The US Department of Justice scored a rare victory over ransomware criminals this week by reclaiming most of the Bitcoin extorted by fraudsters following a high-profile attack on the Colonial Pipeline.
As the New York Times reported, the feds’ victory over the hackers demonstrates how Bitcoin can be tracked on the public blockchain network—a fact well known to those who are well-versed in cryptocurrencies but less well known to the general public. But what the Times and others haven’t explained is how the Justice Department got hold of the Bitcoin in the first place.
In a typical ransomware attack, victims cannot recover the Bitcoin because the perpetrators and their wallets are located overseas. Of course, it is possible to track payments on the public blockchain. However, scammers often send Bitcoin to services called mixers—services that mix Bitcoin with other funds or convert them into other cryptocurrencies—and distribute them to other wallets, making it nearly impossible to capture the funds. So what happened to the Colonial Pipeline ransom?
Dmitry Smilyanets has a pretty good idea. Smilyanets, a threat intelligence analyst at cybersecurity firm Recorded Future and an expert on ransomware and cryptocurrency, believes the Colonial Pipeline scammers were amateurs running a franchised operation on behalf of the real masterminds.
The clue Smilyanets followed is that the Justice Department was able to get back only 63.7 of the 75 Bitcoin paid as ransom. The missing 11.3 Bitcoin corresponds to 15% of the ransom, which is the usual commission for using ransomware made by the group called DarkSide. The group leases its tools to other hackers for attacks.
The unrecoverable portion of the Colonial Pipeline ransom went to a DarkSide-controlled wallet that the Justice Department was unable to obtain. Of course, that doesn’t explain how the feds, who said they “didn’t want to reveal the secret,” got the rest of the ransom.
According to Smilyanets, amateurs made a fatal mistake by hard-coding the private key of their Bitcoin wallet into the larger ransomware package they were handing out. Another major mistake was to lease a server in the United States operated by a cloud provider called Digital Ocean.
Smilyanets says the scammers rented this server to speed up the process of exfiltrating the data they stole from the Colonial Pipeline operator to another country. Because the amount of data was huge, using a cloud service like Digital Ocean to temporarily store the data and then transfer it overseas made the process more efficient.
However, as Smilyanets explains, it appears that the scammers also included the private key of their Bitcoin wallet amid other data they transferred to Digital Ocean.
Bitcoin’s cryptosystem is designed so that the public key can be derived directly from the private key, and whoever holds the private key controls the coins. If the Justice Department had obtained the private key, and with it the public key, seizing the Bitcoin would have been straightforward.
Smilyanets says this all points to a sloppy operation by hackers, whom he suspects are young men intoxicated by the success of their extortion scheme, who dragged their feet on shutting down the server and on moving the Bitcoin to safety.
Smilyanets also says that the Justice Department and other agencies responded to the Colonial Pipeline attack in an unusually quick and efficient manner.
All of this suggests that the ransomware perpetrators were not only sloppy but also unlucky, carrying out the Colonial Pipeline crime at a time when US law enforcement was taking new countermeasures, including setting up a new Ransomware and Digital Extortion Task Force.
Of course, there are other theories about how US law enforcement recovered most of the Bitcoin paid by Colonial Pipeline. One possibility, published by the Times, is that the feds placed a human spy inside the DarkSide network and hacked their computers. However, considering that DarkSide still kept its 15% and the spy didn’t warn Colonial Pipeline in advance, this seems highly unlikely. Meanwhile, some have suggested that the US government seized the ransom by cracking Bitcoin’s encryption. Although this idea was clearly wrong, it caused the Bitcoin price to plummet.
For now, Smilyanets’ theory (that the Colonial Pipeline hackers were sloppy amateurs who put the private key somewhere it could be found on US servers) seems to be the strongest.
Hello there! My name is Oktay, from the Tokensboss editorial team. I am a business graduate and writer. I have been doing research on cryptocurrencies and new business lines for over 2 years.