Looking at the DOJ's Ransomware Recovery
On May 7, Colonial Pipeline’s billing system was hacked, leading to a suspension of service and gasoline shortages across a broad swath of the Southeastern US. The hackers demanded a ransom of 75 BTC; 63.7 BTC of the payment went to the hacker, and the remainder was presumably paid to the DarkSide malware syndicate. The US Department of Justice successfully seized the 63.7 BTC on Monday, leading to fears that Bitcoin itself had been compromised. These fears were unfounded—there was no novel exploit found in either the Bitcoin network or any wallet software. Bitcoin remains perhaps the world’s most secure software and network.
What We Know Happened
Using a compromised password, hackers affiliated with the malware broker DarkSide gained access to Colonial Pipeline’s billing system. The attackers took control of the system on May 7 and demanded a ransom of 75 BTC. The target, which operates the largest refined oil pipeline in the United States, suspended service in response to the breach, leading to gasoline shortages across the region.
The next day, the target paid the requested ransom, worth about $4.4 million, using an account at a US-based exchange. Shortly after, on May 14, DarkSide announced that the hacking syndicate had been compromised and they’d lost access to their payment servers. Facing pressure from United States law enforcement, the service stated that it would be shutting down.
By May 27, 63.7 BTC stemming from the ransom payment had ended up at an address controlled by the hackers. 11.249 BTC, or about 15% of the payment, was ultimately routed to a different address, presumably as DarkSide’s commission. The remainder of the payment was distributed to different addresses across multiple smaller transfers.
On June 7, the Department of Justice (DOJ) served a warrant in the Northern District of California for the seizure of the 63.7 BTC held by the hacker. According to the affidavit supporting the warrant, the FBI purportedly already held the private key to that address. They then seized the funds and moved them to a new address.
What Didn’t Happen
Crypto markets plunged immediately following the DOJ announcement, though the price action may not have been a direct result of the news. This is not unprecedented: following the seizure of the Silk Road marketplace by law enforcement in 2013, the Bitcoin markets collapsed.
A misconception spread on social media that the Bitcoin seizure was the result of the FBI exploiting a vulnerability in Bitcoin’s core technology—its blockchain or cryptography. This is false. Bitcoin itself was not compromised in any way, and a successful attack on the network or its cryptography remains exceedingly unlikely. Bitcoin relies on the same cryptographic primitives that secure online payments, passwords, and messaging. Bitcoin is hiding in the crowd, and a successful attack on the math securing the network would be bad news for everyone who uses these services, not just bitcoiners. Thankfully, that’s not what happened.
There’s also no evidence that any wallet software has been compromised. More likely, this was a case of sloppy execution by the hacker and well-done investigative work by the DOJ.
What Might Have Happened
With the information currently available, it is difficult to get a good idea of what exactly unfolded. We may never have a complete understanding of the situation without additional disclosures from authorities, but two theories currently seem most plausible.
The first resembles the typical sequence of events for this type of seizure: the hacker sent funds to an onshore exchange or OTC desk, which was either served a warrant or voluntarily complied with regulators to return the extorted funds. This exchange could have then transferred the funds to the warranted address and granted law enforcement the key.
The second theory instead focuses on a compromised computer with access to the wallet. DarkSide itself wrote in mid-May that its servers were compromised, and this could have been a result of actions by United States law enforcement. Alternatively, the FBI may have apprehended someone affiliated with the hackers with access to the private key.
Either of these two broad scenarios would result in the FBI having access to the funds, and neither requires a broader compromise in Bitcoin or any wallet software.
Summary
The recent sequence of events serves as a reminder that Bitcoin is, at its core, a traceable bearer asset. While there are some techniques that can be used to increase privacy, for the most part observers can easily follow the flow of funds, and users of the network seeking to safeguard BTC should self-custody or place funds in the care of a trusted custodian.
Bitcoin is also incredibly secure. It’s neutral money that can be and has been used by bad actors, but also by investors, activists, institutions, and even governments. Bitcoin doesn’t rely on exotic assumptions, using the same cryptography that secures the entire internet. After a dozen years’ existence as the world’s largest bug bounty, Bitcoin hasn’t been hacked.
Legal Disclosure:
This document, and the information contained herein, has been provided to you by Galaxy Digital Holdings LP and its affiliates (“Galaxy Digital”) solely for informational purposes. This document may not be reproduced or redistributed in whole or in part, in any format, without the express written approval of Galaxy Digital. Neither the information, nor any opinion contained in this document, constitutes an offer to buy or sell, or a solicitation of an offer to buy or sell, any advisory services, securities, futures, options or other financial instruments or to participate in any advisory services or trading strategy. Nothing contained in this document constitutes investment, legal or tax advice or is an endorsement of any of the stablecoins mentioned herein. You should make your own investigations and evaluations of the information herein. Any decisions based on information contained in this document are the sole responsibility of the reader. Certain statements in this document reflect Galaxy Digital’s views, estimates, opinions or predictions (which may be based on proprietary models and assumptions, including, in particular, Galaxy Digital’s views on the current and future market for certain digital assets), and there is no guarantee that these views, estimates, opinions or predictions are currently accurate or that they will be ultimately realized. To the extent these assumptions or models are not correct or circumstances change, the actual performance may vary substantially from, and be less than, the estimates included herein. None of Galaxy Digital nor any of its affiliates, shareholders, partners, members, directors, officers, management, employees or representatives makes any representation or warranty, express or implied, as to the accuracy or completeness of any of the information or any other information (whether communicated in written or oral form) transmitted or made available to you. 
Each of the aforementioned parties expressly disclaims any and all liability relating to or resulting from the use of this information. Certain information contained herein (including financial information) has been obtained from published and non-published sources. Such information has not been independently verified by Galaxy Digital, and Galaxy Digital does not assume responsibility for the accuracy of such information. Affiliates of Galaxy Digital may have owned or may own investments in some of the digital assets and protocols discussed in this document. Except where otherwise indicated, the information in this document is based on matters as they exist as of the date of preparation and not as of any future date, and will not be updated or otherwise revised to reflect information that subsequently becomes available, or circumstances existing or changes occurring after the date hereof. This document provides links to other websites that we think might be of interest to you. Please note that when you click on one of these links, you may be moving to a provider’s website that is not associated with Galaxy Digital. These linked sites and their providers are not controlled by us, and we are not responsible for the contents or the proper operation of any linked site. The inclusion of any link does not imply our endorsement or our adoption of the statements therein. We encourage you to read the terms of use and privacy statements of these linked sites as their policies may differ from ours. The foregoing does not constitute a “research report” as defined by FINRA Rule 2241 or a “debt research report” as defined by FINRA Rule 2242 and was not prepared by Galaxy Digital Partners LLC. For all inquiries, please email [email protected]. ©Copyright Galaxy Digital Holdings LP 2022. All rights reserved.