August 5, 2021

Volume XI, Number 217


The Empire Strikes Back — Did the DOJ Hack the Colonial Pipeline Hackers?

Now we are in no way confusing the cyber-criminal enterprise DarkSide with the plucky light-side rebels from Star Wars, but it appears the United States Department of Justice seized 63.7 bitcoins, worth about $2.3 million, paid to the cyber-criminal enterprise DarkSide following the May 7 ransomware attack against Colonial Pipeline. The attack resulted in a highly publicized, brief shutdown of the company's pipeline infrastructure, which transports approximately 45% of the fuel consumed on the U.S. East Coast; the shutdown took days to resolve and created widespread gasoline shortages in some parts of the country. The seizure was coordinated through the DOJ's recently created Ransomware and Digital Extortion Task Force, which was formed to address increasing ransomware and digital extortion attacks against U.S. businesses.

The story is big news because ransoms are rarely recovered. Typically, the victim of a ransomware attack transfers the ransom to the hackers, who then move the funds through hundreds of other wallets, and the funds are essentially gone forever. Even when the payments can be traced to particular addresses, actually seizing the funds is rarer still, because spending from a bitcoin address requires the private key that controls it. So the question on everyone's mind is how did the DOJ get control of the address holding the ransom?

According to documents filed in the U.S. District Court for the Northern District of California, Colonial Pipeline provided investigators with the bitcoin address of the hackers it paid on May 8. The hackers then moved the funds through at least six more addresses by the next day. On May 13, DarkSide told affiliates that its servers and other infrastructure had been seized, but did not provide any details. On May 27, 63.7 bitcoins traced to the Colonial ransom landed at a final address, and the FBI seized them from that address. Impressive.
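The hop-by-hop tracing described above, as an added example that is not part of the original article or of any court filing: a small Python tracer run over a constructed ledger. The transaction IDs, addresses and amounts are hypothetical (a 75-coin payment split so that 63.7 coins travel on is a constructed figure, not taken from the filings), and the ledger uses Bitcoin's unspent-transaction-output model, where each input names the earlier output it spends. The tracer follows every output paid to a starting address forward until the funds come to rest, and can also print the chain of addresses between two points.

```python
from collections import deque

# Constructed sample ledger (hypothetical txids, addresses and amounts; not the
# real Colonial Pipeline transactions). Each input is a (txid, vout) reference
# to the output it spends, as in Bitcoin's UTXO model. t3 splits off a share to
# a second address, t10/t11 are unrelated noise.
LEDGER = [
    {"txid": "t1",  "inputs": [],          "outputs": [("victim_addr", 75.0)]},
    {"txid": "t2",  "inputs": [("t1", 0)], "outputs": [("ransom_addr", 75.0)]},   # the ransom payment
    {"txid": "t3",  "inputs": [("t2", 0)], "outputs": [("hop1", 63.7), ("affil", 11.3)]},
    {"txid": "t4",  "inputs": [("t3", 0)], "outputs": [("hop2", 63.7)]},
    {"txid": "t5",  "inputs": [("t4", 0)], "outputs": [("hop3", 63.7)]},
    {"txid": "t6",  "inputs": [("t5", 0)], "outputs": [("hop4", 63.7)]},
    {"txid": "t7",  "inputs": [("t6", 0)], "outputs": [("hop5", 63.7)]},
    {"txid": "t8",  "inputs": [("t7", 0)], "outputs": [("hop6", 63.7)]},
    {"txid": "t9",  "inputs": [("t8", 0)], "outputs": [("final_addr", 63.7)]},    # where the funds rest
    {"txid": "t10", "inputs": [],          "outputs": [("noise", 5.0)]},
    {"txid": "t11", "inputs": [("t10", 0)], "outputs": [("noise2", 5.0)]},
]


def build_spend_index(ledger):
    """Map each spent output (txid, vout) to the txid that consumes it.

    A valid ledger spends each output at most once; anything else is a
    double spend and a sign the input data is corrupt."""
    spent_by = {}
    for tx in ledger:
        for ref in tx["inputs"]:
            if ref in spent_by:
                raise ValueError(f"double spend of {ref}")
            spent_by[ref] = tx["txid"]
    return spent_by


def _seed_outputs(ledger, address):
    """All outputs (txid, vout) that pay the given address."""
    return [(tx["txid"], vout)
            for tx in ledger
            for vout, (addr, _amt) in enumerate(tx["outputs"])
            if addr == address]


def trace(ledger, start_address):
    """Follow funds paid to start_address forward through the ledger.

    Uses the simple 'poison' taint rule: every output of a transaction that
    spends a tainted output is itself tainted (an assumption; real tracing
    tools weigh splits and mixes more carefully). Returns sorted
    (address, amount, hops) tuples for tainted outputs that are still unspent,
    i.e. where the traced funds currently rest; hops counts transfers after
    the initial payment."""
    by_id = {tx["txid"]: tx for tx in ledger}
    spent_by = build_spend_index(ledger)
    queue = deque((ref, 0) for ref in _seed_outputs(ledger, start_address))
    seen, resting = set(), []
    while queue:
        ref, hops = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        addr, amt = by_id[ref[0]]["outputs"][ref[1]]
        nxt = spent_by.get(ref)
        if nxt is None:                      # unspent: funds are parked here
            resting.append((addr, amt, hops))
            continue
        for vout in range(len(by_id[nxt]["outputs"])):
            queue.append(((nxt, vout), hops + 1))
    return sorted(resting)


def path_to(ledger, start_address, target_address):
    """Breadth-first search for the chain of addresses the funds passed
    through from start_address to target_address (inclusive). Returns None
    if no flow connects the two."""
    by_id = {tx["txid"]: tx for tx in ledger}
    spent_by = build_spend_index(ledger)
    parents = {ref: None for ref in _seed_outputs(ledger, start_address)}
    queue = deque(parents)
    while queue:
        ref = queue.popleft()
        if by_id[ref[0]]["outputs"][ref[1]][0] == target_address:
            path = []
            while ref is not None:            # walk parent pointers back to the seed
                path.append(by_id[ref[0]]["outputs"][ref[1]][0])
                ref = parents[ref]
            return path[::-1]
        nxt = spent_by.get(ref)
        if nxt is None:
            continue
        for vout in range(len(by_id[nxt]["outputs"])):
            child = (nxt, vout)
            if child not in parents:
                parents[child] = ref
                queue.append(child)
    return None


if __name__ == "__main__":
    for addr, amt, hops in trace(LEDGER, "ransom_addr"):
        print(f"{amt} coins resting at {addr} after {hops} hops")
    print(" -> ".join(path_to(LEDGER, "ransom_addr", "final_addr")))
```

Two practical caveats. First, the trail is only this clean while the funds stay on-chain; once they are deposited with an exchange or pass through a mixer, the on-chain graph stops identifying who controls the output, and the investigator needs records from the custodian instead. Second, tracing answers "where are the coins", not "who holds the key": knowing the final address gives no way to spend from it, which is exactly why the private-key question in the next paragraph matters.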

So how did the FBI get the private key? The FBI disclosed in its application for a seizure warrant that it had the private key for that bitcoin address. The FBI has not, however, disclosed how it obtained the key. There are a few possibilities. First, it is possible someone close to the attack tipped off the FBI. Second, the attackers may have been careless. The FBI noted that it had been investigating DarkSide since last year, so it is possible the FBI got access to communications that provided clues to the private key, or to a private server holding the key itself. Third, the FBI may have received assistance from a cryptocurrency exchange through which the bitcoin had been moving; an exchange holds the private keys for the addresses it custodies on behalf of its customers. Fourth, the FBI could have compromised the attackers' systems on its own. Note that "hacking" the key from the bitcoin address alone is not a realistic option: the private key is a 256-bit secret that cannot be computed from the public address, so every one of these routes comes down to finding a stored copy of the key or a party that held it for the attackers. The most likely scenario is that the attackers were careless, and the FBI was able to capitalize on their carelessness to uncover the private key.

The good news for the crypto community is that law enforcement was able to track down and recover much of the bitcoin. Contrary to the perception that cryptocurrency is untraceable, it appears the public blockchain made it easier in this case to track and recover the ransom than it would have been had the ransom been paid in fiat: every transfer between addresses is recorded permanently and publicly, so investigators could follow the funds hop by hop. We may never know how the FBI obtained the private key in this case, but if the DOJ is successful in recovering future ransom payments, it may shed some additional light on this case and others.

Copyright ©2021 Nelson Mullins Riley & Scarborough LLP. National Law Review, Volume XI, Number 172

About this Author

Matthew G. Lindenbaum Financial Litigation Attorney Nelson Mullins
Partner

Matthew represents companies in high-stakes litigation with an emphasis on class action defense in the automotive and financial services industries, including the emerging crypto-currency industry. He also defends companies and individuals in government investigations and enforcement actions involving the United States Department of Justice, the Securities and Exchange Commission, and conducts internal investigations for companies and special board committees.

Matthew is the leader of Nelson Mullins’ Boston Litigation Team and has been...

617-217-4632
Robert L. Lindholm White Collar Defense Lawyer Nelson Mullins
Partner

Rob focuses his practice on government investigations and white collar defense, high stakes business litigation and class action defense, and e-discovery and litigation readiness. He represents financial institutions, Fortune 500 companies, private equity firms, hedge funds, and companies/individuals involved in the cryptocurrency industry in a wide array of internal/government investigations and commercial litigation.

704.417.3231
Melanie Todd Govt Investigations Attorney Nelson Mullins Law Firm
Partner

Melanie focuses her practice on internal and governmental inquiries and investigations, high-stakes litigation, and risk counseling and assessments, focusing on the life sciences and financial services industries. Melanie also assists companies with commercial disputes and advises private and governmental entities on issues related to litigation prevention, governance, data privacy, and emerging life sciences technologies.

617-217-4629