The explanation raises a lot of questions. How did the DOJ get the key to access the Bitcoin? Was the professional hacker group that sloppy?
The Department of Justice announced it recovered millions in Bitcoin that Colonial Pipeline paid DarkSide after a ransomware attack shut down the main pipeline for gas on the East Coast.
But many crypto experts raised their eyebrows at this announcement.
What the DOJ Says
Colonial Pipeline told the FBI the hacker group DarkSide accessed the network and demanded 75 Bitcoin (BTC). They paid the ransom.
The DOJ seized 63.7 BTC, valued at around $2.3 million. However, Colonial Pipeline had paid the hackers 75 BTC ($4.4 million).
From the press release:
“Following the money remains one of the most basic, yet powerful tools we have,” said Deputy Attorney General Lisa O. Monaco for the U.S. Department of Justice. “Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks. Today’s announcements also demonstrate the value of early notification to law enforcement; we thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide.”
“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” said FBI Deputy Director Paul Abbate. “We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”
“Cyber criminals are employing ever more elaborate schemes to convert technology into tools of digital extortion,” said Acting U.S. Attorney for the Northern District of California Stephanie Hinds. “We need to continue improving the cyber resiliency of our critical infrastructure across the nation, including in the Northern District of California. We will also continue developing advanced methods to improve our ability to track and recover digital ransom payments.”
Hinds also said, “The extortionists will never see this money.”
An FBI agent explained in an affidavit why the FBI had probable cause to seize the BTC from DarkSide.
The agent wrote in the affidavit that one address received two payments on May 8. The agent then detailed how payments went to different addresses on that same day.
The following day, May 9, BTC payments went to two addresses.
The agent noted “[A]n online public blockchain explorer identified at least 23 other addresses collected together with” the address that collected almost 64 BTC on May 9.
On May 27, almost 70 BTC, including the almost 64 BTC, went to one address. No one has touched those funds since that date.
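To make the affidavit's trace concrete, here is an added example (not from the article or the affidavit) that follows a payment through a constructed transaction graph and clusters addresses with the common-input-ownership heuristic, the kind of analysis a public blockchain explorer uses when it reports addresses "collected together"; every address and amount is a placeholder.

```python
# Added example: forward-tracing a ransom payment and clustering addresses.
# Transactions, addresses and amounts are constructed for illustration.
from collections import defaultdict

# (txid, date, inputs, outputs); inputs/outputs are (address, amount_btc).
# Amounts loosely follow the article's figures; addresses are placeholders.
TXS = [
    ("tx1", "2021-05-08", [("victim", 75.0)], [("A", 75.0)]),
    ("tx2", "2021-05-08", [("A", 75.0)], [("B", 63.7), ("C", 11.3)]),
    ("tx3", "2021-05-09", [("B", 63.7)], [("D", 63.7)]),
    # May 27 consolidation: D is spent together with 23 other addresses,
    # which the common-input-ownership heuristic treats as one wallet.
    ("tx4", "2021-05-27",
     [("D", 63.7)] + [(f"X{i}", 0.25) for i in range(23)],
     [("E", 69.45)]),
]

def trace_forward(txs, start_address):
    """Follow outputs spent from start_address; return (date, txid, addr, amt) hops."""
    seen, frontier, path = set(), {start_address}, []
    for txid, date, ins, outs in txs:            # assumes chronological order
        if any(addr in frontier for addr, _ in ins):
            for addr, amt in outs:
                if addr not in seen:
                    seen.add(addr)
                    frontier.add(addr)
                    path.append((date, txid, addr, amt))
    return path

def cluster_by_common_input(txs):
    """Union-find: addresses that co-sign the inputs of one tx join one cluster."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]      # path halving
            x = parent[x]
        return x
    for _, _, ins, _ in txs:
        addrs = [addr for addr, _ in ins]
        for addr in addrs[1:]:
            parent[find(addr)] = find(addrs[0])
    clusters = defaultdict(set)
    for addr in parent:
        clusters[find(addr)].add(addr)
    # map each co-spending address to its full cluster
    return {addr: frozenset(c) for c in clusters.values() for addr in c}

if __name__ == "__main__":
    for hop in trace_forward(TXS, "victim"):
        print(hop)
    print(len(cluster_by_common_input(TXS)["D"]) - 1, "addresses collected with D")
```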
What Crypto Experts Say
I am no crypto expert, but I know enough to know the story from the DOJ is a little…off.
First off, Colonial Pipeline paid 75 BTC. The DOJ only retrieved 63.7 BTC.
Where is the rest of the money?
Second, DarkSide is a professional group. It does not keep its BTC in a wallet accessible only by password.
Crypto experts secure their BTC so that it can only be spent from the device that stores it. Even with their password, you would only be able to see their balance.
This leads to the most crucial question: How did the DOJ receive the private key of that final wallet housing the majority of the BTC?
As I said, DarkSide is professional. It likely does not hold its BTC in a wallet only accessible by a password.
Crypto experts and others who understand crypto raised important questions and observations on Twitter.
"The FBI had the password to the hackers' #Bitcoin account." Hmm–there's no such thing as a "Bitcoin account." Did hackers use an exchange (in which case an "account" existed, but it's not a "bitcoin account") or did the FBI have the private key to the hackers' bitcoin wallet?🤔 https://t.co/iO1NT8mcDz
— Caitlin Long 🔑 (@CaitlinLong_) June 7, 2021
So I’m supposed to believe that the DOJ was able to “seize” crypto? So if the Colonial Pipeline hackers’ Bitcoin password was figured out, no crypto is safe. This is bull bruh! Unbelievable story. https://t.co/rNahPelId7
— Rance the Royal 🤴🏾 (@RanceRob) June 7, 2021
Umm..that’s not how Bitcoin works 🤔 https://t.co/qWIAMr9Vz5
— Mike Garvey Jr. 🌴☀️ (@MikeGarveyJr) June 7, 2021
I’m curious as to how FBI got their passwords. Either the hackers were sloppy and stored their wallet information on their computers, or the FBI found a way to override that wallet’s login.
Moral of the story, paper ledgers and cold wallets are key🔑 https://t.co/dy0cgt7EiH
— Sam Trujillo❄️ (@SAMT_WX) June 7, 2021
— Stranger in my own land (@chuckberry3141) June 7, 2021
How did Russian hackers manage to shut down part of our infrastructure but weren’t able to keep their bitcoin hidden? We’re not getting the full story here… You look awfully suspect DOJ…
— Roger (@Roger93528023) June 7, 2021