The Empire Strikes Back — Did the DOJ Hack the Colonial Pipeline Hackers?

Now, we are in no way confusing the cyber-criminal enterprise DarkSide with the plucky light-side rebels from Star Wars, but it appears the United States Department of Justice has seized 63.7 bitcoins, worth $2.3 million, paid to DarkSide following the May 7 ransomware attack against Colonial Pipeline. The attack resulted in a highly publicized, brief shutdown of the company’s pipeline infrastructure, which transports approximately 45% of the oil consumed on the U.S. East Coast; the shutdown took days to resolve and created widespread gasoline shortages in some parts of the country. The seizure was coordinated through the DOJ’s recently created Ransomware and Digital Extortion Task Force, which was formed to address increasing ransomware and digital extortion attacks against U.S. businesses.

The story is big news because ransoms are rarely recovered.  Typically, the victim of a ransomware attack transfers the ransom to the hackers, who then move the funds through hundreds of other wallets, and the money is essentially gone forever.  Even if the payments can be tracked to particular accounts, it is rarer still for investigators to be able to unlock those accounts.  So the question on everyone’s mind is: how did the DOJ unlock the account holding the ransom?

According to documents filed in the U.S. District Court for the Northern District of California, Colonial Pipeline provided investigators with the bitcoin address of the hackers it paid on May 8.  The hackers then moved the funds through at least six more addresses by the next day.  On May 13, DarkSide told affiliates that its servers and other infrastructure had been seized, but did not provide any details.  On May 27, the FBI seized 63.7 bitcoins traced to the Colonial ransom when the funds landed at a final address.  Impressive.
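The tracing described in the two paragraphs above (funds hopping from the ransom address through further addresses until they come to rest) is exactly what a public ledger makes possible: every spend references the output it consumes, so an investigator can walk forward from a known address. The following is an added example, not part of the original article and not the FBI's or any vendor's tooling. It builds a small constructed ledger (all txids, addresses and amounts are made up) in Bitcoin's UTXO style and follows a seed address forward to wherever the funds are still unspent. It uses the simplest "poison" heuristic, in which every output of a transaction that spends traced coins is itself treated as traced; real chain-analysis tools refine this with FIFO or haircut heuristics, which are not shown here.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Outpoint = Tuple[str, int]  # (txid, output index) - what a later input spends


@dataclass(frozen=True)
class TxOut:
    address: str
    sats: int  # amount in satoshi; integers avoid floating-point rounding


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[Outpoint, ...]   # outpoints consumed by this transaction
    outputs: Tuple[TxOut, ...]     # new outputs created by this transaction


# Constructed sample ledger (hypothetical txids, addresses and amounts).
# "tx_pay" models the victim's ransom payment; tx_h1..tx_h6 model the hops.
LEDGER: List[Tx] = [
    Tx("tx_pay", (("tx_victim", 0),), (TxOut("addr_ransom", 75_0000_0000),)),
    Tx("tx_h1", (("tx_pay", 0),), (TxOut("addr_b", 75_0000_0000),)),
    # the hop splits the funds: most continue on, a smaller slice is peeled off
    Tx("tx_h2", (("tx_h1", 0),), (TxOut("addr_c", 63_7000_0000),
                                  TxOut("addr_d", 11_3000_0000))),
    Tx("tx_h3", (("tx_h2", 0),), (TxOut("addr_e", 63_7000_0000),)),
    Tx("tx_h4", (("tx_h3", 0),), (TxOut("addr_f", 63_7000_0000),)),
    Tx("tx_h5", (("tx_h4", 0),), (TxOut("addr_final", 63_7000_0000),)),
    # the peeled slice goes elsewhere, slightly less because of a network fee
    Tx("tx_h6", (("tx_h2", 1),), (TxOut("addr_exchange_deposit", 11_2900_0000),)),
    # unrelated activity that the trace must not pick up
    Tx("tx_other", (("tx_unrelated", 0),), (TxOut("addr_z", 5_0000_0000),)),
]


def index_spenders(ledger: List[Tx]) -> Dict[Outpoint, str]:
    """Map every spent outpoint to the txid that consumed it."""
    spent: Dict[Outpoint, str] = {}
    for tx in ledger:
        for outpoint in tx.inputs:
            spent[outpoint] = tx.txid
    return spent


def trace_forward(ledger: List[Tx], start_address: str):
    """Follow funds paid to start_address until they reach unspent outputs.

    Returns (resting, paths, touched):
      resting - address -> satoshi still sitting unspent on traced outputs
      paths   - one address chain per resting output, from the seed onward
      touched - every address (other than the seed) that received traced funds
    """
    txs = {tx.txid: tx for tx in ledger}
    spent = index_spenders(ledger)

    # Seed the search with every output that paid the start address.
    queue: deque = deque()
    for tx in ledger:
        for i, out in enumerate(tx.outputs):
            if out.address == start_address:
                queue.append(((tx.txid, i), [start_address]))

    seen: Set[Outpoint] = set()
    resting: Dict[str, int] = defaultdict(int)
    paths: List[List[str]] = []
    touched: Set[str] = set()

    while queue:
        outpoint, path = queue.popleft()
        if outpoint in seen:          # the same output can be reached once only
            continue
        seen.add(outpoint)
        spender = spent.get(outpoint)
        if spender is None:           # unspent: the traced coins rest here
            out = txs[outpoint[0]].outputs[outpoint[1]]
            resting[out.address] += out.sats
            paths.append(path)
            continue
        # "Poison" taint: every output of the spending tx is treated as traced.
        for i, out in enumerate(txs[spender].outputs):
            touched.add(out.address)
            queue.append(((spender, i), path + [out.address]))

    return dict(resting), paths, touched


if __name__ == "__main__":
    resting, paths, touched = trace_forward(LEDGER, "addr_ransom")
    for addr, sats in resting.items():
        print(f"{addr}: {sats / 1e8:.8f} BTC still unspent")
    for p in paths:
        print(" -> ".join(p))
    print(f"{len(touched)} addresses touched after the ransom address")
```

Run as a script it prints where the traced coins rest and the address chain that led there; the split at the second hop is why two chains appear and why the totals at rest are slightly below the ransom (the fee on the peeled slice). Identifying the holder of a resting address, and whether its private key can be obtained, is an entirely separate step that no ledger analysis answers.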

So how did the FBI get the private key?  The FBI disclosed in its application for a warrant that it held the private key for that bitcoin address, which is what allows whoever holds it to move the funds.  The FBI has not, however, disclosed how it obtained the key.  There are a few possibilities.  First, it is possible someone close to the attack tipped off the FBI.  Second, the attackers may have been careless.  The FBI noted that it had been investigating DarkSide since last year.  It is possible the FBI got access to communications that provided clues to the private key, or access to a private server holding information about the private key.  Third, the FBI may have received assistance from the cryptocurrency exchange through which the bitcoin had been moving from account to account.  Fourth, the FBI could have hacked the key on its own.  The most likely scenario is that the attackers were careless, and the FBI was able to capitalize on their carelessness to uncover the private key.

The good news for the crypto community is that law enforcement was able to track down and recover much of the bitcoin.  Contrary to the perception that cryptocurrency is untraceable, it appears the public blockchain made it easier in this case to track and recover the ransom than it would have been had the ransom been paid in fiat.  We may never know how the FBI obtained the private key in this case, but if the DOJ is successful in recovering future ransom payments, it may shed some additional light on this case and others.

Copyright ©2021 Nelson Mullins Riley & Scarborough LLP