from Hacker News

DOJ seizes $2.3M in cryptocurrency paid to the ransomware extortionists Darkside

by nthitz on 6/7/21, 9:46 PM with 278 comments

  • by blhack on 6/8/21, 1:56 AM

    I think that the people here speculating about the FBI and private keys are greatly overestimating the competency of these hackers.

    While it's possible this is the FBI flexing some muscle that they have a backdoor into bitcoin's hashing algorithm, what seems much more likely (to me) is:

    There is a more sophisticated hacking group which created this particular ransomware package. They sell this ransomware package to less sophisticated criminals.

    (https://www.theverge.com/2021/5/10/22428996/colonial-pipelin...)

    Is it so hard to imagine a scenario where the more advanced creators of this ransomware kit gave instructions to their purchasers on things like private keys, and the end user simply ignored them?

    Somebody ignoring a warning when installing software, and that allowing the FBI to subpoena access to the server where it was running and grab this private key, seems FAR more likely to me than the FBI having a backdoor into BTC, or this all being a cover spy novel plot, or anything like that.

  • by shiado on 6/7/21, 10:42 PM

    This story makes absolutely no sense at all. The errors made by these hackers are so comical it's simply unbelievable. I'm supposed to believe some elite Russian hacking group keeps their crypto wallets running on a US host where the FBI just logs right in and snatches the private key? I'm starting to entertain the conspiracies that the future of commodities price manipulation is fake ransomware attacks. There needs to be a serious audit of CME derivatives trading. There will come a day when some oil futures trader pays a ransomware group or an employee at a pipeline company and makes billions.

  • by shiado on 6/8/21, 1:52 AM

    Here is the FBI controlled address, presumably a Coinbase deposit address

    https://www.blockchain.com/btc/address/bc1qq2euq8pw950klpjca...

    Which got funds from

    https://www.blockchain.com/btc/address/3EYkxQSUv2KcuRTnHQA8t...

    This is the wallet explorer used for clustering the wallet

    https://www.walletexplorer.com/wallet/123085fff68ee703/addre...

    I have no idea why they censored out parts of the bitcoin addresses as googling the uncensored part and transaction quantities lets you find them on countless sites.

  • by walrus01 on 6/7/21, 10:21 PM

    The most interesting and unknown question is how the DOJ/FBI came to be in possession of the private key.

  • by yamrzou on 6/7/21, 10:16 PM

    There are more technical details in the linked affidavit (page 6 and 7): https://www.justice.gov/opa/press-release/file/1402056/downl...

    They kept following transactions on the blockchain, but it's not clear how the private key came into the possession of the FBI.

  • by paulpauper on 6/7/21, 11:35 PM

    I am guessing that the key pair generation process was faulty. The FBI found an exploit in a wallet used by the hackers allowing the private key to be predicted. The prefix is bc1, which is uncommon. A few weeks ago there was such a vulnerability with Cake Wallet.

    Or they installed malware on the hacker's computers and were able to log the private key as it was generated.

    Or the hackers foolishly stored the key pairs on a server.

    Bitcoin is falling and this news does not help because it shows that some aspect is less secure than previously thought.

  • by galaxyLogic on 6/8/21, 6:27 AM

    Can someone explain simply why it is supposed to be so hard to track ransomware bitcoin payments, if all bitcoin transactions are in a shared public ledger?

    If the victim pays someone, we know which account it goes to, right? Then we know that account is criminal.

    If bitcoins move from that account to other accounts, we know that the accounts that receive them are essentially "hiding stolen goods". So they are criminal accounts as well.

    Then at some point they want to get dollars, and the FBI can catch them by following where the dollars were sent. No?

  • by alex_young on 6/7/21, 11:20 PM

    Colonial paid $4.4M in BTC around May 6th. Coindesk shows BTC/USD around $58K on May 6th.

    FBI recovers $2.3M in BTC today. Current BTC/USD around $34K today.

    34 / 58 = .58

    4.4 * .58 = 2.552

    Looks like they recovered more or less all of it?

    [1] https://www.coindesk.com/price/bitcoin

  • by dogman144 on 6/8/21, 3:10 AM

    I mean… this was just a software wallet getting owned, almost for sure. Pair that with not clicking the right AWS region and the details are likely.

    I’m curious what the wallet provider was.

  • by paxys on 6/7/21, 11:49 PM

    > The Special Prosecutions Section and Asset Forfeiture Unit of the U.S. Attorney’s Office for the Northern District of California is handling the seizure

    Hah, of course the DoJ office doing bitcoin investigations is in San Francisco.

    Also interesting that they were able to recover only $2.3M out of the $4.4M paid. I wonder if Colonial Pipeline will ever see this money.

  • by Geee on 6/8/21, 2:23 AM

    Hackers make transactions on clearnet revealing their IP address -> FBI seizes the server.

  • by ac29 on 6/8/21, 12:11 AM

    Plausible theory on how they did this here: https://twitter.com/brucedkleinman/status/140204474591697305...

    tl;dr: The hackers used the same full node wallet more than once, and the FBI was able to narrow in on an IP address because the first relay of the transactions was the same across multiple transactions. This server was in California, which allowed the FBI to seize it.

  • by h3cate on 6/7/21, 11:25 PM

    Rather than the US just "having" the key, could it not be a possibility that they in fact managed to somehow crack it? If any power could, surely it's the US, right?

  • by trhway on 6/8/21, 11:02 AM

    >As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address

    Does it mean that "tainted" BTC can be seized any time, even if the current holder may have no relation to the original crime?
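Added example (not from the thread or the DOJ filing): a pro-rata "haircut" taint walk over a constructed toy ledger, showing both the ledger-following galaxyLogic describes above and why the "tainted" BTC trhway asks about becomes a fraction once attacker coins are mixed with unrelated ones at a deposit address. Transactions, addresses and amounts are constructed; only the 63.7 BTC figure comes from the press release quoted above.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list    # (txid, vout) references to earlier outputs
    outputs: list   # (address, btc)


# Constructed sample ledger in confirmation order (hypothetical ids/addresses).
LEDGER = [
    # Victim pays the ransom to an attacker-controlled address.
    Tx("ransom", [], [("attacker_A", 75.0)]),
    # Unrelated clean coins held by a bystander.
    Tx("clean", [], [("bystander", 20.0)]),
    # Attacker forwards 63.7 BTC and keeps the rest as change.
    Tx("split", [("ransom", 0)], [("attacker_B", 63.7), ("attacker_change", 11.3)]),
    # Tainted and clean coins are combined into one exchange deposit.
    Tx("deposit", [("split", 0), ("clean", 0)], [("exchange_deposit", 83.7)]),
]


def trace_taint(ledger, seed_outputs):
    """Propagate tainted BTC through the ledger: each output of a spending
    transaction inherits taint in proportion to its share of the outputs.
    Returns {(txid, vout): tainted_btc}."""
    taint = dict(seed_outputs)
    for tx in ledger:
        tainted_in = sum(taint.get(ref, 0.0) for ref in tx.inputs)
        if tainted_in == 0.0:
            continue
        total_out = sum(btc for _, btc in tx.outputs)
        for vout, (_, btc) in enumerate(tx.outputs):
            taint[(tx.txid, vout)] = tainted_in * btc / total_out
    return taint


def tainted_received(ledger, taint):
    """Total tainted BTC ever received per address (spent or not)."""
    per_addr = defaultdict(float)
    for tx in ledger:
        for vout, (addr, _) in enumerate(tx.outputs):
            per_addr[addr] += taint.get((tx.txid, vout), 0.0)
    return dict(per_addr)


def taint_fraction(ledger, taint, txid, vout):
    """Share of one output's value that is tainted (1.0 = fully tainted)."""
    tx = next(t for t in ledger if t.txid == txid)
    return taint.get((txid, vout), 0.0) / tx.outputs[vout][1]
```

The deposit output is only about 76% tainted, which is exactly the situation where "seize the whole address" and "seize the traced proceeds" stop being the same thing.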

  • by cirowrc on 6/7/21, 10:12 PM

    Where's that sweet sweet transaction graph?

  • by Animats on 6/8/21, 7:42 AM

    This is just an early part of an investigation. Since DOJ got this far, they have leads on who did it.

    Russian hackers have been captured in Israel, Spain, Belarus... Sometimes, after the FBI identifies them, they just watch and wait.

  • by ipsin on 6/8/21, 3:18 AM

    The DoJ press release doesn't make this clear: what happens to the money now?

    Is it returned to the company, or does the DoJ keep it as an asset forfeiture?

  • by void_mint on 6/8/21, 3:37 AM

    I was told governments can't get involved in crypto, that's what makes it great? Totally anonymous? Untraceable?

  • by Haemm0r on 6/8/21, 4:10 AM

    Maybe this is just a result of good old police work: https://xkcd.com/538/

  • by joemazerino on 6/8/21, 12:59 AM

    I'm not reading how the private key for the wallet was obtained. Anyone?

  • by Black101 on 6/8/21, 12:40 AM

    They probably should have asked for Monero ... and in a self-hosted wallet.

  • by doggosphere on 6/8/21, 2:46 AM

    Looks like the criminals used CoinBase:

    https://twitter.com/thisisbullish/status/1402056137340604418...

    How amateur is that…

  • by ProjectArcturis on 6/7/21, 10:12 PM

    How? Looks like Darkside transferred the money to an exchange (Coinbase?), didn't hide it well enough, and the FBI just grabbed it?

  • by labrador on 6/7/21, 11:28 PM

    Don't they mean Putin in an agreement with the Biden administration made Darkside give some money back as a way of easing American public tensions and political fallout ahead of the summit?

  • by xwdv on 6/7/21, 11:27 PM

    Maybe this is the way to deal with ransomware, just seize stolen crypto.

  • by vmception on 6/7/21, 11:22 PM

    SHUM - Should have used Monero

    SHUTC - Should have used Tornado.cash

    SHURENVM+TC - Should have used RenVM and Tornado.cash

  • by encryptluks2 on 6/7/21, 10:19 PM

    LOL... I simply don't believe any of these press releases. For all we know, the government negotiated a deal with the cyber-attackers to create this press release as a way to try to thwart future attacks. Seriously wouldn't put it past them one bit.