The FBI likely exploited sloppy password storage to seize Colonial Pipeline bitcoin ransom
April 28, 2021
The FBI’s breach of a bitcoin wallet held by the cyber criminals who attacked Colonial Pipeline is all about sloppy storage, and not a reflection of a security vulnerability in the digital currency, crypto experts told CNBC.
On Monday, the Justice Department reported a successful mission to retrieve $2.3 million in bitcoin paid by Colonial Pipeline to ransomware hackers in April. Court documents indicated that investigators traced bitcoin transaction records to a digital wallet, which they subsequently seized under court order. Officials were then able to access that wallet with something called a “private key,” or password.
It remains unclear how exactly the FBI retrieved the key.
“I don’t want to give up our tradecraft in case we want to use this again for future endeavors,” Elvis Chan, an assistant special agent with the FBI’s San Francisco office, said in a news call Monday.
How the FBI likely seized bitcoin
Until the FBI is more transparent with its methods, it’s not possible to know exactly how federal investigators managed to retrieve the private key in question. But there are a few possible scenarios.
DarkSide, the cyber criminal gang that targeted Colonial, reportedly used a payment server to collect the funds. A centralized platform like this is relatively easy for the FBI to track.
“Following the money remains one of the most basic, yet powerful, tools we have,” said Deputy Attorney General Lisa O. Monaco in a statement on Monday.
“Because these transnational, organized criminal groups are facilitating these payments in cryptocurrency, and because of the transparency and traceability that cryptocurrency provides, you can actually more effectively follow the money and potentially mitigate and arrest illicit activity within this ecosystem, than you can with traditional finance and fiat currencies and payments,” explained Jesse Spiro, Global Head of Policy for Chainalysis, a company that provides blockchain forensic and investigative services to private sector companies, including crypto exchanges.
When a ransomware-related payment is made, Chainalysis is actually able to produce and generate what Spiro characterizes as “unprecedented intelligence and information in relation to the supply chain.”
Chainalysis was not able to speak to any specifics on the Colonial investigation.
Once the FBI had that wallet in hand, it’s extremely unlikely they broke something called the “Elliptic Curve Digital Signature Algorithm,” which is how the digital currency ensures that bitcoin can only be spent by the rightful owner.
“In fact, that is so far-fetched, as to be impossible,” said Nick Carter, founding partner at Castle Island Ventures.
What’s much more likely, according to Carter, is that they were able to access a server where the hackers stored private key information. That points not to any fundamental flaw in bitcoin’s security, but rather a case of bad IT hygiene for a criminal organization.
Just take the 2014 hack of Mt. Gox, once the leading bitcoin exchange. It was the first high-profile hack in cryptocurrency history. The exchange filed for bankruptcy and lost 750,000 of its users’ bitcoins, plus 100,000 of its own.
“Bitcoin itself functioned perfectly, but what functioned imperfectly was their system of storing your private keys,” explained Carter.
This is why some cyber criminals take their coins offline to cold storage, in order to insulate nefariously earned tokens from the government and law enforcement.
“If you want to store your coins truly outside of the reach of the state, you can just hold those private keys directly. That’s the equivalent of burying a bar of gold in your backyard,” said Carter.
Setting a good precedent
One former chairman of the U.S. Commodity Futures Trading Commission thinks the FBI breaking into the crypto wallet of a cyber criminal actually sets a good precedent for acceptance of cryptocurrency.
“It proves that the bitcoin blockchain is not hostile ground for law enforcement,” said Chris Giancarlo. “It proves that it is not a perfect tool for criminal activity.”
Mati Greenspan, portfolio manager and Quantum Economics founder, agrees that the breach bodes well for bitcoin.
″Many market participants, myself included, were expecting President Joe Biden to use crypto as a scapegoat for the hack and to come out with crushing reforms,” said Greenspan. “Instead, they were clued in to what we already knew: That it is easier for authorities to catch criminals who use crypto than anything else.”
Carter also appeared unfazed. “We’ve seen these kinds of seizures before, and I’m sure we’ll continue to.”
Despite the common stereotype, there’s no data to indicate that criminals disproportionately use cryptocurrencies like bitcoin. In fact, Chainalysis estimates that less than 1% of cryptos are used for illicit purposes.