FBI Recovers Colonial Bitcoin Payment

In May of 2021, the United States’ largest pipeline, Colonial Pipeline, halted operations due to a ransomware attack. At the time, Colonial Pipeline carried 45% of the fuel used on the U.S. East Coast, running from Texas to the New York Bay Area. The attack was carried out by a Russian-based hacking group known as ‘Darkside’. The hacking group exported over 100GB of data in a 2-hour timeframe from Colonial Pipeline. Later Darkside requested a bitcoin ransom to return Colonial Pipeline data unencrypted and unreleased to the public Internet.

Did They Pay?

Cybersecurity experts around the world urge ransomware victims not to pay the ransom. The US Treasury banned ransomware payments in 2020. However, Colonial Pipeline decided to pay $4.4 million in bitcoins. Weeks later, the FBI allegedly managed to return back 63.7 of the 75 bitcoins paid to Darkside shocking the cybersecurity community. Bitcoins and their payments are supposed to be untraceable.

How did the FBI Recover Bitcoins?

According to a report from the DoJ, the FBI was able to get hold of the private key of the Bitcoin wallet(s) where Colonial’s ransom payment ended up, giving them access to their respective cryptocurrency trading account. The FBI then simply transferred the funds in the account(s) to themself whether they knew who owned those wallets or not. Oftentimes hackers will use more than one account/wallet when accepting bitcoin payments so they can further their anonymity.

How It Happened

The recipient of the criminal transaction made a mistake and exposed their bitcoin wallet private keys to the FBI. Bitcoin private keys are usually not only kept private, but also stored in encrypted form where you need two-factor authentication to unlock the private key before you can begin to unlock the funds secured by that private key in the bitcoin wallet.

Here are the most likely ways the FBI may have recovered the private wallet Bitcoin keys:

Implant a spyware tool on your computer to search for files and record keystrokes. With a bit of luck, implanted spyware might not only be able to exfiltrate your private key, but also figure out the password needed to unlock it. Offline cryptocurrency wallets and private keys of this sort are known in the trade as “cold wallets” because they’re not meant to be accessible online.
Work with a cryptocurrency exchange to access data stored there. Some cryptocurrency fans keep at least some of their funds in what is known as “hot wallets”, meaning that they trust a third party that runs a crypto coin trading site with their private key so that they can quickly buy and sell crypto coins online. Legitimate exchanges can and will work with law enforcement if required by a warrant, and if the exchange has your wallet and your private key, it can hand them over. (Also, the exchange could get hacked, or, if the exchange itself is crooked, run off with your cryptocurrency itself.)
Hit the jackpot by subverting an insider. One or more people inside the DarkSide ransomware crew would have had access to the ill-gotten funds, so the FBI could have acquired the intelligence it needed from them. Insider attackers can be informants for the FBI too! Similarly, if you tell other people your crypto coin passwords, they could sell you out or simply steal the funds themselves, in much the same way that they could make phantom withdrawals from your bank account if you told them the PIN of our ATM card.

What To Do?

It’s a relief the FBI recovered a large piece of the funds in this case, although there are certain things you should be doing in light of this event:

Don’t put all your crypto coins in hot wallets. When you entrust your savings or your wage payments to a bank, you are doing so with years of regulatory scrutiny and protection to back you up. In the unregulated cryptocurrency world, you are largely on your own if something goes wrong. Don’t keep more than you can afford to lose in a hot wallet.
Don’t keep all your data online all the time. Ironically, perhaps, one important defense against ransomware in the first place is to maintain an offline backup, ideally one that is also off-site. Keeping your crypto coins, as well as any truly private or critical data, offline – is a similarly useful precaution.
Don’t expect to keep a secret such as a Bitcoin password or ATM PIN if you tell it to other people. As Benjamin Franklin is supposed to have said, “Three people can keep a secret, if two of them are dead.” Remember: If in doubt, don’t give it out.
Don’t expect to get your money back like Colonial did. You need to think of crypto coin recovery as a rare exception, not as a common rule. As explained above, it typically requires a high-profile case, plus strong operational intelligence, plus a bit of plain old luck, for law enforcement to achieve a result like this.

In addition to these cryptocurrency-specific actions, your company needs to take proactive measures to first reduce its chances of being hit by ransomware. CyberHoot recommends the following best practices to avoid, prepare for, and prevent damage from these attacks: