In my May 25, 2021, blog post “Sleuthing DarkSide Crypto-Ransom Payments with the Wolfram Language,” I detailed how I used the Wolfram Language, public knowledge and some guesswork to track crypto-ransom payments made by Colonial Pipeline on May 8 and Brenntag on May 11 to the Russian hacker group DarkSide. These payments, which totaled millions of dollars, were subsequently distributed to different accounts, and on May 13, DarkSide announced it was disbanding.

But the story didn’t end when DarkSide announced its dissolution.

On June 7, the FBI seized 63.7 bitcoin (BTC), approximately $2.3 million USD, from one of the addresses to which DarkSide’s cluster, described in my earlier post, sent their ransom funds. Normally, this should have been inaccessible to anyone without a private key for that address. The FBI apparently managed, however, to obtain one.

Did the FBI run a brute-force attack on a billion-dollar supercomputer to find the private key? For the elliptic curve secp256k1, which Bitcoin is based on, the number of possible private keys for a particular public key is approximately:

&#10005 IntegerName[2^128, "Approximate"]

Looking at that number, an exhaustive search does not appear plausible. But the FBI surely has its own ways around such obstacles.

As members of the general public, we can still work with what’s publically available on the blockchain. To trace exactly what was seized by the FBI, let me walk you along the timeline of this set of transactions I identified:

&#10005 selected = \ {"6a798026d44af27dbacd28ea21462808df8deca51794cec80c1b59e07ef924a2", "915fb4f0a030937f2c1d2210996e8eb32b5a41b331965c7ec78961923775bd62", "fc78327d4e46dac01dc313067b1ac7f274cdb3a07ea9f28f6f71473145f1b264"\ , "0677781a5079eae8e5cbd5e6d9dcc5c02da45351a3638b85c88e5e3ecdc105a7", "9436dbf0435b15378f309c35754a110db880fa9bb66a062160a25533bb4a212a",\ "daf38c7b38eb0a587cf843f47000d5c294affb4f56017370ad48c5147f5e69d9", "943f2d576ed8d9f388ba75eb82fe35cce29479b84121827ac368a5a94f44cf7a", "280c5f96397b9502b99703842712b78fda84f1a0faabf826f683448082f46369"\ }; Column[selected]

Here’s how they are connected to one another and the addresses worth attention:

&#10005 $BlockchainBase = "Bitcoin"; (* generate directed edges from transaction inputs to the outputs *) transactionGraph[txid_] := Module[ {txinfo = BlockchainTransactionData[txid], edges}, edges = Join[ (*inputs in red*) Style[DirectedEdge[#[["Addresses", 1]], txid, -#["Amount"]], Darker[Red]] & /@ txinfo["Inputs"], (*outputs in green*) Style[DirectedEdge[txid, #[["Addresses", 1]], #["Amount"]], Darker[Green]] & /@ txinfo["Outputs"] ]]; (* layered plot for transaction graphs *) transactionGraphPlot[edges_, txids : {__}] := Block[{txvertices = (Rule[#, "Square"] & /@ txids)}, If[$CloudEvaluation, LayeredGraphPlot[edges, VertexShapeFunction -> txvertices], LayeredGraphPlot[edges, VertexShapeFunction -> txvertices, VertexLabels -> Placed["Name", Tooltip], EdgeLabels -> Placed["EdgeTag", Tooltip]] ] ]; (* plot multiple transactions together *) transactionsCommonGraph[txid_] := transactionsCommonGraph[{txid}]; transactionsCommonGraph[ txids : {__}] := {Flatten[ transactionGraph /@ DeleteDuplicates[txids]], DeleteDuplicates[txids]} transactionGraphPlot @@ transactionsCommonGraph[selected]

On May 8, 2021, Colonial Pipeline sent a ransom payment of approximately 75 BTC, worth about $4.3 million at that time, to the address 15JFh88FcE4WL6qeMLgX5VEAFCbRXjc9fr:

&#10005 Select[BlockchainTransactionData[ "6a798026d44af27dbacd28ea21462808df8deca51794cec80c1b59e07ef924a2", "Outputs"], MemberQ[#["Addresses"], "15JFh88FcE4WL6qeMLgX5VEAFCbRXjc9fr"] &]

Then, 75.0005 BTC was sent in another transaction from the ransom payment address to two different addresses:

&#10005 BlockchainTransactionData[\ "915fb4f0a030937f2c1d2210996e8eb32b5a41b331965c7ec78961923775bd62", \ "Outputs"]

Right away, 1DToN8Q6y31TGAz75Df729Bnujk6Xg7q5X transferred funds to the same address to which 0.00001693 BTC was sent a mere second before in the previous transaction (bc1q7eqww9dmm9p48hx5yz5gcvmncu65w43wfytpsf):

&#10005 BlockchainTransactionData[ "fc78327d4e46dac01dc313067b1ac7f274cdb3a07ea9f28f6f71473145f1b264", "Outputs"][[2]]

Half an hour later, this sum was split between two more addresses:

&#10005 BlockchainTransactionData[\ "0677781a5079eae8e5cbd5e6d9dcc5c02da45351a3638b85c88e5e3ecdc105a7", \ "Outputs"]

I already identified these two receiving addresses in my original investigation as part of a cluster used by DarkSide for its funds. In addition, bc1qxu83k5qkj8kcqdqqenwzn7khcw4llfykeqwg45 also relayed parts of the Brenntag ransom payment on May 11.

On May 9, bc1qxu83k5qkj8kcqdqqenwzn7khcw4llfykeqwg45 moved 63.7 BTC, the amount subsequently seized by the FBI:

&#10005 BlockchainTransactionData[ "9436dbf0435b15378f309c35754a110db880fa9bb66a062160a25533bb4a212a", "Outputs"][[1]]

On May 28, three days after the publication of my original article, 3EYkxQSUv2KcuRTnHQA8tNuG7S2pKcdNxB transferred its funds in a joint transaction with 23 other addresses:

&#10005 BlockchainTransactionData[ "daf38c7b38eb0a587cf843f47000d5c294affb4f56017370ad48c5147f5e69d9", "Inputs"] // Length

&#10005 BlockchainTransactionData[\ "daf38c7b38eb0a587cf843f47000d5c294affb4f56017370ad48c5147f5e69d9", \ "Outputs"]

… to bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq, where the funds remained until June 7, when a warrant was issued to seize them. According to court documents, the FBI had the private key to bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq, which they emptied on June 7:

&#10005 Take[BlockchainAddressData[ "bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq", "TransactionList"], 2]

This address holds the seized amount:

&#10005 BlockchainAddressData["bc1qpx7vyv5tp7dm0g475ev527krg764t73dh77gls", \ "Balance"]

So how did the FBI get the private key to access the crypto-ransom funds? Needless to say, they’re playing it close to the vest. According to news reports, there are three likely options: someone part of the attack provided the information, it was found during a larger ongoing investigation or the FBI “leveraged” information it discovered to produce the key.

No matter what, recovering even part of Colonial Pipeline’s crypto-ransom payment is significant: it’s the most public example of hackers having the tables turned on them.

Engage with the code in this post by downloading the Wolfram Notebook
×