San Francisco, CA

San Francisco Judge Authorizes FBI To Seize Bitcoin Ransom Paid by Colonial Pipeline

Toby Hazlewood

But did the FBI hack Bitcoin or not?

Following a cyber attack upon the Colonial Pipeline in May 2021, FBI agents have been able to identify and seize the majority of the 75 Bitcoin ransom paid to the Russian hacking group responsible. At the conclusion of the investigation, agents were granted a warrant by a San Francisco judge authorizing the seizure of property “located in the Northern District of California.”

The property in question turned out to be the private key for the Bitcoin address that had received the ransom, held on a computer server that had been rented anonymously by the Russian hacking group DarkSide. Around 63 of the 75 Bitcoin paid by Colonial Pipeline were still sitting at that address. On June 7th, at a Department of Justice briefing, members of the FBI triumphantly reported the recovery of these funds.

While this is good news, it’s frustrating that Bitcoin’s many critics believe that the FBI has somehow undermined, hacked or compromised Bitcoin in the process. The news also prompted (or at least contributed to) another drop in Bitcoin’s price.

In reality, the FBI's recovery of the Bitcoin was enabled by a feature built into Bitcoin's design: its public blockchain. It was also, in part, down to carelessness on the hackers' side.


The Colonial Pipeline Hack

In case you’re unaware of what happened to Colonial Pipeline in May 2021, here are the headlines:

  • DarkSide (a Russian cyber criminal group) admitted responsibility for stealing a cache of confidential data from the Colonial Pipeline and for planting ransomware in their network. They admitted the attack was driven by financial gain, not an intention to cause disruption.
  • As a precautionary measure, Colonial shut down the pipeline, which transports around 45% of the gasoline and jet fuel used on the US East Coast. Gas prices spiked beyond $3 per gallon and panic buying amongst consumers led to temporary fuel shortages.
  • Colonial eventually agreed to pay the ransom (75 Bitcoin, worth between $4 and $5 million at the time) and, once control of their systems was restored, the pipeline was reopened. Normal service resumed, and Colonial are undoubtedly now strengthening their cyber defenses (including by filling the role of Cyber Security Manager, which had been empty for some time).

In the aftermath of the attack critics of Bitcoin were quick to pile-in with the usual scathing statements about how Bitcoin enables criminality and how this wouldn’t have happened if Bitcoin hadn’t existed.

Ransoms, blackmail and money

To blame Bitcoin for the existence of ransomware is naive and a case of scapegoating the currency for the crime. Ransoms and blackmail have existed for as long as money has, and for as long as criminals have been willing to kidnap someone, or take something from them, and demand money for its return.

In the Austin Powers movie, when Doctor Evil threatened the world with annihilation using stolen nuclear weapons unless he was paid a comically small ransom of $1 million, it wasn't the existence of USD that made the crime possible. His dastardly plan rested on the global population being more willing to pay the money than to risk a nuclear blast.


Bitcoin has merely replaced the USD as the currency of choice in this cyber crime (something that may well soon be changing — more on that in a minute).

Ransomware is possible because of vulnerabilities

Ransomware is becoming more and more prevalent according to recent analysis from the FBI. Attacks are made possible by the exponential growth and advancement of technology into virtually every aspect of our lives. The devices and software that we use in our work, leisure and throughout our lives provide attack surfaces that cyber criminals can use to probe into and disrupt our lives.

As long as technology has existed, hackers have been able to pull it apart in search of flaws that can be exploited to seize control of it, or to alter, disrupt or destroy it. A flaw that the vendor doesn't yet know about, and for which no patch exists, is known as a 'zero-day' vulnerability; in practice, though, most attacks use flaws that are already public and simply haven't been patched by the victim.

Organizations like DarkSide probe the internet to find corporations that are using technology with known vulnerabilities. These are then exploited to gain access to the networks and systems of companies like Colonial Pipeline so that malware can be planted and ransoms demanded for the return of control.

Bitcoin is just a convenient means of taking payment where in the past a wire-transfer (or envelopes or suitcases full of unmarked bills) would have been demanded as a ransom.

So how did the FBI recover it?

There's a saying amongst Bitcoin users that goes something like "Not your keys, not your coins". Recommended best practice is that, to truly own your Bitcoin safely and securely, you should keep the private keys that control it in offline cold storage.

In practice this means generating, or moving, the private keys that control your Bitcoin on a hardware device that is kept disconnected from the Internet. The coins themselves never leave the blockchain; only the keys that can spend them are taken offline. A hardware wallet looks much like a USB flash drive, and popular models can be bought online for less than $100.

As long as the private keys controlling some Bitcoin sit on an internet-connected server or other computer (known as hot storage), they are, just like any other data held online, susceptible to theft, or to seizure if that device is stolen or taken lawfully.

The blockchain is transparent

The other pertinent feature of Bitcoin's architecture is its transparent, publicly available ledger, built on blockchain technology. While a holder of Bitcoin (the holder of the private keys that denote ownership) may remain pseudonymous, the movement of specific Bitcoin around the network is recorded immutably and irrefutably in the ledger, and copies of the full ledger are maintained at every node that runs and sustains the network.

In the immediate aftermath of the payment of the Colonial Pipeline ransom, blockchain analysis firm Elliptic were able to identify the specific online address that had received the ransom payment of 75 Bitcoin.
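To make the "movement of specific Bitcoin" concrete, here is an added example (not code from this article, and not how Elliptic's or the FBI's tooling works internally): a tiny, constructed ledger in which a 75 BTC ransom is paid to an attacker's address and partly skimmed away, and a tracer that walks the public spend graph to show where every satoshi now rests and how much a seized private key for the receiving address would still control. All addresses, transaction ids and amounts are made up for the illustration.

```python
"""Follow coins across a public ledger.

Added illustration, not code from the article or from any chain-analysis
vendor. Addresses, txids and amounts are constructed. Real Bitcoin
transactions carry scripts, signatures and 32-byte hashes, but the spend
graph they form has this shape, and that graph is what a tracer walks.
"""
from collections import deque

# Amounts in satoshis (1 BTC = 100_000_000 sat) so that sums are exact.
BTC = 100_000_000

# Constructed ledger. Each transaction consumes earlier outputs (by txid
# and output index) and creates new ones.
LEDGER = [
    # funding of the victim's wallet (where it came from is not the point)
    {"txid": "t0", "inputs": [], "outputs": [("victim_wallet", 75 * BTC)]},
    # the ransom payment: victim -> attacker's receiving address
    {"txid": "t1", "inputs": [("t0", 0)], "outputs": [("ransom_addr", 75 * BTC)]},
    # attacker pays an affiliate 8 BTC and sends the change back to itself
    {"txid": "t2", "inputs": [("t1", 0)],
     "outputs": [("affiliate_a", 8 * BTC), ("ransom_addr", 67 * BTC)]},
    # a second skim of 3.3 BTC, change again returned to the same address
    {"txid": "t3", "inputs": [("t2", 1)],
     "outputs": [("affiliate_b", 33 * BTC // 10), ("ransom_addr", 637 * BTC // 10)]},
    # affiliate_a moves its cut onward, e.g. into an exchange deposit address
    {"txid": "t4", "inputs": [("t2", 0)], "outputs": [("exchange_deposit", 8 * BTC)]},
]


def index_ledger(ledger):
    """Return (outputs, spent_by): every outpoint -> (address, sat), and
    every spent outpoint -> txid of the transaction that consumed it.
    Rejects references to unknown outputs and double spends."""
    outputs, spent_by = {}, {}
    for tx in ledger:
        for vout, (addr, sat) in enumerate(tx["outputs"]):
            outputs[(tx["txid"], vout)] = (addr, sat)
        for outpoint in tx["inputs"]:
            if outpoint not in outputs:
                raise ValueError(f"{tx['txid']} spends unknown outpoint {outpoint}")
            if outpoint in spent_by:
                raise ValueError(f"double spend of {outpoint}")
            spent_by[outpoint] = tx["txid"]
    return outputs, spent_by


def unspent_balance(ledger, address):
    """Sum of outputs paid to `address` that no later transaction has
    spent: what a seized private key for that address actually controls."""
    outputs, spent_by = index_ledger(ledger)
    return sum(sat for op, (addr, sat) in outputs.items()
               if addr == address and op not in spent_by)


def trace_forward(ledger, address):
    """Walk the spend graph from every output ever paid to `address` and
    report where the coins rest now as {address: unspent sat}. Every
    output of a transaction that spent traced coins is itself treated as
    traced (the simplest 'poison' taint rule; real tools use finer ones)."""
    outputs, spent_by = index_ledger(ledger)
    tx_outputs = {}  # txid -> list of outpoints it created
    for txid, vout in outputs:
        tx_outputs.setdefault(txid, []).append((txid, vout))
    queue = deque(op for op, (addr, _) in outputs.items() if addr == address)
    seen, resting = set(), {}
    while queue:
        op = queue.popleft()
        if op in seen:
            continue
        seen.add(op)
        if op in spent_by:                      # coins moved on: follow them
            queue.extend(tx_outputs[spent_by[op]])
        else:                                   # still unspent: this is where they sit
            addr, sat = outputs[op]
            resting[addr] = resting.get(addr, 0) + sat
    return resting


if __name__ == "__main__":
    print("still at ransom_addr:", unspent_balance(LEDGER, "ransom_addr") / BTC, "BTC")
    for addr, sat in sorted(trace_forward(LEDGER, "ransom_addr").items()):
        print(f"{addr:>17}: {sat / BTC:.1f} BTC")
```

Run it and the tracer reports 8 BTC at the exchange deposit address, 3.3 BTC with the second affiliate, and 63.7 BTC still unspent at the receiving address. Nothing in the walk needed to know who owns any of these addresses; that is exactly the point the article makes about the ledger, and the unspent 63.7 BTC is what a warrant for the private key would capture.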


The FBI were able to follow the funds to that address and to locate its private key on a rented, temporary cloud server hosted in Northern California. The crucial error made by DarkSide was in not moving the key that controlled the Bitcoin offline immediately after receiving the payment. Instead, they had started to gradually skim funds from the wallet (presumably paying the individuals responsible for the attack) but had left the balance under the control of a key in hot storage.

Knowing that the majority of the Bitcoin was still controlled by a key sitting on an online server meant that the FBI were able to obtain a warrant in San Francisco to seize the server in question and, with it, the Bitcoin private key.

Crime solved.

Yes, the FBI tracked it down, but they were only able to seize it because DarkSide had mistakenly left the key controlling the ransom on an online server.

What happens next?

Bitcoin has been associated with criminality for much of its existence — it played a pivotal role in the operation of the dark web marketplace for drugs and weapons, The Silk Road. The FBI was eventually able to track down those running that site, and to shut it down.

Through analysis of the Bitcoin blockchain, investigators were also able to identify and convict two corrupt agents who had stolen Bitcoin from The Silk Road, and recover over 200,000 Bitcoin associated with those running the site. Unfortunately it seems that by auctioning them off as worthless property rather than selling the Bitcoin at the height of its value the US Government missed out on over $10 Billion, but I digress.

Bitcoin is often seen primarily as being a means of preserving anonymity amongst its users — certainly it’s designed to be decentralized and regulated only by mutual validation of its users and the network rather than by trusting an overarching governing body.

But as this case has shown, the transparency of the blockchain is an overlooked benefit of Bitcoin, and it was pivotal in the FBI recovering most of the Colonial Pipeline ransom from DarkSide.

This high-profile seizure may just be a means of discouraging criminals from demanding ransoms and the proceeds of crime using Bitcoin in future. At the very least, hackers may be more inclined to invest a few dollars in a hardware wallet to store the proceeds of their crimes.
