On June 7, the United States Justice Department and the Federal Bureau of Investigation (FBI) announced the “recovery” of 63.70 bitcoin from the funds Colonial Pipeline sent to the hackers. The official story has a number of inconsistencies and federal investigators did not disclose how the FBI was able to confiscate the Darkside gang’s private key.
Darkside Ransomware Gang Story Loaded With Discrepancies and a Vague Bitcoin Key Capture
The cryptocurrency space has been discussing the recent law enforcement capture of 63.7 BTC or $2.3 million worth of bitcoin at the time of seizure. There have been issues with the way the story has unfolded and people are skeptical of the official story. Bitcoin.com News reported on Monday, how the Justice Department and Deputy Attorney General Lisa Monaco revealed the seizure story. Monaco detailed that federal authorities had “turned the tables on Darkside.”
But from the very moment this story broke by a number of mainstream media outlets, there were a few discrepancies. The first was whether or not the U.S. government advised Colonial Pipeline to oblige the ransomware demands or specifically told the company to pay. If the government did tell the business to pay Darkside then it would contradict the government’s stance toward not paying ransomware hackers.
The criminals used a “Payment Server” that was easily tracked by the FBI and their physical cloud server was just found and searched for a password.
— Documenting Bitcoin 📄 (@DocumentingBTC) June 8, 2021
Another issue with the original story is when CNN originally reported on the hack, the news outlet claimed the oil company wasn’t intending to pay the ransom. According to Bloomberg, shortly after, Colonial Pipeline did pay nearly $5 million to the ransomware gang Darkside.
Besides the two contradicting elements in both CNN and Bloomberg’s stories, the articles also noted differences with the digital currency used. CNN originally reported that the payment was demanded to be paid in “bitcoin,” while Bloomberg wrote Darkside asked for “difficult-to-trace” cryptocurrencies. CNN’s article was updated after Bloomberg’s article published to reflect the same narrative.
Then there’s the fact that it is impossible to crack a bitcoin (BTC) key without forcing the owner to reveal the private key. This is a constant theme on Twitter, as the crypto community discusses the situation of how the FBI agent obtained the private key. The story’s affidavit filed on June 7, 2021, explains how law enforcement leveraged “blockchain explorers” to trace the coins. But other than that the affidavit is extremely vague and contains lots of redactions.
But how did they get the private key? Seems sketchy.
“The FBI seized control of DarkSide’s BTC by gaining access to a central account…They were able to access the private key for one of the BTC wallets. It was unclear how the key was compromised.”#ColonialPipeline $BTC #FUD
— Squanchy (@C_OneThreeSeven) June 8, 2021
The report published yesterday on Bitcoin.com News explains that executives from Blockchain Intelligence Group (CSE: BIGG) highlight that law enforcement was dependent on “training and analysis [that] requires advanced tools and learning” Other blockchain surveillance companies also followed the ransomware coins as Elliptic recently wrote about following Darkside funds.
So far between all the comments from Monaco, the Justice Department, the FBI agent’s affidavit, and comments from a few blockchain analysis teams, there are no dots that are deeply connected to how the FBI obtained ownership of the private key now in possession.
Crypto Sleuths Discover Hackers Stored Data on the Cloud, Feds Obtain Cloud Server Password via Warrant
A report published by NPR discloses three possible scenarios. One possibility, NPR’s Vanessa Romo notes is that maybe the federal agents were tipped off by an insider in the Darkside gang. The second theory is that Darkside was “careless” or a member of the gang slipped by releasing information tied to the key.
Another theory could be that the FBI was able to shakedown a third party or possibly a cryptocurrency exchange. Some people even openly attacked bitcoin’s “key selling points” that it was supposed to be “beyond the reach of the government.”
Something seems weird about this whole case. Was the BTC sent to an exchange?
— Rick McCracken DIGI (@RichardMcCrackn) June 8, 2021
The lawyer Jake Chervinsky who often comments on the blockchain and crypto space regularly said: “We don’t know exactly how FBI seized the Colonial Pipeline ransom [and] they’re not telling us. The warrant application suggests they got the private key. Maybe from the DarkSide server seizure? There’s no suggestion that an exchange or custodian was involved, but that’s possible.”
Independent journalist Jordan Schachtel gave his opinion about the situation on Twitter and told his 123,000 followers that the “FBI did not ‘hack back’ a bitcoin wallet, despite claims that they did. It’s mathematically impossible to hack private keys.” Schachtel continued:
[There is] no evidence of Russian involvement. This was all entirely avoidable if Colonial had basic security measures in place. I think it’s fair to say that it is currently impossible to hack private keys. Improbable is not strong enough language to demonstrate how unlikely it is to retain a private key through computing power. Quantum is still very much a theoretical threat.
Schachtel and many others also discovered the warrant that does indicate the U.S. government obtained the key by leveraging a warrant. The journalist said that it was possibly an exchange based in San Fransico or a database server based in the state of California.
used a rented cloud server.
FBI got a subpoena to take control of the rented server
and recover half of the total 75 #btc
The FBI didn’t “crack Bitcoin.”
They got the wallet encryption key (password) from the server. pic.twitter.com/WwHTRjiHod
— Amy Snow (@helloamysnow) June 8, 2021
The CSO at Coinbase, Philip Martin, said he saw a lot of accusations pointing at Coinbase as possibly being “involved” with the seizure. Martin and Coinbase insist that “Coinbase was not the target of the warrant and did not receive the ransom or any part of the ransom at any point. We also have no evidence that the funds went through a Coinbase account/wallet.”
The election attorney, litigator, and bitcoin practice group leader, Bryan Jacoutot, reiterated the fact that bitcoin private keys cannot be “hacked.”
“For those of you who think the US gov’t cracked SHA-256 and correctly guessed the private key of the Colonial Pipeline hackers,” Jacoutot said. “Here’s a fun fact: The size of bitcoin’s private key space is 10^77. For comparison, the amount of *atoms* in the observable universe is 10^80.”
A Twitter account called “Cthulhu” mentioned it could be a false flag and said:
So either the FBI were the hackers of the Colonial Pipeline or they don’t need a key to get anyone’s BTC. LOL. I don’t think too much thought went into doing this false flag.
“The FBI either was given the private keys or they stole them,” another individual dubbed Kingt Crypto remarked on Monday. The fact is the FBI didn’t crack a bitcoin wallet. No one can crack a secure bitcoin wallet. The FBI obtained the private keys to the Darkside funds via getting an encryption key to a cloud server by obtaining a warrant issued in San Fransico.
Currently, as the story continues to trend across the web, there are lots of skeptics questioning the ‘official’ tale told by the U.S. government.
Do you believe the federal government’s official story about the Colonial Pipeline bitcoin ransomware case? Let us know what you think about this subject in the comments section below.
Image Credits: Shutterstock, Pixabay, Wiki Commons, Twitter,
Disclaimer: This article is for informational purposes only. It is not a direct offer or solicitation of an offer to buy or sell, or a recommendation or endorsement of any products, services, or companies. Bitcoin.com does not provide investment, tax, legal, or accounting advice. Neither the company nor the author is responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods or services mentioned in this article.