How Did the Feds Seize the Colonial Pipeline Ransomware Bitcoins?

When Colonial Pipeline was hit with a ransomware attack in early May, the firm—which transports some 45 percent of the East Coast’s fuel supply—shut down its operations as a precaution and paid the ransom, reportedly 75 bitcoins (about $4.4 million then). Fuel shortages ensued, and the US government announced it would intensify its focus on ransomware hacks.

On Monday, the United States Department of Justice made a surprising announcement: it claimed to have recovered a majority of the cryptocurrency ransom paid, some 63.7 BTC—about $2.1 million now, due to a weakened cryptocurrency market. It’s an unexpected postscript to a story that many assumed was already complete, as the pseudonymous nature of cryptocurrency seemingly makes such ransom payments incredibly difficult to claw back. Now, the question on many crypto-watchers’ minds is: how did the feds seize the bitcoins?

According to the Justice Department’s Monday announcement, it traced movement of the ransom payment on the Bitcoin blockchain from the original digital wallet to others, with that 63.7 BTC sum discovered in a wallet that the FBI obtained the private key to unlock. A cryptographic private key corresponds to the public key, which is a Bitcoin address, and ownership of the private key confers ownership of the funds. In fact, there’s a common saying in crypto: “Not your keys, not your coins.”

Officials have so far been coy. An FBI official would not confirm the exact method of how it obtained the private key for the wallet, telling reporters that “it doesn’t matter where the Bitcoin wallet is—the FBI still can get access,” tweeted NBC News correspondent Geoff Bennett.

We do know a few things, though. An affidavit filed by an FBI officer viewed by Motherboard notes that the bureau tracked the movement of funds on the blockchain. The affidavit simply notes that “the private key for the Subject Address is in the possession of the FBI in the Northern District of California.”

A warrant viewed by Motherboard shows that a judge in San Francisco authorized the seizure of funds at a Bitcoin address and noted that the “property” (in this case the funds to be seized) was “located in the Northern District of California.” This doesn’t tell us much, but the document’s existence suggests that the feds could have obtained the key by executing a warrant at an entity in California. 

Nick Neuman, CEO of Bitcoin security firm Casa, told Motherboard that there are three potential scenarios for how the Justice Department reclaimed much of Colonial Pipeline’s Bitcoin ransom. The warrant suggests that the wallet could have been held by either a crypto exchange or custodial service with servers in California, which would be within the grasp of the feds. “This would be a pretty rookie mistake on the hackers' part in securing their Bitcoin,” said Neuman, but it makes sense based on the available information.

Another scenario could have had the hackers holding the Bitcoin within their own custody on a server, albeit one based within the US. The FBI could then track the server’s IP address and compel the hosting service to give up control of the server, which could have held the private keys as well. 

“This actually seems like a pretty reasonable guess at what happened,” said Neuman, especially since it seems less like a “rookie mistake” on their part, “and it also doesn't require the FBI to find the hacker's physical location.” A message from a DarkSide leader in May claimed that a law enforcement disruption meant the group had lost access to its web servers and that funds had been drained from its payments server, suggesting something like this occured.

That last option, that the FBI tracked down the hackers to a physical location in Northern California and seized their offline hardware wallet and keys, is the least likely, Neuman said. 

In any case, Neuman said that any suggestions that the US government had somehow cracked Bitcoin’s private key encryption were false. “This is not true, and is in fact impossible unless the FBI has created a usable quantum computer without anyone knowing about it,” said Neuman.

Government agencies often rely on chain analysis tools, such as those provided by firms like Chainalysis and Elliptic, to help trace the flow of payments on a cryptocurrency’s blockchain. Bitcoin is the best-known cryptocurrency, and all transactions are on a public, immutable ledger—so while they may not have names and identifying information attached, it is possible to make connections between transactions and wallets. 

If the illicit crypto funds end up in a wallet held by an exchange or custodian within their jurisdiction, then law enforcement may be able to freeze or gain access to the cryptocurrency within. Given the nature of the blockchain, Neuman said that Bitcoin is easier to trace than cash (despite perceptions), and the tracing tools are only becoming more and more sophisticated.

“Many people misunderstand Bitcoin's usefulness in ransomware,” he said. “As law enforcement gets better at tracing Bitcoin payments using chain analysis tools, I expect it will become more difficult for hackers to use Bitcoin to receive payment in ransomware attacks.”