FBI Recovers 85% of BTC Paid to Hackers in Wake of Colonial Pipeline Ransomware Attack; Additional Seizures to Follow?
TLDR – Although the 63.7 BTC recovered represents 85% of the BTC paid to the DarkSide hacker team, the value recovered only represents about 50% of the amount paid at current market rates. As yet unclear is how the FBI effected the recovery.
There have been a number of great perspectives on how the US Government via the FBI effected recovery of the 63.7 BTC ostensibly derived from the 75 BTC Colonial Pipeline ransomware payment made to the DarkSide team.
While some observers were concerned that the FBI had somehow cracked Bitcoin’s private key encryption – which likely would have left those folks with lost private key passwords relieved and is largely statistically impossible given the current state of data processing – Evertas prefers to reflect on the likeliest scenario and easiest path to recovery.
Readers need to bear in mind that DarkSide was likely already on the law enforcement radar given the hacker team’s previous RaaS (Ransomware as a Service) successes. Additionally, reports have emerged that highlight the swift and close cooperation provided to the FBI by Colonial Pipeline. Separately, DarkSide themselves confirmed on 13 May they had lost control of their infrastructure – including an involuntary exfiltration of their cryptocurrency funds – and would cease operations less than a week after the ransomware payment was made. DarkSide also promised to close out all financial obligations by 23 May 2021. Although it remains unclear as to whether DarkSide’s announcement was genuine – some observers have suggested the admission was a potential exit scam to abscond with affiliates’ funds – subsequent events suggest that DarkSide did lose access to certain systems.
The Department of Justice announced Monday, 7 June 2021, that the FBI had seized 63.7 BTC in the wake of their investigation into the Colonial Pipeline attack that had first taken place on Friday, 7 May 2021 with the subsequent 75 BTC payment by Colonial to DarkSide having taken place on Saturday, 8 May 2021.
To quote the press release:
“As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the “private key,” or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address. This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering and may be seized pursuant to criminal and civil forfeiture statutes.”
A review of the supporting Affidavit’s paragraph 34 confirmed the private key for the identified Subject address (Affidavit Address) was in the possession of the FBI in the Northern District of California. The key distinction here is that the private key was in the Northern District; some press reports alleged that the BTC funds or the servers on which the funds were held were in the Northern District.
Subsequent to the filings, the FBI transferred the funds from the controlled DarkSide address to one presumably controlled by the US Government the same day.
Shortly after the initial confirmation of Colonial Pipeline’s payment to DarkSide and publication of the BTC amount, Evertas used a combination of Open Source (OSINT) tools and subscription-based blockchain analytics platforms to trace out the funds paid and their flow through the Bitcoin blockchain.
So, in the context of the recent seizure, what insights can a temporal analysis show?
A quick search of the Bitcoin blockchain identified the original 75 BTC payment as originating from a named US-based cryptoasset exchange on Saturday, 8 May 2021 shortly after 1700 hours UTC. This transaction identified the first DarkSide controlled address (Address 1).
Approximately 35 minutes later, whoever controlled Address 1 initiated a couple of transactions to a handful of other DarkSide controlled addresses, including splitting the ransom by sending approximately 11 BTC off to one address of note (Address 2) where it sat until 13 May. These transactions were concluded a little over an hour after the ransom was paid.
It is important to note that at this point on Saturday, 8 May DarkSide was likely still in control of its infrastructure.
The following day, 9 May, DarkSide sent the remaining ~64 BTC to yet another address (Address 3) where those funds sat until 27 May. As other observers have noted, this likely represented the affiliates’ cut of the ransomware payment.
On 13 May, the 11 BTC that had sat idle since 8 May were combined with other funds from 23 other addresses in a single transaction for a combined 107 BTC that were sent to a single address (Address 4) where they sit as of the writing of this post.
That same day, 13 May DarkSide announced that it had lost control of its infrastructure, including its ransomware payment servers, and declared they would be ceasing operations. They stated their plan to meet outstanding financial obligations by 23 May 2021, suggesting they had other means by which to effect payment.
Interestingly, the balance of 64 BTC from Address 3 was combined with funds from another 23 addresses and sent to the subject BTC address identified in the supporting Affidavit (Affidavit Address) on 27 May, where the now combined 70 BTC or so sat until Monday, 7 June.
On 7 June, 63.7 BTC were seized at 1745 hours UTC with the UTXO (Unspent Transaction Output) balance of 5.9 BTC then sent to a separate address about 8 minutes later. The 5.9 BTC has not moved since.
Somewhere between 9 and 23 May, the FBI decided to move on establishing control over DarkSide’s infrastructure. Why such a large gap in time? If it were me, I would have stayed as patient as possible to map out DarkSide’s server and payment infrastructure to gather as much intelligence on the hackers’ operation as time allowed.
Evertas assesses the announcement made on Monday, 7 June regarding the seizure of the 63.7 BTC may only be the first; the blockchain analysis underpinning the probable cause required to get a judge’s signature was a relatively straightforward and largely linear path. This initial Affidavit and subsequent seizure would serve to establish both precedent with the Judge and raise the level of comfort with the blockchain analytics.
Below is one OSINT representation of the seized 63.7 BTC funds flow.
Evertas suspects that the FBI likely now controls the remaining almost 114 BTC and may be working to tie other payments made to DarkSide by other victims of the hackers’ RaaS before effecting official seizures of the remaining funds.
Either way, this seizure is a validation of the idea of cryptoasset recovery as a concept and a victory for other victims of cryptoasset related financial crime.
More to follow.
Intel471 blog post on the DarkSide announcement:
DoJ Press Release on the 63.7 BTC seizure:
FBI DarkSide supporting Affidavit for the funds seizure: