Colonial Pipeline attack: How did the FBI recover the ransom money?
The FBI claimed it recovered millions of dollars in Bitcoin paid as ransom during the attack against the Colonial Pipeline — a feat that is now generating more questions than answers.
The Justice Department and the FBI announced Monday that they had seized 63.7 bitcoins (worth about $2.3 million at the time) from a Bitcoin wallet thought to be controlled by cybercriminals tied to a Russia-based collective called DarkSide, which operates on a "ransomware-as-a-service" model. Recovery of the cryptocurrency ransom from its presumably savvy holders, especially in such a short time, left many experts stunned.
While many details about the operation to recover the funds remain unclear, perhaps the biggest mystery, and the one that has so many people scratching their heads, is how the FBI managed to obtain the "private key" needed to sign transfers out of the criminals' specific Bitcoin address. In the realm of cryptocurrency, a private key functions like a password: whoever holds it can authorize moving the funds, and nobody without it can. It is therefore closely guarded, especially among groups handling such large amounts of stolen money. Experienced Bitcoin holders typically keep their private keys off internet-connected machines entirely, using "cold wallets" instead.
The news that the long arm of the law could seize the ransom shook the cryptocurrency markets, with Bitcoin falling by roughly 10% on Tuesday. Some of that selloff was likely attributable to the jitters some investors have about government regulation, and to anxiety caused by seeing that the FBI could hunt down and return the funds.
But how did the FBI manage to pull off the feat? April Falcon Doss, executive director of the Institute for Technology Law and Policy at Georgetown Law, said that there are several theories, although some are more plausible than others.