[HN Gopher] DOJ Seizes $2.3M in Crypto Paid to the Ransomware Ex...
___________________________________________________________________
DOJ Seizes $2.3M in Crypto Paid to the Ransomware Extortionists
Darkside
Author : nthitz
Score : 56 points
Date : 2021-06-07 21:46 UTC (1 hour ago)
(HTM) web link (www.justice.gov)
(TXT) w3m dump (www.justice.gov)
| ProjectArcturis wrote:
| How? Looks like Darkside transferred the money to an exchange
| (Coinbase?), didn't hide it well enough, and the FBI just grabbed
| it?
| cirowrc wrote:
| where's that sweet sweet transaction graph?
| blancNoir wrote:
| Not exhaustive, but you might find this interesting:
|
| https://blog.wolfram.com/2021/05/25/sleuthing-darkside-crypt...
| yamrzou wrote:
| There are more technical details in the linked affidavit (page 6
| and 7): https://www.justice.gov/opa/press-
| release/file/1402056/downl...
|
| They kept following transactions on the blockchain, but it's not
| clear how the private key came into the possession of the FBI.
| qeternity wrote:
| The wetware is always the weakest link.
| ianhawes wrote:
| Netsec Twitter's theory is that the attacker(s) had a VPS
| operating in the US that the FBI was able to access and which
| contained the key to the wallet where the final payment ended
| up.
| gruez wrote:
| So many questions. Why are they running a bitcoin node on a
| vps? do they need to make automated payments or something?
| it's very easy to run a bitcoin node locally, or even airgap
| the signing keys.
| vmception wrote:
| The FBI doesn't need the VPS to be in the United States for
| that
|
| The FBI specifically has had expanded Congressional authority
| for like 10 years to operate extraterritorially on cyber
| matters
|
| FBI agents will show up physically in any country and request
| cooperation from local municipal police (maybe) to seize
| electronic property as well as effect arrests in a way
| compliant with both jurisdictions. Given that private key
| crypto seizure is consequence free and irrevocable, if the
| FBI had access to the memory at a foreign data center they
| could have just taken it without worrying about local
| procedural nuances.
|
| Using crypto the proper way already shields against this,
| because you have to assume that you can't trust your own
| security or the data center operators, let alone the state.
| The server should only have the Master Public Key[1] for
| giving a one-time use address and rotating down the index in
| one of the address trees immediately after any input is
| received (rotate to a new account upon receipt of funds, new
| accounts are from an infinite tree of arrays at each node).
| The mnemonic for the master public key would have been
| generated offline and never on any device. Moving the funds,
| whenever one feels like it, can be signed offline and
| physically handed to a node that will append the signed
| transaction to the blockchain.
|
| [1]Bitcoin Improvement Protocols - BIP 44 (2014), BIP 39
| (2013), BIP 32 (2012)
|
| but anyway I'm leaning towards it being a private key on
| Coinbase that they got a warrant to check for, and it was
| correct, and they seized those assets
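An added illustration of the watch-only setup the comment above describes (example code written for this page, not from the comment author or any project): the offline side keeps the seed, derives the hardened BIP44 account level, and hands the server only the account's extended public key; the server mints one receive key per index with BIP32 CKDpub and rotates by bumping the index, while the offline signer reproduces the same key from the private side. It assumes textbook affine secp256k1 arithmetic in pure Python (3.8+ for the modular inverse via `pow`) and leaves out address encoding (hash160/base58), so keys are compared as compressed public keys.

```python
import hashlib
import hmac

# secp256k1 domain parameters: field prime, group order, generator point
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000  # BIP32: child indices >= 2^31 can only be derived with the private key

def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def ec_mul(k):  # k*G by double-and-add (textbook, not constant-time)
    r, q = None, G
    while k:
        if k & 1: r = ec_add(r, q)
        q, k = ec_add(q, q), k >> 1
    return r
def ser_p(point):  # 33-byte compressed SEC1 encoding of a public key
    return bytes([2 + (point[1] & 1)]) + point[0].to_bytes(32, "big")

def ckd_priv(k_par, c_par, i):
    """BIP32 CKDpriv (hardened or normal): only the offline signer ever runs this."""
    data = b"\x00" + k_par.to_bytes(32, "big") if i >= HARDENED else ser_p(ec_mul(k_par))
    I = hmac.new(c_par, data + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return (int.from_bytes(I[:32], "big") + k_par) % N, I[32:]
def ckd_pub(K_par, c_par, i):
    """BIP32 CKDpub (normal children only): the server runs this with no private material."""
    assert i < HARDENED, "hardened children cannot be derived from a public key"
    I = hmac.new(c_par, ser_p(K_par) + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return ec_add(ec_mul(int.from_bytes(I[:32], "big")), K_par), I[32:]

def account_keys(seed, account=0):
    """Offline: seed -> m/44'/0'/account'. Returns (xprv, xpub); only the xpub leaves the air gap."""
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k, c = int.from_bytes(I[:32], "big"), I[32:]
    for level in (44, 0, account): k, c = ckd_priv(k, c, level | HARDENED)
    return (k, c), (ec_mul(k), c)

def server_receive_key(xpub, index):  # watch-only server: key for .../0/index, rotate = bump index
    return ser_p(ckd_pub(*ckd_pub(*xpub, 0), index)[0])
def signer_receive_key(xprv, index):  # offline signer: the matching key from the private side
    return ser_p(ec_mul(ckd_priv(*ckd_priv(*xprv, 0), index)[0]))
```

The server process holds only `xpub` and can still hand out a fresh receive key per payment; compromise of that host yields addresses to watch, not keys to spend.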
| TaupeRanger wrote:
| Really? That seems like something fairly obvious to attempt
| to prevent from an attacker's viewpoint.
| hammock wrote:
| How? A keylogger? Cache somewhere?
| walrus01 wrote:
| I am by far no ransomware expert, but it really seems like
| amateur hour if they were running a Linux based Bitcoin full
| node using the mainline CLI daemon and client, with a wallet,
| on some hosting company geographically within the United
| States. Why would it need to be in the US?
| partyboy wrote:
| Don't underestimate the stupidity/incompetence of these
| ransomware devs. Many cybercriminals have been caught for
| unbelievably dumb reasons.
| encryptluks2 wrote:
| LOL... I simply don't believe any of these press releases. For
| all we know, the government negotiated a deal with the cyber-
| attackers to create this press release as a way to try to thwart
| future attacks. Seriously wouldn't put it past them one bit.
| spfzero wrote:
| Or, maybe something like the FBI knows who's behind it through
| other means (friendly foreign government, etc.). They contact
| them and let them know they are going to prosecute to the full
| extent of the law, long prison sentences. The hackers offer to
| give the money back in exchange for not being prosecuted, FBI
| agrees, private key is supplied by hackers.
|
| It's possible they underestimated how serious things would get
| and got cold feet.
| nkrisc wrote:
| Do you have a specific reason to not believe it?
| bellyfullofbac wrote:
| Well, evidence-less speculation is also useless, here's another
| one: maybe they have a quantum computer that spat out the
| private key?
|
| Or they asked Google to hack the hackers' Android phones!
| shiado wrote:
| This story makes absolutely no sense at all. The errors presented
| by these hackers are so comical it's simply unbelievable. I'm
| supposed to believe some elite Russian hacking group keeps their
| crypto wallets running on a US host where the FBI just logs right
| in and snatches the private key? I'm starting to entertain the
| conspiracies that the future of commodities price manipulation is
| fake ransomware attacks. There needs to be a serious audit of CME
| derivatives trading. There will come a day when some oil futures
| trader pays a ransomware group or an employee at a pipeline
| company and makes billions.
| floatingatoll wrote:
| No, they're not elite, they're just script kiddies with a
| payout mechanism.
| SavantIdiot wrote:
| "Script kiddies" got their name because 20 years ago any kid
| could download some code and create a DDoS attack by running
| a pre-written script. Ransomware hacks seem a bit more
| sophisticated, even with today's highly modular malware. I
| think it is an interesting proposal: a fake attack as shown
| by the disparity in savvy between the attack and the payment,
| or a really dumb screw up.
| vmception wrote:
| "Russians did it!" - the modern Bugs Bunny
| osrec wrote:
| I was reading the article in utter confusion too. I personally
| think it's the authorities trying to save face, as I don't
| think even a computer-literate high school kid would make these
| mistakes.
| walrus01 wrote:
| The most interesting and unknown question is how the DOJ/FBI came
| to be in possession of the private key.
| benmmurphy wrote:
| If they carried out the attack they would have had the private
| key in their possession.
| vmception wrote:
| _gigglesnort_
|
| or by "in possession of the private key" they mean "Coinbase
| generated the private key earlier and just gave it to the
| FBI"
|
| the amateur hour doesn't stop there though
| ulzeraj wrote:
| A private key is not needed if the funds are on an exchange.
| Apparently there is a warrant to seize property in Northern
| California so I guess it might be Coinbase.
|
| And yeah... if the crackers sent the funds to an exchange they
| were comically dumb.
| vesinisa wrote:
| The press release specifically mentions that the
| cryptocurrency was seized through FBI having possession of the
| private key.
| SavantIdiot wrote:
| To the previous poster's point: it didn't say _which_
| private key. There can be multiple with cloud storage.
| lhorie wrote:
| It's not an either/or thing though, right? IMHO, it seems
| plausible for the FBI to get a private key from a
| cooperating exchange?
| ulzeraj wrote:
| Did the crackers surrender the private keys? And if so
| why was a warrant issued?
|
| https://www.elliptic.co/hs-
| fs/hubfs/Screenshot%202021-06-07%...
| koheripbal wrote:
| The warrant does not imply that the coins were on an
| exchange. The warrant only indicates that they needed legal
| authority to seize coins, wherever they are.
|
| It seems more likely that the FBI/NSA had and gained some
| access to the gang's infrastructure and seized the money.
|
| Transmitting ransom money to an exchange without any type of
| tumbler or atomic swapping, that's not a realistic
| scenario.
|
| Maybe they tried to use an ineffective tumbler?
| vmception wrote:
| The warrant is for a location in Northern California and
| they needed a warrant to get it.
|
| Use your head man, this means they literally went to a
| Federal Judge and said "hey we have probable cause that
| this address is on Coinbase" and the Judge was like "wow
| that is pretty probable" and then they took the warrant to
| Coinbase who was like "oh damn that's legit ..... can we
| squirm out of dealing with this .... no ... oh wow that is
| our address too, okay here is the private key" and then the
| FBI transferred it
| [deleted]
___________________________________________________________________
(page generated 2021-06-07 23:00 UTC)