According to a news release from the U.S. Department of Justice, the Federal Bureau of Investigation (FBI) has seized 63.7 BTC which allegedly represent the proceeds of a ransom payment made by Colonial Pipeline to hacker group DarkSide.
“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” said FBI Deputy Director Paul Abbate, per the release. “We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”
Acting U.S. Attorney for the Northern District of California, Stephanie Hinds, also commented on the seizure, highlighting the need “to continue improving the cyber resilience” of critical infrastructure across the nation. She added that advanced methods to improve authorities’ “ability to track and recover digital ransom payments” will continue to be developed.
The 63.7 BTC seized allegedly represent part of a ransom payment made by Colonial Pipeline, the largest pipeline system for refined oil products in the U.S., after the company fell victim to a ransomware attack carried out by the hacker group DarkSide.
Ransomware is malware that encrypts the victim's data and demands a payment, typically in cryptocurrency, in exchange for the decryption key. The attack forced Colonial to shut down its entire pipeline, halting distribution to many U.S. states and triggering gas price rises across the country.
Upon noticing that its systems were under attack, Colonial promptly reported the incident to the FBI and informed the bureau of the ransom payment it had made to DarkSide. According to the affidavit supporting the seizure, the FBI analyzed the public Bitcoin blockchain and traced the payment through the transaction graph: following which outputs were spent by which later transactions, hop by hop, and applying heuristics to attribute the funds at each hop.
The bureau was then allegedly able to identify that 63.7 BTC from the ransom payment had been transferred to a specific address for which the FBI holds the private key. Whoever holds the private key can sign transactions spending the funds at that address, which is what a seizure amounts to: moving the coins to an address the government controls.
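The tracing step described above is a forward walk over the transaction graph. The following Python example is added here to illustrate it and is not code from the article or the FBI affidavit: it builds a small constructed ledger (all txids, addresses and amounts are made up and do not correspond to the Colonial Pipeline payment), follows the ransom output to every unspent descendant, and applies the proportional ("haircut") heuristic to say how much of each resting output is attributable to the ransom once the attacker mixes in unrelated coins.

```python
"""Toy forward trace of a Bitcoin payment through the transaction graph.

Added example, not from the article or the FBI affidavit. Every txid,
address and amount below is constructed for illustration and has nothing
to do with the real Colonial Pipeline payment.
"""
from functools import lru_cache

# Constructed ledger: txid -> inputs (outpoints it spends) and outputs
# (address, amount in BTC). A transaction with no inputs stands for funds
# arriving from outside the part of the graph we model.
TXS = {
    "victim_funding": {"inputs": [], "outputs": [("victim_wallet", 75.2)]},
    # The ransom payment itself: 75 BTC to the address named in the demand.
    "ransom_tx": {"inputs": [("victim_funding", 0)],
                  "outputs": [("attacker_A", 75.0)]},
    # Attacker splits the payment: 63.7 BTC onward, the rest to an affiliate.
    "split_tx": {"inputs": [("ransom_tx", 0)],
                 "outputs": [("attacker_B", 63.7), ("affiliate_X", 11.25)]},
    # Attacker's other, unrelated coins that get mixed in at the next hop.
    "unrelated_tx": {"inputs": [], "outputs": [("attacker_C", 2.0)]},
    # Consolidation hop: ransom output plus unrelated output into a new address.
    "hop_tx": {"inputs": [("split_tx", 0), ("unrelated_tx", 0)],
               "outputs": [("seized_addr", 64.0), ("attacker_change", 1.6)]},
}


def output_at(txs, outpoint):
    """Return (address, value) of the output referenced by (txid, vout)."""
    txid, vout = outpoint
    return txs[txid]["outputs"][vout]


def build_spend_index(txs):
    """Map every spent outpoint to the txid that spends it. Outpoints absent
    from the map are unspent, i.e. the coins' current resting place."""
    return {op: txid for txid, tx in txs.items() for op in tx["inputs"]}


def trace_forward(txs, start):
    """Follow the coins paid at `start` forward to every unspent descendant.

    Returns {outpoint: (address, value_btc, tainted_btc)} for each unspent
    output that received any part of the payment. tainted_btc is the share
    attributed by the proportional ('haircut') heuristic: a transaction's
    outputs inherit the taint carried by its inputs in proportion to their
    share of the total input value (the miner fee absorbs its share too).
    """
    spent_by = build_spend_index(txs)

    @lru_cache(maxsize=None)
    def taint(outpoint):
        if outpoint == start:
            return output_at(txs, outpoint)[1]
        txid, _ = outpoint
        inputs = txs[txid]["inputs"]
        if not inputs:
            return 0.0  # funds from outside the traced graph
        tainted_in = sum(taint(i) for i in inputs)
        if tainted_in == 0.0:
            return 0.0
        total_in = sum(output_at(txs, i)[1] for i in inputs)
        return output_at(txs, outpoint)[1] * tainted_in / total_in

    result = {}
    for txid, tx in txs.items():
        for vout, (addr, value) in enumerate(tx["outputs"]):
            op = (txid, vout)
            if op in spent_by:
                continue  # already moved on; keep following the chain
            t = taint(op)
            if t > 0.0:
                result[op] = (addr, value, t)
    return result


if __name__ == "__main__":
    for op, (addr, value, t) in sorted(trace_forward(TXS, ("ransom_tx", 0)).items()):
        print(f"{op[0]}:{op[1]} -> {addr}: holds {value:.4f} BTC, "
              f"{t:.4f} BTC attributable to the ransom")
```

The walk itself is deterministic: every spend is on the public ledger. The heuristic part is the attribution. Under a "poison" rule every descendant output is tainted in full, so `seized_addr` holds 64.0 tainted BTC; under the haircut rule it holds about 62.05 BTC of ransom money because 2.0 BTC of unrelated coins were mixed in at `hop_tx`. Any such attribution is evidence to support a warrant, not proof of who controls a key, which is why the seizure still needed the private key itself.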
The affidavit did not explain how the FBI came to control the private key for the address used by DarkSide. Bitcoin's censorship resistance means nobody can reverse or block a confirmed transaction, but it offers no protection to a key that falls into someone else's hands: whoever obtains the key can spend the coins. The seizure therefore comes down to how the key was obtained. One possibility is that the address belonged to a custodial wallet, in which case the custodian, not DarkSide, held the key and could be compelled to hand over the funds. Another is that the key sat in an unencrypted wallet file on a system the FBI gained access to, from which it could simply be copied. Lastly, the FBI could have recovered the key material through forensic examination of a server or device used by the attackers.
According to a tweet from Blockstream CEO Adam Back, the FBI obtained a subpoena granting access to a rented cloud server used by the hackers, which allowed it to seize the bitcoin.