
FBI recovers 63.7 BTC from Colonial Pipeline ransom, gains access to a Bitcoin wallet
The Federal Bureau of Investigation (FBI) returned the bulk of the ransom paid to the DarkSide hackers in Bitcoin after their attack on Colonial Pipeline, the operator of the U.S. oil pipeline.
As the U.S. Justice Department reports, authorities confiscated 63.7 BTC. The return of the funds was handled by a specially created task force to combat digital extortion and ransomware programs.
The FBI traced the blockchain transactions immediately after the ransom was paid from Colonial Pipeline’s address to the hackers. Some of the funds were moved to a wallet whose private key was held by law enforcement.
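To make the tracing step concrete, the following is an added example (not code from the article, the FBI, Elliptic or any other party it mentions) that forward-traces funds across a small constructed ledger using the simple "poison" rule: every output of a transaction that spends from a tainted address is itself treated as tainted. All addresses, transaction ids and the 75/11.25/63.7 split are constructed labels for illustration; only the 63.7 BTC figure that lands at the custodial address echoes the article.

```python
from collections import defaultdict, deque

# Constructed sample ledger for the example; the address labels and txids are
# not real Bitcoin addresses or transactions. Amounts are in BTC.
LEDGER = [
    {"txid": "tx1", "inputs": ["victim_addr"],
     "outputs": [("attacker_a", 75.0)]},
    {"txid": "tx2", "inputs": ["attacker_a"],
     "outputs": [("affiliate_addr", 11.25), ("attacker_b", 63.7)]},
    {"txid": "tx3", "inputs": ["attacker_b"],
     "outputs": [("custodial_addr", 63.7)]},
    # Unrelated activity that must not show up in the trace.
    {"txid": "tx4", "inputs": ["unrelated_addr"],
     "outputs": [("other_addr", 1.0)]},
]


def index_spends(ledger):
    """Map each address to the transactions that spend from it."""
    spends = defaultdict(list)
    for tx in ledger:
        for addr in tx["inputs"]:
            spends[addr].append(tx)
    return spends


def trace_forward(ledger, start, max_hops=20):
    """Breadth-first forward trace from `start` using poison taint.

    Returns a dict addr -> {"hops", "received", "via_tx", "prev"} for every
    address the funds could have reached within `max_hops` transactions.
    "received" sums the BTC paid to that address by tainted transactions.
    """
    spends = index_spends(ledger)
    reached = {start: {"hops": 0, "received": 0.0, "via_tx": None, "prev": None}}
    queue = deque([start])
    seen_tx = set()
    while queue:
        addr = queue.popleft()
        hops = reached[addr]["hops"]
        if hops >= max_hops:
            continue
        for tx in spends.get(addr, []):
            if tx["txid"] in seen_tx:  # each tx is expanded once
                continue
            seen_tx.add(tx["txid"])
            for out_addr, amount in tx["outputs"]:
                if out_addr not in reached:
                    reached[out_addr] = {"hops": hops + 1, "received": 0.0,
                                         "via_tx": tx["txid"], "prev": addr}
                    queue.append(out_addr)
                reached[out_addr]["received"] += amount
    return reached


def path_to(reached, target):
    """Reconstruct the chain of txids from the trace start to `target`."""
    path = []
    addr = target
    while reached[addr]["prev"] is not None:
        path.append(reached[addr]["via_tx"])
        addr = reached[addr]["prev"]
    return list(reversed(path))


if __name__ == "__main__":
    trace = trace_forward(LEDGER, "victim_addr")
    for addr, info in sorted(trace.items(), key=lambda kv: kv[1]["hops"]):
        print(f"{addr:16} hop={info['hops']} received={info['received']} BTC")
    print("path to custodial_addr:", " -> ".join(path_to(trace, "custodial_addr")))
```

Poison taint deliberately over-approximates: once a transaction touches tainted coins, every output is flagged, so the result is a lead list for an investigator rather than an attribution. Production tooling works at the UTXO level, applies proportional heuristics (haircut or FIFO) to split mixed inputs, and has to cope with CoinJoin and peel-chain patterns that this toy rule would simply mark wholesale.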
Details of how the private key ended up with the agency were not disclosed. According to court documents, the FBI access was obtained in Northern California.
The community expressed concern that U.S. authorities could be hacking cryptocurrency wallets. However, this is likely not a hack—the FBI simply requested access to the wallet from a provider or hosting company, according to Adam Back, a pioneer of the crypto industry and the CEO of Blockstream.
Probably not even hacked, just asked the hosting company or custodial wallet provider (aka exchange) to give them the coins or keys.
— Adam Back (@adam3us) June 8, 2021
He also noted that the hackers used a rented cloud server. The FBI could have obtained a court order, taken control of it, and seized the funds.
#Bitcoin was NOT hacked
No bitcoin wallet was hacked, nor is even known to be possible. Ransom hackers used a rented cloud server. FBI got a subpoena and took control of it and recovered coins. That’s it.
— Adam Back (@adam3us) June 8, 2021
In mid-May DarkSide lost access to part of its infrastructure and funds. Elliptic specialists at the time reported a possible confiscation of Bitcoin by the U.S. government.
Some suspect that the U.S. exchange Coinbase was involved in obtaining access to the wallet.
The #Bitcoin associated with Ransomware / Darkside / Colonial Pipeline Co. hack went through the Californian servers of @coinbase and likely seized by U.S. investigators there.
Not your keys, not your 63.7 #BTC. pic.twitter.com/4RwZLFww5c
— This is Bullish (@thisisbullish) June 8, 2021
However, Coinbase asserts that it had no involvement in the incident. The head of the company’s security team, Philip Martin, stressed that the company “has no evidence that the funds passed through a Coinbase account/wallet.”
2/ Coinbase was not the target of the warrant and did not receive the ransom or any part of the ransom at any point. We also have no evidence that the funds went through a Coinbase account/wallet.
— Philip Martin (@SecurityGuyPhil) June 8, 2021
“Coinbase uses a single hot wallet, so transferring a specific private key makes little sense, and we (for obvious security reasons) have not built an API endpoint to export the private key into our signing systems,” wrote Martin.
NBC News journalist Kevin Collier, citing sources, confirmed that Coinbase did not assist the FBI, and that Microsoft specialists assisted law enforcement.
The FBI did not do this by seizing a Coinbase account, source familiar tells me.
— Kevin Collier (@kevincollier) June 7, 2021
Deputy Attorney General Lisa Monaco stressed that authorities will continue to fight ransomware and will use all available tools.
DarkSide attacked Colonial Pipeline in early May, blocking its computer systems and stealing data. To restore operations and retrieve the data, Colonial Pipeline paid the attackers 75 BTC.
Elliptic specialists discovered 47 Bitcoin wallets, presumably belonging to DarkSide. According to their data, over nine months the attackers collected about $90 million in Bitcoin from victims.
In June, U.S. President Joe Biden ordered a study of tracking cryptocurrency transactions as one possible way to fight ransomware.
Subsequently, media reports said that investigations into ransomware attacks in the United States received the same level of priority as terrorism cases.