The FBI and Department of Justice were able to recover most of the bitcoin paid in the Colonial Pipeline hack. Michael Bucella, BlockTower general partner, and CNBC’s Eamon Javers join ‘Power Lunch’ to discuss the retrieval of the money and what it could mean for the regulatory response of cryptocurrencies going forward.
The F.B.I.’s recovery of Bitcoins paid in the Colonial Pipeline ransomware attack showed cryptocurrencies are not as hard to track as it might seem.
When Bitcoin burst onto the scene in 2009, fans heralded the cryptocurrency as a secure, decentralized and anonymous way to conduct transactions outside the traditional financial system.
Criminals, often operating in hidden reaches of the internet, flocked to Bitcoin to do illicit business without revealing their names or locations. The digital currency quickly became as popular with drug dealers and tax evaders as it was with contrarian libertarians.
But this week’s revelation that federal officials had recovered most of the Bitcoin ransom paid in the recent Colonial Pipeline ransomware attack exposed a fundamental misconception about cryptocurrencies: They are not as hard to track as cybercriminals think.
On Monday, the Justice Department announced it had traced 63.7 of the 75 Bitcoins — some $2.3 million of the $4.3 million — that Colonial Pipeline had paid to the hackers as the ransomware attack shut down the company’s computer systems, prompting fuel shortages and a spike in gasoline prices. Officials have since declined to provide more details about how exactly they recouped the Bitcoin.
Yet for the growing community of cryptocurrency enthusiasts and investors, the fact that federal investigators had tracked the ransom as it moved through at least 23 different electronic accounts belonging to DarkSide, the hacking collective, before accessing one account showed that law enforcement was growing along with the industry.
That’s because the same properties that make cryptocurrencies attractive to cybercriminals — the ability to transfer money instantaneously without a bank’s permission — can be leveraged by law enforcement to track and seize criminals’ funds at the speed of the internet.
Bitcoin is also traceable. While the digital currency can be created, moved and stored outside the purview of any government or financial institution, each payment is recorded in a permanent fixed ledger, called the blockchain.
That means all Bitcoin transactions are out in the open. The Bitcoin ledger can be viewed by anyone who is plugged into the blockchain.
“It is digital bread crumbs,” said Kathryn Haun, a former federal prosecutor and investor at venture-capital firm Andreessen Horowitz. “There’s a trail law enforcement can follow rather nicely.”
Ms. Haun added that the speed with which the Justice Department seized most of the ransom was “groundbreaking” precisely because of the hackers’ use of cryptocurrency. In contrast, she said, getting records from banks often requires months or years of navigating paperwork and bureaucracy, especially when those banks are overseas.
Given the public nature of the ledger, cryptocurrency experts said, all law enforcement needed to do was figure out how to connect the criminals to a digital wallet, which stores the Bitcoin. To do so, authorities likely focused on what is known as a “public key” and a “private key.”
A public key is the string of numbers and letters that Bitcoin holders have for transacting with others, while a “private key” is used to keep a wallet secure. Tracking down a user’s transaction history was a matter of figuring out which public key they controlled, authorities said.
Seizing the assets then required obtaining the private key, which is more difficult. It’s unclear how federal agents were able to get DarkSide’s private key.
Justice Department spokesman Marc Raimondi declined to say more about how the F.B.I. seized DarkSide’s private key. According to court documents, investigators accessed the password for one of the hackers’ Bitcoin wallets, though they did not detail how.
The F.B.I. did not appear to rely on any underlying vulnerability in blockchain technology, cryptocurrency experts said. The likelier culprit was good old-fashioned police work.
Federal agents could have seized DarkSide’s private keys by planting a human spy inside DarkSide’s network, hacking the computers where their private keys and passwords were stored, or compelling the service that holds their private wallet to turn them over via search warrant or other means.
“If they can get their hands on the keys, it’s seizable,” said Jesse Proudman, founder of Makara, a cryptocurrency investment site. “Just putting it on a blockchain doesn’t absolve that fact.”
The F.B.I. has partnered with several companies that specialize in tracking cryptocurrencies across digital accounts, according to officials, court documents and the companies. Start-ups with names like TRM Labs, Elliptic and Chainalysis that trace cryptocurrency payments and flag possible criminal activity have blossomed as law enforcement agencies and banks try to get ahead of financial crime.
Their technology traces blockchains looking for patterns that suggest illegal activity. It’s akin to how Google and Microsoft tamed email spam by identifying and then blocking accounts that spray email links across hundreds of accounts.
“Cryptocurrency allows us to use these tools to trace funds and financial flows along the blockchain in ways that we could never do with cash,” said Ari Redbord, the head of legal affairs at TRM Labs, a blockchain intelligence company that sells its analytic software to law enforcement and banks. He was previously a senior adviser on financial intelligence and terrorism at the Treasury Department.
