In brief
- The hacking group made two big mistakes that let the U.S. seize the Bitcoin.
- The group likely left a private key where law enforcement could find it.
The U.S. Justice Department scored a rare victory against ransomware criminals this week, recovering most of the Bitcoin the crooks extorted following a high-profile attack on Colonial Pipeline.
As the New York Times recounted, the feds' victory against the hackers shows how Bitcoin can be traced on its public blockchain network—a fact well-known to those versed in crypto, but less so to the general public. But what the Times and others did not explain is just how the Justice Department got its hands on the Bitcoin in the first place.
The mystery is especially puzzling since the ransomware gang's attack was sophisticated enough to cripple the east coast energy supply. If the gang could pull that off, how could they be so dumb as to put the Bitcoin ransom in a digital wallet that lay within the reach of U.S. law enforcement?
In a typical ransomware attack, the victims can't recover the Bitcoin because the perpetrators and their wallet are located overseas. Sure, it's possible to trace the payments on the public blockchain. But the crooks usually whisk the Bitcoins into so-called mixers—services that blend the Bitcoins with other funds' or convert them into other cryptocurrencies—and disperse them into other wallets, making the funds all but impossible to seize. So what happened with the Colonial Pipeline ransom?
Dmitry Smilyanets has a pretty good idea. A threat intelligence analyst at the cybersecurity firm Record Future, Smilyanets is an expert in ransomware and cryptocurrency, and told Decrypt he believes the pipeline crooks are mere amateurs who ran a franchise operation under the real masterminds.
The evidence he says is that the Justice Department recovered only 63.7 of the 75 Bitcoins paid in the ransom. The missing 11.3 Bitcoins amount to 15% of the ransom—a figure that is the usual commission to use the ransomware, which is made by a shadowy group called DarkSide. The group rents out its tools to other hackers who have used them to extort more than $90 million in total.
The upshot is that the unrecovered portion of the pipeline ransom went to a wallet controlled by DarkSide, which the Justice Department couldn't get its hands on. That, of course, doesn't explain how the feds—who say they "don't want to give up our tradecraft"—seized the rest of it.
The answer, says Smilyanets, is that the amateurs made a key mistake in hard coding the private key to their Bitcoin wallet into the larger ransomware package they deployed. They made another mistake, he says, when they rented a server in the United States run by a cloud provider called Digital Ocean.
The ransomware crooks rented that server, Smilyanets says, in order to speed up the process of exfiltrating the data they stole from the pipeline operator to another country. The amount of data is vast, so using an intermediary like Digital Ocean to temporarily store and relay the data overseas makes the ransomware operation more efficient.
But as Smilyanets explained, it appears the crooks also included the private key to their Bitcoin wallet amidst the other data they funneled to Digital Ocean.
The design of Bitcoin's encryption system makes it easy to decipher the public key of a Bitcoin wallet if you know the private one (though not vice versa). If the Justice Department obtained both the private and public keys, it would have been easy to seize the Bitcoin—effectively robbing the hackers who had extorted the pipeline operator.
Smilyanets says all of this points to a sloppy operation by the hackers, who he suspects are young men who, drunk on the success of their extortion plan, dragged their feet in shutting the server and moving the Bitcoin to a safe location.
Meanwhile, Smilyanets says the severity of the pipeline attack triggered an unusually swift and efficient response by the Justice Department and others.
"It involved rapid cooperation between law enforcement and private threat intelligence and data companies," he said.
All of this suggests the ransomware perpetrators were sloppy but also unlucky to pull off the pipeline caper at a time of new countermeasures by U.S. law enforcement—countermeasures that include standing up a new Ransomware and Digital Extortion Task Force.
There are other theories, of course, about how U.S. law enforcement recovered most of the Bitcoins paid by Colonial Pipeline. One possibility, floated by the Times, is that the feds planted a human spy inside the DarkSide network and hacked its computers—but this seems unlikely given that DarkSide still got its 15% cut and that the spy didn't warn Colonial Pipeline in the first place. Meanwhile, some suggested that the U.S. government had seized the ransom by breaking Bitcoin's encryption—a suggestion that is clearly wrong, but that nonetheless caused the price of Bitcoin to crash. It has since recovered.
For now, Smilyanets' theory—that the pipeline hackers were amateurs who got sloppy by leaving a private key where it could be found on a U.S. server—is the strongest one. And the strongest theory is usually the correct one.