Seizing Cryptocurrency: How is Law Enforcement Tracing and Recovering Bitcoin Payments?
A look into recent cryptocurrency tracing and recovery operations by the FBI and UK’s Metropolitan Police
On June 7, 2021, the U.S. Department of Justice announced that it had seized $2.3 million in cryptocurrency paid to the DarkSide ransomware gang following the Colonial Pipeline attack. On June 24, 2021, the UK’s Metropolitan Police announced that it had seized £114 million in money laundering cryptocurrency. How did they do that? Is bitcoin security broken?
Colonial Pipeline ransomware attack
On May 7, 2021, Colonial Pipeline announced it was the victim of a cyberattack, and it had proactively halted all pipeline operations. It rapidly emerged that this was a ransomware attack by the Russia-based DarkSide gang or one of its affiliates, and that it was an attack against the U.S. infrastructure.
The first part is true; the second part – strictly speaking – is not.
The attack was against the Colonial’s business systems; that is against Colonial’s IT rather than operational technology (OT). It was Colonial’s decision to shut down the pipeline – it wasn’t forced to do so by the ransomware.
There is an important point here: it is no longer realistic to talk about IT and OT as if they are always two separate systems. Business integration means that the two things can be inextricably combined – a successful attack against IT could have a serious operational effect as a successful attack against OT (albeit probably less dramatic and probably less dangerous).
The attack against the infrastructure may have been an unintentional by-product of the ransomware, which may have been delivered by a DarkSide affiliate rather than the primary gang itself; that is, it was an accident.
This would mesh with what is known about the DarkSide gang. When it first surfaced on Russian language forums, it stated that it would not attack medicine, funeral services, education, non-profit and/or government sectors. Pipelines are not specified, but as part of the critical infrastructure, would appear within the spirit of this statement.
Add to this a statement the gang released shortly after the Colonial attack: “Our goal is to make money, not to create problems for society. From today we will introduce moderation and will check each company that our partners want to encrypt to avoid social consequences in the future.”
The implication from these statements is that the Colonial attack was against DarkSide’s principles, and was undertaken by an unmoderated partner, or affiliate organization. Days later it was reported that DarkSide had ceased operations. Its servers had been seized, and money had been siphoned off.
The immediate general assumption was that DarkSide was running from the FBI – an argument that gained some credence when the DOJ announced that it had seized $2.3 million in cryptocurrency from the Colonial Pipeline ransomware payment. Nevertheless, for this to be true, the FBI had a major success in a minimal time period.
On May 12, 2021, CNBC reported former NSA hacker David Kennedy was arguing that “Russian President Vladimir Putin is connected to the actions of DarkSide.” If Putin is connected to DarkSide, then the FSB is connected to DarkSide. But Putin would not like to be associated with a Russian state attack against American critical infrastructure at this stage of his relationship with Joe Biden.
Occam’s razor is often simplified to the argument, ‘the simplest explanation is usually the best one’, but is perhaps better explained as ‘the best solution is the one that makes the fewest assumptions’. So, which is the simplest/best explanation? The FBI had already infiltrated DarkSide and had inside information on the gang’s infrastructure and crypto wallets; or the FSB was already inside DarkSide? If DarkSide was running, was it from the FBI or the FSB?
UK Money Laundering
Little is known about the Metropolitan Police seizure of £114 million of what is described as money laundering by bitcoin. The law enforcement agency announced on June 24, 2021, “Specialist detectives investigating money laundering offences made the seizure worth £114 million – the largest cryptocurrency seizure in the UK and believed to be one of the largest globally.”
The funds are related to street crime rather than cybercrime. “Cash remains king,” commented deputy assistant commissioner Graham McNulty, “but as technology and online platforms develop, some are moving to more sophisticated methods of laundering their profits… This cash can no longer be reinvested in crime, it cannot be used to buy and peddle drugs and weapons, and cannot be used to entice and exploit young and vulnerable people into criminality.”