Several longtime cryptocurrency enthusiasts said the recovery of much of the Bitcoin ransom was a win for the legitimacy of digital currencies. That would help shift the image of Bitcoin as the playground of criminals, they said.
“The public is slowly being shown, in case after case, that Bitcoin is good for law enforcement and bad for crime — the opposite of what many historically believed,” said Hunter Horsley, chief executive of Bitwise Asset Management, a cryptocurrency investment company.
In recent months, cryptocurrencies have become increasingly mainstream. Companies such as PayPal and Square have expanded their cryptocurrency services. Coinbase, a start-up that allows people to buy and sell cryptocurrencies, went public in April and is now valued at $47 billion. Over the weekend, a Bitcoin conference in Miami attracted more than 12,000 attendees, including Twitter’s chief executive, Jack Dorsey, and the former boxer Floyd Mayweather Jr.
As more people use Bitcoin, most are accessing the digital currency in a way that mirrors a traditional bank, through a central intermediary like a crypto exchange. In the United States, anti-money laundering and identity verification laws require such services to know who their customers are, creating a link between identity and account. Customers must upload government identification when they sign up.
Ransomware attacks have put unregulated crypto exchanges under the microscope. Cybercriminals have flocked to thousands of high-risk ones in Eastern Europe that do not abide by these laws.
After the Colonial Pipeline attack, several financial leaders proposed a ban on cryptocurrency.
“We can live in a world with cryptocurrency or a world without ransomware, but we can’t have both,” Lee Reiners, the executive director of the Global Financial Markets Center at Duke Law School, wrote in The Wall Street Journal.
Cryptocurrency experts said the hackers could have tried to make their Bitcoin accounts even more secure. Some cryptocurrency holders go to great lengths to store their private keys away from anything connected to the internet, in what is called a “cold wallet.” Some memorize the string of numbers and letters. Others write them down on paper, though those can be obtained by search warrants or police work.
“The only way to obtain the truly unseizable characteristic of the asset class is to memorize the keys and not have them written down anywhere,” Mr. Proudman said.
Mr. Raimondi of the Justice Department said the Colonial Pipeline ransom seizure was the latest sting operation by federal prosecutors to recoup illicitly gained cryptocurrency. He said the department has made “many seizures, in the hundreds of millions of dollars, from unhosted cryptocurrency wallets” used for criminal activity.
In January, the Justice Department disrupted another ransomware group, NetWalker, which used ransomware to extort money from municipalities, hospitals, law enforcement agencies and schools.
As part of that sting, the department obtained about $500,000 of NetWalker’s cryptocurrency that had been collected from victims of their ransomware.
“While these individuals believe they operate anonymously in the digital space, we have the skill and tenacity to identify and prosecute these actors to the full extent of the law and seize their criminal proceeds,” Maria Chapa Lopez, then the U.S. attorney for the Middle District of Florida, said when the case was announced.
In February, the Justice Department said it had warrants to seize nearly $2 million in cryptocurrencies that North Korean hackers had stolen and put into accounts at two different cryptocurrency exchanges.
Last August, the department also unsealed a complaint outing North Korean hackers who stole $28.7 million of cryptocurrency from a cryptocurrency exchange, and then laundered the proceeds through Chinese cryptocurrency laundering services. The F.B.I. traced the funds to 280 cryptocurrency wallets and their owners.
In the end, “cryptocurrencies are actually more transparent than most other forms of value transfer,” said Madeleine Kennedy, a spokeswoman for Chainalysis, the start-up that traces cryptocurrency payments. “Certainly more transparent than cash.”
A ransomware gang called REvil is holding Apple’s data hostage and has its sights set on more companies as well. CNBC’s Eamon Javers reports. For access to live and exclusive video from CNBC subscribe to CNBC PRO: https://cnb.cx/2NGeIvi
a group of finance ministers to simulate a similar attack that shut down financial markets and froze global transactions. By several accounts, it quickly spun into farce: No one wanted to admit how much damage could be done or how helpless they would be to deter it.
.. something has changed since 2008, when the United States and Israel mounted the most sophisticated cyberattack in history on Iran’s nuclear program, temporarily crippling it in hopes of forcing Iran to the bargaining table.
.. the sophistication of cyberweapons has so improved that many of the attacks that once shocked us — like the denial-of-service attacks Iran mounted against Bank of America, JPMorgan Chase and other banks in 2012, or North Korea’s hacking of Sony in 2014 — look like tiny skirmishes compared with the daily cybercombat of today.
.. Yet in this arms race, the United States has often been its own worst enemy. Because our government has been so incompetent at protecting its highly sophisticated cyberweapons, those weapons have been stolen out of the electronic vaults of the National Security Agency and the C.I.A. and shot right back at us.
.. the WannaCry ransomware attack by North Korea last year, which used some of the sophisticated tools the N.S.A. had developed.
