Last month was not very kind to Colonial Pipeline. The firm suffered a huge ransomware attack, and as a result the United States suffered a widespread fuel shortage. Such was the extent of the damage that the Government had to declare a state of emergency in 17 states. Against all advice, however, Colonial decided to pay the gang behind the attack. It paid around $4.4 million, equivalent to 75 Bitcoins at the time of payment, for a decryption tool that would help it get its data back. As expected, the decryption tool didn’t work. But finally something good happened: the FBI was able to recover 63.7 of the Bitcoins that Colonial Pipeline paid as ransom. But how could they?
Bitcoin and Anonymity
Those aware of how Bitcoin works are also privy to the fact that it offers anonymity by design. A Bitcoin address (or wallet) is nothing but a cryptographic key. The Bitcoin network allows tracking of transactions, but it doesn’t reveal the identity of the sender or the receiver.
Further, cryptocurrencies are not managed by a centralised agency such as a bank. Bitcoin is a decentralised network. If you transfer a certain amount of Bitcoin into another person’s Bitcoin wallet, there’s no one in between who can possibly reverse the transaction. Therefore, even if the receiver of the funds doesn’t hold up his end of the bargain, there’s no way to get the funds back unless the receiver himself agrees. No legal process can help you, period.
So how did the FBI recover the Bitcoins?
If you read the above section diligently, you would remember that a Bitcoin address is nothing but a cryptographic key. In our explainer on Blockchain, we drew an analogy to help you understand.
"Every person in the block-chain has 2 keys, a public key and a private key. Both these keys are called a key-pair. These are then used to encrypt the transaction. It helps to understand these private and public keys using everyday comparisons. The public key is like the postal address to a person that other people may know or can find out. It is using the public key that one person transacts with another in the block-chain. The other key is the private key that is to be kept very safe and secure as this is the key that “unlocks” the transaction. The private key can be thought to be comparable to the key that unlocks your mailbox. Only you have it, and it is stowed away in a safe place. A combination of the public and private key forms an encrypted unique digital signature for each individual on the block-chain allowing them to control ownership of their account or “post-box”."
What we understand from the above analogy is: you can identify a Bitcoin wallet using a public key; and you can unlock it or transfer funds from it using the private key.
So the FBI can trace transactions, even when several of them are used to split the funds in one wallet across multiple wallets. Once the FBI identifies the wallets, that is, their public keys, it needs the private keys of those wallets to transfer the Bitcoins to itself.
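The ledger tracing described above can be shown as an added example (not code from the FBI, the affidavit or this article). The transaction ids, addresses and intermediate hops are constructed and fees are ignored; only the 75 BTC paid and the 63.7 BTC that reached one address come from the article.

```python
from collections import defaultdict

SAT = 100_000_000  # satoshis per bitcoin; integers avoid float rounding

# Constructed ledger: txid -> (inputs as (txid, output index), outputs as
# (address, satoshis)). Every txid, address and intermediate hop is made up,
# and fees are ignored; only the 75 BTC paid and the 63.7 BTC that reached
# one address come from the article.
LEDGER = {
    "tx_ransom": ([], [("addr_ransom", 75 * SAT)]),
    "tx_split": ([("tx_ransom", 0)],
                 [("addr_hop1", 40 * SAT), ("addr_hop2", 35 * SAT)]),
    "tx_hop1": ([("tx_split", 0)], [("addr_final", 40 * SAT)]),
    "tx_hop2": ([("tx_split", 1)],
                [("addr_final", 2_370_000_000), ("addr_other", 1_130_000_000)]),
}


def trace_forward(ledger, start_txid, start_index=0):
    """Follow one output through every later spend on the ledger.

    Returns (satoshis still unspent per address, hops), where each hop is
    (spending txid, receiving address, satoshis). Every output of a spending
    transaction is treated as derived from the traced funds.
    """
    # Index: which transaction spends each (txid, output index)?
    spent_by = {outpoint: txid
                for txid, (inputs, _) in ledger.items()
                for outpoint in inputs}
    resting, hops = defaultdict(int), []
    seen, expanded = set(), set()
    stack = [(start_txid, start_index)]
    while stack:
        outpoint = stack.pop()
        if outpoint in seen:
            continue
        seen.add(outpoint)
        txid, index = outpoint
        address, amount = ledger[txid][1][index]
        spender = spent_by.get(outpoint)
        if spender is None:
            resting[address] += amount  # unspent: the funds sit at this address
        elif spender not in expanded:
            expanded.add(spender)
            for i, (to_addr, to_amount) in enumerate(ledger[spender][1]):
                hops.append((spender, to_addr, to_amount))
                stack.append((spender, i))
    return dict(resting), hops
```

Calling `trace_forward(LEDGER, "tx_ransom")` returns the addresses where the traced funds currently sit and the chain of hops that led there, which is the information needed to name a specific address in a seizure warrant.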
In its press release, the FBI hasn’t explained how it got hold of the private keys. However, it says that a U.S. Magistrate Judge for the Northern District of California authorized the seizure warrant. It further mentions:
“As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the “private key,” or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address. This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering and may be seized pursuant to criminal and civil forfeiture statutes.”
How could the FBI have got the private key?
Those private keys are hard to get. Users often protect this key with a password. Here are some of the ways that any law enforcement agency may use to retrieve private keys.
Collaborate with crypto exchanges. Crypto exchanges operate throughout the world. These exchanges have two types of wallets: cold wallets (offline) and hot wallets (online). If the funds are in a hot wallet, chances are that the exchange holds the private keys, and the user only has a password.
Arrest or get information from a person involved in the criminal enterprise. The easiest way to go about this is to get hold of a person involved. Once that person reveals the password, you can seize the Bitcoins. Law enforcement can also seize computer hardware from the accused and use it to extract passwords and private keys.
Hacking/forensics. If the funds are not in a hot wallet but in a cold wallet, it gets a lot more difficult. The best bet is to perform computer forensics to extract the private key, and even its password, from seized computers. If you don’t have the luxury of seized computers, then there is also a way which is highly glamorous and also unlikely to work: implant spyware on a target machine to extract the private key and its password.
We should learn from the mistakes of others. Don’t pay ransomware operators. Today’s ransom is tomorrow’s attack. And there’s no guarantee that the decryption tool will work, or that law enforcement will be lucky or competent enough to retrieve the lost Bitcoins.
Invest in cyber security. Cuz sometimes even if you get lucky and get your Bitcoins back, Bitcoin could plummet to half by the time you get it back. When the FBI retrieved those 63.7 out of 75 Bitcoins, their value had almost halved, from $4.4 mn to $2.3 mn.