I think that the people here speculating about the FBI and private keys are <i>greatly</i> overestimating the competency of these hackers.<p>While it's possible this is the FBI flexing some muscle that they have a backdoor into bitcoin's hashing algorithm, what seems much more likely (to me) is:<p>There <i>is</i> a more sophisticated hacking group which created this particular ransomware package. They sell this ransomware package to less sophisticated criminals.<p>(<a href="https://www.theverge.com/2021/5/10/22428996/colonial-pipeline-ransomware-attack-apology-investigation" rel="nofollow">https://www.theverge.com/2021/5/10/22428996/colonial-pipelin...</a>)<p>Is it so hard to imagine a scenario where the more advanced creators of this ransomware kit gave instructions to their purchasers on things like private keys, and the end user simply ignored them?<p>Somebody ignoring a warning when installing software, and that allowing the FBI to subpoena access to the server where it was running and grab this private key, seems <i>FAR</i> more likely to me than the FBI having a backdoor into BTC, or this all being a cover spy novel plot, or anything like that.
This story makes absolutely no sense at all. The errors made by these hackers are so comical it's simply unbelievable. I'm supposed to believe some elite Russian hacking group keeps their crypto wallets running on a US host where the FBI just logs right in and snatches the private key? I'm starting to entertain the conspiracies that the future of commodities price manipulation is fake ransomware attacks. There needs to be a serious audit of CME derivatives trading. There will come a day when some oil futures trader pays a ransomware group or an employee at a pipeline company and makes billions.
Here is the FBI controlled address, presumably a Coinbase deposit address<p><a href="https://www.blockchain.com/btc/address/bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq" rel="nofollow">https://www.blockchain.com/btc/address/bc1qq2euq8pw950klpjca...</a><p>Which got funds from<p><a href="https://www.blockchain.com/btc/address/3EYkxQSUv2KcuRTnHQA8tNuG7S2pKcdNxB" rel="nofollow">https://www.blockchain.com/btc/address/3EYkxQSUv2KcuRTnHQA8t...</a><p>This is the wallet explorer used for clustering the wallet<p><a href="https://www.walletexplorer.com/wallet/123085fff68ee703/addresses" rel="nofollow">https://www.walletexplorer.com/wallet/123085fff68ee703/addre...</a><p>I have no idea why they censored out parts of the bitcoin addresses as googling the uncensored part and transaction quantities lets you find them on countless sites.
There are more technical details in the linked affidavit (pages 6 and 7): <a href="https://www.justice.gov/opa/press-release/file/1402056/download" rel="nofollow">https://www.justice.gov/opa/press-release/file/1402056/downl...</a><p>They kept following transactions on the blockchain, but it's not clear how the private key came into the possession of the FBI.
I am guessing that the key pair generation process was faulty. The FBI found an exploit in a wallet used by the hackers allowing the private key to be predicted. The prefix is bc1, which is uncommon. A few weeks ago there was such a vulnerability with Cake Wallet.<p>Or they installed malware on the hackers' computers and were able to log the private key as it was generated.<p>Or the hackers foolishly stored the key pairs on a server.<p>Bitcoin is falling and this news does not help because it shows that some aspect is less secure than previously thought.
Can someone explain simply why it is supposed to be so hard to track ransomware bitcoin payments, if all bitcoin transactions are in a shared public ledger?<p>If the victim pays someone, we know which account it goes to, right? Then we know that account is criminal.<p>If bitcoins move from that account to other accounts, we know that the accounts that receive them are essentially "hiding stolen goods". So they are criminal accounts as well.<p>Then at some point they want to get dollars, and the FBI can catch them by following where the dollars were sent. No?
Colonial paid $4.4M in BTC around May 6th.
Coindesk shows BTC/USD around $58K on May 6th.<p>FBI recovers $2.3M in BTC today.
Current BTC/USD around $34K today.<p>34 / 58 = .58<p>4.4 * .58 = 2.552<p>Looks like they recovered more or less all of it?<p>[1] <a href="https://www.coindesk.com/price/bitcoin" rel="nofollow">https://www.coindesk.com/price/bitcoin</a>
I mean… this was just a software wallet getting owned, almost for sure. Pair that with not clicking the right AWS region and the details are likely.<p>I’m curious what the wallet provider was.
> The Special Prosecutions Section and Asset Forfeiture Unit of the U.S. Attorney’s Office for the Northern District of California is handling the seizure<p>Hah, of course the DoJ office doing bitcoin investigations is in San Francisco.<p>Also interesting that they were able to recover only $2.3M out of the $4.4M paid. I wonder if Colonial Pipeline will ever see this money.
More info: <a href="https://krebsonsecurity.com/2021/06/justice-dept-claws-back-2-3m-paid-by-colonial-pipeline-to-ransomware-gang/" rel="nofollow">https://krebsonsecurity.com/2021/06/justice-dept-claws-back-...</a>
Plausible theory on how they did this here: <a href="https://twitter.com/brucedkleinman/status/1402044745916973057" rel="nofollow">https://twitter.com/brucedkleinman/status/140204474591697305...</a><p>tl;dr: The hackers used the same full node wallet more than once, and the FBI was able to narrow in on an IP address because the first relay of the transactions was the same across multiple transactions. This server was in California, which allowed the FBI to seize it.
Rather than the US just "having" the key, could it not be a possibility that they in fact managed to somehow crack it? If any power could, surely it's the US, right?
>As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address<p>does it mean that "tainted" BTC can be seized any time, even if the current holder may have no relation to the original crime?
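The two questions above (why following payments on a public ledger is still hard, and how "taint" attaches to coins several hops away from the crime) both come down to how funds are traced across a transaction graph. The following is an added illustration, not code from the thread or from any chain-analysis vendor: a toy UTXO transaction graph, constructed here, with a forward "haircut" taint rule (each output inherits the tainted fraction of its transaction's inputs). It shows that a simple split keeps the full amount traceable, while merging with unrelated coins in a CoinJoin-style transaction spreads the taint thinly across outputs, which is exactly why tracing gets hard and why "tainted" balances become a matter of degree rather than a yes/no label. All addresses, transaction ids and amounts are made up for the example.

```python
"""Toy forward-tracing of funds over a UTXO transaction graph (added example).

Constructed scenario: a ransom payment lands in `ransom_addr`, is split,
one branch is merged with unrelated coins in a CoinJoin-like transaction,
and the other branch goes straight to an exchange deposit address.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list   # (txid, vout) references to earlier outputs; empty = funding tx
    outputs: list  # (address, amount_btc)


# Constructed transaction list in topological order (every input refers to an
# earlier transaction). No fees, so inputs always equal outputs.
TXS = [
    Tx("t0", [], [("victim", 75.0)]),                          # victim's funds
    Tx("t1", [("t0", 0)], [("ransom_addr", 75.0)]),            # ransom payment
    Tx("t2", [("t1", 0)], [("hop_a", 63.7), ("hop_b", 11.3)]), # split into two
    Tx("t3", [], [("clean_user", 100.0)]),                     # unrelated funds
    Tx("t4", [("t2", 0), ("t3", 0)],                           # mix with clean coins
       [("mix_out_1", 81.85), ("mix_out_2", 81.85)]),
    Tx("t5", [("t2", 1)], [("exchange_deposit", 11.3)]),       # direct cash-out
]


def propagate_taint(txs, tainted_addr):
    """Return {address: tainted_btc} under the proportional ("haircut") rule.

    Every output of a transaction inherits the fraction
        tainted_input_btc / total_input_btc
    of its own amount as taint. Outputs paid to `tainted_addr` itself are
    100% tainted (the seed of the trace).
    """
    by_id = {tx.txid: tx for tx in txs}
    out_taint = {}                       # (txid, vout) -> tainted btc in that output
    per_address = defaultdict(float)

    for tx in txs:
        if tx.inputs:
            in_total = sum(by_id[t].outputs[v][1] for t, v in tx.inputs)
            in_taint = sum(out_taint.get((t, v), 0.0) for t, v in tx.inputs)
            fraction = in_taint / in_total if in_total else 0.0
        else:
            fraction = 0.0               # fresh funds carry no taint

        for vout, (addr, amount) in enumerate(tx.outputs):
            f = 1.0 if addr == tainted_addr else fraction
            out_taint[(tx.txid, vout)] = f * amount
            per_address[addr] += f * amount

    return dict(per_address)


def taint_fraction(txs, tainted_addr, addr):
    """Share of `addr`'s received coins that traces back to `tainted_addr`."""
    received = sum(a for tx in txs for ad, a in tx.outputs if ad == addr)
    if received == 0:
        return 0.0
    return propagate_taint(txs, tainted_addr)[addr] / received


if __name__ == "__main__":
    taint = propagate_taint(TXS, "ransom_addr")
    for addr, btc in sorted(taint.items(), key=lambda kv: -kv[1]):
        print(f"{addr:18s} {btc:8.2f} BTC tainted "
              f"({taint_fraction(TXS, 'ransom_addr', addr):.0%})")
```

Reading the output: `hop_a` and `exchange_deposit` are 100% tainted, so an exchange that knows the seed address can act on that deposit. `mix_out_1` and `mix_out_2` are each only about 39% tainted after one merge with clean coins, and each further merge lowers that share, which is the practical answer to "why not just follow the coins": after a few mixes the tracer is left with many low-confidence candidates rather than one criminal account, and it has to fall back on other signals (address clustering, exchange KYC records, or, as in this case, seizing a wallet) to recover anything. Real chain-analysis tools use richer heuristics than this single rule, but the dilution effect is the same.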
This is just an early part of an investigation. Since the DOJ got this far, they have leads on who did it.<p>Russian hackers have been captured in Israel, Spain, Belarus... Sometimes, after the FBI identifies them, they just watch and wait.
The DoJ press release doesn't make this clear: what happens to the money now?<p>Is it returned to the company, or does the DoJ keep it as an asset forfeiture?
Maybe this is just a result of good old police work: <a href="https://xkcd.com/538/" rel="nofollow">https://xkcd.com/538/</a>
Looks like the criminals used CoinBase:<p><a href="https://twitter.com/thisisbullish/status/1402056137340604418?s=21" rel="nofollow">https://twitter.com/thisisbullish/status/1402056137340604418...</a><p>How amateur is that…
Don't they mean Putin in an agreement with the Biden administration made Darkside give some money back as a way of easing American public tensions and political fallout ahead of the summit?
LOL... I simply don't believe any of these press releases. For all we know, the government negotiated a deal with the cyber-attackers to create this press release as a way to try to thwart future attacks. Seriously wouldn't put it past them one bit.