The FBI likely exploited sloppy password storage to seize Colonial Pipeline bitcoin ransom

The seal of the F.B.I. hangs in the Flag Room at the bureau’s headquarters.

Chip Somodevilla | Getty Images

The FBI’s breach of a bitcoin wallet held by the cyber criminals who attacked Colonial Pipeline is all about sloppy storage, and not a reflection of a security vulnerability in the digital currency, crypto experts told CNBC.

On Monday, the Justice Department reported a successful mission to retrieve $2.3 million in bitcoin paid by Colonial Pipeline to ransomware hackers in April. Court documents indicated that investigators traced bitcoin transaction records to a digital wallet, which they subsequently seized under court order. Officials were then able to access that wallet with something called a “private key,” or password. 

It remains unclear how exactly the FBI retrieved the key. 

“I don’t want to give up our tradecraft in case we want to use this again for future endeavors,” Elvis Chan, an assistant special agent with the FBI’s San Francisco office, said in a news call Monday.

How the FBI likely seized bitcoin

Until the FBI is more transparent with its methods, it’s not possible to know exactly how federal investigators managed to retrieve the private key in question. But there are a few possible scenarios. 

DarkSide, the cyber criminal gang that targeted Colonial, reportedly used a payment server to collect the funds. A centralized platform like this is relatively easy for the FBI to track. 

“Following the money remains one of the most basic, yet powerful, tools we have,” said Deputy Attorney General Lisa O. Monaco in a statement on Monday.

“Because these transnational, organized criminal groups are facilitating these payments in cryptocurrency, and because of the transparency and traceability that cryptocurrency provides, you can actually more effectively follow the money and potentially mitigate and arrest illicit activity within this ecosystem, than you can with traditional finance and fiat currencies and payments,” explained Jesse Spiro, Global Head of Policy for Chainalysis, a company that provides blockchain forensic and investigative services to private sector companies, including crypto exchanges.

When a ransomware-related payment is made, Chainalysis is actually able to produce and generate what Spiro characterizes as “unprecedented intelligence and information in relation to the supply chain.”

Chainalysis was not able to speak to any specifics on the Colonial investigation.

Once the FBI had that wallet in hand, it’s extremely unlikely they broke something called the “Elliptic Curve Digital Signature Algorithm,” which is how the digital currency ensures that bitcoin can only be spent by the rightful owner.

“In fact, that is so far-fetched, as to be impossible,” said Nic Carter, founding partner at Castle Island Ventures.

What’s much more likely, according to Carter, is that they were able to access a server where the hackers stored private key information. That points not to any fundamental flaw in bitcoin’s security, but rather a case of bad IT hygiene for a criminal organization. 

Just take the 2014 hack of Mt. Gox, once the leading bitcoin exchange. It was the first high-profile hack in cryptocurrency history. The exchange filed for bankruptcy and lost 750,000 of its users’ bitcoins, plus 100,000 of its own. 

“Bitcoin itself functioned perfectly, but what functioned imperfectly was their system of storing your private keys,” explained Carter.

This is why some cyber criminals take their coins offline to cold storage, in order to insulate nefariously earned tokens from the government and law enforcement. 

“If you want to store your coins truly outside of the reach of the state, you can just hold those private keys directly. That’s the equivalent of burying a bar of gold in your backyard,” said Carter.  

Setting a good precedent

Source link

Related Articles

Back to top button