Colonial Hackers Broke the Fundamental Bitcoin Rule


When kidnappers ask for a ransom, they’d be wise to have a plan to store the loot securely. Cybercriminals aren’t exempt.

Hackers who broke into and encrypted the computer files of the Colonial Pipeline operator last month made a now-common demand: Pay me, or your files stay locked forever. The ransom was to be paid in Bitcoin.

Cryptocurrencies, according to folklore (and law enforcement), are a favored medium of crooks and terrorists because they’re purely digital and hard to trace. Computer ransom attacks happened before Bitcoin was invented, but have surged since such tokens became popular. 

At Colonial Pipeline Co., the interruption was briefly devastating, with fuel supplies through eastern parts of the U.S. cut off and motorists forced to line up for gas. On May 8, executives paid 75 Bitcoins in ransom, equivalent to around $4.3 million at the time. The files were then unlocked — technically, decrypted — and eventually the oil started flowing again. But so did the trail of evidence.

For the Federal Bureau of Investigation — which advocates against paying ransom — this first transaction marked the start of a digital car chase. Agents at the FBI’s Cyber Crimes Squad in San Francisco knew something that it seems many people forget: Every Bitcoin transaction is traceable. They’re recorded in a public distributed ledger. 

Using readily available tools, anyone can trace the comings and goings for any given crypto address. The FBI did just that, deploying a blockchain explorer — think of it as a crypto search engine — to, quite literally, follow the money.

When the hackers — identified by the FBI as Russia-linked cybercrime group DarkSide — asked for a ransom to be paid in Bitcoin, they needed to leave their address. Getting the money is always the weak point in any kidnapping or hijacking scheme, and this one was no different.

So now the FBI had the address where 75 Bitcoins were paid, and they had a search tool that could track movement at that address. In analog times, this would be akin to making a drop to a post-office box and having the feds camped outside waiting for the perpetrator to pick it up.

In the digital world, though, it’s a simple matter to then transfer those Bitcoins to another address. And another. And another. This is done to obscure a trail and mask the flow of funds, kind of like money laundering. By May 27, the FBI had identified at least two dozen different Bitcoin addresses used in the distribution. Then, finally, most of it, 69.6 Bitcoins in total, was funneled back to one last address.
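The forward trace described above, as an added illustration that is not part of the column: a toy blockchain-explorer walk over a constructed ledger (the transaction ids, addresses and amounts are made up, not the real Colonial Pipeline payments), starting from the address the ransom was paid to and following each spend until the coins come to rest.

```python
"""Follow funds forward through a public UTXO ledger, the way an
investigator uses a blockchain explorer to trace a ransom payment."""
from collections import deque
from decimal import Decimal

# Constructed toy ledger; not real Colonial Pipeline transactions.
# Each entry: (txid, inputs spent as (txid, output_index), outputs as (address, BTC)).
LEDGER = [
    ("tx_ransom", [("victim_wallet", 0)], [("addr_ransom", Decimal("75.0"))]),
    ("tx_split",  [("tx_ransom", 0)],     [("addr_a", Decimal("40.0")), ("addr_b", Decimal("34.9"))]),
    ("tx_hop_a",  [("tx_split", 0)],      [("addr_c", Decimal("39.9"))]),
    ("tx_hop_b",  [("tx_split", 1)],      [("addr_d", Decimal("30.0")), ("addr_e", Decimal("4.8"))]),
    ("tx_merge",  [("tx_hop_a", 0), ("tx_hop_b", 0)], [("addr_final", Decimal("69.6"))]),
    # An unrelated payment that must not show up in the trace.
    ("tx_other",  [("someone_else", 0)],  [("addr_x", Decimal("1.0"))]),
]

def index_ledger(ledger):
    """The two lookups an explorer offers: each transaction's outputs,
    and which later transaction (if any) spends a given output."""
    tx_outs = {txid: outs for txid, _, outs in ledger}
    spent_by = {prev: txid for txid, inputs, _ in ledger for prev in inputs}
    return tx_outs, spent_by

def trace_forward(ledger, start_address):
    """Breadth-first walk from every output paid to start_address through
    each spending transaction. Returns the addresses touched, the outputs
    still unspent (where the coins sit now) and the deepest hop count."""
    tx_outs, spent_by = index_ledger(ledger)
    frontier = deque(
        ((txid, vout), 0)
        for txid, outs in tx_outs.items()
        for vout, (addr, _) in enumerate(outs) if addr == start_address
    )
    seen, touched, resting, max_hops = set(), set(), {}, 0
    while frontier:
        key, hops = frontier.popleft()
        if key in seen:          # two inputs may land in the same merge tx
            continue
        seen.add(key)
        addr, amount = tx_outs[key[0]][key[1]]
        touched.add(addr)
        max_hops = max(max_hops, hops)
        if key in spent_by:      # coins moved on: queue every output of the spend
            next_tx = spent_by[key]
            for vout in range(len(tx_outs[next_tx])):
                frontier.append(((next_tx, vout), hops + 1))
        else:                    # unspent: this is where the money rests
            resting[addr] = resting.get(addr, Decimal(0)) + amount
    return touched, resting, max_hops

if __name__ == "__main__":
    print(trace_forward(LEDGER, "addr_ransom"))
```

The difference between the 75 BTC paid and the 74.4 BTC still resting is the fees consumed along the way; the split-then-merge pattern is visible to anyone holding the same public data the perpetrators do.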

It’s here that the feds pounced — and where the story gets murky.

Somehow, they had the private key for this last address. Bitcoin, like much of modern cryptography, works on a public-private key pair. The public key can be thought of as similar to an email address, and the private key as the password. Except these passwords are extremely long and almost impossible to guess.

Law enforcement agencies don’t like to share their tradecraft, so how the FBI managed to get the key to this stash isn’t yet public. There’s a chance that the FBI hacked the hackers, or that someone else did and passed the key to the Bureau. Or maybe an informant handed it over. 

There’s also the possibility that this final address didn’t actually belong to the hackers, but to a cryptocurrency exchange.

It’s a widely misunderstood feature of centralized exchanges that people who think they have Bitcoin don’t actually have Bitcoin. Instead, that Bitcoin sits in the wallet of an exchange, like Coinbase, and all the customer has is what’s akin to an IOU. The private key resides with the exchange, not the customer, giving rise to the mantra: If you don’t own your private keys, you don’t own your Bitcoin.

That’s why thousands of consumers over the years have lost millions of dollars in cryptocurrency as a result of exchanges being hacked, the most famous being the Mt. Gox breach that ended with the Japanese company going bankrupt in 2014.

Exchanges are required to follow the law, which means fielding requests from government agencies for customer information. Coinbase, for example, received more than 4,200 requests in 2020, more than half in the latter part of the year. The FBI was the agency behind 30% of its U.S. inquiries. An exchange may be required to hand over the private keys to a specific address.

Where exactly the Bitcoins were held, and who gave the FBI the private key, hasn’t been disclosed.

For the hackers, the specifics of how the FBI got its hands on the password aren’t of great importance. They appear to have made a more fundamental mistake by keeping their Bitcoin online at all. This method of storage is called a hot wallet, meaning it can be accessed over a network for convenience and to aid nimble transactions. But it’s vulnerable to hacking.

Security advocates recommend that anyone with cryptocurrency store it in a cold wallet, also known as a hardware wallet, that isn’t connected to the internet and thus can’t be hacked. This typically takes the form of a USB thumb drive, but since a private key is simply a 256-bit string of 1s and 0s, it can even be printed out on a piece of paper to be typed in when access to the address is needed.

The Colonial Pipeline hackers are fully aware of all this, yet for some reason didn’t follow the basic tenets of Bitcoin security. And now they’re much poorer for it.

Technically, one wallet can have multiple addresses.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

Tim Culpan is a Bloomberg Opinion columnist covering technology. He previously covered technology for Bloomberg News.

©2021 Bloomberg L.P.
