U.S. investigators have recovered $2.3 million worth of cryptocurrency paid as a ransom to the cybercrime group responsible for the attack that shut down Colonial Pipeline last month, the Justice Department announced Monday.
Pretty crazy. I thought it was impossible to do this unless they physically caught the guys. Curious how it was accomplished.
Access to the hackers' networks, and that Colonial was following directions for the xfer. Also says they deemed the hackers to be less than ninjas.
My supposition after reading the articles is the hackers got hacked by the good guys, and not that a transaction was reversed by a govt actor on the blockchain, based on the info provided.
Just a guess, and the article definitely says otherwise, but it sounds like they caught the perpetrators (maybe) and worked out some kind of plea - give us back some of the BTC and maybe tell us how you did it to help us build safeguards against future ransomware attacks and you can keep some.
Otherwise I'd be interested in the explanation for partial recovery.
Federal investigators tracked the ransom as it moved through a maze of at least 23 different electronic accounts belonging to DarkSide, the hacking group, before landing in one that a federal judge allowed them to break into, according to law enforcement officials and court documents.
According to the article, they (FBI) basically hacked one of Darkside's wallets which contained 63.5 of the 75 bitcoins. Presumably, they had transferred or exchanged the other 11 coins prior to the hack.
A U.S. Congressman posted a picture of his laptop with his PIN# and Gmail address on a post-it note on the screen. Definitely a pipe dream.
Not only that, but he sits on the House Subcommittee on Cyber, Innovative Technologies, and Information Systems! And yet can't take a screenshot. In 2021.
Bitcoin was worth 60k at the time of the compromise.
You would think that these companies would have backup programs so that they could delete the hacked program and re-install with the backup.
Of course they would need to be able to prevent the hack again...
I believe Colonial did. But the hackers typically threaten to publicly release (or at least dump it on the dark web) some of the encrypted/stolen data if the ransom isn't paid. That data could easily contain a company's IP and/or personal information for its employees.
No it wasn't.
The attack happened on May 6. Look up the price for that week.
IP would be changed, but employee personal info would be bad.
Still cannot understand how these hackers do not get caught. I would have to believe the US Air Force has much better equipment and hackers themselves. (I think the USAF is in charge of US cyber security, iirc?)
The attack happened April 29th, ransom payment was May 7th - low that day 55k, high 57.5k.
Anyway, it's been explained they recovered 43 out of 60-something BTC. I wonder where the others went.
They're not caught because they often operate on foreign soil, typically in countries that are unfriendly to the US (Darkside is Russian-linked). Even if we produced rock-solid proof, Russia isn't likely to extradite the individuals to us.
I imagine the NSA was involved in tracking the money, though FBI itself probably has some significant capabilities in this area as well.
It's still expensive for a company to do that (exact costs depending on what the IP is), not to mention the costs of monitoring and litigating any cases of infringement that pop up (assuming that's even possible).
Not necessarily true. It's possible the hackers left the money on an exchange like Coinbase and the FBI was able to force the exchange to turn the private keys over.
Here's the seizure warrant for the 63 BTC in the address they tracked.
"Because of the declining value of Bitcoin since the ransom was paid, the U.S. seizure in late May amounted to $2.3 million, just over half the $4.4 million paid weeks earlier after the ransom was demanded.
Deputy FBI Director Paul Abbate said at a Justice Department briefing announcing the seizure that law enforcement identified a virtual wallet used in the ransom payment and then recovered the funds. He said investigators found more than 90 companies victimized by DarkSide, a Russia-linked cybercrime group blamed in the pipeline attack."
Agree value of the coins is less relevant than the number of coins. I like the idea of “Friday Night Hackers,” featuring Boris and Yevgenia. Last week they took over a meat processing plant. What hijinks will our kooky hackers get up to this weekend? Is love in the air?!? Will the annexation of Crimea be complete before the pipeline?
Tune in Friday at 8pm, Belarusian time, so you won’t miss out! Special super anonymous guest star Vlad P will be joining us in the seventh half hour!
Do svidaniya.
RE: RE: Regarding how they recovered it - from NYT newsletter this AM
There are so many ways to shuffle Bitcoin around that to not have done it is beyond negligent. There are dozens, if not hundreds, of “tumbler” services on the DarkNet where you deposit your Bitcoin, the transaction dead ends, and you get back a percentage that is completely untraceable from a pool of usually dirty btc mixed with clean btc people have deposited for spin-to-win type contests, that’s now all clean as a whistle with basically no trace route.
Perhaps they were holding for the price to improve.
CISA/US-CERT is under DHS
An offensive cyber operation such as this was almost certainly done by US Cyber Command/NSA. CISA is more of a defensive outfit.
said the recovery was done by the DOJ's recently formed Ransomware and Digital Extortion Task Force.
And it's unlikely any agency broke any codes or cryptography, they likely had been tipped off, someone compromised along the way (one of the wallets for example) or were monitoring the group from the beginning (based on what I've read).
When it comes to tech and cyber security the government is waaaaaay behind. It's just not built to have either the best or the up-and-coming, and things move fast in that world. Not to mention the people good at this certainly have an anti-authoritarian streak. I joined the Navy to become a CTN back in 2011 because I saw this as the next major issue. Apparently, my 98 ASVAB wasn't good enough in a post-housing-crisis world and a downsizing military. Soon I'll be joining a cybersecurity SaaS team on the other side, selling. That's the one thing I'm envious about China with: they give you the best opportunities when you show aptitude.
People being better prepared and more diligent. Probably a pipe dream but...
They'll probably rush a Hollywood agent team to get them signed to a reality TV contract. Every Sunday Night, it's "Real Hackers of Russia"
What's to stop them from doing it again, if only for retaliation?
Sounds like the combination to an idiot's luggage.
get $2.3M of the $4.4M paid?
IP in this context = Intellectual Property
Seems they hacked the hackers.
Looks like they were only able to seize the funds in the last few days so I guess add Colonial to the list of people pissed at Elon Musk.
Excellent point
Everyone gets a stimi these days, to include Russia.