[HN Gopher] DOJ Seizes $2.3M in Crypto Paid to the Ransomware Ex...
___________________________________________________________________
DOJ Seizes $2.3M in Crypto Paid to the Ransomware Extortionists Darkside
Author : nthitz
Score : 56 points
Date : 2021-06-07 21:46 UTC (1 hours ago)
(HTM) web link (www.justice.gov)
(TXT) w3m dump (www.justice.gov)
| ProjectArcturis wrote:
| How? Looks like Darkside transferred the money to an exchange (Coinbase?), didn't hide it well enough, and the FBI just grabbed it?
| cirowrc wrote:
| where's that sweet sweet transaction graph?
| blancNoir wrote:
| Not exhaustive, but you might find this interesting:
|
| https://blog.wolfram.com/2021/05/25/sleuthing-darkside-crypt...
| yamrzou wrote:
| There are more technical details in the linked affidavit (page 6 and 7): https://www.justice.gov/opa/press-release/file/1402056/downl...
|
| They kept following transactions on the blockchain, but it's not clear how the private key came to be in the possession of the FBI.
| qeternity wrote:
| The wetware is always the weakest link.
| ianhawes wrote:
| Netsec Twitter's theory is that the attacker(s) had a VPS operating in the US that the FBI was able to access and which contained the key to the wallet where the final payment ended up.
| gruez wrote:
| So many questions. Why are they running a bitcoin node on a VPS? Do they need to make automated payments or something? It's very easy to run a bitcoin node locally, or even airgap the signing keys.
| vmception wrote:
| The FBI doesn't need the VPS to be in the United States for that
|
| The FBI specifically has had expanded Congressional authority for like 10 years to operate extraterritorially on cyber matters
|
| FBI agents will show up physically in any country and request cooperation from local municipal police (maybe) to seize electronic property as well as effect arrests in a way compliant with both jurisdictions.
| Given that private key crypto seizure is consequence free and irrevocable, if the FBI had access to the memory at a foreign data center they could have just taken it without worrying about local procedural nuances.
|
| Using crypto the proper way already shields against this, because you have to assume that you can't trust your own security or the data center operators, let alone the state. The server should only have the Master Public Key[1] for giving a one-time use address and rotating down the index in one of the address trees immediately after any input is received (rotate to a new account upon receipt of funds, new accounts are from an infinite tree of arrays at each node). The mnemonic for the master public key would have been generated offline and never on any device. Moving the funds, whenever one feels like it, can be signed offline and physically handed to a node that will append the signed transaction to the blockchain.
|
| [1] Bitcoin Improvement Protocols - BIP 44 (2014), BIP 39 (2013), BIP 32 (2012)
|
| but anyway I'm leaning towards it being a private key on Coinbase that they got a warrant to check for, and it was correct, and they seized those assets
| TaupeRanger wrote:
| Really? That seems like something fairly obvious to attempt to prevent from an attacker's viewpoint.
| hammock wrote:
| How? A keylogger? Cache somewhere?
| walrus01 wrote:
| I am by far no ransomware expert, but it really seems like amateur hour if they were running a Linux based Bitcoin full node using the mainline CLI daemon and client, with a wallet, on some hosting company geographically within the United States. Why would it need to be in the US?
| partyboy wrote:
| Don't underestimate the stupidity/incompetence of these ransomware devs. Many cybercriminals have been caught for unbelievably dumb reasons.
| encryptluks2 wrote:
| LOL... I simply don't believe any of these press releases.
| For all we know, the government negotiated a deal with the cyber-attackers to create this press release as a way to try to thwart future attacks. Seriously wouldn't put it past them one bit.
| spfzero wrote:
| Or, maybe something like the FBI knows who's behind it through other means (friendly foreign government, etc.). They contact them and let them know they are going to prosecute to the full extent of the law, long prison sentences. The hackers offer to give the money back in exchange for not being prosecuted, FBI agrees, private key is supplied by hackers.
|
| It's possible they underestimated how serious things would get and got cold feet.
| nkrisc wrote:
| Do you have a specific reason to not believe it?
| bellyfullofbac wrote:
| Well, evidence-less speculation is also useless, here's another one: maybe they have a quantum computer that spat out the private key?
|
| Or they asked Google to hack the hackers' Android phones!
| shiado wrote:
| This story makes absolutely no sense at all. The errors presented by these hackers are so comical it's simply unbelievable. I'm supposed to believe some elite Russian hacking group keeps their crypto wallets running on a US host where the FBI just logs right in and snatches the private key? I'm starting to entertain the conspiracies that the future of commodities price manipulation is fake ransomware attacks. There needs to be a serious audit of CME derivatives trading. There will come a day when some oil futures trader pays a ransomware group or an employee at a pipeline company and makes billions.
| floatingatoll wrote:
| No, they're not elite, they're just script kiddies with a payout mechanism.
| SavantIdiot wrote:
| "Script kiddies" got their name because 20 years ago any kid could download some code and create a DDoS attack by running a pre-written script. Ransomware hacks seem a bit more sophisticated, even with today's highly modular malware.
| I think it is an interesting proposal: a fake attack as shown by the disparity in savvy between the attack and the payment, or a really dumb screw up.
| vmception wrote:
| "Russians did it!" - the modern Bugs Bunny
| osrec wrote:
| I was reading the article in utter confusion too. I personally think it's the authorities trying to save face, as I don't think even a computer-literate high school kid would make these mistakes.
| walrus01 wrote:
| The most interesting and unknown question is how the DOJ/FBI came to be in possession of the private key.
| benmmurphy wrote:
| If they carried out the attack they would have had the private key in their possession.
| vmception wrote:
| _gigglesnort_
|
| or by "in possession of the private key" they mean "Coinbase generated the private key earlier and just gave it to the FBI"
|
| the amateur hour doesn't stop there though
| ulzeraj wrote:
| A private key is not needed if the funds are on an exchange. Apparently there is a warrant to seize property in Northern California so I guess it might be Coinbase.
|
| And yeah... if the crackers sent the funds to an exchange they were comically dumb.
| vesinisa wrote:
| The press release specifically mentions that the cryptocurrency was seized through the FBI having possession of the private key.
| SavantIdiot wrote:
| To the previous poster's point: it didn't say _which_ private key. There can be multiple with cloud storage.
| lhorie wrote:
| It's not an either/or thing though, right? IMHO, it seems plausible for the FBI to get a private key from a cooperating exchange?
| ulzeraj wrote:
| Did the crackers surrender the private keys? And if so why was a warrant issued?
|
| https://www.elliptic.co/hs-fs/hubfs/Screenshot%202021-06-07%...
| koheripbal wrote:
| The warrant does not imply that the coins were on an exchange. The warrant only indicates that they needed legal authority to seize coins, wherever they are.
|
| It seems more likely that the FBI/NSA had and gained some access to the gang's infrastructure and seized the money.
|
| Transmitting ransom money to an exchange without any type of tumbler or atomic swapping, that's not a realistic scenario.
|
| Maybe they tried to use an ineffective tumbler?
| vmception wrote:
| The warrant is for a location in Northern California and they needed a warrant to get it.
|
| Use your head man, this means they literally went to a Federal Judge and said "hey we have probable cause that this address is on Coinbase" and the Judge was like "wow that is pretty probable" and then they took the warrant to Coinbase who was like "oh damn that's legit ..... can we squirm out of dealing with this .... no ... oh wow that is our address too, okay here is the private key" and then the FBI transferred it
| [deleted]
___________________________________________________________________
(page generated 2021-06-07 23:00 UTC)
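Added example, not code from the thread, from DarkSide, or from any wallet project, illustrating the watch-only split that vmception's BIP32/39/44 comment above describes: the online server holds only an extended public key and hands out a fresh receive key per payment, while every private key stays on an offline signer. The script implements BIP32 public child derivation (CKDpub) and private child derivation (CKDpriv) from scratch using only the Python standard library, then shows the server reaching exactly the same receive key as the offline signer, and failing (by design) when asked for a hardened child. The seed bytes are a constructed demo value; the secp256k1 curve constants are public parameters. Mnemonic handling (BIP39) and the BIP44 account layout are left out.

```python
"""Added example (not code from the HN thread, from DarkSide, or from any
wallet project): minimal BIP32 derivation showing the "watch-only server"
split. The server holds only an extended PUBLIC key and derives a fresh
receive key per payment; private keys stay on an offline signer. Standard
library only; secp256k1 arithmetic is written out so it runs with no
dependencies. Illustration, not production wallet code."""
import hashlib
import hmac

# secp256k1 domain parameters (public constants from the curve specification)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000  # BIP32: child indices >= 2^31 are hardened


def _add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point):
    """Scalar multiplication by double-and-add."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def _compress(point):
    """33-byte SEC compressed encoding: 0x02/0x03 parity prefix plus x."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def _decompress(sec):
    """Recover (x, y) from a compressed key; P % 4 == 3 so sqrt is a power."""
    x = int.from_bytes(sec[1:], "big")
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)
    if (y & 1) != (sec[0] & 1):
        y = P - y
    return (x, y)


def master_from_seed(seed):
    """BIP32 master private key and chain code. Done OFFLINE, never on the server."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def ckd_priv(k_par, c_par, i):
    """CKDpriv: child private key; supports hardened and normal indices."""
    if i >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big")
    else:
        data = _compress(_mul(k_par, G))
    digest = hmac.new(c_par, data + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return (int.from_bytes(digest[:32], "big") + k_par) % N, digest[32:]


def ckd_pub(K_par, c_par, i):
    """CKDpub: child PUBLIC key from a compressed parent public key only.
    Hardened indices are impossible here, which is exactly why the online
    server can hand out addresses but can never spend what lands on them."""
    if i >= HARDENED:
        raise ValueError("hardened derivation needs the private key")
    digest = hmac.new(c_par, K_par + i.to_bytes(4, "big"), hashlib.sha512).digest()
    child = _add(_mul(int.from_bytes(digest[:32], "big"), G), _decompress(K_par))
    return _compress(child), digest[32:]


def watch_only_vs_signer(seed, index):
    """Return (receive key the SERVER derives from the xpub alone,
    receive key the OFFLINE SIGNER derives with the private key) for slot
    m/0/index. Both are compressed public keys and must be identical."""
    k_m, c_m = master_from_seed(seed)
    k_acct, c_acct = ckd_priv(k_m, c_m, 0)       # offline: account node m/0
    K_acct = _compress(_mul(k_acct, G))          # this xpub is all the server gets
    server_key, _ = ckd_pub(K_acct, c_acct, index)   # online, public-only
    signer_key, _ = ckd_priv(k_acct, c_acct, index)  # offline, private
    return server_key, _compress(_mul(signer_key, G))


if __name__ == "__main__":
    demo_seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo seed
    for slot in range(3):
        server_key, signer_key = watch_only_vs_signer(demo_seed, slot)
        print(slot, server_key.hex(), "match" if server_key == signer_key else "MISMATCH")
```

Each payment gets its own slot index, so the server only ever learns public keys; an attacker who images that host gets the xpub and the chain code (enough to link the whole receive tree, which is how blockchain-tracing firms follow funds) but nothing that signs a transaction.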