not managed properly, etc.); there's no way the FBI could hack the entire blockchain, the Bitcoin protocol or even cryptography. Even brute forcing the private keys is almost impossible because there are a lot of possibilities for the private keys. This FUD is really making people scared of Bitcoin, especially newcomers who have no idea of Bitcoin itself.

I really hope the FBI could sign a message with the hacker's address and give a detailed explanation of how they could get the private key, otherwise it's just a rumor.

Ucy
June 08, 2021, 02:53:41 PM
 #16

Quote
According to this article they got the hacker's private key: https://californianewstimes.com/us-says-it-has-recovered-large-portion-of-colonial-pipeline-ransom/383269/
Unclear how, but it mentions some servers being seized, so maybe they got access to a physical device. Or perhaps they got malware onto the device or there was a cooperating exchange.

Quote
That's actually pretty cool and scary at times because it can help deter the criminal activity in the cryptospace but at the same time when being held by nefarious hands, this way of seizure could mean that any user in cryptospace is going to be in the crosshairs of that entity and it's only a matter of time.



Wonder what cryptocurrency the hacker really used.
It's actually foolish to do that on Bitcoin, seeing how transparent the network is. And I expect the Bitcoin Network participants to be able to handle the issue successfully without breaking the network rules. If the ransom was paid in something else like physical currency or gold, it would be more difficult to trace and retrieve compared to doing so on a transparent currency like Bitcoin. The activities of security agencies on the network have to be transparent too, or at least immutable, for the sake of playing according to the rules and accountability. Bitcoin makes it easy for the security agencies, so it's important they reciprocate by being accountable.

Were the private keys really retrieved? I'm interested to know how they did it.
BrewMaster
June 08, 2021, 03:30:45 PM
 #17

Quote
I'm actually really interested in what they're going to say at the press conference later about how they "seized" the ransom.

if this is indeed real and not some made up story by US government then it is like all the previous times they caught the hackers. these hackers probably had a completely verified coinbase account that they used to send their bitcoins to and got caught.
there are dozens of stories like this so far!!!

There is a FOMO brewing...
Kakmakr
June 08, 2021, 04:19:51 PM
 #18

It is strange that they are not mentioning what Crypto currency it is.... could be anything, XRP / ETH / Dash etc... I reckon if it was Bitcoin, they would have grabbed the opportunity to "name and shame" it. ::)

The only way for them to seize it, is if the hackers were caught and if they gave up the "Private Key" by themselves OR if the hackers moved the coins through a government controlled Mixer service and then to a KYC (Exchange) that can be used to identify them. ;)

Will be interested to know how they did this... and kudos for them to be able to seize that. ;)

QuickAccount
June 08, 2021, 04:35:51 PM
 #19

In my opinion, I think crypto should stay anonymous, even if criminals use it, there are people in this forum that think crypto should be traceable. Just because criminals can use it doesn't mean that it's bad for it to be non traceable.

And for the mentioned speculation on how the crypto was seized, if the people behind the attack make enough money for it to be headlines, they can afford a 3TB drive, download a node, and host their own wallet. My theory is that they somehow got access to some info (info through file metadata, server IPs, the like) and used some kind of security exploit in Windows Server or Linux server. The NSA and other government entities have a large vault of vulnerabilities. Take the WannaCry ransomware for example, it used the leaked 'EternalBlue' exploit developed by the NSA to operate. They then used an exploit or the like to get some kind of access to their server where the wallet was hosted.

Just speculation though!

Not your keys, not your coins.
kryme
June 08, 2021, 04:42:02 PM
Merited by Hydrogen (2)
 #20

A lot of replies here. Here are my thoughts based on what I've read from multiple sources.

The DarkSide hacking group ran a RaaS (Ransomware as a Service) and the wallet used to pay out affiliates was stored on a US-based cloud server. The FBI physically seized this (through a court-ordered warrant). The server then contained the wallet / private key. We all know it's possible to track a wallet to an IP address. Colonial Pipeline worked with the FBI from the start. The FBI is obviously running their own nodes to be able to track transactions to IP addresses and this is how it was tracked down to the US-based cloud server. I'm guessing these hackers used a US-based cloud server to avoid firewall/geo-filter rules from many firewalls. (I know we block all non-US IPs on our network).

Someone else here mentioned the FBI hacking the hackers. Yes, this is something the US government has started doing in recent years. Instead of being reactive, they've started to be proactive and go after these hacking groups before they strike in the first place.
