The New York Times: The FBI used traditional methods to crack the Colonial Pipeline hacker's private key and seized 63.7 bitcoins in stolen money

When Bitcoin burst onto the scene in 2009, its followers hailed the cryptocurrency as a revolutionary financial tool that could be traded securely, decentralized and anonymously outside the traditional financial system.

Criminals who often operate in the shadowy reaches of the internet flocked to Bitcoin to conduct illegal transactions without revealing their names or locations. The digital currency quickly became popular with drug dealers and tax evaders, among other criminals.

But in the recent Colonial Pipeline ransomware attack, federal officials have recovered most of the bitcoin ransom payments, exposing a serious problem with bitcoins: they are not as hard to track as cybercriminals believe.

On Monday, the Justice Department announced it had tracked down 63.7 of the 75 bitcoins, or about $2.3 million of the $4.3 million that Colonial Pipeline paid to hackers, according to The New York Times. The ransomware attack shut down the company’s computer systems, sparking fuel shortages and soaring gasoline prices across much of the eastern United States.

The fact that federal investigators tracked the flow of ransom money through at least 23 different electronic accounts belonging to the hacking group DarkSide before gaining access to one account, The New York Times has learned, suggests that law enforcement is growing up with the industry.

That’s because the ability of cryptocurrencies to transfer money instantly without a bank’s permission could also be exploited by law enforcement to track and seize criminals’ funds at the speed of the internet.

Bitcoin is also traceable. While the digital currency can be created, moved and stored outside the purview of any government or financial institution, every payment is recorded on a permanent, fixed ledger called a blockchain.

This means that all Bitcoin transactions are public. Anyone with access to the blockchain can view the Bitcoin ledger.

“It’s digital breadcrumbs,” said Kathryn Haun, a former federal prosecutor and investor at venture capital firm Andreessen Horowitz. “As long as there’s a trail, law enforcement can follow it pretty well.”

Ms. Horowitz added that the Justice Department seized much of the ransom with “astonishing” speed, helped by the hackers’ use of cryptocurrency. By contrast, getting records from banks often takes months or years of paperwork and bureaucracy, especially when those bank accounts are stashed overseas, she said.

Deputy U.S. Attorney General Lisa Monaco announced on Monday the recovery of part of the Colonial Pipeline ransom.

Cryptocurrency experts say that given the public nature of the ledger, all law enforcement needs to do is figure out how to link criminals to the digital wallets that store bitcoins. To do that, authorities will likely focus on so-called "public keys" and "private keys." A public key is a string of numbers and letters that a bitcoin holder uses to transact with others, while a "private key" is used to keep a wallet safe and is known only to the wallet's owner. Tracing a user's transaction history, authorities say, requires only figuring out the public key they control.

Seizing assets requires obtaining private keys, which is more difficult. It is unclear how federal agents obtained the DarkSide private keys.

Marc Raimondi, a Justice Department spokesman, declined to provide more information about how the FBI seized DarkSide's private keys. According to court documents, investigators obtained the password to one of the hackers' Bitcoin wallets, but they did not elaborate on how.

Cryptocurrency experts explained to the New York Times that the FBI did not appear to rely on any potential vulnerabilities in blockchain technology and may have simply relied on traditional police work to complete the operation.

Federal agents could seize DarkSide's private keys by inserting human spies into DarkSide's network, hacking into the computers where its private keys and passwords are stored, or forcing the service that holds its private wallets to hand over the keys through a search warrant or other means.

"If they can get the private keys, then they can lock up the money," said Jesse Proudman, founder of cryptocurrency investment site Makara. "Just putting it on the blockchain doesn't absolve it of that fact."

The FBI has partnered with several companies that specialize in tracking cryptocurrency in digital accounts, according to The New York Times. As law enforcement agencies and banks try to stay ahead of financial crime, startups with names like TRM Labs, Elliptic and Chainalysis have sprung up to track cryptocurrency payments and flag possible criminal activity.

