
How the FBI Regained the Colonial Pipeline Ransom

After Colonial Pipeline paid about $4.4 million in cryptocurrency on May 8 to the hackers holding its computer systems hostage, the Federal Bureau of Investigation tracked the digital money.

For the next 19 days, court records show, special agents monitored the publicly visible Bitcoin ledger as the hackers moved the 75 Bitcoin to other digital addresses. On May 27, a transfer of about 64 Bitcoin arrived at a virtual address to which the FBI had access, giving it the opening to obtain a warrant and seize the funds.

On Monday, the Justice Department said it had recovered part of Colonial's original ransom: cryptocurrency worth about $2.3 million.

According to cybersecurity experts, the operation demonstrates the growing technical ability of investigators to dismantle the financial infrastructure that lets ransomware gangs extort hundreds of millions of dollars from victims each year. Despite the reputation of cryptocurrency as a hard-to-trace medium of exchange useful to criminals and other groups operating outside the traditional financial system, cryptocurrency can be easier to track than hard currencies such as the U.S. dollar.

“You can’t hide behind cryptocurrencies,” said Elvis Chan, a special agent in charge of the cyber branch of the FBI’s San Francisco field office.

For the past few weeks, senior Biden administration officials have characterized ransomware, in which criminals lock up data or computer systems and demand payment, as an urgent national security threat. On Wednesday, the chief executive of a meat company said it had paid an $11 million ransom to cybercriminals after a hack that helped shut down plants processing about one-fifth of the country's meat supply.

Monday's announcement was noteworthy for the scale of the recovery and the widespread impact of the original attack on the pipeline company, but in recent years law enforcement officials have built a track record of tracking cryptocurrency and, at times, seizing it.

Flow of funds

Hackers move ransom payments around to evade law enforcement, but the Justice Department was able to track and seize the cryptocurrency.

1. A hacker breaks in and deploys ransomware.

2. The ransomware locks the company's data and cripples its computer systems and operations.

3. The victim receives a message demanding payment for a tool to unlock the data. The hackers share the address of a digital wallet into which the victim can deposit cryptocurrency (often Bitcoin).

4. Victims often call in cybersecurity firms to negotiate with the hackers and to check whether the counterparty is a sanctioned government or individual. Brokers can convert cash into cryptocurrency to facilitate the transfer.

5. Hackers often move funds between wallets to disguise their activity or to pay the affiliates who took part in the hack. Some ransomware gangs employ money-laundering services to help clean the cryptocurrency. Hackers then convert the digital money into hard currency such as the U.S. dollar on foreign crypto exchanges.


Justice Department officials said in November that they had seized about $1 billion in cryptocurrency connected to the Silk Road online black market. In January, law enforcement officials said the Justice Department had seized more than $454,000 in cryptocurrency from a ransomware group known as NetWalker.

Federal authorities have previously dismantled illicit crypto networks operating abroad, including the August seizure of accounts and funds associated with al-Qaeda and with the Qassam Brigades, the armed wing of the Palestinian militant group Hamas. Court records show that Internal Revenue Service agents tracked transactions intended to fund the group to Turkish money launderers who had additional U.S.-based customers or who used U.S.-based exchanges.

The FBI has shared few details on how it seized part of the cryptocurrency Colonial Pipeline paid to DarkSide, a ransomware gang that investigators believe operates out of Russia. However, court records, along with interviews with analysts, outline the range of methods investigators can use to follow funds from the pipeline operator's wallet to the Bitcoin address reached through a court order.

Cryptocurrency is held in a digital account called a wallet, which stores the addresses where the funds sit on the network and the private keys, or passwords, needed to spend them. Whereas fiat currency is transferred using a bank's routing code and an individual account number, cryptocurrency owners move funds between addresses recorded on public ledgers called blockchains.

Cryptocurrency wallets give owners a measure of personal privacy and, in some countries, freedom from regulatory and tax oversight. But the blockchain is public, so law enforcement investigators and outside experts can monitor the movement of funds between addresses and through the exchanges and online services that let users buy, sell and cash out their holdings.

"We have effectively created a map of hundreds of millions of Bitcoin addresses related to illicit actors around the world," said David Carlisle, director of policy and regulation at blockchain analytics firm Elliptic.

When ransomware victims transfer cryptocurrency to hackers, sophisticated criminal groups often distribute the money across hundreds of other wallets, Carlisle said. These transfers include profit-sharing with affiliates who develop and lease the ransomware, transfers to money launderers who clean the illicit funds, or attempts to convert the cryptocurrency into fiat currency.
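As an added illustration of the tracing described above (this is not code from the article, the FBI or any analytics firm), the following Python follows a ransom through a small constructed ledger using proportional, or "haircut", attribution: each output of a transaction inherits the share of that transaction's input value already traced back to the ransom address. All addresses and amounts are made up; the 75 and 63.7 figures merely echo the article's.

```python
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction

@dataclass(frozen=True)
class Tx:
    """One on-chain transaction: inputs spend from addresses, outputs pay addresses.
    A Tx with no inputs stands in for funds arriving from outside the traced view."""
    txid: str
    inputs: tuple   # ((address, amount_in_btc_as_str), ...)
    outputs: tuple

def trace_taint(txs, seed_address):
    """Proportional ('haircut') tracing over a chronologically ordered tx list.
    Every payment to seed_address is 100% tainted; every other output inherits the
    tainted fraction of its transaction's inputs. Returns {address: tainted BTC held}."""
    taint = defaultdict(Fraction)   # tainted BTC currently held per address
    held = defaultdict(Fraction)    # total BTC currently held per address
    for tx in txs:
        tainted_in = total_in = Fraction(0)
        for addr, amt in tx.inputs:
            amt = Fraction(amt)
            share = taint[addr] / held[addr] if held[addr] else Fraction(0)
            tainted_in += amt * share
            total_in += amt
            taint[addr] -= amt * share   # spent value leaves the address
            held[addr] -= amt
        ratio = tainted_in / total_in if total_in else Fraction(0)
        # Input value not assigned to any output is the miner fee; its tainted share is dropped.
        for addr, amt in tx.outputs:
            amt = Fraction(amt)
            taint[addr] += amt if addr == seed_address else amt * ratio
            held[addr] += amt
    return {a: t for a, t in taint.items() if t}

# Constructed ledger mirroring the flow the article describes (hypothetical addresses):
LEDGER = (
    Tx("t0", (), (("victim", "80"), ("launder_src", "36.3"))),   # outside funding, untainted
    Tx("t1", (("victim", "80"),), (("ransom_addr", "75"), ("victim_change", "5"))),
    Tx("t2", (("ransom_addr", "75"),), (("affiliate", "11.3"), ("pool", "63.7"))),
    Tx("t3", (("pool", "63.7"), ("launder_src", "36.3")), (("final_addr", "100"),)),
)

def tainted_holdings(seed="ransom_addr", ledger=LEDGER):
    """Addresses still holding value traceable to the ransom, and how much."""
    return trace_taint(ledger, seed)

if __name__ == "__main__":
    for addr, btc in sorted(tainted_holdings().items(), key=lambda kv: -kv[1]):
        print(f"{addr:14s} {float(btc):8.4f} BTC traceable to ransom")
```

Commingling with clean funds in t3 does not hide the ransom: the 63.7 BTC that went into that transaction is still attributed to final_addr, which is the kind of signal a seizure warrant can be built on.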

Colonial Pipeline set investigators on the hackers' trail by providing the Bitcoin address to which it paid the hackers on May 8, according to court records filed in U.S. District Court for the Northern District of California. The records show the hackers had moved the funds to at least six addresses by the next day.

On May 13, DarkSide told affiliates that its servers and other infrastructure had been seized, but did not specify where or how. On May 27, court records show, a sum that included 63.7 Bitcoin traced to the Colonial ransom landed at a final address, and this week the FBI seized that portion of the money.


The FBI said in Monday's warrant application that investigators possessed the private key for the address. Authorities did not elaborate on how it was obtained, and a spokesman declined to comment further.

The amount collected by the FBI likely represents the share of the ransom paid out to DarkSide's affiliates, said Pamela Clegg, director of financial research and education at blockchain analytics firm CipherTrace. On May 13, the same day DarkSide claimed its servers had been seized, the remaining Colonial funds that the FBI did not recover were consolidated with other cryptocurrency associated with ransom payments in a wallet that currently holds about 108 Bitcoin.

"Everyone is looking at it to see if those funds will be sent," Clegg said of the wallet.

FBI officials say the techniques used to recover part of the Colonial funds could be used in future cases, such as when hackers attempt to move cryptocurrency through unfriendly foreign jurisdictions.

“Overseas is not a problem with this technology,” said Mr. Chan of the FBI’s San Francisco field office.


Write to David Uberti at david.uberti@wsj.com

Copyright © 2020 Dow Jones & Company, Inc. All Rights Reserved.
