
Security lapse, not ‘hack’, likely behind FBI’s recovery of ransomware Bitcoins

Experts are still puzzling out how the FBI clawed back most of the bitcoins that a pipeline operator paid as ransom to an affiliate of the DarkSide hacker group — but they say there’s nothing about the matter that shows the cryptocurrency network is insecure.

Rather, the hacker or hackers simply made some kind of elementary blunder that let the FBI take the coins, analysts said.

“Basically it is theft from a wallet due to poor security practices from a wallet owner,” Jonothon Miller, managing director at crypto exchange Kraken Australia, told Stockhead.

“You can’t hack the bitcoin blockchain. It’s pretty much impossible and would break the whole network.”

The FBI wasn’t able to recover all 75 bitcoin paid by Colonial Pipeline, but they took back 63.7 coins – 85 per cent.

Court papers indicated that the FBI had the private key to the wallet — the rough equivalent of a password — but gave no indication as to how they got it.

“The ‘obtained the private key’ part of their statement is doing a lot of work,” Nicholas Weaver, a lecturer at the computer science department at University of California, Berkeley, told KrebsOnSecurity.

“It is ONLY the Colonial Pipeline ransom, and it looks to be only the affiliate’s take.”

There was some speculation that the ransom was able to be seized because the hackers had tried to move it through Coinbase — but both the exchange and the FBI shot that down.

Coinbase’s director of security also tweeted that a line in the FBI affidavit mentioning Northern California didn’t mean much.


Some pointed to an apparent hack of the DarkSide group’s servers last month, possibly by a US military intelligence unit.

Cybersecurity firm Recorded Future reported on May 14 that soon after US President Joe Biden said the US planned to disrupt the DarkSide group, the hackers declared they had lost control of their web servers and some of their funds.

“A few hours ago, we lost access to the public part of our infrastructure, namely: Blog. Payment server. CDN [content delivery network] servers,” one of the hackers wrote in a post spotted by a Recorded Future analyst.

“Now these servers are unavailable via SSH, and the hosting panels are blocked,” wrote “Darksupp,” complaining that the web hosting provider refused to cooperate.

“In addition, the Darkside operator also reported that cryptocurrency funds were also withdrawn from the gang’s payment server, which was hosting ransom payments made by victims,” Recorded Future wrote.

If the private key had been hosted on those servers — or if the US cyberattack had somehow been able to infiltrate DarkSide’s individual computers — then that could explain how the FBI came into possession of the private key.

The US might have also simply obtained the private key through a warrant, since much internet infrastructure is located in America, particularly California.

In any case, if the hacker had simply used a hardware wallet such as a Trezor or a Ledger – which cost around $100 – their millions of dollars in Bitcoin would almost certainly be safe.

It might seem ridiculous that a hacker might be so computer illiterate, but CNN reported last month that the attack was relatively unsophisticated.

“David Kennedy, the president of the cybersecurity firm TrustedSec, noted that DarkSide’s business model is to provide attackers with limited skills the funding and resources they need to actually launch the attacks, providing a platform that both parties can profit off of,” the network reported.

The hacker made a “gross miscalculation” in attacking a high-risk target that deals in a low-margin business, a source told CNN, noting the hacker likely hadn’t anticipated that their attack would lead to the pipeline shutdown and emergency White House meetings.

‘Unrelated to Bitcoin’

Jeff Yew, the founder and chief executive of Brisbane-based Bitcoin fund Monochrome Asset Management, told Stockhead that the FBI’s actions were unrelated to the Bitcoin network.

“Imagine the FBI subpoena an email provider to gain access to a person of interest’s email history,” he said. “You wouldn’t associate FBI’s actions to the Internet protocol.”

It’s worth reminding people that digital assets are pseudonymous, not anonymous, Yew said.

“Bitcoin sits on a public ledger more transparent than the banking system,” he wrote in a text message.

“That’s also one of the reasons why cash is still the preferred tool for online cybercriminals. The recent 2020 ACCC report … highlighted that online scams involving bank transfers are up 40% from previous year, at AUD $79 million.”


The post Security lapse, not ‘hack’, likely behind FBI’s recovery of ransomware Bitcoins appeared first on Stockhead.
