FBI vs Hacking Group
Today was a humiliating day for the hacker group Darkside: the bitcoins it obtained in a global ransom attempt were not only devalued by the recent plunge in cryptocurrency prices, but also intercepted by the FBI, in a transfer that its peers derided as “extremely low-tech”. At the same time, it means that the unseen hand that has been threatening public safety and turning virtual currencies like Bitcoin into tools of crime has slapped itself hard in the face.
U.S. Deputy Attorney General Lisa Monaco said investigators recovered 63.7 bitcoins paid by Colonial Pipeline, or about 85 percent of the total amount paid, the Associated Press reported on July 7. The report said the bitcoins are now worth about $2.3 million (about $14.71 million) because the price of bitcoin has fallen. Monaco said in a news release, “We will continue to use all of our resources to increase our research into defending against ransomware attacks.”
According to an FBI affidavit, law enforcement officials used a blockchain transaction monitoring tool to track several Bitcoin transactions in real time and ultimately identify the address at which the ransom was received. They also obtained the private key for that address; a private key can be thought of simply as the “password” that controls the funds. However, no official document or trial transcript explains how the FBI obtained the private key.
Explanation of the transfer
In fact, the documents made public by the U.S. Department of Justice describe the entire course of this extortion in detail, and even the addresses involved are largely disclosed.
From the disclosed documents, it appears that on May 8, 2021, Colonial transferred 75 bitcoins to the hacker’s address.
Although the documents redact some of the address information, the on-chain analysis system of Zhongke Chain Security still lets us locate the relevant addresses and transactions.
The other party’s
Then, the relevant bitcoins were further transferred to the new address of
That is not all: the hackers then transferred the bitcoins in question further and also split them.
The key part is what happened to the roughly 63.75 BTC: it was moved twice more into a wallet (a wallet here being a group of addresses created from the same private key), after which the hacker went quiet for a while and finally, on May 27, transferred the wallet’s entire balance of 69.60422177 BTC to a new address.
Up to this point the hackers were arguably only making ordinary transfers that could not even be called “money laundering”, and the whole process was very easy to trace. Only then did the hackers appear to begin laundering in earnest by splitting the funds.
This is a typical feature of Bitcoin “chain laundering”, but the process had barely begun before it ended. Note the address XXXXdh77gls: it was the bitcoins at this address that the FBI seized in the last two days, and this is the source of the figure in the recent news reports that “63.7 of those bitcoins were recovered”.
How was it recovered? Judging from public information, this was not strictly a “recovery” at all: the FBI obtained the private key of the above address in North Carolina, re-imported it and thereby took control of the bitcoins. Whether the private key was obtained from a server or from a suspect has not been disclosed.
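The forward tracing described above (following each spend out of the ransom address, through the two-hop move into a wallet, up to the consolidation and the first splitting transaction) is illustrated by the following Python, which is an added example and not code from the original article or from Zhongke Chain Security’s system. The addresses, txids, amounts and the spend graph itself are constructed sample data, not real chain data.

```python
from collections import defaultdict, deque

# Constructed sample spend graph, not real chain data. Each entry is one
# transaction: the addresses it spends from and the addresses/amounts it pays.
# Amounts loosely follow the article (75 BTC paid, a 63.75 BTC tranche moved
# twice, then consolidated into 69.60422177 BTC and moved on).
TXS = [
    {"txid": "t1", "inputs": ["victim"], "outputs": {"ransom_addr": 75.0}},
    {"txid": "t2", "inputs": ["ransom_addr"], "outputs": {"hop1": 63.75, "split_a": 11.25}},
    {"txid": "t3", "inputs": ["hop1"], "outputs": {"wallet_a1": 63.75}},
    {"txid": "t4", "inputs": ["wallet_a1", "other_funds"], "outputs": {"consolidated": 69.60422177}},
    {"txid": "t5", "inputs": ["split_a"], "outputs": {"mixer_in": 11.25}},
]

def trace_forward(txs, start_addr):
    """Breadth-first walk of every spend downstream of start_addr. Returns
    (txids in visit order, parent map); parent[addr] = (previous address, txid)."""
    by_input = defaultdict(list)          # address -> txs spending from it
    for tx in txs:
        for addr in tx["inputs"]:
            by_input[addr].append(tx)
    parent, order, queue = {start_addr: None}, [], deque([start_addr])
    while queue:
        addr = queue.popleft()
        for tx in by_input[addr]:
            if tx["txid"] in order:       # already followed this spend
                continue
            order.append(tx["txid"])
            for out in tx["outputs"]:
                if out not in parent:     # first time funds reach this address
                    parent[out] = (addr, tx["txid"])
                    queue.append(out)
    return order, parent

def path_to(txs, start_addr, target_addr):
    """Txids carrying funds from start_addr to target_addr, [] if unreachable."""
    _, parent = trace_forward(txs, start_addr)
    if target_addr not in parent:
        return []
    hops, addr = [], target_addr
    while parent[addr] is not None:       # walk parent pointers back to the start
        addr, txid = parent[addr]
        hops.append(txid)
    return hops[::-1]

def split_txs(txs, order):
    """Traced transactions that fan out to several outputs (the 'splitting' pattern)."""
    return [t["txid"] for t in txs if t["txid"] in order and len(t["outputs"]) > 1]
```

In practice the spend graph would come from a full node or an analysis platform such as the one mentioned above; the walk itself is the same, and the parent map’s keys are every address the traced funds reached.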
Taking a Shot at Virtual Currency Crime
The global crackdown on virtual currency crime has been ramping up in recent years. The use of virtual currencies such as Bitcoin for money laundering and extortion has long been a focus of international attention, and a global clean-up of virtual currency money laundering is urgently needed. As a result of this hacking attack, Colonial was forced to shut down approximately 5,500 miles of fuel pipelines on short notice, suspending fuel supply to the east coast of the United States. The hack caused Colonial to stop oil supply for more than 10 days; the eastern United States suffered an oil panic and global oil prices spiked, causing huge economic losses.
This FBI ransom recovery also shows that virtual currency crime not only disrupts the financial order but has become a form of crime that endangers public safety.
More comprehensive and in-depth regulation of virtual currency, using blockchain-based means such as real-time monitoring, transaction tracking, de-anonymization of on-chain addresses, and on-chain data analysis and identification, is the way forward: wherever virtual currency crime appears, that is where the fire will be directed!
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/how-were-the-63-7-bitcoins-recovered/