Earlier this afternoon, the DoJ announced they had seized the bitcoin (specifically, the private key) from the #ColonialPipeline ransomware attack. How might that have happened? Here is a working hypothesis. [1] @ahcastor @BennettTomlin @KimZetter
The attackers were operating a bitcoin full node and using the default attached wallet. Their full node was running on a hosted server in Northern California, per the “Warrant to Seize Property Subject to Forfeiture”. [2]
Using a wallet attached to a full node is a reasonable plan, IF (big IF) your OpSec is super-clean. Simplifying: send bitcoin from said wallet ONCE AND ONLY ONCE. Oh yes 007, do be sure to ENCRYPT the attached wallet (narrator: they didn't). [3]
Although it is not recorded in the blockchain, the IP address of the “first relay” of every sending transaction (the peer from which a well-connected observer first hears the transaction) is visible to anyone monitoring the p2p network, and some explorers have logged it. So FFS, ne’er do wells can only send bitcoin from a wallet attached to a full node ONCE. [4]
If you haven’t already done so, take a look at the “Affidavit in Support of an Application for a Seizure Warrant” below. I’m going to refer to actions described using the paragraph numbers. [5] storage.courtlistener.com/recap/gov.usco…
Paragraphs 28-33 describe a series of transactions, starting with receipt of the ransom sent by Colonial Pipeline. From transaction ¶28 forward, anyone can track the subsequent transactions with a bitcoin explorer. At this juncture, the IP address of the full node is UNKNOWN. [6]
Now if you asked me (and f—ing DO NOT ASK ME, because I don’t touch ne’er do wells) the instant the full node receives the ransom (¶28) and saves the bitcoin in its attached wallet, I would xfer the wallet file OFF OF THE HOSTED SERVER and incinerate the entire instance. [7]
For the remainder of my working hypothesis to play out, however, that doesn’t happen. [8]
Paragraphs 29-32 describe a series of transactions moving the ill-gotten bitcoin from one address to another. One or more of these transactions was SENT from the full node in question, exposing its IP address (as the “first relay”) for the world to see. [9]
Repeating for clarity, in order for my working hypothesis to hold water, the ¶33 receiving transaction lands on the full node and into its attached wallet. [10]
Having readily grabbed the offending IP address from one of the sending transactions (¶29 through ¶32), the DoJ had already recognized a bitcoin full node running at that address. One imagines the hosted server in question is under rather close observation. [11]
After the ¶33 transaction, the DoJ seizes the wallet, (and if you ask me) the full node, the hosted instance, the physical hosted server, and every router in the vicinity of the hosting service. /FIN [12]
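To make the two observations the hypothesis rests on concrete, here is an added example (not part of the thread, and not anything the DoJ or the affidavit describes): a small simulation of the blockchain trace in ¶28 onward and the first-relay attribution in ¶29 through ¶32. The ledger, transaction ids, addresses, amounts, timestamps and IP addresses (RFC 5737 documentation ranges) are all constructed for the example, and the function names are mine.

```python
"""Trace a ransom payment forward through a constructed ledger and attribute
each hop to the p2p peer that first announced it (the "first relay").

Everything below is constructed sample data; nothing is taken from the
affidavit.  txids are labelled tx28..tx33 only to mirror the thread's
paragraph numbers.
"""
from collections import Counter, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # (prev_txid, vout) pairs being spent
    outputs: tuple  # (address, amount_btc) pairs being created


# Constructed ledger.  tx28 is the ransom landing in the attackers' wallet;
# tx29..tx32 shuffle it between addresses; tx33 is a receipt back into the node.
LEDGER = {
    "tx28": Tx("tx28", (("tx_victim", 0),), (("addr_A", 10.0),)),
    "tx29": Tx("tx29", (("tx28", 0),), (("addr_B", 8.0), ("addr_A2", 2.0))),
    "tx30": Tx("tx30", (("tx29", 0),), (("addr_C", 8.0),)),
    "tx31": Tx("tx31", (("tx29", 1),), (("addr_D", 2.0),)),
    "tx32": Tx("tx32", (("tx30", 0),), (("addr_E", 8.0),)),
    "tx33": Tx("tx33", (("tx32", 0),), (("addr_F", 8.0),)),
}

# Constructed log of what a monitoring node with many peer connections sees:
# (timestamp, peer_ip, txid) for every `inv` announcement of each transaction.
# 203.0.113.7 plays the attackers' hosted full node.
INV_LOG = [
    (100.0, "192.0.2.10", "tx28"),    # ransom broadcast by the payer's side
    (100.4, "203.0.113.7", "tx28"),
    (200.0, "203.0.113.7", "tx29"),   # sent from the attackers' node
    (200.3, "198.51.100.4", "tx29"),
    (300.0, "203.0.113.7", "tx30"),
    (300.2, "192.0.2.55", "tx30"),
    (310.0, "198.51.100.4", "tx31"),  # relay noise: another peer beat the origin
    (310.1, "203.0.113.7", "tx31"),
    (400.0, "203.0.113.7", "tx32"),
    (400.6, "192.0.2.55", "tx32"),
    (500.0, "192.0.2.99", "tx33"),    # receipt, broadcast by the counterparty
    (500.5, "203.0.113.7", "tx33"),
]


def trace_forward(ledger, start_txid):
    """Follow every output of start_txid to the transaction that spends it,
    breadth-first: the same walk one does by clicking through a block explorer.
    Returns the txids reached, in discovery order."""
    spends = {}  # (txid, vout) -> txid of the transaction that spends it
    for tx in ledger.values():
        for prev in tx.inputs:
            spends[prev] = tx.txid
    order, seen, queue = [start_txid], {start_txid}, deque([start_txid])
    while queue:
        cur = queue.popleft()
        for vout in range(len(ledger[cur].outputs)):
            nxt = spends.get((cur, vout))
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                order.append(nxt)
                queue.append(nxt)
    return order


def first_relay(inv_log):
    """Map each txid to the IP of the peer that announced it to us first."""
    first = {}
    for _ts, ip, txid in sorted(inv_log):
        first.setdefault(txid, ip)
    return first


def likely_origin(ledger, inv_log, start_txid):
    """Attribute every hop of the traced chain to its first relay and return
    (ip, hops) for the IP that was first relay most often.  A single IP that
    keeps turning up first for several spends from the same chain of funds is
    the candidate full node; one hit alone is weak evidence."""
    chain = trace_forward(ledger, start_txid)
    fr = first_relay(inv_log)
    counts = Counter(fr[t] for t in chain if t in fr)
    return counts.most_common(1)[0]


if __name__ == "__main__":
    chain = trace_forward(LEDGER, "tx28")
    fr = first_relay(INV_LOG)
    for t in chain:
        print(f"{t}: first relayed by {fr.get(t, '?')}")
    print("likely origin:", likely_origin(LEDGER, INV_LOG, "tx28"))
```

Two things the toy makes visible that the thread compresses: the receipt transactions (tx28 and tx33) attribute to other parties, because the node did not broadcast them, and one hop (tx31) attributes to the wrong peer, because first-relay is a timing heuristic rather than a record. It only becomes convincing when the observer has many connections and the same IP keeps appearing first across several spends from the same chain of funds, which is exactly what repeated sends from one node hand an observer.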