According to the FBI, it has successfully seized most of the Bitcoin ransom paid by Colonial Pipeline to “Darkside” criminals after the highly publicized ransomware attack that led to recent gas shortages in multiple US States.
Unlike reversing financial transactions performed by banks and/or classic funds-transfer networks, seizing Bitcoin typically entails issuing a new transaction to move the Bitcoin from the address at which it resides to a new address controlled by the seizer; to perform such a transaction, however, the transferrer ostensibly requires knowledge of the private key associated with the origination address. (Seizing can also be done through other methods – all of which typically require knowing the private key of the origination address.)
It is no secret that cryptocurrencies enable various types of criminal activity and facilitate money laundering and the unreported transfer of large sums of money. As a result, I have wondered for years whether lawmakers and law enforcement seemingly “turning a blind eye” to much of the issue has been the result not of naivete, but of governments having “back doors” into popular crypto networks. Are various government bodies able to trace transactions better than is commonly believed, to exploit zero-day implementation vulnerabilities in the crypto networks themselves or in the communications infrastructure upon which the networks rely, or to crack private keys far faster than outsiders believe through the use of quantum computers more advanced than are publicly known to exist? Could Satoshi Nakamoto even be some government agency somewhere? Whoever knows the answers to these questions will clearly not reveal them to the public. (Of course, if the FBI has such capabilities, it would likely use them sparingly and ascribe any successes to other techniques – just as the Allies did not act on every piece of data obtained by breaking Enigma, so as not to alert the Nazis to Enigma’s compromise.)
Of course, it is also possible that the FBI obtained the private key to the address(es) to which the Colonial Pipeline ransom was transferred through far less sophisticated means; an FBI-filed affidavit notes that “the private key for the Subject Address [perhaps the bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq address being discussed online] is in the possession of the FBI in the Northern District of California” – so, maybe the BTC was stored at a crypto-exchange or other form of cryptocurrency-custodian service that operates in California (exchanges and other custodians hold the keys to the addresses for the coins that are “under their care” – and the FBI can get those keys with a warrant). Or, perhaps, the private key was obtained from a physical computer or crypto-key storage device seized during a physical search in California (i.e., one performed after obtaining a classic search warrant).
Another possibility is that an insider helped law enforcement – there are many hackers who may believe that the Colonial Pipeline hack violated some sort of “code of ethics” because it created a gas shortage impacting ordinary Americans and a potential national security concern – perhaps one or more such hackers turned on their colleagues or even their co-conspirators.
It is also not clear as of yet (at least to the public) whether the coins were all seized from the criminals themselves or from others whom the criminals had paid in exchange for something else; would criminals who successfully attacked Colonial Pipeline really have been stupid enough to store their take on servers within the FBI’s jurisdiction?
We will probably learn a lot more over the next few weeks – but, some details, especially about the true extent of the capabilities of law enforcement agencies, will likely not be released to the public any time soon.