{"id":43924,"date":"2021-06-08T10:48:01","date_gmt":"2021-06-08T07:48:01","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=43924"},"modified":"2025-08-31T14:36:58","modified_gmt":"2025-08-31T11:36:58","slug":"fbi-recovers-63-7-btc-from-colonial-pipeline-ransom-gains-access-to-a-bitcoin-wallet","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/fbi-recovers-63-7-btc-from-colonial-pipeline-ransom-gains-access-to-a-bitcoin-wallet\/","title":{"rendered":"FBI recovers 63.7 BTC from Colonial Pipeline ransom, gains access to a Bitcoin wallet"},"content":{"rendered":"<p>The Federal Bureau of Investigation (FBI) returned the bulk of the ransom paid to the DarkSide hackers in Bitcoin after their attack on Colonial Pipeline, the operator of the U.S. oil pipeline.<\/p>\n<p>As the U.S. Justice Department reports, authorities confiscated 63.7 BTC. The return of the funds was handled by a specially created task force to combat digital extortion and ransomware programs.<\/p>\n<p>The FBI traced the blockchain transactions immediately after the ransom was paid from Colonial Pipeline&#8217;s address to the hackers. Some of the funds were moved to a wallet whose private key was held by law enforcement.<\/p>\n<p>Details of how the private key ended up with the agency were not disclosed. According to court documents, the FBI obtained access in Northern California.<\/p>\n<p>The community expressed concern that U.S. authorities could be hacking cryptocurrency wallets. 
However, this is likely not a hack\u2014the FBI simply requested access to the wallet from a provider or hosting company, according to Adam Back, a pioneer of the crypto industry and the CEO of Blockstream.<\/p>\n<blockquote class=\\\"twitter-tweet\\\">\n<p lang=\\\"en\\\" dir=\\\"ltr\\\">Probably not even hacked, just asked the hosting company or custodial wallet provider (aka exchange) to give them the coins or keys.<\/p>\n<p>\u2014 Adam Back (@adam3us) <a href=\\\"https:\/\/twitter.com\/adam3us\/status\/1402058392647213059?ref_src=twsrc%5Etfw\\\">June 8, 2021<\/a><\/p><\/blockquote>\n<p>He also noted that the hackers used a rented cloud server. The FBI could have obtained a court order, taken control of it, and seized the funds.<\/p>\n<blockquote class=\\\"twitter-tweet\\\">\n<p lang=\\\"en\\\" dir=\\\"ltr\\\"><a href=\\\"https:\/\/twitter.com\/hashtag\/Bitcoin?src=hash&#038;ref_src=twsrc%5Etfw\\\">#Bitcoin<\/a> was NOT hacked<br \/>No bitcoin wallet was hacked, nor is even known to be possible. Ransom hackers used a rented cloud server. FBI got a subpoena and took control of it and recovered coins. That\u2019s it.<\/p>\n<p>\u2014 Adam Back (@adam3us) <a href=\\\"https:\/\/twitter.com\/adam3us\/status\/1402179970277982210?ref_src=twsrc%5Etfw\\\">June 8, 2021<\/a><\/p><\/blockquote>\n<p>In mid-May DarkSide <a href=\"https:\/\/u1f987.com\/en\/news\/elliptic-bitcoin-wallet-used-by-darkside-hackers-has-received-17-5m-since-march\">lost access<\/a> to part of its infrastructure and funds. Elliptic specialists at the time reported a possible confiscation of Bitcoin by the U.S. 
government.<\/p>\n<p>Some suspect that the U.S.-based Coinbase was involved in obtaining access to the wallet.<\/p>\n<blockquote class=\\\"twitter-tweet\\\">\n<p lang=\\\"en\\\" dir=\\\"ltr\\\">The <a href=\\\"https:\/\/twitter.com\/hashtag\/Bitcoin?src=hash&#038;ref_src=twsrc%5Etfw\\\">#Bitcoin<\/a> associated with Ransomware \/ Darkside \/ Colonial Pipeline Co. hack went through the Californian servers of <a href=\\\"https:\/\/twitter.com\/coinbase?ref_src=twsrc%5Etfw\\\">@coinbase<\/a> and likely seized by U.S. investigators there.<\/p>\n<p>Not your keys, not your 63.7 <a href=\\\"https:\/\/twitter.com\/hashtag\/BTC?src=hash&#038;ref_src=twsrc%5Etfw\\\">#BTC<\/a>. <a href=\\\"https:\/\/t.co\/4RwZLFww5c\\\">pic.twitter.com\/4RwZLFww5c<\/a><\/p>\n<p>\u2014 This is Bullish (@thisisbullish) <a href=\\\"https:\/\/twitter.com\/thisisbullish\/status\/1402055011455180801?ref_src=twsrc%5Etfw\\\">June 8, 2021<\/a><\/p><\/blockquote>\n<p>However, Coinbase asserts that it had no involvement in the incident. The head of the company\u2019s security team, Philip Martin, stressed that the company \u201chas no evidence that the funds passed through a Coinbase account\/wallet.\u201d<\/p>\n<blockquote class=\\\"twitter-tweet\\\">\n<p lang=\\\"en\\\" dir=\\\"ltr\\\">2\/ Coinbase was not the target of the warrant and did not receive the ransom or any part of the ransom at any point. 