This announcement was followed one day later by a brief statement, a “39-year-old woman was arrested at an address in London and taken into custody at a London police station. She was arrested on suspicion of POCA offences (Money Laundering). She has since been bailed to a date in late July.”
The paucity of information is not in itself surprising. UK law enforcement never provides as much information on its operations as does U.S. law enforcement.
Statements from the parties involved
Taken at face value, these events could be taken to imply that law enforcement has found some way to crack the encryption of bitcoin wallets. This is most unlikely if not simply untrue. Tracing bitcoin wallets is difficult but not beyond the resources of law enforcement. It is largely a matter of using the public ledger and comparing dates and amounts. If a traced wallet is found within a friendly jurisdiction, it can then be seized with a court order. But seizing the wallet is not synonymous with cracking the key and retrieving the content.
Until such time as we have adequate quantum computing able to run Shor’s algorithm with sufficient speed, the content of bitcoin wallets is and will remain unrecoverable without prior knowledge of the key. Nobody seriously believes this is yet possible (although we cannot say with 100% certainty that none of the big national intelligence agencies do not secretly possess such a quantum computer).
To understand what really happened, we need to look closely at the original statements from the parties involved.
The DarkSide closure statement appeared on several underground forums, but a version obtained from Russian OSINT was published by Brian Krebs. It says:
A few hours ago, we lost access to the public part of our infrastructure, namely the
Now these servers are unavailable via SSH, the hosting panels are blocked. Hosting support, apart from information “at the request of law enforcement agencies”, does not provide any other information.
Also, a few hours after the withdrawal, funds from the payment server (ours and clients’) were withdrawn to an unknown address.
The striking thing in this statement is what isn’t said. The geographical location of the servers is not specified – that would possibly give some indication of who could take down the servers. And, of course, the ‘law enforcement agencies’ concerned are not named.
The immediate and common perception is that this was the work of the FBI – but there is nothing in DarkSide’s statement to confirm that. It could have been law enforcement from any country.
The DOJ statement includes:
As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the “private key,” or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address. This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering and may be seized pursuant to criminal and civil forfeiture statutes.
There are several peculiarities in this statement. Firstly, it sounds like ‘multiple transfers of bitcoin’ were gathered into a single address. This is contrary to what would more usually be expected. Criminally acquired bitcoin would be separated and moved around, using a mixer or tumbler service to break any traceable link chain. Here, the opposite happens: they are gathered into a single address – similar to DarkSide’s statement: “funds… were withdrawn to an unknown address.”
Secondly, the FBI already has the key for this address. There is no suggestion that they cracked the bitcoin encryption – they already had the key. The implication is that the new address is a server in California. “The seizure warrant was authorized earlier today by the Honorable Laurel Beeler, U.S. Magistrate Judge for the Northern District of California,” says the DOJ statement.
It would seem unlikely that after extorting part of the U.S. critical infrastructure, DarkSide would willingly gather the proceeds into a single address in California. However, with knowledge of the bitcoin location, with a key to the wallet, and a court order, the FBI had everything necessary to open the wallet and seize the bitcoin. What remains unexplained is how and why the bitcoin was gathered, and how did the FBI get the key?
SecurityWeek has asked the DOJ for further information, but has not received any response. If anything is forthcoming, it will be appended to this article.
The Met’s seizure of £114 million is not related to any single cyber incident, but is rather related to ongoing street crime. The cyber element is purely to launder the proceeds of that street crime.
Typically for British law enforcement, few details are provided in the official statement. The ‘why’ is made clear: “There is an inherent link between money and violence. Violence is used to extort, blackmail, burgle, control and exploit. It’s used to protect criminal profits and maintain control of territories,” said McNulty. By confiscating criminal funds, those funds cannot be used in the furtherance of continued or future gang violence.
The ‘how’ is also briefly mentioned: “The seizure was carried out by detectives from the Met’s Economic Crime Command on the back of intelligence received about the transfer of criminal assets.”
