The US Department of Justice has seized $2.3 million worth of Bitcoin from the DarkSide cybercriminals that targeted Colonial Pipeline, after tracing the ransom payment to a specific wallet for which the FBI mysteriously obtained the private key. With cryptocurrency users speculating wildly on how the "feds" grabbed back the funds, the Chief Security Officer at Coinbase took to Twitter early Tuesday (June 8) to strongly refute claims that the company handed over any keys, or indeed was involved in any way.
As Coinbase CSO Philip Martin put it: "I've seen a bunch of incorrect claims that Coinbase was involved in the recent DOJ seizure of bitcoin associated with the Colonial Pipeline ransomware attack. We weren’t. Coinbase was not the target of the warrant and did not receive the ransom or any part of the ransom at any point. We also have no evidence that the funds went through a Coinbase account/wallet."
So how did the FBI get the private key? "I don't want to give up our tradecraft in case we want to use this again for future endeavors," Elvis Chan, an FBI agent at the FBI's San Francisco office, said Monday.
Coinbase CSO Martin meanwhile added on Twitter: "Coinbase uses a pooled hot wallet, so handing over a specific private key wouldn't make a ton of sense, and we've (for obvious security reasons) not built a private key export API endpoint into our signing systems... how did they get the private key? Maybe some whiz-bang magic, but my guess would be it was some good ol' fashioned police work to locate the target servers, and an MLAT [mutual legal assistance treaty] request and/or some political pressure to get access."
Hitting CNI may have been a bad idea...
A batch of DoJ documents shared alongside the DarkSide Bitcoin seizure news suggests US authorities are aiming to take much more concerted, aggressive action against ransomware operators.
The DoJ had already moved in April to launch a multi-agency "Ransomware and Digital Extortion Task Force", and a June 3 memorandum suggests this week's DarkSide Bitcoin seizure may be just its first crack of the whip. As the DoJ's Deputy Attorney General notes in it: "A central goal of the recently launched task force is to ensure that we bring to bear the full authorities and resources of the Department in confronting the many dimensions and root causes of this threat".
The memorandum demands "an Urgent Report should be filed in every instance in which a United States Attorney's Office learns of either a new ransomware or digital extortion attack in its District, or an attack believed to be related to an ongoing ransomware or digital extortion investigation or case it is conducting".
(A potential outcome: cybercriminals may pivot to less strategically important targets, opting instead for a middle ground of companies big enough to pay a ransom but not big enough to draw real ire from government authorities. Whether most have the nous to target in quite such a granular way, rather than opportunistically, remains an open question.)
The DoJ's Criminal Division's Computer Crime and Intellectual Property Section (CCIPS) will take the lead on such cases, as part of a new "coordinated Department-wide approach".
Ilia Kolochenko, Founder of ImmuniWeb, and a member of Europol Data Protection Experts Network noted: "The $2.3 million is a drop in the ocean of ransomware, however, it sends a bold statement that the DoJ now has tolerance-zero for ransomware gangs. The seizure continues the previously announced efforts to combat surging ransomware, and is likely to be a first palpable step to deter cybercriminals. Importantly, the DoJ will certainly need more funding to gradually expand its cybercrime prosecution unit (CCIPS) and foster interagency collaboration."
He added: "International cooperation is essential to curb surging ransomware attacks, including a baseline cooperation with traditionally hostile jurisdictions...
"Finally, the government should consider promoting cybersecurity among businesses to establish a continuous, risk-based and process-driven information security program based on ISO 27001 or similar international standards that cover people, processes and technologies. Most ransomware victims of all sizes neglect even the basics of data protection, eventually becoming low-hanging fruit for unscrupulous cybercriminals. Therefore, merely prosecuting the criminals with more force will not help without first enhancing national cybersecurity awareness and preparedness."