The FBI seized the DarkSide extortion money: was a Bitcoin private key compromised?
PeckShield
2021-06-10 03:09
Experts said: "The FBI most likely tracked down the ransomware's server agent in the United States and seized it, and the private key may have been stored on that server."

The U.S. Department of Justice announced that it has recovered part of the cryptocurrency ransom paid by Colonial Pipeline to the ransomware DarkSide.

It is reported that Colonial Pipeline, the largest fuel pipeline in the United States, was previously attacked by ransomware DarkSide, and DarkSide made a $5 million bitcoin ransom demand. Colonial Pipeline delivered a ransom of 75 BTC on May 9, Beijing time.

According to CoinHolmes, an anti-money laundering and anti-fraud system under PeckShield, after Colonial Pipeline delivered a ransom of 75 BTC, the 75 BTC was transferred to two wallet addresses starting with bc1qxu and bc1qu5 respectively, and the ransom ratios were approximately 84% and 16%.

PeckShield previously analyzed that DarkSide, a ransomware organization, has formed a complete "Ransomware-as-a-Service (RaaS)" industry chain: developers provide the crime tools and methods to downstream affiliates and then take a cut of the proceeds. From the fund flow diagram, it can be seen that what the FBI froze this time was the downstream (affiliate) share of the extortion proceeds (starting with bc1qxu, 63.7 BTC), while the developer's share has not been moved since it was received (starting with bc1qu5, 11.2 BTC).

The 63.7 BTC beginning with bc1qxu, belonging to the downstream of the ransomware, was first transferred to the address beginning with 3EYkxQ, then to the address beginning with bc1qq2, and then in two transactions to the target address beginning with bc1qpx (the address whose private key the FBI holds, 63.7 BTC) and to another address (5.9 BTC).

An affidavit filed on Monday showed that the ransom was recovered because the FBI held the private key to a key wallet in the transfer chain, but it did not disclose how the FBI obtained that key.

A PeckShield "Paid Shield" anti-money laundering expert said: "The FBI most likely tracked down the ransomware's server agent in the United States and seized it, and the private key may have been stored on that server."

Earlier, after DarkSide's website was blocked, the group issued a notice announcing its disbandment and transferred the funds on its payment server to an unknown address.

"In the past, we have helped the police track virtual currency cases involving money laundering. In general, this is done by tracking and analyzing the flow of funds, transaction patterns and counterparty information; if a criminal suspect uses a centralized trading institution to launder money, he can use the location center to In the case of Colonial Pipeline, the assets did not flow into a centralized trading organization, and the FBI should not have seized the funds in this way. In addition, there is currently no indication that a private key leak is a possibility, and our judgment tends to be that the FBI recovered the ransom from the server agent," the PeckShield "Paid Shield" anti-money laundering expert explained.