There is nothing in the statement to specify whether the wallet was accessed or merely confiscated and put into cold storage out of the reach of the gangs. It is worth noting that to achieve the aim of disrupting criminal finances, placing the wallet in cold storage is as effective as breaking into the wallet.
SecurityWeek asked the Met Police for further details, and was told, “This was one single seizure amounting to 114 million, we won’t be going into more detail about which cryptocurrency.”
To all other questions, it replied, “We aren’t going into detail about this;” but added, “As you can hopefully appreciate this is an ongoing investigation and while proceedings are continuing we are not releasing much more.”
What really happened here?
The Met Police seized a wallet containing £114 million of street crime proceeds. We don’t know the cryptocurrency concerned, but we do know it was a single wallet. We don’t know if the wallet was accessed or merely confiscated. We do know that the operation proceeded based on intelligence received.
“If I were to hazard a guess,” Jake Moore, a cyber security specialist with ESET, told SecurityWeek, “I would suggest that the Met Police had infiltrated the gangs.” Moore had spent 14 years with the UK’s Dorset Police, as both a cyber security advisor and head of digital forensics. “It’s what the police do.”
If this is true, it would explain where the Met received its information. It would also explain the paucity of information from the Met – a life or lives could be at risk here.
The DOJ/FBI operation provides more information. We can assume that the FBI accessed the wallet because it had the key. ‘The key’ is singular, although the DOJ says it “was able to track multiple transfers of bitcoin…” If these statements are both accurate, the implication is that the bitcoin was gathered into a single wallet that the FBI could access. We do not know who did this.
“I do not believe that the FBI – or anyone else – is currently able to break the encryption around bitcoin,” John Callahan, CTO at Veridium, told SecurityWeek. “Any idea on how the FBI obtained the key is pure speculation.”
One possibility could be through signals intelligence (which could also apply to the Met Police information). The NSA in the U.S. and GCHQ in the UK are perhaps the two most proficient SIGINT organizations in the world.
There is also the example of ANOM. ANOM was supposedly a secure chat system pre-installed on special phones and widely used by criminals. But it was actually a sting operation jointly conceived and operated by the FBI and the Australian Federal Police. The scale was impressive. For years, law enforcement was able to monitor the chats of around 300 criminal syndicates in more than 100 countries who were using some 12,000 of the special ANOM devices.
News of ANOM was released by Europol the day after the DOJ’s Colonial Pipeline ransom recovery was announced by the DOJ. Both the U.S. and the UK were among 16 nations involved in the arrest of 800 suspected criminals around the world. The timing means it is possible that both the FBI and the Met Police obtained their intelligence via ANOM.
This, however, still doesn’t explain how and why the DarkSide funds were gathered into a single location. There are only two possibilities here – either the FBI had infiltrated DarkSide and learned the key from the inside; or some other law enforcement agency did similar (and the most obvious candidate would be the FSB).
FBI infiltration still does not explain how the DarkSide servers (in an unspecified country, but likely to be Russia) were taken down and the bitcoin content siphoned off to (probably) California. This would require collaboration between Russia and the U.S.
This is not too far-fetched. Biden is not Trump, and Putin would need to gauge his new adversary before being too provocative. Russia effectively returning the Colonial Pipeline ransom could be a diplomatic way for Putin to say, “look, we do not attack critical infrastructure. This was a mistake by DarkSide. As a sign of good faith, we will close down DarkSide and return the bitcoin. And here’s the key.”
We have explored several hypotheses on how U.S. and UK law enforcement could have effected two major bitcoin seizures. Any one, or none, could have been the route – in the world of hypotheses, one hypothesis is as valid as any other hypothesis. What we have shown, however, is that the seizures could have been achieved without needing to break the bitcoin encryption security.
The one thing we can say with almost certainty is that bitcoin remains secure and unbreakable with current technology.