Skip to content
Naked Security Naked Security

How could the FBI recover BTC from Colonial’s ransomware payment?

But Bitcoins are anonymous! However could they get refunded?

The cybersecurity buzz of the week is the intriguing – and highly unusual – aftermath of the Colonial Pipeline ransomware attack.

Colonial runs the largest American supply pipeline for refined petroleum products, capable of shifting about 500 million litres a day of various fuels, including gasoline (petrol), jet fuel, diesel and heating oil, between Texas and the North Eastern US.

At least, that’s how much the pipeline can move if it’s not shut down, something that happened recently in the aftermath of a ransomware attack by a cybercrime gang known as DarkSide.

Even though law enforcement groups around the world urge ransomware victims not to pay up (as we know only too well, today’s ransomware payments directly fund tomorrow’s ransomware attacks), Colonial apparently decided to hand over what was then $4.4 million in bitcoins anyway.

We assume that the company hoped that the decryption tool promised by the blackmailers would help them unscramble the computers on the network faster than doing the job using conventional recovery tools, and thus get fuel flowing again sooner…

…but by many accounts the decryption tool was a dud, and didn’t speed things up at all.

No backsies with Bitcoin

At this point, whether you’ve ever been the victim of cryptocurrency extortion yourself or not, you’re probably thinking, “Ouch. No backsies with Bitcoin.

Cryptocurrencies aren’t managed or regulated by any central authority such as a financial institution, so transferring cryptocoins to someone you don’t know and can’t identify is like handing over a suitcase full of cash to someone you’ve never met before and wouldn’t recognise again.

If you change your mind, or the seller doesn’t deliver the promised product, or the product turns out not to be fit for purpose, then the only way you’re going to get a refund is if the seller agrees to it.

There’s no clearing house who could reverse the transaction; no legal protection built into the process; no regulator or ombudsman to handle any appeal you might make; and, in all likelihood, there’s no easy or reliable way of identifying the seller even if there were a well-defined international process for settling cryptocurrency disputes.

Despite all that, however, the latest news is that the FBI – which can’t have been terribly happy with Colonial in the first place for paying anything at all to the DarkSide gang – has apparently managed to claw back 63.7 of the 75 bitcoins handed over by the beleaguered company.

Sadly, the value of Bitcoin has taken a tumble since last month, so even though 85% of the bitcoins involved in the blackmail payment were recovered, they’re now worth about 50% of what they cost when Colonial purchased them to do its deal with the criminals. What we can’t tell you is whether the FBI will hodl onto the recouped BTC in the hope of a price recovery, or cash out now in case the value falls further.

How was that possible?

That probably leaves you wondering, “How on earth was that possible, and if it could be done for Colonial, who paid up in the face of advice not to do so, why can’t it be done for everyone who has ever been blackmailed for cryptocoins by cybercrooks?

The answer is that although most Bitcoin ownership is anonymous, and although there is no regulatory or baked-in way to force the reversal of unwanted or unlawful transactions…

…every Bitcoin payment ends up in someone’s Bitcoin wallet, and every wallet has a private key by means of which the contents of that wallet can be spent, i.e. transferred onwards to someone else’s Bitcoin wallet.

That’s because Bitcoin transactions are based on public-key cryptography, which you can think of as a lock that comes with two different keys, rather than just one: the first key secures the lock, but only the second key can open it up again.

The idea, greatly simplified, is that you can publish the first key, known unsurprisingly as the public key, so that anyone can “lock up” data for you; but as long as you keep the second key, the private key, to yourself (the hint is in the name!), then only you can ever unlock and view that data, whatever it might be.

And that, simplified yet further, is very loosely how BTC transations work: your Bitcoin wallet address, derived from your public key, can be used by anyone to “lock away” funds so that they “belong” to you.

But the public key can’t subsequently unlock those funds to spend them onwards. (Note, however, that the transactions by means of which bitcoins get spent don’t require a password or cryptographic key – the transaction ledger, or blockchain, is a matter of public record.)

In order to release the funds to pass them onto someone else, you need your own private key to “unlock” the bitcoins from your own wallet before you can transfer the contents to the Bitcoin wallet of the next person in the chain.

