On May 7, 2021, Colonial Pipeline, a US pipeline system that mainly transports gasoline and jet fuel to the southeastern United States, suffered a ransomware cyberattack that affected the computer equipment managing the pipeline. The company learned of the attack shortly before 5 a.m., when an employee discovered a ransom note on a system on its network. The company believes the attack was orchestrated by DarkSide, a cybercriminal group believed to operate, at least in part, out of Russia.
On May 13, the general public learned that Colonial Pipeline had paid approximately 75 bitcoin, or about 5 million US dollars, as ransom. Criminal organizations like DarkSide prefer bitcoin for ransom payments because it provides a degree of anonymity, allows transfers from one person to another without a bank, and can ultimately be converted back to fiat currency through multiple methods, some of which do not require a legal name or address.
On June 7, the US Federal Bureau of Investigation (FBI) announced that it had recovered nearly $2.3 million of the stolen funds through money flow analysis and other investigative techniques. Coinciding with China’s crackdown on bitcoin mining, news of the FBI’s bitcoin “hack” sent the broader cryptocurrency market crashing. Although the FBI did not provide specific details of the recovery process, in order to safeguard its methods for future investigations, the seizure order filed with the US District Court for the Northern District of California provided some insights.
The public received additional details of the event the following day, when Colonial Pipeline CEO Joseph Blount Jr. recounted the event to members of the Senate Homeland Security and Governmental Affairs Committee in prepared remarks. Specifically, company personnel received a ransom note on their network stating that the hackers had “exfiltrated” material from the company’s shared internal drive and were demanding approximately $5 million for the files. Immediately after the discovery, Colonial Pipeline began shutting down the entire pipeline to minimize additional malware risk to the operational technology (OT) network that controls pipeline operations. The shutdown caused major disruptions to fuel supply throughout the East Coast, to air travel and to consumer fuel distribution, immediately leading to long lines at gas stations throughout the southeastern US.
In this blog post, I’ll try to retrace the recovery process for readers. It is important to note that neither the author nor the company, Zero Friction, has access to any non-public information about this event. All methods and techniques discussed were derived using Zero Friction’s expertise and publicly available open source intelligence (OSINT) tools.
According to the FBI seizure warrant, the FBI performed a money flow analysis using on-chain Bitcoin data. However, the FBI withheld most of the addresses of interest, specifically:
- the DarkSide ransom payment address
- the intermediate addresses to which DarkSide transferred the ransom payment
- the DarkSide collection address from which the FBI seized the partial ransom payment (referred to as the subject address in the seizure order)
- the FBI holding address where the seized funds are currently located
Starting with the partial address provided by the FBI, shown in the image below, the author built a query to search the Bitcoin network for all addresses that partially match it. The same technique can also be applied to other use cases and to other blockchain platforms, including Ethereum, to search for a specific transaction value, transaction type, time period, and so on.
Source: FBI’s Seizure Warrant
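One way to express such a partial-address query, as an added example that is not code from the original post: the function below turns a redacted address into an anchored regular expression whose hidden span can only be filled by characters from the matching address alphabet, then runs it over a candidate list. The candidate pool mixes the Bech32 addresses quoted in this post with two constructed decoys that share only the prefix or only the suffix; a real search would feed the same pattern to a node or indexer rather than to an in-memory list.

```python
import re

# Alphabets the two Bitcoin address families are drawn from: the Bech32 data
# charset (BIP 173) for bc1... addresses and Base58 for legacy 1.../3... addresses.
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

ELISION_MARKER = "\x00"  # stand-in for '...', the ellipsis character or '***'


def redaction_to_regex(partial):
    """Turn a redacted address such as 'bc1q2sew…uu0k0607' into an anchored regex.

    Known characters are matched literally; each elision becomes a wildcard
    limited to the address family's own alphabet, so a candidate can only match
    if every hidden character is one a real address of that type could contain.
    """
    alphabet = BECH32_CHARSET if partial.lower().startswith("bc1") else BASE58_ALPHABET
    wildcard = "[" + re.escape(alphabet) + "]*"
    # Collapse the different ways a redaction may be written into one marker
    normalised = re.sub(r"\.{2,}|…|\*+", ELISION_MARKER, partial)
    literal_parts = [re.escape(part) for part in normalised.split(ELISION_MARKER)]
    return re.compile("^" + wildcard.join(literal_parts) + "$")


def find_partial_matches(partial, candidates):
    """Return the candidate addresses consistent with the redacted form, in order."""
    pattern = redaction_to_regex(partial)
    return [address for address in candidates if pattern.match(address)]


# Candidate pool: Bech32 addresses quoted in the post plus two constructed
# decoys (not real addresses) that share only the prefix or only the suffix.
CANDIDATES = [
    "bc1qpx7vyv5tp7dm0g475ev527krg764t73dh77gls",
    "bc1qvjh9cq6qlj4f4q5vxnkgt25mc6qld04vv20fhe",
    "bc1qxu83k5qkj8kcqdqqenwzn7khcw4llfykeqwg45",
    "bc1qu57hnxf0c65fsdd5kewcsfeag6sljgfhz99zwt",
    "bc1q2sewgrnau4e4gvceh8ykzf8lqxawpluu0k0607",
    "bc1q2sewqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq0k0608",  # constructed decoy: prefix only
    "bc1qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqquu0k0607",  # constructed decoy: suffix only
]

if __name__ == "__main__":
    # The redacted form quoted later in the post resolves to exactly one candidate
    print(find_partial_matches("bc1q2sew…uu0k0607", CANDIDATES))
```

Restricting the wildcard to the address alphabet matters when the pool is large: a plain `.*` would accept strings that no valid address could ever equal, inflating the result set that then has to be checked by hand.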
In the case of Colonial Pipeline, the query returns only one result, and by comparing the returned information, the author concluded with a high degree of certainty that the result is the subject address (item #3):
Using a Bitcoin explorer (e.g., blockchair.com), the author was able to determine that the address has a total of three transactions (one deposit received and two transfers sent), with the first transaction showing as “received”.
Since seizures generally require custody of the funds at the seized address, it is expected that a transaction will be observed moving the seized funds to an address controlled by the law enforcement entity. This step is necessary to mitigate any chance of the hackers using a backup copy of the same private keys to move the funds before the seizure can be fully completed. Consequently, the hash of the first transaction:
highlighted the described action, in which approximately 63.7 BTC was moved to the address bc1qpx7vyv5tp7dm0g475ev527krg764t73dh77gls, identified as the FBI holding address (item #4), where it remains unspent to this day.
The transaction has the following properties:
- only one input (i.e., sender) and two outputs (i.e., recipients)
- the input address was reused as the change address
This transaction pattern significantly reduces the anonymity of the addresses involved, allowing the author to conclude that the two output addresses likely belong to two different wallets controlled by different parties. This observation can also be confirmed by performing a clustering analysis, which shows that neither address is related to any other address through previous transactions on the network (i.e., as part of the same wallet).
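The change-detection and clustering checks described above, as an added example over constructed transactions (not code from the original post): `classify_outputs` flags an output that pays back to one of the inputs as change, `describe_pattern` summarises the one-input/two-outputs shape, and `common_input_clusters` applies the common-input-ownership heuristic, which assumes every input of a transaction is controlled by the same party, to decide whether two addresses are ever linked. The address labels, txids and values are constructed for illustration only.

```python
from collections import defaultdict

# Constructed transactions (not real chain data) with the shape the post
# describes: one input, two outputs, and the input address reused for change.
# Values are in BTC; transaction fees are left out for clarity.
SAMPLE_TXS = [
    {
        "txid": "seizure-tx-constructed",
        "inputs": [{"address": "addr-subject", "value": 69.6}],
        "outputs": [
            {"address": "addr-holding", "value": 63.7},
            {"address": "addr-subject", "value": 5.9},  # change back to the input address
        ],
    },
    {
        "txid": "remainder-tx-constructed",
        "inputs": [{"address": "addr-subject", "value": 5.9}],
        "outputs": [{"address": "addr-remainder", "value": 5.9}],
    },
    {
        # Unrelated multi-input spend: both inputs are assumed to share an owner
        "txid": "merge-tx-constructed",
        "inputs": [
            {"address": "addr-a", "value": 1.0},
            {"address": "addr-b", "value": 2.0},
        ],
        "outputs": [{"address": "addr-c", "value": 3.0}],
    },
]


def classify_outputs(tx):
    """Label each output 'change' if it pays back to one of the inputs, else 'payment'."""
    input_addresses = {i["address"] for i in tx["inputs"]}
    return {
        o["address"]: "change" if o["address"] in input_addresses else "payment"
        for o in tx["outputs"]
    }


def describe_pattern(tx):
    """Summarise the structural features the analysis relies on."""
    labels = classify_outputs(tx)
    return {
        "inputs": len(tx["inputs"]),
        "outputs": len(tx["outputs"]),
        "change_reuses_input": "change" in labels.values(),
    }


def common_input_clusters(txs):
    """Group addresses under the common-input-ownership heuristic.

    All inputs of one transaction are assumed to belong to the same party;
    union-find merges those groups across the whole ledger. An address that
    never co-signs with another stays in its own singleton cluster.
    """
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving keeps the tree shallow
            a = parent[a]
        return a

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_b] = root_a

    for tx in txs:
        for entry in tx["inputs"] + tx["outputs"]:
            find(entry["address"])  # register every address, even if never an input
        inputs = [i["address"] for i in tx["inputs"]]
        for a in inputs[1:]:
            union(inputs[0], a)

    clusters = defaultdict(set)
    for a in parent:
        clusters[find(a)].add(a)
    return {frozenset(members) for members in clusters.values()}


def same_cluster(txs, a, b):
    """True when the heuristic links the two addresses to one wallet."""
    return any(a in cluster and b in cluster for cluster in common_input_clusters(txs))


if __name__ == "__main__":
    print(describe_pattern(SAMPLE_TXS[0]))
    print("holding address linked to subject:", same_cluster(SAMPLE_TXS, "addr-subject", "addr-holding"))
```

The heuristic is deliberately conservative: it only ever merges addresses that spend together, so a negative result (as for the holding address here) says the chain itself offers no evidence of common control, which is exactly the observation the post draws on.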
Approximately eight minutes after the transfer of the 63.7 BTC to the FBI address, the remaining balance was moved via a second transaction, with hash
to the address bc1qvjh9cq6qlj4f4q5vxnkgt25mc6qld04vv20fhe, where it remains unspent to this day.
Why didn’t the FBI seize the full balance of the subject address, since the total available 69.6 BTC was within the 75 BTC paid as ransom? To answer this question, it is necessary to trace the money flow of the transaction back to the initial ransom payment.
Starting from the subject address, the author traced backwards, following the largest incoming inputs at each hop. Five hops later, through several intermediate addresses (item #2), the trace concludes at the address 15jfh88fce4wl6qemlgx5veafcbrxjc9fr, also confirmed by the FBI as the DarkSide ransom payment address (item #1).
Source: FBI Seizure Warrant
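The backward trace just described, as an added example rather than code from the original post: starting from a target address, the walk selects the transaction that delivered the most value to it and continues from that transaction’s largest input, stopping at a coinbase transaction (newly minted coins have no prior input to follow), at the edge of the visible ledger, or on address reuse. The ledger is constructed to mirror the shape of the flow in this post, including a payment that is split before being forwarded; all txids, address labels and values are placeholders.

```python
# Constructed ledger (not real chain data): a ransom payment that is split, then
# forwarded through intermediate addresses to the subject address. Values in BTC,
# fees omitted. A coinbase transaction has no inputs, so a backward trace stops there.
LEDGER = [
    {"txid": "coinbase-constructed", "inputs": [],
     "outputs": [{"address": "addr-topup", "value": 0.5}]},
    {"txid": "payment-constructed",
     "inputs": [{"address": "addr-victim-exchange", "value": 75.0}],
     "outputs": [{"address": "addr-ransom", "value": 75.0}]},
    {"txid": "split-constructed",
     "inputs": [{"address": "addr-ransom", "value": 75.0}],
     "outputs": [{"address": "addr-hop1", "value": 63.7},
                 {"address": "addr-developer", "value": 11.2}]},
    {"txid": "consolidate-constructed",
     "inputs": [{"address": "addr-hop1", "value": 63.7},
                {"address": "addr-topup", "value": 0.5}],  # small distractor input
     "outputs": [{"address": "addr-hop2", "value": 64.2}]},
    {"txid": "deposit-constructed",
     "inputs": [{"address": "addr-hop2", "value": 64.2}],
     "outputs": [{"address": "addr-subject", "value": 64.2}]},
]


def is_coinbase(tx):
    """A coinbase transaction creates new coins and therefore spends no prior output."""
    return not tx["inputs"]


def value_paid_to(tx, address):
    """Total value the transaction's outputs deliver to one address."""
    return sum(o["value"] for o in tx["outputs"] if o["address"] == address)


def funding_transactions(ledger, address):
    """Transactions that pay `address`, excluding self-transfers (change outputs)."""
    return [tx for tx in ledger
            if value_paid_to(tx, address) > 0
            and address not in {i["address"] for i in tx["inputs"]}]


def trace_back_largest_input(ledger, address, max_hops=10):
    """Walk backwards from `address`, one funding transaction per hop.

    At each hop the transaction that delivered the most value to the current
    address is selected, and the trace continues from that transaction's largest
    input. The walk ends at a coinbase, when no funding transaction is visible in
    the ledger, when an address repeats, or after max_hops. Returns the addresses
    visited, most recent first.
    """
    path = [address]
    seen = {address}
    current = address
    for _ in range(max_hops):
        funders = funding_transactions(ledger, current)
        if not funders:
            break  # edge of the visible ledger
        tx = max(funders, key=lambda t: value_paid_to(t, current))
        if is_coinbase(tx):
            path.append("<coinbase " + tx["txid"] + ">")
            break
        current = max(tx["inputs"], key=lambda i: i["value"])["address"]
        if current in seen:
            break  # address reuse would otherwise loop forever
        seen.add(current)
        path.append(current)
    return path


def hop_count(path):
    """Number of hops taken, i.e. edges in the returned path."""
    return len(path) - 1


if __name__ == "__main__":
    trail = trace_back_largest_input(LEDGER, "addr-subject")
    print(" <- ".join(trail), "(%d hops)" % hop_count(trail))
```

Following only the largest input is what keeps the graph tractable: the 0.5 BTC distractor is skipped at the consolidation hop, so the trace lands on the payment origin in four hops, while a trace started from the top-up address terminates immediately at the coinbase.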
Furthermore, by taking one additional hop back from the ransom payment address, the author was able to determine that Colonial made the payment on May 8, 2021 at 5:12 p.m.
Source: FBI Seizure Warrant
The full picture of the Colonial Pipeline ransom event can be visualized, as shown below, using a blockchain forensics solution such as breadcrumbs.app, where the thickness of the lines between addresses is weighted by the transaction value exchanged. A larger view of the same image is available here.
Forensics solutions offer a key advantage over OSINT tools by providing curated and continuously updated attribution of addresses to hackers, known users, and services such as exchanges and mixers. The use of blockchain forensics solutions also improves the quality of forensic investigations and significantly reduces the time needed to perform them.
The key transactions mapped onto the transaction graph above are:
- ransom payment (item #1)
- sent to the subject address (item #3)
- sent to the FBI holding address (item #4)
In addition, a Sankey diagram can be constructed to trace the flow of money from the Colonial/Coinbase sending address to the FBI holding address, with the DarkSide ransom payment address highlighted by a vertical gray line. Money flow analysis reduces the complexity of blockchain analysis by focusing only on the large movements of funds that start at a given address. A larger Sankey diagram can also be downloaded from the following URL.
It is important to note that the “coinbase” tag shown in the Sankey diagram is not related to the Coinbase.com exchange, but simply indicates the first transaction in a block. A coinbase transaction is a unique type of Bitcoin transaction created by a miner to collect the block reward for their work and the fees of the other transactions the miner included in the block.
The key to why the FBI seized only 63.7 BTC lies in the transaction with hash:
where, of the 75 BTC sent as ransom payment, the address bc1qxu83k5qkj8kcqdqqenwzn7khcw4llfykeqwg45 received only 63.7 BTC, with the balance transferred to another address. Since DarkSide operates as ransomware-as-a-service, where affiliates pay the service for the use of the ransomware tooling, the 63.7 BTC payment is likely the affiliate’s cut, and the remaining balance is likely the DarkSide developer’s share.
The DarkSide developer’s share of 11.2 BTC, or 15% of the 75 BTC paid, was sent to the address bc1qu57hnxf0c65fsdd5kewcsfeag6sljgfhz99zwt, and that address in turn sent the BTC (as shown below) to a holding address, bc1q2sewgrnau4e4gvceh8ykzf8lqxawpluu0k0607,
which currently has an unspent balance of 107.8 BTC. The author was able to confirm that this address is the DarkSide developer’s holding address by examining the payment patterns into the address, such as fee payments (e.g., the 24 senders shown below) appearing as inputs of the transaction with hash
Cluster analysis of the addresses related to bc1q2sew…uu0k0607 does not reveal any other related addresses. The author also posits, based on the observed payment patterns, that the DarkSide developer’s address likely resides in a non-custodial (e.g., offline) wallet controlled by the developer.
The next question, and probably the most speculative, is how the FBI was able to obtain the private keys for the subject address, as this would require obtaining the IP address of the node used by the affiliate and then, through legal means, gaining access to the host itself that contains the private keys. Given the mechanics of Bitcoin, it is possible to obtain the IP addresses of all Bitcoin nodes by scanning the internet for hosts listening on port 8333 (the default Bitcoin peer-to-peer port). Once known, the hosts can be monitored in real time, allowing identification of the IP address that first relayed the transaction of interest. Combining that information with an IP geolocation lookup yields details about location, service provider, connection type, and so on, as shown in the following example:
Consequently, the author posits that the FBI may have used similar techniques to identify IP addresses by correlating timestamps and transaction details. Without disclosing the details, in order to preserve the integrity of the technique used by the FBI, the author confirmed several US-based IP addresses from which the transactions of interest could have originated, which the FBI could leverage to further identify the DarkSide hackers’ hosts.
This analysis highlights that while the Bitcoin blockchain can offer a degree of anonymity, such protection can be unmasked by a qualified blockchain forensic investigator, who can use various investigative tools and techniques to obtain important information beyond what is publicly known. Furthermore, by using blockchain forensics solutions such as breadcrumbs.app, the identity of the users or services behind specific addresses can also be obtained, allowing legal means to be pursued, including seizure and prosecution. As a result of these advances, the attraction of using bitcoin as a ransom payment is slowly fading.
Author’s Note: The author welcomes readers’ questions and comments on this article. Feel free to contact him at email@example.com.