The US Department of Justice has stated they seized 63.7 bitcoin out of 75 bitcoin paid to ransomware hackers who briefly brought down the Colonial Pipeline.
This is the first time such announcement has been made, raising the question just how they were able to take possession of the coins.
“The private key for the Subject Address is in the possession of the FBI in the Northern District of California,” the agent said in the affidavits.
Thus there isn’t some bureaucratic miscommunication, law enforcement has been able to not only locate where the funds went to, but also actually take possession.
How? No explanation has been given in time for publishing with the censoring prone and over-classification leaning agency redacting even part of the address they took possession which we were able to allocate in full:
There’s no risk whatever in revealing this address as far we can conceive, except maybe that this shown they’ve taken possession of 69 bitcoin, not 63.7.
They’ve been separated into two withdrawals. Both are still in full at the withdrawn addresses with perhaps both in the possession of law enforcement.
This 1qq address is funded after going through some fairly direct hops by what looks like an exchange address we’ll call 29mut.
There appears to be conflicting information regarding whose address this is. Some say Coinbase, but Coinbase has fully denied having any involvement with Philip Martin, their CSO, stating:
“I’ve seen a bunch of incorrect claims that Coinbase was involved in the recent DOJ seizure of bitcoin associated with the Colonial Pipeline ransomware attack. We weren’t.
Coinbase was not the target of the warrant and did not receive the ransom or any part of the ransom at any point. We also have no evidence that the funds went through a Coinbase account/wallet.”
This is a full denial, which amounts to effectively Martin denying this 29mut address is Coinbase’s at all because the funds definitely came from that address.
If it is not Coinbase, then it is definitely Gemini. The theory thus is a warrant was issued that forced Gemini to hand over the coins.
This theory hinges mainly on: why did they request a warrant otherwise. Its weakness however lays in the fact that crypto funds on Gemini itself are bundled into hot and cold wallets.
What happened therefore was this sum of 75 bitcoins was withdrawn from Gemini’s hot wallet on May the 8th. That’s around the time the Colonial Pipeline paid the hackers.
Colonial Pipeline therefore used Gemini to make the full 75 payment. 63.7 BTC is then transferred from the receiving address in the same day, and then the next day it is transferred to another address.
On the 28th of May 2021, that 63.7 BTC is transferred again to the 1qq address together with input from other addresses amounting to a total deposit of 69.60422177 BTC.
The 75 was split almost as soon as it was received to 63.7 and 11.2. So our theory, and its just a potential of what might have happened, is that they outhacked the hackers.
“Justice Department officials said that Colonial’s willingness to quickly loop in the F.B.I. helped recoup the ransom portion, and they credited the company for its role in a first-of-its-kind effort by a new ransomware task force in the department to hijack a cybercrime group’s profits.”
So says the New York Times. Now let’s go back to history. 75 is withdrawn from the hot wallet and it doesn’t matter who the hot wallet is since this is probably legit money, but it is probably Gemini.
We don’t know who owns the address that this 75 was withdrawn to from the hot wallet. We’ll call this though the JF address. It’s not segwit.
JF then sends 75 bitcoin to a segwit address, EQ. About 50 minutes later then this 75 is withdrawn while being split into this 63 and 11 in two different addresses.
As far as we are aware Gemini has supported segwit since forever. This can be important because we could engage in stereotype and suggest JF is bureaucracy, although in this case perhaps very high tech, or at the very least suggest that JF is not the ransomers.
What we want to say is that the payment was perhaps code conditional, but we’re finding it difficult to quite contemplate just how.
However if there has been no arrest and no physical seizure, with this described as a ‘hijack,’ it appear possible there were smart contracts stealthily engaged in the payment.
If that is the case then one expects FBI to obviously say nothing and that wouldn’t necessarily be over-classification with it also potentially explaining this extra 6 bitcoin in the final address.
We could however be very mistaken but in theory it is possible, and in practice since 2016, to outhack the hackers by smarting code.
Whether that is what happened here is not clear, but if there is no arrest and if they haven’t physically taken possession of any thing with these scriptkiddies apparently based in Russia, then there is no other explanation than our boys are wizzing.
In that case the description of some they hacked bitcoin is not far off, but it’s a ‘good’ hack, within the rules of the codes in spirit and letter. They ‘hacked’ it to enhance its capabilities by using smart contracts instead of breaking bitcoin somehow, if that’s what happened anyway.