In practice, you can’t split up the funds in a wallet before you make a payment. If you have, say, 4 bitcoins in your wallet, you have to spend them all at once. But you can split them between multiple recipients. so you can pay me, say, BTC0.5 and pay BTC3.5 back to yourself, less the transaction fees that pay for the work done by the BTC community to approve the transaction, a process known as “mining”. Also, although all transactions end up in a wallet, not all wallets can actually be spent. If the wallet’s owner has lost the private key, or has destroyed it on purpose (known as “burning” cryptocurrency), then recovering the missing key by brute force is computationally unfeasible and the funds in that wallet are essentially locked up forever.

Follow the chain

So, if the FBI were able to get hold of the private key of the Bitcoin wallet or wallets where Colonial’s ransom payment ended up, then it could simply transfer those funds to itself (assuming that it had permission from a court to do so, of course), whether it knew who owned those wallets or not.

(We said “wallet or wallets” above because cybercrooks often make haste to split incoming payments many different ways into numerous different wallets, precisely to make following the chain of transactions more complex and troublesome.)

And that is what seems to have happened in this case.

Exactly how the FBI managed to get hold of the relevant private keys is part of its tradecraft that it understandably hasn’t explained, but the Department of Justice (DOJ) press release says:

As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the “private key,” or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address. This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering and may be seized pursuant to criminal and civil forfeiture statutes.

Why doesn’t this happen every time?

Of course, this raises the question, “Why doesn’t law enforcement do this for everyone who ever gets scammed by crooks?

The answer is that it’s simply not always possible: loosely speaking, the recipient of the criminal transaction needs to make some sort of operational blunder; and the organisation trying to track down the errant bitcoins typically needs to put in a lot of effort as well as enjoying at least a little bit of good luck.

Bitcoin private keys are usually not only kept private, but also stored in encrypted form so that you need a password to unlock the private key before you can begin to unlock the funds secured by that private key. (You can think of the private key as a bank ATM card, and the top-level decryption key as the PIN that you need before the card can actually be used to do anthing.)

Here are some of the ways a law enforcement team like the FBI, trying to recover criminalised bitcoins, might end up with the cryptographic data they need to do the job.

Don’t forget, however, that cybercrooks themselves can use any or all of these techniques to steal legitimately owned cryptocoins from you – and the crooks don’t have the complexity of applying to a court for formal legal approval first:

  • Implant a spyware tool on your computer to search for files and record keystrokes. With a bit of luck, implanted spyware might not only be able to exfiltrate your private key, but also figure out the password needed to unlock it. Offline cryptocurrency wallets and private keys of this sort are known in the trade as “cold wallets”, because they’re not meant to be accessible online.
  • Work with a cryptocurrency exchange to access data stored there. Some cryptocurrency fans keep at least some of their funds in what are known as “hot wallets”, meaning that they trust a third party that runs a cryptocoin trading site with their private key so that they can quickly buy and sell cryptocoins online. Legitimate exchanges can and will work with law enforcement if required by warrant, and if the exchange has your wallet and your private key, it can hand them over. (Also, the exchange could get hacked, or, if the exchange itself is crooked, run off with your cryptocurrency itself.)
  • Hit the jackpot by subverting an insider. One or more people inside the DarkSide ransomware crew would have had access to the ill-gotten funds, so the FBI could have acquired the intelligence it needed from them. Similarly, if you tell other people your cryptocoin passwords, they could sell you out or simply steal the funds themselves, in much the same way that they could make phantom withdrawals from your bank account if you told them the PIN of our ATM card.

What to do?

Although it’s a relief that FBI recovered a large chunk of the funds in this case, possibly at least in part because of poor tradecraft on the part of the crooks, it’s not so great to lose cryptocoins of your own – or, for that matter, to lose any private data or encryption keys you meant to keep to yourself.

Our tips, therefore, are:

  • Don’t put all your cryptocoins in hot wallets. When you entrust your savings or your wage payments to a bank, you are doing so with years of regulatory scrutiny and protection to back you up. In the cryptocurrency world, however, you are largely on your own if something goes wrong. Don’t keep more than you can afford to lose in a hot wallet.
  • Don’t keep all your data online all the time. Ironically, perhaps, one important defence against ransomware in the first place is to maintain an offline backup, ideally one that is also off-site. Keeping your cryptocoins, as well as any truly private or critical data, offline – is a similarly useful precaution.
  • Don’t expect to keep a secret such as a Bitcoin password or ATM PIN if you tell it to other people. As Benjamin Franklin is supposed to have said, “Three people can keep a secret, if two of them are dead.” Remember: If in doubt, don’t give it out.
  • Don’t expect to get your money back like Colonial did. You need to think of cryptocoin recovery as a rare exception, not as a common rule. As explained above, it typically requires a high-profile case, plus strong operational intelligence, plus a bit of plain old luck, for law enforcement to achieve a result like this.

