The “what” is this: A significant portion of the bitcoin-denominated ransom demanded of – and received from – the Colonial Pipeline operator has been recovered.
The “how” shows that bitcoin and other digital offerings, lauded by some (including some criminals and, presumably, by DarkSide) as being virtually impossible to trace … may not be as invisible as they thought. Following the money in the digital age, at least in this instance, has proven to be a twisty, turny path.
As Bloomberg reported, the FBI’s Cyber Crimes Squad in San Francisco focused its search on the fact that bitcoin activity is traceable, because every transaction is recorded – as is always the case with a blockchain – on a distributed public ledger. Through the end of May, the agents had identified at least two dozen addresses that were used to move the bitcoin, and found the last address where those bitcoins were massed (thus, the recovery).
Bloomberg explained that the bitcoin “sits” in the wallet (a “hot” wallet that is still connected to the internet, versus a “cold” one that is not) that is held on an exchange, accessed by a private key. “Where exactly the bitcoins were held, and who gave the FBI the private key, hasn’t been disclosed,” noted the site.
In the affidavit in support of the warrant for the seizure of the bitcoins, the FBI noted that it had been using a Blockchain Explorer, which “uses API and blockchain nodes to draw data from a blockchain, and uses a database to arrange and present the data to a user in a searchable format. These explorers are online tools that operate as a blockchain search engine that allows users to search for and review transactional data for any addresses on a particular blockchain.”
The document details that, in reviewing the bitcoin public ledger, the ransom payment of 75 bitcoin was found to have been made as two payments, sent to two different addresses.
And then began the hop. The affidavit details how dozens of bitcoins, and fractions of bitcoins, were sent to various addresses (redacted in the document), 23 in all, before winding up at the ultimate wallet, “where it had not been moved [from] since.”
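The hop-following the affidavit describes, as an added illustration that is not part of the original article or the FBI’s tooling: a constructed toy ledger (addresses and amounts are invented, in satoshis) is walked from the ransom address, splitting where coins were split, until every branch reaches an address with no outgoing spend, i.e. where the funds “had not been moved since.” Real tracing works on transaction outputs rather than addresses, so the address-level graph here is a simplification.

```python
from collections import defaultdict

SAT = 100_000_000  # satoshis per bitcoin

# Constructed ledger (not real Colonial Pipeline data): each entry is one
# transaction spending from a source address to one or more (address, sats) outputs.
TXS = [
    ("ransom_addr", [("hop1", 6_370_000_000), ("ransom_change", 1_130_000_000)]),
    ("hop1", [("hop2", 6_370_000_000)]),
    ("hop2", [("hop3a", 4_000_000_000), ("hop3b", 2_370_000_000)]),
    ("hop3a", [("final_wallet", 4_000_000_000)]),
    ("hop3b", [("final_wallet", 2_370_000_000)]),
]


def build_graph(txs):
    """Address -> list of (destination address, sats) outgoing edges."""
    graph = defaultdict(list)
    for src, outputs in txs:
        graph[src].extend(outputs)
    return graph


def follow_funds(txs, start):
    """Walk all outgoing spends from `start`.

    Returns (resting, max_hops): `resting` maps each address with no further
    outgoing transaction to the sats that reached it; `max_hops` is the longest
    chain of transfers seen. Each edge is followed once so reused addresses
    that form a loop cannot cause an infinite walk.
    """
    graph = build_graph(txs)
    resting = defaultdict(int)
    max_hops = 0
    seen_edges = set()
    stack = [(start, 0, None)]
    while stack:
        addr, hops, sats = stack.pop()
        if addr not in graph:  # no outgoing spend: funds rest here
            resting[addr] += sats or 0
            max_hops = max(max_hops, hops)
            continue
        for dst, amount in graph[addr]:
            if (addr, dst) not in seen_edges:
                seen_edges.add((addr, dst))
                stack.append((dst, hops + 1, amount))
    return dict(resting), max_hops
```

Calling `follow_funds(TXS, "ransom_addr")` on the constructed ledger reports where the 75 BTC came to rest and how many hops the longest branch took.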
It’s interesting to note that the value of the bitcoin recovered was worth about $2.3 million, reflecting the precipitous drop in the value of the crypto since the ransomware was paid in early May. For the bad guys, in terms of ill-gotten gains: easy come, easy go.