Their technology tracks blockchains, looking for patterns of illegal activity, similar to how Google and Microsoft identify and block mailboxes that are spewing spam.

“Cryptocurrencies allow us to use these tools to track money and financial flows along the blockchain in a way that we can’t do with cash,” Ari Redbord, head of legal affairs at TRM Labs, a blockchain intelligence company that sells analytical software to law enforcement and banks, told The New York Times. He previously served as a senior adviser on financial intelligence and terrorism at the Treasury Department.

Some longtime cryptocurrency enthusiasts said the recovery of most of the bitcoin ransoms was a victory for the legitimacy of digital currencies. They said it would help change the negative image of bitcoin as a playground for criminals.

Hunter Horsley, CEO of cryptocurrency investment firm Bitwise Asset Management, said: "In case after case, the public is slowly being proven that Bitcoin is good for law enforcement and bad for crime, which is obviously contrary to what many people have historically believed."

Cryptocurrencies have become increasingly mainstream in recent months. Companies like PayPal and Square have expanded their cryptocurrency services. Coinbase, a startup that allows people to buy and sell cryptocurrencies, went public in April and is now valued at $47 billion. Last weekend, a bitcoin conference in Miami attracted more than 12,000 attendees, including Twitter CEO Jack Dorsey and former boxer Floyd Mayweather Jr.

As more and more people use Bitcoin, most people obtain digital currency through centralized intermediaries such as cryptocurrency exchanges in a way similar to traditional banks. In the United States, anti-money laundering and identity verification laws require such services to know who their customers are and establish a connection between identity and account. Customers must upload government identification when registering.

Ransomware attacks have put unregulated cryptocurrency exchanges under the microscope. Cybercriminals have flocked to thousands of high-risk exchanges in Eastern Europe that do not comply with these laws.

In the wake of this ransomware attack, some financial experts have proposed banning cryptocurrencies.

Lee Reiners, executive director of the Center for Global Financial Markets at Duke University School of Law, wrote in the Wall Street Journal: “We can live in a world with cryptocurrencies or a world without ransomware, but we can’t have it both ways.”

Cryptocurrency experts say hackers may have tried to make their bitcoin accounts more secure. Some cryptocurrency holders go to great lengths to store their private keys away from any connection to the internet, in so-called "cold wallets." Some memorize the string of numbers and letters. Others write them down on paper, although these can be obtained through search warrants or special police investigations.

“The only way to get true immutable characteristics for an asset class is to remember the keys and not have them written anywhere,” Mr Proudman said.

Mr. Raimondi, of the Justice Department, said the Colonial Pipeline ransom seizure was part of a special operation by federal prosecutors to recover illegally obtained cryptocurrency. He said the Justice Department has “seized numerous funds, in the hundreds of millions of dollars” from uncustodial cryptocurrency wallets used in criminal activity.

In January, the Justice Department took down another ransomware group, NetWalker, which used ransomware to extort money from municipalities, hospitals, law enforcement agencies and schools.

As part of the operation, the department obtained approximately $500,000 in cryptocurrency from NetWalker that was obtained from ransomware victims.

“While these individuals believe they are operating anonymously in the digital space, we have the skills and time to identify and prosecute these criminals and seize their criminal proceeds to the fullest extent of the law,” Maria Chapa Lopez, then-U.S. Attorney for the Middle District of Florida, said in announcing the case.

In February, the Justice Department said it had warrants to seize nearly $2 million in cryptocurrency stolen by North Korean hackers and deposited into accounts at two different cryptocurrency exchanges.

Last August, the department also released a complaint stating that North Korean hackers stole $28.7 million in cryptocurrency from a cryptocurrency exchange and then laundered the proceeds through a Chinese cryptocurrency money laundering service. The FBI traced the funds to 280 cryptocurrency wallets.

"Cryptocurrencies are actually more transparent than most other forms of value transfer, especially compared to cash," said Madeleine Kennedy, a spokeswoman for Chainalysis, a startup that tracks cryptocurrency payments.