LEARN MORE: SEXTORTION, A CRYPTOCOIN SCAM YOU MIGHT FACE YOURSELF

A video from our What to do When… series on the Naked Security YouTube channel.

(Watch directly on YouTube if the video won’t play here.)

https://nakedsecurity.sophos.com/2019/12/17/dont-fall-for-this-porn-scam-even-if-your-passwords-in-the-subject/


45 Comments

The FBI just needs to HODL the Bitcoin for a year or two and this seizure will help pay for their entire operating budget.

A rather unlikely story indeed. If a gang is good enough to hack pipelines and not get pinched they can launder BTC. Or as some of us suspect, BTC is not exactly decentralized. How many full nodes does the FBI control anyway?

Technically, of course, they didn’t “hack a pipeline”, they infiltrated and locked up a network that happened to belong to a company that runs a big pipeline, which is not quite the same thing. Also, the stories say that DarkSide’s servers went down not long after the attack… so for all we know they weren’t as “pinch proof” as you suggest.

Just a thought… how many computers would the FBI need to have in the mix in order to “win” the 51% problem?

Waaay more than they have the budget for. It is incredibly unlikely that this outcome is due to a 51% attack, if that was the implication.

The implication (actually, the statement, or at least the claim) has nothing to do with “pwning” the Bitcoin transaction approval process itself. The claim is that the private key was hackedacquired and a court authorised its used to recover proceeds of crime.

I also think the story soes not seem right. Or in other words, unlikely.

Are you saying that the FBI didn’t get any money back (and are therefore making this all up)? Or that they did get money back, just not from the DarkSide crew (and are therefore mistaken about what happened)? Or are you saying that the FBI didn’t do or claim any of this (and therefore it is I who have got it all wrong)?

You get offended really easy, huh?

No, I simply did not understand what the OP meant by saying that the story was “not quite right” or “unlikely”. The comment is roughly equivalent to saying “there are part of this I don’t believe but I am not saying which bits they are,” which I am sure you will agree demands clarification.

There’s another concurrent story about an encryption app designed by FBI that was passed off to hackers and silk road wannabes as a safe encrypted communication app. So the simplest solution is they had a back door into this groups coordinating communications. Mystery solved.

AFIACS, that story (the service you are thinking of was known as An0m) was pitched at crooks who were not cybercrimimals, rather than pitched at hackers, malware crooks, ransomware operators and the like. I can’t see crooks like the Trickbot Group needing or using mobile phones of any description to co-ordinate their activities or to share private keys, so I am not convinced you have solved any mystery at all.

I think it may be not too far off, though. The CFO of the pipeline company has come out with a statement that a) paying the ransom was entirely his decision and b) he notified the FBI of the demand, and they agreed to his paying it – the implication being that the FBI were able, by knowing the time, amount, and origination of the transaction, to track (at least stochastically) where it was going, possibly aided by channel chat they were monitoring.

You can track where BTC payments go simply by following the blockchain. That’s the easy part.. the hard part is paying the resulting chunks of bitcoinage back to yourself.

I wonder what happens to the money now? I guess it still belongs to Colonial but I assume they will be under pressure to donate it to the public purse considering that [a] they already wrote it off by paying it to the blackmailers against government advice and [b] got ripped off anyway because it didn’t seem to work out :-)

Typical rubbish fud,if government was so skilled at recovering btc,why can’t they recover the rest of the amount they paid?

As explained in the article, crooks typically don’t leave all the funds in one wallet indefinitely. To find 85% of the BTC still locked up with one private key can be considered unusually good fortune.

If your car got stolen and dismantled for parts, then you wouldn’t expect it to be restored to you in a drivable condition even if the cops busted the chopshop where it went…

LOL didnt use monero…. what kind of hackers are they?

There was a move by ransomware crooks to shift to Monero (where transactions are harder to track because they are bundled together algorithmically), including one crime crew who offered a discount (?!) if you paid in XMR and not in BTC. Mostly they want bitcoins, though. I assume that’s because BTC is the cryptocoin that most people have heard of and are used to.

