
Looking at the DOJ's Ransomware Recovery


On May 7, Colonial Pipeline’s billing system was hit by ransomware, leading to a suspension of pipeline service and gasoline shortages across a broad swath of the Southeastern US. The attackers demanded a ransom of 75 BTC; of that, 63.7 BTC went to the affiliate who carried out the intrusion and the remainder presumably to the DarkSide ransomware-as-a-service operation. The US Department of Justice seized the 63.7 BTC on Monday, June 7, which prompted fears that Bitcoin itself had been compromised. Those fears were unfounded: no novel exploit was found in either the Bitcoin network or any wallet software. Bitcoin remains perhaps the world’s most secure software and network.

What We Know Happened

Using a compromised password, affiliates of the DarkSide ransomware-as-a-service operation gained access to Colonial Pipeline’s billing system. The attackers took control of the system on May 7 and demanded a ransom of 75 BTC. Colonial, which operates the largest refined petroleum products pipeline in the United States, suspended service in response to the breach, leading to gasoline shortages across the region.

The next day, Colonial paid the requested ransom, worth about $4.4 million at the time, from an account at a US-based exchange. Shortly after, on May 14, DarkSide announced that its infrastructure had been compromised and that it had lost access to its payment servers. Facing pressure from United States law enforcement, the group stated that it would be shutting down.

By May 27, 63.7 BTC stemming from the ransom payment had come to rest at an address controlled by the affiliate. A further 11.249 BTC, about 15% of the payment, had been routed to a separate address, presumably as DarkSide’s commission. The remainder of the payment was distributed to other addresses across several smaller transfers.

On June 7, the Department of Justice (DOJ) obtained a warrant in the Northern District of California for the seizure of the 63.7 BTC held at the affiliate’s address. According to the affidavit supporting the warrant, the FBI already possessed the private key for that address. The FBI then seized the funds by moving them to a new address under its control.


What Didn’t Happen

Crypto markets plunged immediately following the DOJ announcement, though the price action may not have been a direct result of the news. This is not unprecedented: following the seizure of the Silk Road marketplace by law enforcement in 2013, the Bitcoin markets collapsed.

A misconception spread on social media that the seizure was the result of the FBI exploiting a vulnerability in Bitcoin’s core technology, its blockchain or its cryptography. This is false. Bitcoin itself was not compromised in any way, and a successful attack on the network or its cryptography remains exceedingly unlikely. Bitcoin relies on the same cryptographic primitives (elliptic-curve signatures and SHA-256 hashing) that secure online payments, passwords, and messaging. Bitcoin is hiding in the crowd: a successful attack on the math securing the network would be bad news for everyone who uses those services, not just bitcoiners. Thankfully, that is not what happened.

There’s also no evidence that any wallet software has been compromised. More likely, this was a case of sloppy execution by the hacker and well-done investigative work by the DOJ.

What Might Have Happened

With the information currently available, it is difficult to get a clear picture of exactly what unfolded. We may never have a complete understanding of the situation without additional disclosures from authorities, but two theories currently seem most plausible.

The first resembles the typical sequence of events for this type of seizure: the affiliate sent funds to an onshore exchange or OTC desk, which was either served a warrant or voluntarily cooperated with law enforcement to return the extorted funds. A custodial exchange controls the private keys for its deposit addresses, so it could have moved the funds to the address named in the warrant and handed law enforcement the corresponding key, which would account for the affidavit’s statement that the FBI already held it.

The second theory instead focuses on a compromised computer with access to the wallet. DarkSide itself wrote in mid-May that its servers were compromised, and this could have been a result of actions by United States law enforcement. Alternatively, the FBI may have apprehended someone affiliated with the hackers with access to the private key.

Either of these two broad scenarios would leave the FBI in possession of a private key, and therefore of the funds, and neither requires a broader compromise of Bitcoin or of any wallet software.

Summary

The recent sequence of events serves as a reminder that Bitcoin is, at its core, a traceable bearer asset: whoever holds the private key controls the funds, and every transfer is recorded on a public ledger. While there are techniques that can increase privacy, observers can for the most part follow the flow of funds, and anyone seeking to safeguard BTC should either self-custody the keys or place funds in the care of a trusted custodian.
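The flow described above (75 BTC paid, 63.7 BTC to the affiliate, 11.249 BTC to the operator) is exactly the kind of thing a public ledger lets an observer reconstruct. The following is an added example, not code from the original post or from any investigator, that shows the two basic moves of on-chain tracing over a constructed transaction graph: proportional ("haircut") taint propagation, where each output inherits the tainted share of the inputs that funded it, and the peel-chain heuristic of following the largest output hop by hop until the funds come to rest. All transaction ids, addresses, fees and the co-spend with 10 BTC of unrelated funds are constructed for illustration; only the headline amounts are taken from the text, and real investigations work over full chain data plus address clustering and exchange records.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from fractions import Fraction

SAT = 100_000_000  # satoshis per BTC


def btc(amount: str) -> int:
    """Parse a BTC amount given as a string into integer satoshis (no float rounding)."""
    return int(Decimal(amount) * SAT)


@dataclass(frozen=True)
class TxOut:
    address: str
    value: int  # satoshis


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # outpoints (txid, vout) this tx spends; () for an external funding source
    outputs: tuple  # TxOut objects, indexed by vout


# Constructed transaction graph in confirmation order. Ids and addresses are hypothetical;
# the 75 / 63.7 / 11.249 BTC amounts mirror the split described in the text.
TXS = (
    Tx("ransom", (), (TxOut("attacker_a", btc("75")),)),
    Tx("split", (("ransom", 0),),
       (TxOut("affiliate_1", btc("63.7")), TxOut("darkside_1", btc("11.249")))),  # 0.051 fee
    Tx("hop", (("split", 0),), (TxOut("affiliate_2", btc("63.6995")),)),          # 0.0005 fee
    Tx("clean_src", (), (TxOut("unrelated", btc("10")),)),
    Tx("mix", (("hop", 0), ("clean_src", 0)),                                      # 0.0005 fee
       (TxOut("exchange_deposit", btc("50")), TxOut("affiliate_change", btc("23.699")))),
)


def index_outputs(txs):
    """Map every outpoint to its TxOut, and every spent outpoint to the txid that spends it."""
    outs, spent_by = {}, {}
    for tx in txs:
        for vout, out in enumerate(tx.outputs):
            outs[(tx.txid, vout)] = out
        for outpoint in tx.inputs:
            spent_by[outpoint] = tx.txid
    return outs, spent_by


def trace_taint(txs, seed):
    """Proportional (haircut) taint: each output inherits the tainted share of its inputs.

    Returns {outpoint: tainted satoshis as an exact Fraction}. Transactions must be in
    confirmation order so inputs are processed before the outputs they fund. The miner
    fee absorbs its proportional share, so total taint can only shrink, never grow.
    """
    outs, _ = index_outputs(txs)
    taint = defaultdict(Fraction)
    taint[seed] = Fraction(outs[seed].value)
    for tx in txs:
        if not tx.inputs:
            continue
        tainted_in = sum(taint[i] for i in tx.inputs)
        if tainted_in == 0:
            continue
        total_in = sum(outs[i].value for i in tx.inputs)
        for vout, out in enumerate(tx.outputs):
            taint[(tx.txid, vout)] = tainted_in * Fraction(out.value, total_in)
    return dict(taint)


def tainted_unspent_by_address(txs, taint):
    """Where the tainted funds currently sit: tainted satoshis per address, unspent outputs only."""
    outs, spent_by = index_outputs(txs)
    exposure = defaultdict(Fraction)
    for outpoint, amount in taint.items():
        if amount and outpoint not in spent_by:
            exposure[outs[outpoint].address] += amount
    return dict(exposure)


def follow_largest_output(txs, start):
    """Peel-chain heuristic: from an outpoint, repeatedly follow the largest output of the
    transaction that spends it until an unspent output is reached. Returns the address path."""
    outs, spent_by = index_outputs(txs)
    by_id = {tx.txid: tx for tx in txs}
    path, cur = [outs[start].address], start
    while cur in spent_by:
        tx = by_id[spent_by[cur]]
        vout = max(range(len(tx.outputs)), key=lambda i: tx.outputs[i].value)
        cur = (tx.txid, vout)
        path.append(outs[cur].address)
    return path


if __name__ == "__main__":
    taint = trace_taint(TXS, ("ransom", 0))
    for addr, sats in sorted(tainted_unspent_by_address(TXS, taint).items()):
        print(f"{addr:17s} {float(sats) / SAT:12.8f} BTC of ransom-derived funds")
    print("largest-output path:", " -> ".join(follow_largest_output(TXS, ("ransom", 0))))
```

Two things the example makes concrete. The 11.249 BTC commission output is untouched by the later hops, so it sits fully tainted at its address; and once the affiliate co-spends with unrelated coins, the 50 BTC exchange deposit is only about 86% ransom-derived, which is why investigators report "tainted share" rather than a yes/no label. The peel-chain walk ends at the hypothetical exchange deposit, which is the point at which an onshore custodian, not the chain itself, becomes the place a warrant can reach.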

Bitcoin is also incredibly secure. It is neutral money that can be and has been used by bad actors, but also by investors, activists, institutions, and even governments. Bitcoin does not rely on exotic assumptions; it uses the same cryptography that secures the rest of the internet. After a dozen years as the world’s largest bug bounty, the Bitcoin protocol itself has not been hacked.