We also have no evidence that the funds went through a Coinbase account\/wallet.<\/p>\n<p>\u2014 Philip Martin (@SecurityGuyPhil) <a href=\\\"https:\/\/twitter.com\/SecurityGuyPhil\/status\/1402079973003849739?ref_src=twsrc%5Etfw\\\">June 8, 2021<\/a><\/p><\/blockquote>\n<blockquote class=\\\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\\\">\n<p>\u201cCoinbase uses a single hot wallet, so transferring a specific private key makes little sense, and we (for obvious security reasons) have not built an API endpoint to export the private key into our signing systems,\u201d wrote Martin.<\/p>\n<\/blockquote>\n<p>NBC News journalist Kevin Collier, citing sources, confirmed that Coinbase did not assist the FBI, and that Microsoft specialists assisted law enforcement.<\/p>\n<blockquote class=\\\"twitter-tweet\\\">\n<p lang=\\\"en\\\" dir=\\\"ltr\\\">The FBI did not do this by seizing a Coinbase account, source familiar tells me.<\/p>\n<p>\u2014 Kevin Collier (@kevincollier) <a href=\\\"https:\/\/twitter.com\/kevincollier\/status\/1402033992040435713?ref_src=twsrc%5Etfw\\\">June 7, 2021<\/a><\/p><\/blockquote>\n<p>Deputy Attorney General Lisa Monaco stressed that authorities will continue to fight ransomware and will use all available tools.<\/p>\n<p>In early May, DarkSide <a href=\"https:\/\/u1f987.com\/en\/news\/hackers-from-russia-linked-to-colonial-pipeline-attack-via-ransomware\">attacked Colonial Pipeline<\/a>, blocking its computer systems and stealing data. 
To restore operations and retrieve the data, Colonial Pipeline <a href=\"https:\/\/u1f987.com\/en\/news\/media-colonial-pipeline-paid-hackers-a-5-million-ransom-in-cryptocurrency\">paid the attackers 75 BTC<\/a>.<\/p>\n<p>Elliptic specialists <a href=\"https:\/\/u1f987.com\/en\/news\/study-finds-darkside-victims-paid-about-90-million-in-bitcoin\">discovered 47 Bitcoin wallets<\/a>, presumably belonging to DarkSide. According to their data, over nine months the attackers collected about $90 million in Bitcoin from victims.<\/p>\n<p>In June, U.S. President Joe Biden ordered a study of <a href=\"https:\/\/u1f987.com\/en\/news\/biden-administration-to-study-use-of-cryptocurrencies-in-ransomware-attacks\">tracking cryptocurrency transactions<\/a> as one possible way to fight ransomware.<\/p>\n<p>Subsequently, media reports said that investigations into ransomware attacks in the United States received <a href=\"https:\/\/u1f987.com\/en\/news\/us-raises-the-priority-of-cyberattack-investigations-to-the-level-of-terrorism-cases\">the same level of priority as terrorism cases<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The FBI returned the bulk of the ransom paid to the DarkSide hackers in Bitcoin after the attack on Colonial Pipeline, the operator of the U.S. 
oil pipeline.<\/p>\n","protected":false},"author":1,"featured_media":43925,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1154,1143,57],"class_list":["post-43924","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-crimes","tag-intelligence-agencies","tag-wallets"],"aioseo_notices":[],"amp_enabled":true,"views":"27","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/43924","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=43924"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/43924\/revisions"}],"predecessor-version":[{"id":43926,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/43924\/revisions\/43926"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/43925"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=43924"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=43924"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=43924"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}