Speculation has been running rampant over today's FBI press conference revealing the recovery of most of the ransom paid to "Russian" hackers by Colonial Pipeline.
Media: "The FBI hacked Bitcoin and can take anyone's funds."
Reality: The pipeline hackers didn't have the Bitcoin in the first place but kept it in a remote server the FBI could access with subpoena.
Media coverage is mostly lies at this point.
Which raises the following point (h/t Jordan Schachtel):
So the "hackers" brought down the largest pipeline on the east coast...
...but couldn't spend 50 bucks on a clean hardware wallet to secure their bitcoin?
Makes sense to me!
So what really happened?
Top Department of Justice officials claimed to strike a major blow against the culprits of the Colonial Pipeline cyber attack Monday, announcing that they had seized almost all of the funds paid to the affiliate group responsible for contracting the DarkSide ransomware attack.
BREAKING: A law enforcement official says U.S. officials have seized millions of dollars in cryptocurrency paid as ransom after the Colonial Pipeline hack. The cyberattack had caused the nation’s largest fuel pipeline to halt its operations last month. https://t.co/9NTtIr41Q2— The Associated Press (@AP) June 7, 2021
Colonial Pipeline suffered a ransomware attack in early May and responded by preemptively shutting down the pipeline’s entire operations for some time, forcing a temporary but major energy crisis throughout the Southeastern United States. In order for the computers that maintained the pipeline to get back to full operation, Colonial agreed to pay a ransom in the form of 75 bitcoin, which was worth about $5 million at the time.
Now, here’s where things get weird:
In their triumphant statements this morning, the DOJ claimed to have seized the funds from the group that reportedly paid DarkSide for their Ransomware as a Service (RaaS) attack on Colonial. Notably, they did not secure the funds from DarkSide, which took a fee from the ransom in bitcoin that remains in the possession of the shadowy operation.
“The FBI successfully seized criminal proceeds from a Bitcoin wallet..” pic.twitter.com/F9RCKqSiBD— Acyn (@Acyn) June 7, 2021
JUST IN: FBI has seized back pipeline ransom funds from DarkSide's bitcoin wallet. Lisa Monaco: "Today we turned the table on Dark Side"... US now going after "the entire ecosystem."— Kevin Baron (@DefenseBaron) June 7, 2021
“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” FBI Deputy Director Paul Abbate said in a statement.
“We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”
Now, the DOJ does appear to have secured the affiliate funds, but not in the fashion that it is being advertised by federal officials and widely reported in the corporate press.
This description by The New York Times cyber beat reporters is NOT what happened. To be clear, there was no hack. Feds did not do something innovative here. They used legal mechanisms and tracked a publicly available ledger to secure the bitcoin from this alleged hacking group. pic.twitter.com/exc6VqYZaS— Jordan Schachtel (@JordanSchachtel) June 7, 2021
Bitcoin is secured through a currently unbreakable cryptographic formula known as a Elliptic Curve Digital Signature Algorithm. You can safely rule out the possibility that the feds broke this form of encryption and were able to pull off this computing power miracle, which is only theoretically possible through the use of quantum computing, a technology that is still very much a work in progress.
The feds did not “hack” a bitcoin wallet in this manner, though they certainly seemed happy to give off that impression, as it sows doubt about the security of the bitcoin network.
The DOJ has historically been extremely hostile to bitcoin, labeling it as a preferred monetary system for cyber criminals, despite bitcoin transactions being publicly available to anyone with access to the internet.
A DOJ warrant from Monday morning gives us much more detail about how the government actually secured the bitcoin funds. They did so by obtaining a warrant on a bitcoin wallet or exchange that had servers in Northern California. Yes, you read that correctly. The entity responsible for the ransomware attack did not in fact have custody over their bitcoin. Instead, they were using a custodian for their funds. It is unclear whether this account with servers in the United States is an FBI wallet or the affiliate’s wallet, but the major error in bitcoin 101 custody remains the surprising issue. Using a custodian for your funds instead of maintaining possession of them is a very basic error, especially for an allegedly sophisticated hacking gang.
Given that bitcoin transactions are publicly available, it was easy for the feds to track the funds transferred from Colonial to this outfit, as Colonial’s initial transfer to the bitcoin wallet is public information. All they had to do was “follow the money,” which strangely made its way into a U.S. based custodial address.
The latest events surrounding the Colonial Pipeline drama simply do not square with the narratives coming out of the Biden Administration and its stenographers in the corporate press.
We were told this much-hyped hacking group of alleged Russians posed a serious threat to our entire critical infrastructure, yet in the same breath happened to have committed a laughably amateurish bitcoin custody faux pas that allowed for the feds to easily take back possession of the affiliate funds.
I will refrain from getting conspiratorial about possible government involvement and leave that to the readers in the comments section.
In my opinion, this ransomware attack was successful largely due to Colonial’s lack of basic security measures in place. Similar to the notorious DNC emails hack (with the same claimed Russian government culprits), where John Podesta’s password was literally the word password, the hackers succeeded because Colonial had no measures in place to protect themselves. Everything else in the timeline going back to early May seems blown way out of proportion.
Despite the claims made by some powerful people in D.C., there is no compelling evidence that this incident was some kind of Kremlin-directed operation to decimate America’s critical infrastructure.
Gas price begins to soar as 'Kremlin-backed cyber gangsters DarkSide' keep America's biggest fuel pipe offline for FOURTH day https://t.co/9B0hr0oOvn— Daily Mail US (@DailyMail) May 11, 2021
House Intelligence Cmte Chair @RepAdamSchiff says Russia bears “some responsibility” in the Colonial Pipeline cyberattack “even if they’re not engaged in the conduct themselves,” adding that his committee is “scouring” intel to determine the Kremlin’s “degree of culpability.” pic.twitter.com/cWDRLGIef2— Hallie Jackson Reports (@HallieOnMSNBC) May 11, 2021
In the end, the Russians and Bitcoin are not the antagonist actors in this story, though the DOJ seems more than happy to promulgate both of these narratives. Once the feds were able to identify a bitcoin “hot wallet” (as opposed to an offline bitcoin wallet that is controlled by the hackers themselves) was connected to online servers, it became a routine process to seize the funds through legal channels.
There’s also the possibility that the feds identified an individual or group in the affiliate organization responsible for contracting the ransomware attack due to some kind of sting operation. Once identified, the FBI may have proceeded to require these entities to send their funds into a bitcoin wallet in Northern California that is controlled by the FBI.
Anyway, the real issue here is how easily this could have all been avoided. It shows how horrifically poor our infrastructure is protected in this nation, to the point where a cheap ransomware attack by unnamed actors can result in a nationwide energy crisis.
The story has nothing to do with U.S. adversaries and digital currencies, but of unbelievable incompetence and neglect on the part of Colonial and our overall security apparatus. It's called *critical* infrastructure for a reason.