Security lapse, not ‘hack’, likely behind FBI’s recovery of ransomware Bitcoins
Experts are still puzzling out how the FBI clawed back most of the bitcoins that a pipeline operator paid as ransom to an affiliate of the DarkSide ransomware group, but they say there is nothing about the matter that shows the cryptocurrency network itself is insecure.
Rather, the hacker or hackers simply made some kind of elementary blunder that let the FBI take the coins, analysts said.
“Basically it is theft from a wallet due to poor security practices from a wallet owner,” Jonothon Miller, managing director at crypto exchange Kraken Australia, told Stockhead.
“You can’t hack the bitcoin blockchain. It’s pretty much impossible and would break the whole network.”
The FBI wasn’t able to recover all 75 bitcoin paid by Colonial Pipeline, but it took back 63.7 coins – about 85 per cent.
Court papers indicated that the FBI had the private key to the wallet — the rough equivalent of a password, in that whoever holds it can sign transactions that spend the coins — but gave no indication as to how they got it.
“The ‘obtained the private key’ part of their statement is doing a lot of work,” Nicholas Weaver, a lecturer at the computer science department at University of California, Berkeley, told KrebsOnSecurity.
“It is ONLY the Colonial Pipeline ransom, and it looks to be only the affiliate’s take.”
There was some speculation that the ransom could be seized because the hackers had tried to move it through Coinbase — but both the exchange and the FBI shot that down.
2/ Coinbase was not the target of the warrant and did not receive the ransom or any part of the ransom at any point. We also have no evidence that the funds went through a Coinbase account/wallet.
— Philip Martin (@SecurityGuyPhil) June 8, 2021
The FBI did not do this by seizing a Coinbase account, source familiar tells me.
— Kevin Collier (@kevincollier) June 7, 2021
Coinbase’s director of security also tweeted that a line in the FBI affidavit mentioning Northern California didn’t mean much.
7/ So how did they get the private key? Maybe some whiz-bang magic, but my guess would be it was some good ol’ fashioned police work to locate the target servers, and an MLAT request and/or some political pressure to get access.
— Philip Martin (@SecurityGuyPhil) June 8, 2021
Some pointed to an apparent hack of the DarkSide group’s servers last month, possibly by a US military intelligence unit.
Cybersecurity firm Recorded Future reported on May 14 that soon after US President Joe Biden said the US planned to disrupt the DarkSide group, the hackers declared they had lost control of their web servers and some of their funds.
“A few hours ago, we lost access to the public part of our infrastructure, namely: Blog. Payment server. CDN [content delivery network] servers,” one of the hackers wrote in a post spotted by a Recorded Future analyst.
“Now these servers are unavailable via SSH, and the hosting panels are blocked,” wrote “Darksupp,” complaining that the web hosting provider refused to cooperate.
“In addition, the Darkside operator also reported that cryptocurrency funds were also withdrawn from the gang’s payment server, which was hosting ransom payments made by victims,” Recorded Future wrote.
If the private key had been stored on those servers, or if the US operation had somehow reached the individual computers of DarkSide's members, that could explain how the FBI came into possession of it.
The FBI might also simply have obtained the private key through a warrant served on a US-based provider, since much internet infrastructure is located in America, particularly California.
“He declined to give specifics of how the FBI … gain[ed] access to the wallet, but he said it did not rely on waiting for criminals to use U.S. cryptocurrency services. It did … rely on … internet infrastructure based in the U.S. where the FBI can get warrants.” https://t.co/EvxlJuGQzB
— Sharon Goldberg (@goldbe) June 7, 2021
In any case, if the hacker had simply used a hardware wallet such as a Trezor or a Ledger – which cost around $100 – their millions of dollars in Bitcoin would almost certainly have been safe from this kind of seizure. A hardware wallet keeps the private key on a dedicated device and signs transactions there, so the key never sits on a rented server that a hosting provider can hand over or an intruder can copy. It does nothing, however, to hide where the coins go on the public ledger.
It might seem ridiculous that a hacker could be so careless about something as basic as key custody, but CNN reported last month that the attack was relatively unsophisticated.
“David Kennedy, the president of the cybersecurity firm TrustedSec, noted that DarkSide’s business model is to provide attackers with limited skills the funding and resources they need to actually launch the attacks, providing a platform that both parties can profit off of,” the network reported.
The hacker made a “gross miscalculation” in attacking a high-risk target that deals in a low-margin business, a source told CNN, noting the hacker likely hadn’t anticipated that their attack would lead to the pipeline shutdown and emergency White House meetings.
Jeff Yew, the founder and chief executive of Brisbane-based Bitcoin fund Monochrome Asset Management, told Stockhead that the FBI’s actions were unrelated to the Bitcoin network.
“Imagine the FBI subpoena an email provider to gain access to a person of interest’s email history,” he said. “You wouldn’t associate FBI’s actions to the Internet protocol.”
It’s worth reminding people that digital assets are pseudonymous, not anonymous, Yew said.
“Bitcoin sits on a public ledger more transparent than the banking system,” he wrote in a text message.
“That’s also one of the reasons why cash is still the preferred tool for online cybercriminals. The recent 2020 ACCC report … highlighted that online scams involving bank transfers are up 40% from previous year, at AUD $97 million.
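Yew's point about the public ledger is what makes tracing a ransom payment possible in the first place: every output is visible, and every later spend of it is visible too. The following added example (constructed here, not from the article, Stockhead or any firm it quotes) follows funds forward through a toy UTXO ledger from a payment address, the same basic step chain-analysis tools automate. The transactions, addresses and the 63.7/11.3 split between an affiliate and an operator are invented to mirror the 75 and 63.7 BTC figures in the article; the real DarkSide revenue split is not stated on this page and is not claimed here.

```python
"""Added example: forward-tracing funds on a public UTXO ledger.

All transactions below are constructed for illustration. Amounts are in
satoshi (1 BTC = 100,000,000 sat) to avoid floating-point rounding.
"""
from collections import defaultdict, deque

BTC = 100_000_000

# Constructed toy ledger. Each tx spends earlier outpoints (txid, vout)
# and creates new outputs (address, amount). "victim_funding" stands in
# for whatever funded the victim's payment and is outside the trace.
TXS = [
    {"txid": "t1", "inputs": [("victim_funding", 0)],
     "outputs": [("ransom_addr", 75 * BTC)]},
    {"txid": "t2", "inputs": [("t1", 0)],
     "outputs": [("affiliate_addr", 637 * BTC // 10),   # 63.7 BTC
                 ("operator_addr", 113 * BTC // 10)]},  # 11.3 BTC
    {"txid": "t3", "inputs": [("t2", 0)],
     "outputs": [("affiliate_hot", 637 * BTC // 10)]},
]


def index_spenders(txs):
    """Map each outpoint (txid, vout) to the txid that spends it."""
    spent_by = {}
    for tx in txs:
        for prev in tx["inputs"]:
            spent_by[prev] = tx["txid"]
    return spent_by


def trace_forward(txs, start_address, max_hops=10):
    """Breadth-first walk from every output paid to start_address, following
    each spend and totalling the satoshi that arrive at each later address.
    Deliberately naive: when a spending tx has several inputs, all of its
    outputs are attributed to the trace; real tooling applies heuristics
    (change detection, address clustering) on top of this walk."""
    by_id = {tx["txid"]: tx for tx in txs}
    spent_by = index_spenders(txs)
    reached = defaultdict(int)
    queue = deque()
    for tx in txs:
        for vout, (addr, _amt) in enumerate(tx["outputs"]):
            if addr == start_address:
                queue.append(((tx["txid"], vout), 0))
    seen = set()
    while queue:
        outpoint, depth = queue.popleft()
        if outpoint in seen or depth >= max_hops:
            continue
        seen.add(outpoint)
        spender = spent_by.get(outpoint)
        if spender is None:
            continue  # unspent: the funds still sit at this outpoint
        for vout, (addr, amt) in enumerate(by_id[spender]["outputs"]):
            reached[addr] += amt
            queue.append(((spender, vout), depth + 1))
    return dict(reached)


def balance(txs, address):
    """Sum of outputs to address that no later transaction has spent."""
    spent_by = index_spenders(txs)
    total = 0
    for tx in txs:
        for vout, (addr, amt) in enumerate(tx["outputs"]):
            if addr == address and (tx["txid"], vout) not in spent_by:
                total += amt
    return total


if __name__ == "__main__":
    for addr, sat in trace_forward(TXS, "ransom_addr").items():
        print(f"{addr:15s} received {sat / BTC:.1f} BTC, holds {balance(TXS, addr) / BTC:.1f} BTC")
```

Run against the toy ledger, the walk shows 63.7 BTC moving to the affiliate and on to a second address where it still sits, and 11.3 BTC parked with the operator, which is the kind of picture that lets an investigator decide which key, on which machine, is worth a warrant.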