How could the FBI recover BTC from Colonial’s ransomware payment?

The cybersecurity buzz of the week is the intriguing – and highly unusual – aftermath of the Colonial Pipeline ransomware attack.

Colonial runs the largest American supply pipeline for refined petroleum products, capable of shifting about 500 million litres a day of various fuels, including gasoline (petrol), jet fuel, diesel and heating oil, between Texas and the North Eastern US.

At least, that’s how much the pipeline can move if it’s not shut down, something that happened recently in the aftermath of a ransomware attack by a cybercrime gang known as DarkSide.

Even though law enforcement groups around the world urge ransomware victims not to pay up (as we know only too well, today’s ransomware payments directly fund tomorrow’s ransomware attacks), Colonial apparently decided to hand over what was then $4.4 million in bitcoins anyway.

We assume that the company hoped that the decryption tool promised by the blackmailers would help them unscramble the computers on the network faster than doing the job using conventional recovery tools, and thus get fuel flowing again sooner…

…but by many accounts the decryption tool was a dud, and didn’t speed things up at all.

No backsies with Bitcoin

At this point, whether you’ve ever been the victim of cryptocurrency extortion yourself or not, you’re probably thinking, “Ouch. No backsies with Bitcoin.

Cryptocurrencies aren’t managed or regulated by any central authority such as a financial institution, so transferring cryptocoins to someone you don’t know and can’t identify is like handing over a suitcase full of cash to someone you’ve never met before and wouldn’t recognise again.

If you change your mind, or the seller doesn’t deliver the promised product, or the product turns out not to be fit for purpose, then the only way you’re going to get a refund is if the seller agrees to it.

There’s no clearing house who could reverse the transaction; no legal protection built into the process; no regulator or ombudsman to handle any appeal you might make; and, in all likelihood, there’s no easy or reliable way of identifying the seller even if there were a well-defined international process for settling cryptocurrency disputes.

Despite all that, however, the latest news is that the FBI – which can’t have been terribly happy with Colonial in the first place for paying anything at all to the DarkSide gang – has apparently managed to claw back 63.7 of the 75 bitcoins handed over by the beleaguered company.

Sadly, the value of Bitcoin has taken a tumble since last month, so even though 85% of the bitcoins involved in the blackmail payment were recovered, they’re now worth about 50% of what they cost when Colonial purchased them to do its deal with the criminals. What we can’t tell you is whether the FBI will hodl onto the recouped BTC in the hope of a price recovery, or cash out now in case the value falls further.

How was that possible?

That probably leaves you wondering, “How on earth was that possible, and if it could be done for Colonial, who paid up in the face of advice not to do so, why can’t it be done for everyone who has ever been blackmailed for cryptocoins by cybercrooks?

The answer is that although most Bitcoin ownership is anonymous, and although there is no regulatory or baked-in way to force the reversal of unwanted or unlawful transactions…

…every Bitcoin payment ends up in someone’s Bitcoin wallet, and every wallet has a private key by means of which the contents of that wallet can be spent, i.e. transferred onwards to someone else’s Bitcoin wallet.

That’s because Bitcoin transactions are based on public-key cryptography, which you can think of as a lock that comes with two different keys, rather than just one: the first key secures the lock, but only the second key can open it up again.

The idea, greatly simplified, is that you can publish the first key, known unsurprisingly as the public key, so that anyone can “lock up” data for you; but as long as you keep the second key, the private key, to yourself (the hint is in the name!), then only you can ever unlock and view that data, whatever it might be.

And that, simplified yet further, is very loosely how BTC transations work: your Bitcoin wallet address, derived from your public key, can be used by anyone to “lock away” funds so that they “belong” to you.

But the public key can’t subsequently unlock those funds to spend them onwards. (Note, however, that the transactions by means of which bitcoins get spent don’t require a password or cryptographic key – the transaction ledger, or blockchain, is a matter of public record.)

In order to release the funds to pass them onto someone else, you need your own private key to “unlock” the bitcoins from your own wallet before you can transfer the contents to the Bitcoin wallet of the next person in the chain.

In practice, you can’t split up the funds in a wallet before you make a payment. If you have, say, 4 bitcoins in your wallet, you have to spend them all at once. But you can split them between multiple recipients. so you can pay me, say, BTC0.5 and pay BTC3.5 back to yourself, less the transaction fees that pay for the work done by the BTC community to approve the transaction, a process known as “mining”. Also, although all transactions end up in a wallet, not all wallets can actually be spent. If the wallet’s owner has lost the private key, or has destroyed it on purpose (known as “burning” cryptocurrency), then recovering the missing key by brute force is computationally unfeasible and the funds in that wallet are essentially locked up forever.

