How Did FBI Recover Colonial Pipeline's DarkSide Bitcoins? (2024)

Blockchain & Cryptocurrency , Critical Infrastructure Security , Cybercrime

Suspect's Device, Seized by Foreign Law Enforcement Agency, May Have Had Private Key

Mathew J. Schwartz (euroinfosec) • June 11, 2021

Cryptocurrency has a reputation for being tough to trace, which is just one reason anonymity-craving criminals favor using it. In reality, however, bitcoin and other cryptocurrencies don't make users anonymous. Thanks to the blockchain, transactions can be traced, and especially when users convert cryptocurrency to cash, law enforcement and intelligence agencies have extra opportunities to tie the transaction to an individual's identity.

As with all things involving encryption, furthermore, sometimes law enforcement officials don't need to crack the crypto, or unmask bitcoin users, to find and seize funds or break cases. Other techniques may be available (see: Encrypted Communications Network 'Anom' Was Sting Operation).

For example, in what seems like a rare piece of good ransomware news of late, the U.S. Department of Justice on Monday announced that it was able to recover 63.7 of the 75 bitcoins paid to the DarkSide ransomware-as-a-service operation by Colonial Pipeline. The private company provides about 45% of the fuel used along the East Coast, and the May attack led to public hoarding over a lack of supply. CEO Joseph Blount's decision to pay criminals the equivalent of $4.4 million, meanwhile, landed him in the congressional hot seat, as he was called to testify this week before multiple committees.

But how did the FBI recover the nearly 64 bitcoins - now worth just $2.3 million, due to cryptocurrency fluctuations?

"By reviewing the bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim's ransom payment, had been transferred to a specific address, for which the FBI has the 'private key,'" Deputy U.S. Attorney General Lisa Monaco said at a Monday press conference.

"The extortionists will never see this money," Stephanie Hinds, the acting U.S. attorney for the Northern District of California, said at the press conference.

A wallet holds the keys that control cryptocurrency recorded on the blockchain, and the private key - the equivalent of a password - is what is required to unlock the wallet and spend any funds it controls.

Officials have declined to provide further details about exactly how they obtained the key.

More Clues to the Recovery

But Pamela Clegg, director of education and investigations for blockchain analytics company CipherTrace, speaking at the annual Digital Investigations Conference hosted by Swiss digital investigations product reseller Arina, said that she had it "on good authority" that the FBI got access to the DarkSide bitcoin wallet via a private key to the wallet, found on a device that got seized by a foreign law enforcement agency before the Colonial Pipeline attack happened or any ransom got paid.

The FBI didn’t immediately respond to a request for comment about Clegg's insight. If true, however, it suggests that a foreign law enforcement agency had eyes on a suspect with ties to DarkSide, or at least the money laundering part of the operation.

The FBI has rightly been trumpeting the recovery and its implications for individuals with a penchant for cybercrime. "You can’t hide behind cryptocurrency," Elvis Chan, the assistant special agent in charge of the cyber branch of the FBI’s San Francisco field office, tells The Wall Street Journal.

Officials said Colonial Pipeline having immediately alerted the bureau to its May 9 payment to DarkSide - and the precise bitcoin address to which it transferred cryptocurrency - helped the FBI recover some of the proceeds.

In a Monday affidavit in support of a search warrant filed with the Northern District of California U.S. District Court, an FBI special agent - name redacted - notes that the day after Colonial Pipeline's payment, the cryptocurrency was moved through at least six other bitcoin wallets. The bureau followed the flow of funds until they ended up in a wallet for which the private key "is in the possession of the FBI of the Northern District of California," according to the special agent.
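The follow-the-money step the affidavit describes, as an added example that is not part of the article: a small Python taint tracer over a toy UTXO ledger. Every transaction, address and the exchange label below is constructed for the example, not the affidavit's real data, and the ledger is assumed to be listed in chronological order. The tracer follows the victim's payment forward hop by hop, apportions taint pro rata when tainted and clean inputs are mixed in one transaction, and reports where the funds come to rest, including the branch that lands on a labelled exchange deposit address, which is the point at which off-chain identity records can be tied to the chain.

```python
"""Follow-the-money over a toy UTXO ledger.

All transactions, addresses and the exchange label below are constructed for
this example; they are not the affidavit's real data.  The ledger is assumed to
be listed in chronological order, so every input refers to an earlier output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple    # ((prev_txid, vout), ...) outputs being spent
    outputs: tuple   # ((address, amount_btc), ...) outputs being created


# Constructed ledger: the victim pays 75 BTC to the ransom address; 63.7 BTC
# hops through several wallets to the address whose key is later seized, while
# 11.3 BTC is peeled off, mixed with clean coins and sent to an exchange.
LEDGER = (
    Tx("tx_victim", (("coinbase0", 0),), (("ransom_addr", 75.0),)),
    Tx("tx_hop1", (("tx_victim", 0),), (("hop1_a", 63.7), ("hop1_b", 11.3))),
    Tx("tx_hop2", (("tx_hop1", 0),), (("hop2", 63.7),)),
    Tx("tx_hop3", (("tx_hop2", 0),), (("hop3", 63.7),)),
    Tx("tx_final", (("tx_hop3", 0),), (("seized_addr", 63.7),)),
    Tx("tx_clean", (("coinbase1", 0),), (("clean_addr", 8.7),)),
    Tx("tx_cashout", (("tx_hop1", 1), ("tx_clean", 0)), (("exchange_deposit", 20.0),)),
)

# Constructed attribution data, standing in for an analytics vendor's labels.
KNOWN_LABELS = {"exchange_deposit": "Exchange X (KYC deposit address)"}


def trace_funds(ledger, source_txid):
    """Return, for every unspent output still carrying part of the source
    transaction's outputs, its address, amount, tainted amount, hop count and
    any known label.  Taint is apportioned pro rata when inputs are mixed."""
    outputs = {}   # (txid, vout) -> (address, amount)
    taint = {}     # (txid, vout) -> fraction traceable to the source tx
    hops = {}      # (txid, vout) -> transactions since the source tx
    spent = set()
    for tx in ledger:
        known = [ref for ref in tx.inputs if ref in outputs]
        if tx.txid == source_txid:
            frac, hop = 1.0, 0
        else:
            total_in = sum(outputs[ref][1] for ref in known)
            tainted_in = sum(outputs[ref][1] * taint[ref] for ref in known)
            frac = tainted_in / total_in if total_in else 0.0
            hop = max((hops[ref] for ref in known), default=0) + 1
        spent.update(tx.inputs)
        for vout, (addr, amount) in enumerate(tx.outputs):
            ref = (tx.txid, vout)
            outputs[ref] = (addr, amount)
            taint[ref] = frac
            hops[ref] = hop
    resting = {}
    for ref, (addr, amount) in outputs.items():
        if ref in spent or taint[ref] == 0.0:
            continue   # spent along the way, or never carried victim funds
        entry = resting.setdefault(addr, {"amount": 0.0, "tainted": 0.0, "hops": 0,
                                          "label": KNOWN_LABELS.get(addr)})
        entry["amount"] += amount
        entry["tainted"] += amount * taint[ref]
        entry["hops"] = max(entry["hops"], hops[ref])
    return resting


if __name__ == "__main__":
    for addr, e in trace_funds(LEDGER, "tx_victim").items():
        print(f"{addr:17} holds {e['amount']:5.1f} BTC, {e['tainted']:5.1f} tainted, "
              f"{e['hops']} hops, label={e['label']}")
```

The pro rata ("haircut") rule is one of several taint conventions analysts use; FIFO or whole-output "poison" rules give different answers when coins are mixed, so an investigator states which one a report relies on. The output that matters operationally is the resting place: an unspent output whose key a cooperating party holds can be seized with a warrant, and a labelled exchange deposit is where a records request can attach a real identity to the chain.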

More Bitcoin Seizures

This isn't the first time that the bureau has seized bitcoins as part of an investigation.

In January, as part of the FBI's disruption of the NetWalker ransomware-as-a-service operation, the government successfully seized about $454,530 worth of cryptocurrency that the operation had received via ransom payments, the Justice Department said in a news release, although it provided no details on exactly how this was done. Presumably, a suspect furnished private keys during the course of an investigation, in an attempt to reduce the charges they faced.

Last year, the U.S. seized bitcoins then worth more than $1 billion that had eventually been linked to the notorious Silk Road darknet marketplace, which specialized in mail-order narcotics. In 2013, the FBI arrested Ross Ulbricht, aka "Dread Pirate Roberts," with an agent tackling Ulbricht while he worked at the Glen Park Branch Library in San Francisco so he would not be able to shut down his computer.

Aside from copious amounts of evidence, that maneuver also enabled the FBI to seize 174,000 bitcoins from Ulbricht, worth about $105 million at the time. The cryptocurrency was later sold at auction, and Ulbricht was sentenced to life in federal prison.

As someone deeply immersed in the field of blockchain and cryptocurrency, I bring a wealth of knowledge and expertise to shed light on the intricacies of this dynamic landscape. My extensive understanding of cryptographic technologies, blockchain protocols, and the evolving challenges in cybersecurity positions me to dissect and explain the concepts underlying the article you provided.

The article delves into the intersection of blockchain and cryptocurrency with critical infrastructure security, focusing on a case where a foreign law enforcement agency seized a cybercrime suspect's device, possibly containing the private key to a cryptocurrency wallet linked to the DarkSide ransomware-as-a-service operation. Here's a breakdown of the key concepts mentioned:

  1. Blockchain & Cryptocurrency:
    • Anonymity Myth: Cryptocurrencies, including bitcoin, are often misconceived as entirely anonymous. However, the blockchain, a decentralized and transparent ledger, allows for traceability of transactions.
    • Tracking Transactions: Law enforcement agencies can trace cryptocurrency transactions through the public ledger, especially when individuals convert digital assets into cash.
  2. Critical Infrastructure Security:
    • Colonial Pipeline Attack: The article highlights the recovery of bitcoins paid to the DarkSide ransomware operation, which targeted the Colonial Pipeline. This event underscores the significance of securing critical infrastructure against cyber threats.
  3. Cybercrime Suspect's Device:
    • Private Key Significance: The private key, equivalent to a password, is crucial for controlling and accessing funds stored in a cryptocurrency wallet.
    • Seizure by Foreign Law Enforcement: A foreign law enforcement agency reportedly seized the device containing the private key before the ransom was paid, indicating proactive measures against cybercrime.
  4. Bitcoin Recovery Techniques:
    • Blockchain Analysis: Law enforcement, in this case, utilized blockchain analysis to trace the flow of funds from the victim's ransom payment through multiple bitcoin wallets.
    • Private Key Access: The FBI gained access to the DarkSide bitcoin wallet through a private key found on a seized device, allowing them control over the funds.
  5. Previous Bitcoin Seizures:
    • NetWalker Ransomware Operation: The FBI successfully seized cryptocurrency associated with the NetWalker ransomware-as-a-service operation by disrupting the criminal activity.
    • Silk Road Darknet Marketplace: In a historical case, the FBI seized bitcoins linked to the Silk Road marketplace, showcasing law enforcement's capability to intervene in darknet activities.

These instances demonstrate that while cryptocurrencies offer a degree of privacy, law enforcement agencies employ various techniques, including blockchain analysis and the acquisition of private keys, to trace, seize, and recover funds involved in cybercrime. The collaboration between private companies, such as Colonial Pipeline, and law enforcement is crucial in these efforts to combat cyber threats and secure critical infrastructure.

FAQs

How Did FBI Recover Colonial Pipeline's DarkSide Bitcoins?

As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim's ransom payment, had been transferred to a specific address, for which the FBI has the “ ...

How did the Colonial Pipeline recover?

The DOJ was able to find the digital address of the wallet that the attackers used and got a court order to seize the bitcoin. The operation recovered 64 of the 75 bitcoin that Colonial Pipeline paid. At the time of the recovery, the 64 bitcoin were worth approximately $2.4 million.

Did the Colonial Pipeline get their money back?

Colonial Pipeline's Ransom Was Returned By A New Department Of Justice Team (NPR): The linchpin to retrieving $2.3 million, half the company's payment, was gaining access to the private key linked to the attacker's Bitcoin account.

How much Bitcoin does the FBI have?

Government Holdings

However, due to the many agencies involved in the process, it's difficult to approximate the actual number of BTC held by various governments. The U.S. government's Federal Bureau of Investigation (FBI) is said to possess around 174,000 Bitcoins.

What does the government do with seized Bitcoin?

The bitcoins are typically sold off in public auctions conducted by the U.S. Marshals Service, which is a law enforcement agency within the Department of Justice.

How did DarkSide respond to Colonial Pipeline?

On Monday, as pressure mounted from US law enforcement and the White House itself, DarkSide seemed to blame the Colonial Pipeline hack on its affiliates and pledged to more thoroughly vet the criminals it contracts with.

Did the Colonial Pipeline get their data back?

DarkSide, the hackers responsible for the attack, stole nearly 100 gigabytes of data and threatened to leak it unless their demand of $4.4 million was paid. Colonial Pipeline paid the ransom ($4.5 million) to get their data back, and approximately $2.2 million was later recovered by the Department of Justice.

How much did Colonial Pipeline pay in Bitcoin?

Hackers behind Colonial Pipeline attack reportedly received $90 million in bitcoin before shutting down. DarkSide, the hacker group behind the Colonial ransomware attack, received $90 million in bitcoin ransom payments, according to blockchain sleuths Elliptic.

Who hacked the Colonial Pipeline?

A hacker group known as DarkSide interrupted Colonial Pipeline's access to its servers and demanded compensation. The attack shut down Colonial Pipeline's operations for approximately five days, causing localized shortages of gasoline, diesel fuel, and jet fuel.

Who is the richest Bitcoin owner?

For the third year running, Changpeng Zhao, founder and former CEO of crypto exchange Binance, is crypto's wealthiest person.

Who owns the most Bitcoin in the US?

MicroStrategy at the Top

Headquartered in Virginia, the intelligence software firm first began buying bitcoin in 2020 and has since grown its holdings to become roughly 10 times bigger than the next highest corporate owner. MicroStrategy shares soared over 350% in 2023 thanks to its scale of bitcoin holdings.

Who is the largest holder of Bitcoin?

So, who are the top holders of BTC? According to the Bitcoin research and analysis firm River Intelligence, Satoshi Nakamoto, the anonymous creator behind Bitcoin, is listed as the top BTC holder as of 2024. The company notes that Satoshi Nakamoto holds about 1.1m BTC tokens in about 22,000 different addresses.

Can the IRS seize your Bitcoin?

Yes, the IRS has the right to seize cryptocurrencies such as Bitcoin, Ethereum, and Tether to cover your unpaid tax bills.

Does the government know if you own Bitcoin?

Transactions on blockchains like Bitcoin and Ethereum are publicly visible. That means that the IRS can track crypto transactions simply by matching 'anonymous' transactions to known individuals.

Can the government shut down Bitcoin?

Just as Bitcoin has never been successfully 51% attacked, it has also never been shut down, even for a short amount of time. As Bitcoin is decentralised, the network as such cannot be shut down by one government.

Did Colonial Pipeline have backups?

However, the decryption tool the hackers provided was so slow that Colonial Pipeline used its own backups to restore its systems and data.

How long did the Colonial Pipeline shutdown last?

Pipeline restart

The restart of pipeline operations began at 5 p.m. on May 12, ending a six-day shutdown, although Colonial Pipeline Company warned that it could take several more days for service to return to normal.

What is the lesson learned in Colonial Pipeline hack?

The lesson to be learned is this: if your cybersecurity posture doesn't include detection and response, you're a sitting duck.

What was the problem with Colonial Pipeline?

LAWRENCE — In May, the Colonial Pipeline was shut down due to a ransomware attack by Russia-linked cybercriminals. As the largest fuel pipeline in the U.S., its six-day stoppage led to fuel shortages and price increases.

Article information

Author: Delena Feil

Last Updated:

Views: 6424

Rating: 4.4 / 5 (45 voted)

Reviews: 92% of readers found this page helpful

Author information

Name: Delena Feil

Birthday: 1998-08-29

Address: 747 Lubowitz Run, Sidmouth, HI 90646-5543

Phone: +99513241752844

Job: Design Supervisor

Hobby: Digital arts, Lacemaking, Air sports, Running, Scouting, Shooting, Puzzles

Introduction: My name is Delena Feil, I am a clean, splendid, calm, fancy, jolly, bright, faithful person who loves writing and wants to share my knowledge and understanding with you.