
FBI Recovers 85% of BTC Paid to Hackers in Wake of Colonial Pipeline Ransomware Attack; Additional Seizures to Follow?

9 June 2021

TLDR – Although the 63.7 BTC recovered represents 85% of the BTC paid to the DarkSide hacker team, the value recovered only represents about 50% of the amount paid at current market rates. As yet unclear is how the FBI effected the recovery.

There have been a number of great perspectives on how the US Government via the FBI effected recovery of the 63.7 BTC ostensibly derived from the 75 BTC Colonial Pipeline ransomware payment made to the DarkSide team.

While some observers were concerned that the FBI had somehow cracked Bitcoin’s private key encryption – which likely would have left those folks with lost private key passwords relieved and is largely statistically impossible given the current state of data processing – Evertas prefers to reflect on the likeliest scenario and easiest path to recovery.

Readers need to bear in mind that DarkSide was likely already on the law enforcement radar given the hacker team’s previous RaaS (Ransomware as a Service) successes. Additionally, reports have emerged that highlight the swift and close cooperation provided to the FBI by Colonial Pipeline. Separately, DarkSide themselves confirmed on 13 May they had lost control of their infrastructure – including an involuntary exfiltration of their cryptocurrency funds – and would cease operations less than a week after the ransomware payment was made. DarkSide also promised to close out all financial obligations by 23 May 2021. Although it remains unclear as to whether DarkSide’s announcement was genuine – some observers have suggested the admission was a potential exit scam to abscond with affiliates’ funds – subsequent events suggest that DarkSide did lose access to certain systems.

The Department of Justice announced on Monday, 7 June 2021, that the FBI had seized 63.7 BTC in the wake of its investigation into the Colonial Pipeline attack, which first took place on Friday, 7 May 2021; the subsequent 75 BTC payment by Colonial to DarkSide was made on Saturday, 8 May 2021.

To quote the press release:

 “As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the “private key,” or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address. This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering and may be seized pursuant to criminal and civil forfeiture statutes.”

A review of the supporting Affidavit’s paragraph 34 confirmed the private key for the identified Subject address (Affidavit Address) was in the possession of the FBI in the Northern District of California. The key distinction here is that the private key was in the Northern District; some press reports alleged that the BTC funds or the servers on which the funds were held were in the Northern District.

Subsequent to the filings, the FBI transferred the funds from the controlled DarkSide address to one presumably controlled by the US Government the same day.

Shortly after the initial confirmation of Colonial Pipeline’s payment to DarkSide and publication of the BTC amount, Evertas used a combination of Open Source Intelligence (OSINT) tools and subscription-based blockchain analytics platforms to trace the funds paid and their flow through the Bitcoin blockchain.

So, in the context of the recent seizure, what insights can a temporal analysis show?

A quick search of the Bitcoin blockchain identified the original 75 BTC payment as originating from a named US-based cryptoasset exchange on Saturday, 8 May 2021, shortly after 1700 hours UTC. This transaction identified the first DarkSide-controlled address (Address 1).

Approximately 35 minutes later, whoever controlled Address 1 initiated a couple of transactions to a handful of other DarkSide-controlled addresses, including splitting the ransom by sending approximately 11 BTC to one address of note (Address 2), where it sat until 13 May. These transactions were concluded a little over an hour after the ransom was paid.

It is important to note that at this point, on Saturday, 8 May, DarkSide was likely still in control of its infrastructure.

The following day, 9 May, DarkSide sent the remaining ~64 BTC to yet another address (Address 3) where those funds sat until 27 May. As other observers have noted, this likely represented the affiliates’ cut of the ransomware payment.

On 13 May, the 11 BTC that had sat idle since 8 May were combined with funds from 23 other addresses in a single transaction, for a combined 107 BTC, and sent to a single address (Address 4), where they sit as of the writing of this post.

That same day, 13 May, DarkSide announced that it had lost control of its infrastructure, including its ransomware payment servers, and declared that it would be ceasing operations. They stated their plan to meet outstanding financial obligations by 23 May 2021, suggesting they had other means by which to effect payment.

Interestingly, the balance of 64 BTC from Address 3 was combined with funds from another 23 addresses and sent on 27 May to the subject BTC address identified in the supporting Affidavit (Affidavit Address), where the now combined 70 BTC or so sat until Monday, 7 June.

On 7 June, 63.7 BTC were seized at 1745 hours UTC, with the remaining UTXO (Unspent Transaction Output) balance of 5.9 BTC then sent to a separate address about 8 minutes later. The 5.9 BTC has not moved since.
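The kind of forward trace described above can be reproduced over a transaction graph. The following is an added example, not Evertas’ tooling and not the real Colonial Pipeline transactions: it propagates proportional ("haircut") taint through a constructed UTXO ledger whose amounts mirror the timeline (75 split 11/64, each part later consolidated with 23 other inputs, then 63.7 BTC moved with 5.9 BTC change) and flags the consolidation hops. Txids, addresses and timestamps are placeholders and fees are omitted.

```python
from collections import defaultdict

def funding(txid, addr, amount, time):
    # External funding with no traced inputs (e.g. an exchange withdrawal). Constructed data.
    return {"txid": txid, "time": time, "inputs": [], "outputs": [(addr, amount)]}

# Constructed ledger: (txid, vout) references as inputs, (address, amount) as outputs.
LEDGER = [
    funding("tx0", "addr1", 75.0, "2021-05-08T17:05Z"),                 # ransom lands at Address 1
    {"txid": "tx1", "time": "2021-05-08T17:40Z",                        # split: 11 BTC to Address 2
     "inputs": [("tx0", 0)], "outputs": [("addr2", 11.0), ("addr1b", 64.0)]},
    {"txid": "tx2", "time": "2021-05-09T10:00Z",                        # ~64 BTC on to Address 3
     "inputs": [("tx1", 1)], "outputs": [("addr3", 64.0)]},
    *[funding(f"fa{i}", f"othera{i}", 96.0 / 23, "2021-05-10T00:00Z") for i in range(23)],
    {"txid": "tx3", "time": "2021-05-13T12:00Z",                        # 11 BTC + 23 inputs -> Address 4
     "inputs": [("tx1", 0)] + [(f"fa{i}", 0) for i in range(23)], "outputs": [("addr4", 107.0)]},
    *[funding(f"fb{i}", f"otherb{i}", 5.6 / 23, "2021-05-20T00:00Z") for i in range(23)],
    {"txid": "tx4", "time": "2021-05-27T12:00Z",                        # 64 BTC + 23 inputs -> Affidavit Address
     "inputs": [("tx2", 0)] + [(f"fb{i}", 0) for i in range(23)], "outputs": [("affidavit", 69.6)]},
    {"txid": "tx5", "time": "2021-06-07T17:45Z",                        # seizure: 63.7 out, 5.9 change
     "inputs": [("tx4", 0)], "outputs": [("usgov", 63.7), ("change", 5.9)]},
]

def trace(ledger, seed_utxo, seed_amount, consolidation_threshold=10):
    """Walk transactions in time order, allocating each spending tx's incoming taint
    across its outputs in proportion to output value. Returns (unspent taint, hops, outputs)."""
    outputs = {(tx["txid"], i): o for tx in ledger for i, o in enumerate(tx["outputs"])}
    taint, spent, hops = {seed_utxo: seed_amount}, set(), []
    for tx in sorted(ledger, key=lambda t: t["time"]):
        in_taint = sum(taint.get(u, 0.0) for u in tx["inputs"])
        spent.update(tx["inputs"])
        if in_taint == 0.0:
            continue                                   # tx does not touch traced funds
        in_total = sum(outputs[u][1] for u in tx["inputs"])
        for i, (_addr, amount) in enumerate(tx["outputs"]):
            taint[(tx["txid"], i)] = amount * in_taint / in_total
        hops.append({"time": tx["time"], "txid": tx["txid"], "n_inputs": len(tx["inputs"]),
                     "taint_in": in_taint,
                     "consolidation": len(tx["inputs"]) >= consolidation_threshold})
    unspent = {u: t for u, t in taint.items() if u not in spent}
    return unspent, hops, outputs

def traceable_by_address(unspent, outputs):
    """Sum unspent taint per address: how much of each current balance traces to the seed."""
    by_addr = defaultdict(float)
    for utxo, amount in unspent.items():
        by_addr[outputs[utxo][0]] += amount
    return dict(by_addr)
```

Under proportional allocation the 63.7 BTC output carries about 58.6 BTC traceable to the 75 BTC seed, because the Affidavit Address also held ~5.6 BTC from the 23 other inputs; the two many-input hops are the ones the analysis singles out as consolidation points.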

Somewhere between 9 and 23 May, the FBI decided to move on establishing control over DarkSide’s infrastructure. Why such a large gap in time? If it were me, I would have stayed as patient as possible to map out DarkSide’s server and payment infrastructure to gather as much intelligence on the hackers’ operation as time allowed.

Evertas assesses the announcement made on Monday, 7 June regarding the seizure of the 63.7 BTC may only be the first; the blockchain analysis underpinning the probable cause required to get a judge’s signature was a relatively straightforward and largely linear path. This initial Affidavit and subsequent seizure would serve to establish both precedent with the Judge and raise the level of comfort with the blockchain analytics.

Below is one OSINT representation of the seized 63.7 BTC funds flow.

[Figure] OXT.ME Bitcoin blockchain graph showing the suspected Colonial Pipeline ransomware payment from initiation to seizure of 63.7 BTC by the DoJ on 7 June 2021.

Evertas suspects that the FBI likely now controls the remaining almost 114 BTC and may be working to tie other payments made to DarkSide by other victims of the hackers’ RaaS before effecting official seizures of the remaining funds.

Either way, this seizure is a validation of the idea of cryptoasset recovery as a concept and a victory for other victims of cryptoasset related financial crime.

More to follow.


Intel471 blog post on the DarkSide announcement: https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime

DoJ Press Release on the 63.7 BTC seizure: https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside

FBI DarkSide supporting Affidavit for the funds seizure: https://www.justice.gov/opa/press-release/file/1402056/download
