US Recovers Millions in Cryptocurrency Paid To Colonial Pipeline Ransomware Hackers (cnn.com)

US investigators have recovered millions of dollars in cryptocurrency paid in ransom to hackers whose attack prompted the shutdown of the key East Coast pipeline last month, CNN reported Monday, citing people briefed on the matter. From the report: The Justice Department on Monday is expected to announce details of the operation led by the FBI with the cooperation of the Colonial Pipeline operator, the people briefed on the matter said. The ransom recovery is a rare outcome for a company that has fallen victim to a debilitating cyberattack in the booming criminal business of ransomware. Colonial Pipeline Co. CEO Joseph Blount told The Wall Street Journal in an interview published last month that the company complied with the $4.4 million ransom demand because officials didn't know the extent of the intrusion by hackers and how long it would take to restore operations. But behind the scenes, the company had taken early steps to notify the FBI and followed instructions that helped investigators track the payment to a cryptocurrency wallet used by the hackers, believed to be based in Russia. US officials have linked the Colonial attack to a criminal hacking group known as Darkside that is said to share its malware tools with other criminal hackers. Update: Law-enforcement officials said they have seized nearly 64 bitcoin of the 75 bitcoin paid in ransom.
  • by NFN_NLN ( 633283 ) on Monday June 07, 2021 @02:38PM (#61463450)

    "the FBI and followed instructions that helped investigators track the payment to a cryptocurrency wallet used by the hackers, believed to be based in Russia."

    Explain why the 'hackers' wouldn't be using a cold wallet. They sound like fall guys.

    • Re: (Score:2, Interesting)

      by NFN_NLN ( 633283 )

      You could generate a public/private key pair for a wallet offline. Tell the victim to deposit money to that public address -- literally untraceable. There is NO connection to account owner.

      Sit on the money for a year or two until the heat cools off, then launder the digital money through other accounts, automatic exchanges, splitting it up into smaller and smaller pieces each time. At some point it wouldn't even be worth tracking.

      • Re:Makes no sense. (Score:5, Insightful)

        by stabiesoft ( 733417 ) on Monday June 07, 2021 @02:49PM (#61463486) Homepage

        Two problems: most would not want to sit on multiple millions for years. Second, the feds have a great deal of patience. Think about how long the average trial takes to happen as just one example.
        • Re:Makes no sense. (Score:4, Insightful)

          by luvirini ( 753157 ) on Monday June 07, 2021 @02:55PM (#61463498)

          Indeed.

          Basically if you try to use bitcoins that are high enough profile to be worthwhile for someone to monitor, every transaction out from the receiving wallet will cause a tracking of "what was it used for?" and "Can this be used to trace them to a person", thus making them very hard to use.

          • You don't think the FBI has the ability to track that kinda thing? Seems pretty trivial to track really. Monitor a wallet and then monitor any and all transactions to or from it to subsequent places. No different than how we track transactions now through banks.
            • by ghoul ( 157158 )
              The whole point of moving away from dollars to bitcoin is that only the US govt has subpoena power on USD transactions whereas BTC is a more level playing field for all govts.
              • But the value of bitcoin is 100% tied to the value of the dollar. Therefore it's not a currency. It's a pseudo-asset at very best.
                • by Hylandr ( 813770 )

                  It's tied to whatever currency you desire to sell it for. The USD can fade into obscurity; crypto will hold value for whatever it's going to be traded for. Be that Dollars, Rubles, Dinar, Sex, Food, or other goods.

          • There are tumbler/mixing services that can easily scramble a few dozen bitcoins.

            Some tumblers refuse to accept "hot" coins, but others will mix them for an extra fee.

            • Re:Makes no sense. (Score:4, Insightful)

              by dasunt ( 249686 ) on Monday June 07, 2021 @03:15PM (#61463584)

              Some tumblers refuse to accept "hot" coins, but others will mix them for an extra fee.

              So what percentage of those tumblers are run by various law enforcement agencies?

              • by DrXym ( 126579 )
                It's an interesting point. And the law enforcement agencies would even turn a small profit from operating it.
              • Re:Makes no sense. (Score:4, Insightful)

                by bsane ( 148894 ) on Tuesday June 08, 2021 @08:10AM (#61465628)

                Of the ones that aren't:

                - US based, or have a US operator would comply with a NSL or go to prison
                - Almost any western country gets the same result, but with extra steps
                - Russia or China- depends on whether they were state sanctioned, and whether or not they want to give them up
                - Anywhere else wouldn't offer enough protection if the US gov wanted to fuck you bad enough

                Even the Swiss banking system eventually caved to the US, although we've probably lost enough control that it wouldn't happen again.

                • The leverage that gets at banking like Switzerland is that they have large institutions like Credit Suisse and others that would like to have useful access to US financial markets. There's probably a fair number of boutique Swiss banks that would be find just holding overseas money for privacy/tax evasion purposes, but their larger brethren have more sway over the local government which values large-scale international banking over small banks hiding money for rich people, so they're willing to change the

            • by gweihir ( 88907 )

              It is pretty reasonable to expect that mixing services do not have much of a future. The way to do this is not to close them down, but to require them to keep full records, thus making them worthless. There are enough laws to make that happen already, and the feds are beginning to apply them. The driver will mostly be tax evasion, I expect.

              • require them to keep full records, thus making them worthless.

                Good luck enforcing your requirements in Ouagadougou or Minsk.

                • by gweihir ( 88907 )

                  require them to keep full records, thus making them worthless.

                  Good luck enforcing your requirements in Ouagadougou or Minsk.

                  Actually very easy to do. The trick is to require anybody using such a service to provide full documentation unless the exchange does it. Otherwise you could just do money-laundering via a regular bank in Ouagadougou or Minsk. Well, you probably can as long as the amount is small...

                  • The trick is to require ...

                    Who is doing this "requiring"?

                    How will they enforce the "requirement" on a tumbler located at an anonymous TOR address?

            • by DrXym ( 126579 )
              Why would anyone want to use a tumbler unless their coins were "hot"? How does the tumbler even know for a fact they are? And if a tumbler has the reserves to launder millions of dollars then I'm quite certain the feds would be super interested in their operations too.
              • Privacy would be the obvious reason. From your spouse. From your business partners or co-workers. From the IRS.

                • Re: Makes no sense. (Score:4, Informative)

                  by Moryath ( 553296 ) on Monday June 07, 2021 @08:24PM (#61464512)
                  From your spouse.

                  If you're in a marital-property state, likely illegal. Especially if you wind up in a divorce with asset records subpoenaed.

                  From your business partners or co-workers.

                  In the real world this is a crime called "Embezzlement."

                  From the IRS.

                  In the real world this is a crime called "Tax Evasion."
                  • Re: Makes no sense. (Score:4, Interesting)

                    by ShanghaiBill ( 739463 ) on Tuesday June 08, 2021 @12:24AM (#61464922)

                    Illegal is not the same as "hot".

                    "Hot" means that law enforcement is actively looking for it.

                    The Colonial Pipeline bitcoins are hot. The bitcoins I traded my wife's engagement ring for are not.

                  • by bsane ( 148894 )

                    Since every bitcoin transaction is public there are legit reasons to tumble that aren't illegal. Hiding my purchases from coworkers or acquaintances is legal, as long as there's no intent to defraud. If I'm a business and accepting bitcoin for payment, it's 100% legit to tumble before spending; in fact not doing so would give my competitors insight into my operations.

                    I could see a requirement to report tumbling to the IRS, but it absolutely is a legit privacy issue.

            • I'm just waiting for the headline of some known programmers being found dead from some random accident. Something more subtle than polonium poisoning. I'm certain there are a few kill orders out for them now that they became high-profile targets.
          • by rtb61 ( 674572 )

            Here let me fix this for you "if you try to use bitcoins that are high enough profile to be worthwhile for someone to monitor" to "if you try to use bitcoins that are high enough profile to be worthwhile for AI to monitor an AI capable of monitoring billions of transactions". Relational consolidation of all bitcoin transactions, servers used, IP addresses, routers and associated network traffic from those end clients, network connections links to data accessible servers matching people to IP (any logins, no

        • And with Bitcoin, laundering it is going to take time and cost you money. You may be able to automate some of the work but you can bet the FBI can also automatically track it too.
      • That...that...sounds too much like work. People who get into white collar crime mostly do it because they don't want to get into honest HARD work.

        • by sinij ( 911942 )
          I don't know about these criminals, but I am willing to put a couple of hours of work into generating a new wallet if the payoff is in millions.
      • You could generate a public/private key pair for a wallet offline. Tell the victim to deposit money to that public address -- literally untraceable. There is NO connection to account owner.

        Sit on the money for a year or two until the heat cools off, then launder the digital money through other accounts, automatic exchanges, splitting it up into smaller and smaller pieces each time. At some point it wouldn't even be worth tracking.

        You are mistakenly assuming that all hackers are smart. They are not.

        • by gweihir ( 88907 )

          You are mistakenly assuming that all hackers are smart. They are not.

          The other thing is that many hackers do not have a clue how things outside of their area of expertise work. Hiding and using ill-gotten money is _hard_.

      • by DrXym ( 126579 )
        I'm sure the Feds have tools to monitor bitcoin transactions and alert them to activity even if the coins sit in a wallet doing nothing for a few years. And if you launder your ill-gotten gains e.g. via a tumbler, then you're just exchanging your dirty money for someone else's. And probably the Feds also have heuristic tools to see what's going into the tumbler and where it's coming out and infer what is going on. So after you wash your money you're probably no closer to being safe than before, probably les
      • by clambake ( 37702 )

        Eh, except in the real world you can never wait long enough for the heat to cool off. EVERYTHING in the blockchain is visible to EVERYONE, including FBI computers whose only reason to exist is to watch for those specific bitcoins to move and track everyone who touches them. That computer will never get tired and will never miss a transaction. Bitcoin is the best thing that ever happened to law enforcement, just nobody understands it yet.
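The "computer that only exists to watch those specific bitcoins move" idea from the comments above, as an added example that is not part of the thread: a small taint tracer over a constructed transaction ledger (placeholder txids and addresses, not real chain data) that propagates ransom-derived value through a split and a mixing transaction using the proportional "haircut" model, raises an alert when tainted value reaches a tagged exchange deposit address, and reports the unspent outpoints an investigator would keep watching.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Outpoint = Tuple[str, int]  # (txid, output index)


@dataclass
class Tx:
    txid: str
    inputs: List[Outpoint]             # outpoints this transaction spends
    outputs: List[Tuple[str, float]]   # (address, amount in BTC)


def trace_taint(ledger: List[Tx], ransom_addresses: Set[str], tagged: Set[str]):
    """Walk the ledger in order and compute, for every output, the fraction of
    its value that derives from payments into the ransom addresses (haircut
    model: taint spreads over a transaction's outputs in proportion to the
    tainted share of its inputs). Returns (taint, alerts, watchlist):
      taint     - outpoint -> fraction in [0, 1]
      alerts    - (txid, address, tainted_btc) for tagged addresses that
                  received tainted value, e.g. a known exchange deposit address
      watchlist - unspent outpoints still holding tainted value, i.e. the
                  wallets an investigator keeps monitoring for movement
    """
    value: Dict[Outpoint, float] = {}
    taint: Dict[Outpoint, float] = {}
    spent: Set[Outpoint] = set()
    alerts = []
    for tx in ledger:
        total_in = tainted_in = 0.0
        for op in tx.inputs:
            if op not in value:
                raise ValueError(f"{tx.txid} spends unknown outpoint {op}")
            total_in += value[op]
            tainted_in += value[op] * taint[op]
            spent.add(op)
        share = tainted_in / total_in if total_in else 0.0
        for vout, (addr, amount) in enumerate(tx.outputs):
            op = (tx.txid, vout)
            value[op] = amount
            # A payment into a ransom address is the seed: fully tainted.
            taint[op] = 1.0 if addr in ransom_addresses else share
            if taint[op] > 0 and addr in tagged:
                alerts.append((tx.txid, addr, amount * taint[op]))
    watchlist = {op: amt * taint[op] for op, amt in value.items()
                 if op not in spent and taint[op] > 0}
    return taint, alerts, watchlist


# Constructed ledger (placeholder txids and addresses; not real chain data).
LEDGER = [
    Tx("tx_fund", [], [("victim", 80.0), ("bystander", 20.0)]),
    # victim pays a 75 BTC ransom and keeps the change
    Tx("tx_ransom", [("tx_fund", 0)], [("ransom_addr", 75.0), ("victim", 4.9)]),
    # attackers split the ransom across two of their own addresses
    Tx("tx_split", [("tx_ransom", 0)], [("attacker_a", 40.0), ("attacker_b", 34.9)]),
    # a mixing transaction combines one tainted input with a bystander's coins
    Tx("tx_mix", [("tx_split", 1), ("tx_fund", 1)],
       [("mix_out_1", 27.4), ("mix_out_2", 27.4)]),
    # one mixer output is sent to an exchange deposit address
    Tx("tx_cashout", [("tx_mix", 0)], [("exchange_deposit", 27.3)]),
]


def run_demo():
    return trace_taint(LEDGER, {"ransom_addr"}, {"exchange_deposit"})


if __name__ == "__main__":
    taint, alerts, watchlist = run_demo()
    for txid, addr, btc in alerts:
        print(f"ALERT {txid}: {btc:.4f} BTC of ransom-derived value reached {addr}")
    for op, btc in watchlist.items():
        print(f"WATCH {op}: {btc:.4f} tainted BTC still unspent")
```

Mixing with clean coins lowers the taint fraction of each output but never removes it, which is why the cash-out still trips the alert.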

    • Or it was made using a stolen ID, so the person whose name is on it has no idea.
    • by nomadic ( 141991 )

      If the FBI somehow got their private key the cold storage wouldn't do much.

      • by NFN_NLN ( 633283 )

        1. ???
        2. ???
        3. ??? (original)
        4. The FBI gets their hands on the private key of your cold wallet.

        You're doing it wrong. Normally you only have an unreasonable or impossible step for #3.

        • Doing it wrong as he may be, he's right.

          They got the private key. They don't say how ($5 wrench?) but they have it, and used it to seize its contents.
          It's in the warrant.
      • by gweihir ( 88907 )

        If the FBI somehow got their private key the cold storage wouldn't do much.

        That will only realistically happen after they have gotten their hands on whoever has the keys to the cold wallet and they managed to get cooperation out of that person.

        • by Kaenneth ( 82978 )

          Torture is generally unreliable because the people would say anything, even lies to make you stop.

          But if there is an instantly verifiable password you want...

    • Explain why the 'hackers' wouldn't be using a cold wallet. They sound like fall guys.

      You seem to think that these "hackers" are like Dade and Kate hacking the Gibson, full of brains and skill (but likely without the dose of bad 90s acting).
      More likely they are just a bunch of criminal morons. Ransomware generators are bought easily all over the internet. You get a nice customisable piece of malware with idiot proof checkboxes to determine functionality, and you just find some way to get it in the system which is also easily done by paying someone for a user and password database and seeing

    • by ghoul ( 157158 )
      The whole story sounds fishy to me. If the hackers are based in Russia why is the wallet in California. Sounds much more plausible this is US govt run ransomware. No need to raise corporate taxes via Congress. Just do ransomware attack, have the company pay ransom, then magically capture the Bitcoin and add it to the Federal budget as proceeds of crime. Higher corporate taxes achieved with no messy Congress budget needed.
      • You're suggesting a budget measured in trillions is having a massive spending increase covered by a secretive ransomware campaign worth mere millions? Oh boy.
      • by skids ( 119237 )

        This was ransomware-as-a-service. The sellers of the ransomware were the ones in Russia. Who knows who was buying. You think if you go to someone selling ransomware services and do foolish things with your wallet that the ransomware vendor is going to hold your hand and teach you to do it right? No, they'll just give you your cut and let you get busted, as long as they are confident that they have covered their tracks... or in this case, don't need to.

    • by Jeremi ( 14640 )

      Explain why the 'hackers' wouldn't be using a cold wallet. They sound like fall guys.

      One possible explanation: the "hackers" aren't as smart as they might think they are. Not every criminal is a criminal mastermind.

  • "Victim funds were seized from that wallet, preventing Darkside actors from using them," he said.

    What does "seized" even mean in this context? Is that the same "seized" as in "I know your public key" or is this something more impressive, such as identifying the wallet's owners?

    • Or waterboarding the wallet's owners until they give up the credentials?

    • As I understand it, this, along with the criminal group's public dissolution, is part of their "good lord, we went too far and don't want a CIA wet team to visit us" contingency plan.

    • If I had to guess, I would say that the money was seized at the point where they tried to convert it to fiat currency and introduce it into the traditional banking network. Many more possibilities exist for the governments to seize a wire transfer depending on the institution that it transits.

    • by gweihir ( 88907 )

      "Victim funds were seized from that wallet, preventing Darkside actors from using them," he said.

      What does "seized" even mean in this context? Is that the same "seized" as in "I know your public key" or is this something more impressive, such as identifying the wallet's owners?

      It pretty much means "hacked the wallet", likely due to some abysmal OpSec fail on the attacker side (the irony!), but not identified anybody connected. Likely not done by the FBI at all, but by the NSA TAO and the FBI just takes credit. The most plausible way this goes is that they hacked the machine the wallet was on and then waited for somebody to access it and recorded the passphrase. After that the wallet is theirs, but identifying people can still be somewhere from exceptionally hard to impossible.

    • It probably means they asked Coinbase, where the bitcoins ended up, to hand over the assets.
    • Is that the same "seized" as in "I know your public key" or is this something more impressive, such as identifying the wallet's owners?

      Nope. They know their *private key* and used it to transfer money away from the wallet's owners. How they obtained the private key is an interesting question.

  • Piss off the hackers and they'll break back in and this time ask you for 440 million. Just get on with it and tighten your shit up!
    • Re:Not a good idea (Score:5, Interesting)

      by timeOday ( 582209 ) on Monday June 07, 2021 @03:23PM (#61463604)
      I think the opposite - this is a huge blow to ransomware because if they can seize the payments, the motive disappears.

      As for "just have perfect cybersecurity and nothing bad can happen to you," it's not realistic.

      • by lsllll ( 830002 )

        I doubt it. Hackers will find ways to get paid.

        As for these hackers, they may be pissed off enough that they'd just hack back in and do a whole bunch of shit the company wouldn't be able to recover from.

        • by gweihir ( 88907 )

          Hacking a target with reasonable security is actually pretty hard and expensive.

          • And the hacking should be legalized.

            That will make targets treat their security seriously.

            Imagine if there is ever serious trouble with China. They will do a much better job at hacking than some random crooks. And with the current state of security they could shut the country down. Or worse.

            We need more hackers, more ransoms paid. Until it becomes technically virtually impossible.

            • And the hacking should be legalized.

              That will make targets treat their security seriously.

              Imagine if there is ever serious trouble with China. They will do a much better job at hacking than some random crooks. And with the current state of security they could shut the country down. Or worse.

              We need more hackers, more ransoms paid. Until it becomes technically virtually impossible.

              Since the concept of Penetration Testing is easily made legal with those things called contracts, where we enlist trustworthy people to test your security, be careful with your wording here.

              The way you put it, doctors should hire convicted murderers in order to teach them how to be better doctors by having them kill people. The only thing that's "technically virtually impossible" here is trusting a criminal.

              "OK, OK, you proved your point by hacking in and draining our bank accounts...can we have our mone

    • by gweihir ( 88907 )

      Wrong. This is exactly what should happen. Next steps are to identify the attackers, but that may be hard or impossible.

      But you do something in addition: You make it very clear to the ones attacked due to their abysmally bad IT security that if this happens again, a nice wall will be found to line them against and dispose of them (figuratively, but a threat of a long prison sentence and seizure of personal assets should do the trick). Then the attackers will a) not get in again and b) if they do a nice reco

    • The Russian Mafia, or fellowship of thieves will do what they did when Cyprus froze their bank accounts. Send over a well motivated collector to personally explain it to the bank manager, to pay or die. A simple binary proposition. And they have very long memories. If one were a life insurance company, they should have the sense to cancel exec life policies, before the carnage begins - or they just send the confiscated money - silently. The good news is Russian bagmen, may in future, decide that line of oc
  • I don't know what the usual protocol for this is, but this is one case where I hope the Feds keep the money instead of giving it back to Colonial.
  • by Tokolosh ( 1256448 ) on Monday June 07, 2021 @04:25PM (#61463830)

    https://www.scribd.com/documen... [scribd.com]

    The money shot is in paragraph 34 at the end. The question becomes: How did the FBI obtain the private key?

    • drugs and a $5 wrench?
    • by kyoko21 ( 198413 )

      Sounds like the FBI had the key to begin with and whoever was mixing the funds around sent it to an address that had been previously utilized/compromised. This is why if you are to receive something, you never reuse an address. One and done.

    • by gweihir ( 88907 )

      This is pretty easy if you have the "five eyes" supporting you:
      1. Find the computer the wallet is on by large-scale network traffic analysis. Sounds impressive, but it is not. I have done this (in a research context) in the past.
      2. Hack that computer. The NSA TAO may have risked a zero-day for that. More likely the computer had just shoddy security.
      3. Change the wallet code to send you the key when opened.
      4. Wait for anybody to log in and access the wallet.
      And then you have the key.

      • by mbkennel ( 97636 ) on Monday June 07, 2021 @06:48PM (#61464274)

        I saw the Scribd document. There was a gap in time between May 9 (end of the probable hackers' movement) and then a burst of transactions on May 27 when BTC from multiple wallets were all transferred to the wallet with the private key known to the FBI.

        Hypothesis: between May 9 and May 27, the NSA was able to enter the computers of the ransomware, and install compromised wallet interface software which was bugged. The malefactors entered their authorization credentials. The NSA used those to send to a new wallet created to receive the funds.

        • by skids ( 119237 )

          Yeah it's unclear (as in probably intentionally not stated) from the warrant who caused the last transaction putting the coin in the wallet the FBI had the key to... If that wallet was under full FBI ownership that transfer would effectively be a seizure prior to getting the warrant. If it was a wallet owned by someone else but which the FBI knew the key to through other means, that would make more sense in the context of a warrant. IANAL tho.

      • by Jeremi ( 14640 )

        1. Find the computer the wallet is on by large-scale network traffic analysis. Sounds impressive, but it is not. I have done this (in a research context) in the past.

        Can you provide some details on how that process works? I'm curious.

  • The FBI can tell, say, Chase Bank: you will reverse the charge on the cash paid to the exchange.

  • and will the bitcoin exchange let them cash out?

  • Too bad if they actually convert the coin back to fiat now: they would still lose money because they probably got the coin at a high, and now with the drop in price, even if they got all the coins back, they would still lose money.

    They don't call it volatile for nothing.

  • Seems like only $2.3 has been recovered, a relatively small amount when you consider the wallet was used to collect funds from many companies, one of which was Colonial Pipeline, who paid nearly double this amount.

  • the NSA decide to give some of the bitcoin back. Maybe the FBI is trying to look relevant again by doing something other than trying and jail their political opponents.
