The US Federal Bureau of Investigation (FBI) says it won’t reveal how it “learned the private key” to hacker crew DarkSide’s Bitcoin wallet.
“I don’t want to give up our tradecraft in case we want to use this again for future endeavors,” said FBI assistant special agent Elvis Chan in a news call on Monday (via NBC News).
Earlier that day, the Department of Justice revealed about half the US dollar value of Colonial Pipeline’s ransom payment (63.7 BTC worth $2.3 million) had been recovered — just hours after the attack that crippled East Coast fuel distribution.
Here’s what we do know:
- The FBI filed an affidavit in support of a warrant to seize the Bitcoin.
- Authorities used a blockchain explorer to track the ransom to a custodial wallet.
- That wallet’s private key somehow ended up with the FBI.
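Following a ransom payment across the chain, as the affidavit's blockchain-explorer step describes, is a graph walk over spending transactions. The block below is an added illustration, not code from the article or from any investigator: it runs a breadth-first trace over a constructed toy ledger (every txid, address and amount is made up, with the 75 BTC and 63.7 BTC figures borrowed from the article only as sample values) and reports how many hops separate the ransom address from the custodial address and how much traced value arrived there. The custodial address also receives an unrelated deposit, which is how a pooled custodial wallet looks on chain.

```python
from collections import deque

# Constructed toy ledger for illustration: every txid and address here is made up.
TRANSACTIONS = [
    {"txid": "tx-ransom",  "inputs": ["victim-addr"],    "outputs": [("ransom-addr", 75.0)]},
    {"txid": "tx-split",   "inputs": ["ransom-addr"],    "outputs": [("affiliate-addr", 63.7), ("developer-addr", 11.3)]},
    {"txid": "tx-deposit", "inputs": ["affiliate-addr"], "outputs": [("custodial-addr", 63.7)]},
    {"txid": "tx-noise",   "inputs": ["unrelated-addr"], "outputs": [("custodial-addr", 1.0)]},
]


def spends_by_address(transactions):
    """Index: address -> transactions that spend an input from that address."""
    index = {}
    for tx in transactions:
        for addr in tx["inputs"]:
            index.setdefault(addr, []).append(tx)
    return index


def trace_forward(transactions, start, max_hops=8):
    """Breadth-first walk from `start` along spending transactions.

    Returns (hops, edges): hops maps each reached address to the number of
    transactions between it and `start`; edges lists every traced payment
    as (hop, txid, from_addr, to_addr, amount).
    """
    index = spends_by_address(transactions)
    hops = {start: 0}
    edges = []
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for tx in index.get(addr, []):
            for to_addr, amount in tx["outputs"]:
                edges.append((hops[addr] + 1, tx["txid"], addr, to_addr, amount))
                if to_addr not in hops:
                    hops[to_addr] = hops[addr] + 1
                    queue.append(to_addr)
    return hops, edges


def amount_received(edges, address):
    """Traced value landing on `address`; inflows not on a traced path are ignored."""
    return round(sum(e[4] for e in edges if e[3] == address), 8)


if __name__ == "__main__":
    hops, edges = trace_forward(TRANSACTIONS, "ransom-addr")
    for hop, txid, src, dst, amt in edges:
        print(f"hop {hop}: {txid} {src} -> {dst} {amt} BTC")
    print("custodial-addr reached after", hops["custodial-addr"], "hops;",
          amount_received(edges, "custodial-addr"), "BTC traced")
```

The walk only follows outputs of transactions that spend from an address already on the path, so the unrelated deposit into the custodial address is visible in the ledger but never enters the trace; a real investigation would additionally have to attribute the custodial address to a provider, which the chain itself does not record.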
A universe to crack Bitcoin private keys
The FBI keeping hush about how it obtained the private key has piqued the internet’s curiosity.
Chinese social media even popularized the idea that the FBI had hacked Bitcoin to claw back a company’s ransom.
“Hacking Bitcoin” would mean breaking its cryptography, which is effectively impossible: with current technology, brute-forcing the private key to any one Bitcoin address would take far longer than the universe has existed.
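The “longer than the universe has existed” claim can be put in numbers. The block below is an added worked estimate, not part of the article: it takes the order of the secp256k1 curve (the number of valid Bitcoin private keys) and an assumed search rate of 10^18 key trials per second (a generous, hypothetical figure), then compares the expected search time against the age of the universe, both for exhaustive search and for the best generic attack on the discrete logarithm (Pollard’s rho, roughly the square root of the key count).

```python
import math

# Order n of secp256k1: the number of valid Bitcoin private keys (public curve parameter).
SECP256K1_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

SECONDS_PER_YEAR = 365.25 * 24 * 3600
UNIVERSE_AGE_YEARS = 1.38e10      # about 13.8 billion years
ASSUMED_RATE = 1e18               # assumption: 10^18 key trials per second, far beyond real hardware


def exhaustive_work():
    """Expected trials to hit one specific key by exhaustive search: half the keyspace."""
    return SECP256K1_ORDER / 2


def pollard_rho_work():
    """Expected group operations for a generic discrete-log attack: sqrt(pi * n / 2)."""
    return math.sqrt(math.pi * SECP256K1_ORDER / 2)


def years_to_search(work, ops_per_second=ASSUMED_RATE):
    """Wall-clock years to perform `work` operations at the assumed rate."""
    return work / ops_per_second / SECONDS_PER_YEAR


def universe_lifetimes(work, ops_per_second=ASSUMED_RATE):
    """How many ages of the universe the search would take."""
    return years_to_search(work, ops_per_second) / UNIVERSE_AGE_YEARS


if __name__ == "__main__":
    for label, work in (("exhaustive search", exhaustive_work()),
                        ("Pollard rho (generic ECDLP)", pollard_rho_work())):
        print(f"{label}: ~{years_to_search(work):.2e} years, "
              f"{universe_lifetimes(work):.2e} universe lifetimes")
```

Even the square-root attack, which is the realistic lower bound rather than the naive one, needs on the order of a thousand universe lifetimes at the assumed rate; exhaustive search is some 10^40 times worse again. This is why every serious reading of the affidavit assumes the FBI obtained the key rather than computed it.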
But wording of the affidavit implies the FBI was already in possession of the private key. Some say that’s proof the FBI had it all along.
Others inferred from the warrant that the FBI had demanded the private key from a custodial wallet provider with servers in Northern California, even going so far as to guess it was major crypto exchange Coinbase.
But the warrant doesn’t explicitly state the FBI needed to probe a crypto exchange for a private key, only that it needed authority to remove Bitcoin with a key it already had.
And it doesn’t state which person or entity must hand over the Bitcoin.
Coinbase’s chief security exec Philip Martin debunked claims it was involved at all. Martin highlighted that Coinbase uses a “pooled hot wallet” which lumps users’ Bitcoin together under a single address.
So asking for a single private key to access a small amount of Bitcoin belonging to one party wouldn’t be very realistic.
“So how did they get the private key? Maybe some whiz-bang magic, but my guess would be it was some good ol’ fashioned police work to locate the target servers, and an [mutual legal assistance treaty] request and/or some political pressure to get access,” tweeted Martin.
Should’ve used a mixer
Intrigue aside, TechCrunch rightly posited we could all be overestimating the ransomware threat.
It certainly seems DarkSide’s hackers chose the worst place to store the private key to their illicit funds: on a centralized server within reach of the FBI.
Not your keys, not your Bitcoin.
Update 11:20 UTC, June 12: Clarified authorities seized half the US dollar value of Colonial Pipeline’s ransom payment. Colonial Pipeline paid 75 BTC on May 8, worth around $5 million at the time.
Bitcoin’s price had fallen since the ransom payment. The FBI ended up retrieving 63.7 BTC worth $2.3 million.