Don’t pay and hope they go a way,
“The New Zealand Government will not pay ransoms to criminals because this will encourage further offending,”

It was probably a teenager and some online accomlicise. They probably tracked him back to his parents house, and said give it back

All of this doesn’t even sound right, so let me get this straight, the FBI took back almost everything they gave them in crypto which means now these guys cant really trust the FBI to come through on their end of the bargain so now they are going to shut the pipeline down again on top of anything else they can gain access to just to start the bargaining process all over again. I think both sides are collecting Data on each other for when the really really big cyber disaster strikes so we need to prepare ourselves because its coming.

The FBI wasn’t part of any “bargain”, as far as I can see. The decision to pay the crooks was made by Colonial. As for “shutting down the pipeline again”, I presume you are referring to the criminals “having another go” at Colonial. I think that any company hit by ransomware would be unwise to assume that having had one attack somehow reduces the probability of another… what you learn from one attack ought to help you reduce the chance that a second attack might succeed, but I don’t think that the ransomware gangs scrupulously keep a list of “people who have already paid their dues and should be let off next time.”

I think people are stupid to believe the pipeline got hacked in the 1st place. It’s a cover up of a false alarm and it went south for there agenda. The united states does not pay or has it payed Rasom money to terrorism!

I think that many cybersecurity observers would probably argue that Colonial oughtn’t to have paid the ransom, and most will accept, with highsight, that they didn’t need to (given that the decryption software they bought was apparently not up to the job)…

…but if the backstory here is indeed a false alarm, then this is the weirdest cover-up I can think of. “Something embarrassing happened. What shall we do? I know, let’s make up a long-running story about something much more embarrrasing and way more serious instead! That’ll fool them.”

From what I read/my interpretation of tweet below, they gained access to a VPS/RDP box and then searched through it, gained access via the person’s own box/profile/access and accessed with their own box their own account & Private key, and transferred the money out.

https://twitter.com/UnderTheBreach/status/1402007724301357057

To be clear, that’s just a guess at how the FBI accessed the needed data. (There’s still the issue of the private key password.)

There are many different ways that the FBI could have carried out the various steps needed to complete the “counterheist”. The purpose of this article was not to discover the precise tradecraft used, and even less to present my own guesswork as if it were a fact. I merely wanted to remind everyone that [a] the relative anonymity of BTC transactions doesn’t itself directly protect them from being purloined by someone else, given that they don’t need to know who you are to spend your coins [b] there are numerous different ways that could give an attacker access to data such as passwords and cryptograhic keys.

Or maybe the portion they retrieved was from an exchange, not client

Big portion (85%)!

I suppose the recovered bitcoins could have come from multiple different wallets, but the FBI itself talks about having access “a private key”, as though the recovered funds really were in one big lump sum in one wallet.

How likely is it that the portion that they retrieved, which was part of the parties involved, used an exchange that owned the keys and had to give up to law enforcement?

I don’t know. I did put “getting the private key from an exchange” in my list of how spent money might, in general, be recovered by the authorities (or stolen by crooks)… but I kind of doubt that the crooks would have put that much money into a single hot wallet on someone else’s exchange that could be hit with a warrant. So although it’s technically possible I suspect that they “got at the data” in some other way. We’ve already seem one guess mentioned here that the cops got access via one of the DarkSide network servers they are said to have taken down shortly after the attack, e.g. by using RDP to jump to the computer where the private key was stored.

It is completely unbelievable that the hackers asked for BTC. A ransomware attack on this level would have most definitely asked for Monero. BTC is too easily tracked. This is clearly FUD designed by the government to make large institutions fearful of BTC. It would have been completely stupid to ask for BTC. In the US they’re very few ways to legally buy BTC. Which as a US corporation, colonial pipeline, would be entitled to follow every legal banking rule. Coinbase being the main one. Colonial Pipeline would have establish an account with a known entity or exchange. With all the KYC details involved. That would have allowed the FBI to track the transaction.
This article makes the impression that the BTC encryption was actually hacked by the FBI. Completely impossible.
Either this was stage from beginning, or the FBI got really lucky with some dumb hackers.