.. Nuclear weapons are still the ultimate currency of national power, as the meeting between President Trump and Kim Jong-un in Singapore last week showed. But they cannot be used without causing the end of human civilization — or at least of a regime. So it’s no surprise that hackers working for North Korea, Iran’s mullahs, Vladimir V. Putin in Russia and the People’s Liberation Army of China have all learned that the great advantage of cyberweapons is that they are the opposite of a nuke: hard to detect, easy to deny and increasingly finely targeted. And therefore, extraordinarily hard to deter.
.. Cyberattacks have long been hard to stop because determining where they come from takes time — and sometimes the mystery is never solved.
.. Today cyberattackers believe there is almost no risk that the United States or any other power would retaliate with significant sanctions, much less bombs, troops or even a counter cyberattack.
.. “They don’t fear us,”
.. At the State Department, the eviction took weeks, shutting down systems during negotiations on the Iran nuclear deal. The hackers were even bolder at the White House. Instead of disappearing when they were exposed, they fought back, looking to install new malware as soon as the old versions were neutralized.
.. It appears the attackers just wanted to prove they could go, and stay, anywhere in the American government’s network.
.. the United States never called out the Russians for what they were doing.
.. If Mr. Putin thought there was no price to be paid for invading White House systems, why wouldn’t he attack the Democratic National Committee?
.. By the summer of 2016, some Obama administration officials, waking to the threat, proposed counterstrikes that included exposing Mr. Putin’s hidden bank accounts and his ties to the oligarchs and cutting off Russia’s banking system. But the potential for escalation caused Mr. Obama and his top aides to reject the plan.
“It was an enormously satisfying response,” a senior American official told me later, “until we began to think about what it would do to the Europeans.”
Mr. Obama also understandably feared that anything the United States did might provoke Mr. Putin to tinker with election systems just enough to give credence to Donald Trump’s warning that the system was “rigged.”
.. Since the election, the American retaliation has included closing some Russian consulates and recreation centers and expelling spies — actions one Obama national security official called “the perfect 19th-century solution to a 21st-century problem.”
.. The wide-open vulnerabilities in America’s networks have essentially deterred the United States from credibly threatening retaliation against the Russians, the Chinese, the North Koreans and the Iranians.
.. One way to start is to make sure no new equipment goes on the market unless it meets basic security requirements. We won’t let cars on the road without airbags, so why do we do less with the systems that connect them to the internet?
.. Second, we must decide what networks we care most about defending — and make those priorities clear. Mr. Mattis’s threat to turn to nuclear weapons hardly seems credible — unless the cyberattack would create an existential threat to America. That requires an intensive public review of what is critical to our nation’s survival.
..President Trump forfeited the perfect opportunity when he decided against a commission to learn the larger lessons from the 2016 election.
.. the United States needs to end the reflexive secrecy surrounding its cyberoperations. We need to explain to the world why we have cyberweapons, what they are capable of and, most important, what we will not use them for.
.. it is in the nation’s interests to develop global norms clarifying that some targets are off limits: election systems, hospitals and emergency communications systems, and maybe even electric power grids and other civilian targets.
.. Microsoft’s president, Brad Smith, has proposed digital Geneva Conventions that begin to establish those norms, outside the structure of governments and treaties.
.. Intelligence agencies hate this idea: They want the most latitude possible for future operations in an uncertain world. But in any arms control negotiation, to create limits on others, you need to give up something.
The proliferation of the WannaCry ransomware last week unequivocally justifies Apple’s steadfast refusal to help the FBI break into an iPhone 5c used by one of the San Bernardino terrorists. As a quick refresher, the FBI last year wanted Apple engineers to create a brand new version of iOS that would allow them to skirt around iOS security measures. As a precaution, a security setting in iOS wipes a device clean after 10 erroneous passcode entry attempts. The FBI, as a result, tried to force Apple to release a specialized version of iOS that would not include this security limitation.So while Cook’s cancer analogy might have struck some as being extreme, the WannaCry ransomware saga last week proves that once a piece of malicious software is created, it’s impossible to keep it out of the hands of malicious actors. According to reports, the WannaCry ransomware — which infected more than 200,000 computers across 150 different countries in less than 24 hours — was based on an NSA exploit released by a hacking collective known as the Shadow Brokers. In fact, WannaCry began infecting computers worldwide just about 4 weeks after the Shadow Brokers released a treasure trove of NSA hacking tools and exploits for anyone in the world to explore and use.
.. There’s probably more information about you on your phone than there is in your house… they’re also loaded with the location of our kids in many cases, and so it’s not just about privacy but it’s also about public safety.”
.. Incidentally, Microsoft on Sunday issued a statement blasting government agencies for hoarding dangerous exploits.
Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.
Expert who stopped spread of attack by activating software’s ‘kill switch’ says criminals will ‘change the code and start again’
I was out having lunch with a friend and got back about 3pm and saw an influx of news articles about the NHS and various UK organisations being hit,” he told the Guardian. “I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”
The kill switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. The domain cost $10.69 and was immediately registering thousands of connections every second.