The U.S. Federal Bureau of Investigation (FBI) has recovered part of the ransom paid by Colonial Pipeline, the fuel distribution company that fell victim to a hack in May which shut down one of its key sites in the country.
Investigators recouped 63.7 bitcoin, or approximately $2.3 million, of the 75 bitcoin ($4.4 million) ransom. The hackers behind the attack were identified as DarkSide, a Russian group that had been on the Department of Justice's (DOJ) radar for over a year.
The hack of Colonial Pipeline's East Coast pipeline caused widespread disruption in the regional oil market, with some stations in multiple states running out of fuel. Although not the recommended route in most cases, the firm's CEO Joseph Blount complied with the hackers' ransom demands and sent $4.4 million in return for decryption keys to restart the pipeline's systems. As the Wall Street Journal reports, the decision to comply was made because Colonial Pipeline did not know the extent of the breach or how long it would have taken to restart operations otherwise.
“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” FBI Deputy Director Paul Abbate stated on the seizure.
The rather positive outcome for Colonial Pipeline is not "the norm," although close coordination between victims and investigators can sometimes yield positive results, FBI Director Christopher Wray told CNN last week.
The exact steps taken by the FBI to recover the funds have been left rather vague, although Deputy Attorney General Lisa Monaco said on Monday that "following the money remains one of the most basic, yet powerful tools we have."
In its announcement, the DOJ praised Colonial Pipeline for quickly reporting to the FBI that it had been hacked by DarkSide, which allowed the Bureau to trace multiple bitcoin transactions through chain analysis. The 63.7 bitcoin that were later recovered "had been transferred to a specific address, for which the FBI has the 'private key'," according to the DOJ.
Although it was not disclosed how the FBI acquired that private key, the seizure warrant issued by a Magistrate Judge for the Northern District of California, which led to the recovery of the coins, indicates that the FBI did in fact obtain the keys by serving a warrant on the holder of the private key. It is not clear who held that private key; however, since the keys were recovered under a warrant issued in California, the holder is likely to be a financial institution, such as an exchange used by the hackers.
Deriving a private key from a public Bitcoin address is practically impossible. How hard it is to acquire a private key by other means, however, varies drastically with how carefully its owner stores it. If the hacker group sent the bitcoin in question to a custodial wallet, which appears to have been the case, recovery would have been straightforward: in a custodial wallet the custodian, not the depositor, controls the key, so a warrant served on the custodian reaches the funds.
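The "following the money" step that the DOJ describes, and the reason a custodial endpoint matters, can be shown on a toy transaction graph. The following is an added example, not code from the article or from any chain-analysis tool the FBI used: the ledger, the transaction ids, the addresses and the custodian label are all constructed (only the 75 and 63.7 BTC amounts come from the article), and the tracing rule is a deliberate simplification of the heuristics real chain-analysis tooling applies. It walks forward from the address the ransom landed on, records every unspent output the coins reach, and flags endpoints that attribution data marks as belonging to a custodian.

```python
"""Following the money on a constructed transaction graph.

Everything below (txids, addresses, custodian label) is hypothetical
sample data; only the 75 / 63.7 BTC figures come from the article.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[str, ...]                 # addresses whose coins this tx spends
    outputs: Tuple[Tuple[str, float], ...]  # (receiving address, amount in BTC)


# Constructed ledger: ransom arrives, is split, one leg lands at an exchange.
LEDGER: List[Tx] = [
    Tx("tx_ransom", ("victim_addr",), (("ransom_addr", 75.0),)),
    Tx("tx_split", ("ransom_addr",),
       (("affiliate_addr", 11.3), ("operator_addr", 63.7))),
    Tx("tx_deposit", ("operator_addr",), (("exchange_deposit_addr", 63.7),)),
    Tx("tx_obfuscate", ("affiliate_addr",), (("unattributed_addr", 11.3),)),
]

# Attribution data an investigator holds separately from the chain (hypothetical).
CUSTODIAN_LABELS: Dict[str, str] = {
    "exchange_deposit_addr": "ExampleExchange (hypothetical custodian)",
}


def index_spends(ledger: List[Tx]) -> Dict[str, List[Tx]]:
    """Map each address to the transactions that spend from it."""
    spends: Dict[str, List[Tx]] = defaultdict(list)
    for tx in ledger:
        for addr in tx.inputs:
            spends[addr].append(tx)
    return spends


def trace(ledger: List[Tx], start_addr: str, max_hops: int = 10):
    """Breadth-first walk forward from start_addr.

    Returns {unspent_address: (amount, [txids along the path])} for every
    output the traced coins reach that is not spent again within the
    ledger, i.e. where the coins currently sit.  Simplification: the whole
    of each output is treated as traced; real tooling weighs multi-input
    transactions with attribution heuristics instead.
    """
    spends = index_spends(ledger)
    endpoints = {}
    queue = deque([(start_addr, None, [])])
    seen = set()
    while queue:
        addr, amount, path = queue.popleft()
        if addr in seen or len(path) > max_hops:
            continue
        seen.add(addr)
        if addr not in spends:            # unspent: coins rest here
            if amount is not None:
                endpoints[addr] = (amount, path)
            continue
        for tx in spends[addr]:
            for out_addr, out_amount in tx.outputs:
                queue.append((out_addr, out_amount, path + [tx.txid]))
    return endpoints


def custodial_endpoints(endpoints, labels):
    """Endpoints held by a known custodian, i.e. where a warrant served on
    the key holder rather than on the hackers can reach the coins."""
    return {addr: (labels[addr], amt)
            for addr, (amt, _path) in endpoints.items() if addr in labels}


if __name__ == "__main__":
    ends = trace(LEDGER, "ransom_addr")
    for addr, (amt, path) in ends.items():
        print(f"{amt:>6.1f} BTC at {addr} via {' -> '.join(path)}")
    print("reachable via custodian:", custodial_endpoints(ends, CUSTODIAN_LABELS))
```

The 63.7 BTC leg ends at the exchange deposit address and is flagged; the 11.3 BTC leg ends at an address with no attribution, which is exactly the case where tracing alone does not help and the article's caveat about this outcome not being "the norm" applies.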
As CNN reports, investigators were previously "looking for any possible holes in the hackers' operational or personal security in an effort to identify the actors responsible."
CNN further reports that the hackers involved with the Colonial Pipeline incident "may have been inexperienced or novice hackers, rather than well-seasoned professionals," referring to three anonymous sources.
UPDATE (Tuesday, June 8th, 10 a.m. UTC): Updated with more information on the seizure warrant obtained by the DOJ.