You can disbelieve it all you like, but that doesn’t make it untrue. (And the curious thing about your FUD claim is that, if anything, the outcome in this case would surely tend to make people *less* fearful of BTC than more fearful of it, given that the result was that funds *were* tracked down and *were* recovered, rather than lost forever.)

As for your suggestion that we gave the impression that “BTC encryption was actually hacked by the FBI”, it’s almost as though you didn’t read the article, where we not only never even mention “cracking encryption”, but also offer an explanation of various ways in which a cryptocoin private key might be recovered and used by someone other than the owner.

And as for your suggestion that this must have been a case of the FBI getting “really lucky”, it’s almost as though you did read the article and then copied what we said. (We didn’t explicitly say “really lucky” but we did discuss the need for “luck” in a cryptocoin recovery like this.)

My guess is it would have been smarter to ask for the ransom using a privacy token like Monero. Agree?

As I mentioned in an earlier comment, we’ve actually seen some ransomware crooks offer a “discount” if you pay in Monero (XMR), due to the increased complexity of tracking transactions in the XMR blockchain. Nevertheless, the vast majority of ransomware demands (and payments) seem to be done using BTC.

Of course, if you happen to know where the crooks keep the cold wallet that contains the cryptocoins you paid them – or cryptocoins to the same value – then if you can also acquire the private key of the wallet and the paasword for it, you can pay those cryptocoins back to yourself. That’s true whether you are using BTC or XMR.

(You can argue that it might be harder to convince a court that the coins you intend to recover do indeed represent the extortion payment that was originally made, but AFAIK asset recoveries don’t always have to involve take back *exactly* what was taken from the victim, especially if what you’re seizing is monetary, where the property of “fungibility” means that $20 is merely $20, so that any $20 sum is interchangeable with any other.)

In short, some ransomware crooks have previously expressed an interest in switching to Monero… but it doesn’t seem to have caught on.

I dont get it. How did they get the private key. Presuming a Judge gives him the om….where does he get this from?

I call BS. Everyone can claim the FBI hacked the hackers but I know there is a back door to accessing BTC. [REDACTED] Binance even threatened to claw back BTC hacked from his exchange in 2019. There was a huge uproar. The algorithm is based on the hash algorithm SHA 256 developed by the NSA in 2001. I don’t trust the NSA. Think about it.

Actually, the public-private part of the BTC network that we are talking about here uses elliptic curve cryptography (specifically the secp256k1 curve parameters). That was Satoshi Nakamoto’s choice.

Whether you trust the NSA or not doesn’t actually prove that any of the Bitcoin algorithms are currently and crackably flawed. No one has yet found a SHA256 collision, or exposed a likely flaw in the algorithm, and it has had an awful lot of scrutiny from every side of the cultural, intellectual, political and social spectrums. I guess it’s possible that you know of a backdoor that no one else has noticed, but I would say that’s unlikely.

To me the bottom line is that BTC is not as immutable as it is claimed to be. Digital gold is tungsten.

There is one point in the article that is factually incorrect. Anyone that has the public key can “lock up” AND view everything inside that wallet, including all transactions. The private key is what is needed to unlock the funds.
(The article states that a private key is needed to view funds which is incorrect.)
Bitcoin is NOT anonymous like cash and much easier to track than cash. However, the person who owns each public address is private.

That’s not quite what the article says, but I accept that I may have invited people to assume that entries in the blockchain itself, where transactions are recorded, might require some sort of key. I have added a sentence to makr it clear that while your wallet is “locked” against spending by others, the blockchain is public. HtH.

I didn’t even read the article yet, but bitcoins aren’t anon, it’s literally an open ledger where u can track every movement. There are supposedly things u can do to make it anon, but on its own, nope not anon. Eliz Warren is a fudspreader.

I get the impression, from your comment, that you may not actually have read the article yet.

What if the random number generator isn’t random? That would reduce the computation required for brute forcing the private keys.

If you’re allowing the game of “What if” then there are plenty of possible explanations, e.g. that the crooks left the private key on one of the servers the FBI allegedly got access to in the take down, that the private key wasn’t itself encrypted (and thus needed no brute forcing to be usable), that a turncoat inside the group let the key out on purpose, that the key was stored in a cloud service that co-operated with law enforcement, or, indeed, that the private key had been created with a flawed generator… my inclination is to put “buggy or tainted random generator” quite low on the list.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?