Experts are still puzzling out how the FBI clawed back most of the bitcoins that a pipeline operator paid as ransom to an affiliate of the DarkSide hacker — but they say there’s nothing about the matter that shows the cryptocurrency network is insecure.
Rather, the hacker or hackers simply made some kind of elementary blunder that let the FBI take the coins, analysts said.
“Basically it is theft from a wallet due to poor security practices from a wallet owner,” Jonothon Miller, managing director at crypto exchange Kraken Australia, told Stockhead.
“You can’t hack the bitcoin blockchain. It’s pretty much impossible and would break the whole network.”
The FBI wasn’t able to recover all 75 bitcoin paid by Colonial Pipeline, but they took back 63.7 coins – 85 per cent.
Court papers indicated that the FBI had the private key to the wallet — the rough equivalent of a password — but gave no indication as to how they got it.
“The ‘obtained the private key’ part of their statement is doing a lot of work,” Nicholas Weaver, a lecturer at the computer science department at University of California, Berkeley, told KrebsOnSecurity.
“It is ONLY the Colonial Pipeline ransom, and it looks to be only the affiliate’s take.”
There was some speculation that the ransom was able to be seized because the hackers had tried to move it through Coinbase — but both the exchange and the FBI shot that down.
2/ Coinbase was not the target of the warrant and did not receive the ransom or any part of the ransom at any point. We also have no evidence that the funds went through a Coinbase account/wallet.
— Philip Martin (@SecurityGuyPhil) June 8, 2021
The FBI did not do this by seizing a Coinbase account, source familiar tells me.
— Kevin Collier (@kevincollier) June 7, 2021
Coinbase’s director of security also tweeted that a line in the FBI affidavit mentioning Northern California didn’t mean much.
7/ So how did they get the private key? Maybe some whiz-bang magic, but my guess would be it was some good ol’ fashioned police work to locate the target servers, and an MLAT request and/or some…