Follow the chain

So, if the FBI were able to get hold of the private key of the Bitcoin wallet or wallets where Colonial’s ransom payment ended up, then it could simply transfer those funds to itself (assuming that it had permission from a court to do so, of course), whether it knew who owned those wallets or not.

(We said “wallet or wallets” above because cybercrooks often make haste to split incoming payments many different ways into numerous different wallets, precisely to make following the chain of transactions more complex and troublesome.)

And that is what seems to have happened in this case.

Exactly how the FBI managed to get hold of the relevant private keys is part of its tradecraft that it understandably hasn’t explained, but the Department of Justice (DOJ) press release says:

As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the “private key,” or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address. This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering and may be seized pursuant to criminal and civil forfeiture statutes.

Why doesn’t this happen every time?

Of course, this raises the question, “Why doesn’t law enforcement do this for everyone who ever gets scammed by crooks?

The answer is that it’s simply not always possible: loosely speaking, the recipient of the criminal transaction needs to make some sort of operational blunder; and the organisation trying to track down the errant bitcoins typically needs to put in a lot of effort as well as enjoying at least a little bit of good luck.

Bitcoin private keys are usually not only kept private, but also stored in encrypted form so that you need a password to unlock the private key before you can begin to unlock the funds secured by that private key. (You can think of the private key as a bank ATM card, and the top-level decryption key as the PIN that you need before the card can actually be used to do anthing.)

Here are some of the ways a law enforcement team like the FBI, trying to recover criminalised bitcoins, might end up with the cryptographic data they need to do the job.

Don’t forget, however, that cybercrooks themselves can use any or all of these techniques to steal legitimately owned cryptocoins from you – and the crooks don’t have the complexity of applying to a court for formal legal approval first:

  • Implant a spyware tool on your computer to search for files and record keystrokes. With a bit of luck, implanted spyware might not only be able to exfiltrate your private key, but also figure out the password needed to unlock it. Offline cryptocurrency wallets and private keys of this sort are known in the trade as “cold wallets”, because they’re not meant to be accessible online.
  • Work with a cryptocurrency exchange to access data stored there. Some cryptocurrency fans keep at least some of their funds in what are known as “hot wallets”, meaning that they trust a third party that runs a cryptocoin trading site with their private key so that they can quickly buy and sell cryptocoins online. Legitimate exchanges can and will work with law enforcement if required by warrant, and if the exchange has your wallet and your private key, it can hand them over. (Also, the exchange could get hacked, or, if the exchange itself is crooked, run off with your cryptocurrency itself.)
  • Hit the jackpot by subverting an insider. One or more people inside the DarkSide ransomware crew would have had access to the ill-gotten funds, so the FBI could have acquired the intelligence it needed from them. Similarly, if you tell other people your cryptocoin passwords, they could sell you out or simply steal the funds themselves, in much the same way that they could make phantom withdrawals from your bank account if you told them the PIN of our ATM card.

What to do?

Although it’s a relief that FBI recovered a large chunk of the funds in this case, possibly at least in part because of poor tradecraft on the part of the crooks, it’s not so great to lose cryptocoins of your own – or, for that matter, to lose any private data or encryption keys you meant to keep to yourself.

Our tips, therefore, are:

  • Don’t put all your cryptocoins in hot wallets. When you entrust your savings or your wage payments to a bank, you are doing so with years of regulatory scrutiny and protection to back you up. In the cryptocurrency world, however, you are largely on your own if something goes wrong. Don’t keep more than you can afford to lose in a hot wallet.
  • Don’t keep all your data online all the time. Ironically, perhaps, one important defence against ransomware in the first place is to maintain an offline backup, ideally one that is also off-site. Keeping your cryptocoins, as well as any truly private or critical data, offline – is a similarly useful precaution.
  • Don’t expect to keep a secret such as a Bitcoin password or ATM PIN if you tell it to other people. As Benjamin Franklin is supposed to have said, “Three people can keep a secret, if two of them are dead.” Remember: If in doubt, don’t give it out.
  • Don’t expect to get your money back like Colonial did. You need to think of cryptocoin recovery as a rare exception, not as a common rule. As explained above, it typically requires a high-profile case, plus strong operational intelligence, plus a bit of plain old luck, for law enforcement to achieve a result like this.


A video from our What to do When… series on the Naked Security YouTube channel.

(Watch directly on YouTube if the video won’t play here.)

Don’t fall for this porn scam – even if your password’s in the subject!