Share this page!

Bruce Kleinman Profile picture
Twitter logo
7 Jun, 12 tweets, 3 min read
Earlier this afternoon, the DoJ announced they had seized the bitcoin (specifically, the private key) from the #ColonialPipeline ransomware attack. How might that have happened? Here is a working hypothesis. [1]
@ahcastor @BennettTomlin @KimZetter
The attackers were operating a bitcoin full node and using the default attached wallet. Their full node was running on a hosted server in Northern California per “Warrant to Seize Property Subject to Forfeiture”. [2]
Using a wallet attached to a full node is a reasonable plan, IF (big IF) your OpSec is super-clean. Simplifying: send bitcoin from said wallet ONCE AND ONLY ONCE. Oh yes 007, do be sure to ENCRYPT the attached wallet (narrator: they didn't). [3]
Although not part of the blockchain, the “first relay” address of every sending transaction is completely visible. So FFS, ne’er do wells can only send bitcoin from a wallet attached to a full node ONCE. [4]
If you haven’t already done so, take a look at the “Affidavit in Support of an Application for a Seizure Warrant” below. I’m going to refer to actions described using the paragraph numbers. [5]
storage.courtlistener.com/recap/gov.usco…
Paragraphs 28-33 describe a series of transactions, starting with receipt of the ransom sent by Colonial Pipeline. From transaction ¶28 forward, anyone can track the subsequent transactions with a bitcoin explorer. At this juncture, the IP address of the full node is UNKNOWN. [6]
Now if you asked me (and f—ing DO NOT ASK ME, because I don’t touch ne’er do wells) the instant the full node receives the ransom (¶28) and saves the bitcoin in its attached wallet, I would xfer the wallet file OFF OF THE HOSTED SERVER and incinerate the entire instance. [7]
For the remainder of my working hypothesis to play out, however, that doesn’t happen. [8]
Paragraphs 29-32 describe a series of transactions moving the ill-gotten bitcoin from one address to another. One or more of these other transaction was SENT from the full node in question, exposing its IP (as the “first relay”) address for the world to see. [9]
Repeating for clarity, in order for my working hypothesis to hold water, the ¶33 receiving transaction lands on the full node and into its attached wallet. [10]
Having readily grabbed the offending IP address from one of the sending transactions (¶29 thru ¶32) the DoJ had already recognized a bitcoin full node running at that address. One imagines the hosted server in question is under rather close observation. [11]
After the ¶33 transaction, the DoJ seizes the wallet, (and if you ask me) the full node, the hosted instance, the physical hosted server, and every router in the vicinity of the hosting service. /FIN [12]

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Bruce Kleinman

Bruce Kleinman Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @brucedkleinman has new unrolls!

Check out other threads from @brucedkleinman!

Read all threads by @brucedkleinman

:(