In order to combat the rise in cybercrime, the FBI has been deploying new tactics that are both comforting and disturbing by turns. We can be happy that criminals are going to jail or have lost stolen money. However, it also raises the question: how did the FBI access “secure” information or “untraceable” currency?

Well, part of it is the criminals' incomplete understanding of how a public blockchain works, part of it is clever policing, and part of it we may never know. But we can certainly make some educated guesses. So, how did "secure" online transmissions get infiltrated by US federal law enforcement?

The Colonial Pipeline Bitcoin Recovery

A couple of days ago, the FBI was able to recover 63.7 of the 75 bitcoin that Colonial Pipeline Co. allegedly paid to the DarkSide hacker group. The group had managed to plant ransomware on Colonial's systems, shutting down fuel transport along the pipeline and briefly causing a run on gas in the eastern United States.

Bitcoin and other cryptocurrencies have become the preferred method of payment for ransomware gangs because they are widely believed to be anonymous and untraceable. But are they? For Bitcoin the answer is emphatically "no": it is pseudonymous, not anonymous. Addresses are not tied to names, but every payment between them is recorded in public, forever.

How Crypto Works (In Part)

While many of the details are not being released to the public for obvious reasons, the FBI has said that it traced the money by examining the public Bitcoin ledger, the same thing anyone can do with a blockchain explorer. Since Bitcoin's creation in 2009, there have been concerns that it could be used by criminals as untraceable money. The thing those concerns overlook is that the ledger is public by design, and a blockchain explorer is simply a search engine for it.

Every Bitcoin transaction (and every transaction on most other public-ledger cryptocurrencies; privacy-focused coins are the exception) can be seen in a blockchain explorer. With one you can look at an address's full transaction history, see the largest transactions of the day, follow funds from receiving addresses to change addresses, and a whole lot more. This not only lets an ordinary user verify a payment that hasn't been confirmed yet, but also spot an attempted double-spend.

This transparency also makes it straightforward for an organization like the FBI to watch the transactions confirm in real time and follow the funds hop by hop to the address they end up at. Blockchain analytics firm Elliptic independently identified the receiving address as well, and it matches the one in the FBI seizure affidavit.
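To make the "follow the funds hop by hop" idea concrete, here is an added example (not code from the original post, and not the FBI's or Elliptic's tooling) that walks a toy ledger the way an analyst walks a blockchain explorer's data. The ledger, the transaction IDs and the addresses are all constructed for illustration: a ransom payment, a split that sends a cut to a second address, and a final hop. Amounts are in satoshis, as real tooling uses integers rather than floating-point BTC.

```python
"""Full-taint tracing over a toy Bitcoin-style ledger (added example)."""
from collections import defaultdict

# Constructed sample ledger. Each transaction spends previous outputs,
# referenced as (txid, output index), and creates new (address, satoshis)
# outputs. tx0 stands in for the victim's funding; tx4 is unrelated noise
# that a correct trace must not pick up.
LEDGER = [
    {"txid": "tx0", "inputs": [],
     "outputs": [("victim_addr", 7_500_000_000)]},
    {"txid": "tx1", "inputs": [("tx0", 0)],
     "outputs": [("ransom_addr", 7_500_000_000)]},
    {"txid": "tx2", "inputs": [("tx1", 0)],
     "outputs": [("dev_cut_addr", 1_130_000_000), ("hop_addr", 6_370_000_000)]},
    {"txid": "tx3", "inputs": [("tx2", 1)],
     "outputs": [("final_addr", 6_370_000_000)]},
    {"txid": "tx4", "inputs": [],
     "outputs": [("unrelated_addr", 100_000_000)]},
]


def build_index(ledger):
    """Index every output by (txid, vout) and record which tx spends it."""
    outputs = {}   # (txid, vout) -> (address, satoshis)
    spent_by = {}  # (txid, vout) -> txid of the spending transaction
    for tx in ledger:
        for vout, (addr, sats) in enumerate(tx["outputs"]):
            outputs[(tx["txid"], vout)] = (addr, sats)
        for prev in tx["inputs"]:
            spent_by[prev] = tx["txid"]
    return outputs, spent_by


def trace(ledger, start_addr):
    """Follow every coin ever paid to start_addr forward through the ledger.

    Returns the spending transactions in the order they were discovered and
    the still-unspent outputs those coins now sit in. This is "full taint":
    every output of a spending transaction is followed, so mixers and
    CoinJoins over-approximate rather than lose the trail.
    """
    outputs, spent_by = build_index(ledger)
    by_txid = {tx["txid"]: tx for tx in ledger}
    frontier = [op for op, (addr, _) in outputs.items() if addr == start_addr]
    seen_txids = []
    unspent = {}
    while frontier:
        outpoint = frontier.pop()
        if outpoint not in spent_by:
            unspent[outpoint] = outputs[outpoint]  # trail ends here for now
            continue
        txid = spent_by[outpoint]
        if txid in seen_txids:
            continue
        seen_txids.append(txid)
        n_out = len(by_txid[txid]["outputs"])
        frontier.extend((txid, vout) for vout in range(n_out))
    return seen_txids, unspent


def holdings(unspent):
    """Sum the unspent tainted outputs per address: where the money is now."""
    totals = defaultdict(int)
    for addr, sats in unspent.values():
        totals[addr] += sats
    return dict(totals)


if __name__ == "__main__":
    path, where = trace(LEDGER, "ransom_addr")
    print("spending txs:", path)
    for addr, sats in holdings(where).items():
        print(f"{addr}: {sats / 1e8:.1f} BTC")
```

Run against the constructed ledger, the trace from the ransom address finds tx2 and tx3 and reports 63.7 BTC sitting at `final_addr` and 11.3 BTC at `dev_cut_addr`, while the unrelated tx4 never appears. Against a real chain the walk is identical; the work is in the scale and in clustering addresses that belong to the same wallet.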

Private Keys

However, just knowing where the bitcoin was sent is not enough to actually recover it. Funds at a Bitcoin address can only be moved by a transaction signed with that address's private key. Whoever holds the key controls the money; unlike a password, there is no "reset" if it is lost, and no provider to appeal to if someone else has a copy.

Unsurprisingly, the FBI has declined to say how it got this private key. However, before you get too worried, understand that it almost certainly wasn't algorithmically cracked. That means they didn't have a computer program find a weakness in the math or guess the key. A Bitcoin private key is a 256-bit number. You will see it written in several ways: as 64 hexadecimal characters, as a 51- or 52-character "wallet import format" string, as a QR code, or as a 12- or 24-word seed phrase from which keys are generated. Those are all encodings of the same 256 bits, so the key space is roughly 2^256, about 1.16 × 10^77 possibilities. The most powerful supercomputer in the world would take far longer than the age of the universe to try them all.
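The different spellings of a key listed above are easy to confuse with different key lengths, so here is an added example (not from the original post) that converts one 256-bit key between its hex form and wallet import format (WIF, the Base58Check encoding used by Bitcoin wallets) in pure Python. The sample key is the well-known test vector from the Bitcoin wiki, used here only to show the encoding; the checksum and range checks are the ones a real wallet performs when you paste a key in.

```python
"""Bitcoin private key representations: hex <-> WIF (added example)."""
import hashlib

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Order of the secp256k1 group: a valid private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
WIF_MAINNET_PREFIX = b"\x80"

# Bitcoin wiki test vector (publicly documented, not a real wallet's key).
SAMPLE_KEY_HEX = "0C28FCA386C7A227600B2FE50B7CAE11EC86D3BF1FBE471BE89827E19D72AA1D"


def _checksum(payload: bytes) -> bytes:
    """Base58Check uses the first four bytes of double-SHA256."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(payload: bytes) -> str:
    data = payload + _checksum(payload)
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = BASE58_ALPHABET[rem] + out
    # Each leading zero byte is encoded as a leading '1'.
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def base58check_decode(text: str) -> bytes:
    n = 0
    for ch in text:
        if ch not in BASE58_ALPHABET:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + BASE58_ALPHABET.index(ch)
    leading_ones = len(text) - len(text.lstrip("1"))
    data = b"\x00" * leading_ones + n.to_bytes((n.bit_length() + 7) // 8, "big")
    payload, checksum = data[:-4], data[-4:]
    if _checksum(payload) != checksum:
        raise ValueError("checksum mismatch: key was mistyped or corrupted")
    return payload


def wif_encode(key: bytes, compressed: bool = False) -> str:
    """Encode a 32-byte private key as mainnet WIF.

    Uncompressed keys give 51 characters starting with '5'; the compressed
    flag appends 0x01 and gives 52 characters starting with 'K' or 'L'.
    """
    if len(key) != 32:
        raise ValueError("private key must be exactly 32 bytes")
    k = int.from_bytes(key, "big")
    if not 1 <= k < SECP256K1_N:
        raise ValueError("private key out of range for secp256k1")
    payload = WIF_MAINNET_PREFIX + key + (b"\x01" if compressed else b"")
    return base58check_encode(payload)


def wif_decode(wif: str) -> tuple:
    """Return (32-byte key, compressed flag) from a mainnet WIF string."""
    payload = base58check_decode(wif)
    if payload[:1] != WIF_MAINNET_PREFIX:
        raise ValueError("not a mainnet WIF private key")
    if len(payload) == 34 and payload[-1] == 0x01:
        return payload[1:33], True
    if len(payload) == 33:
        return payload[1:], False
    raise ValueError("malformed WIF payload")


if __name__ == "__main__":
    key = bytes.fromhex(SAMPLE_KEY_HEX)
    for compressed in (False, True):
        wif = wif_encode(key, compressed)
        print(f"compressed={compressed}: {wif} ({len(wif)} chars)")
    print("key space bits:", SECP256K1_N.bit_length())
```

The point to take away: 64 hex digits, 51 or 52 Base58 characters and a 24-word phrase are all the same 256 bits dressed differently. Changing the encoding changes nothing about how hard the key is to guess, and the checksum only catches typos; it is not a secret.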

How Did They Get the Key?

Most likely, the FBI got the key one of three ways: carelessness, treachery, or coordination with the provider.

Let's explore that last one first. In the United States, companies generally have a strong working relationship with law enforcement. They are not, in general, interested in being a party to criminal activity, even indirectly. Moreover, even a company disinclined to assist law enforcement may be legally obliged to. There is a chance that whatever company was hosting the hacker group's crypto wallet (a custodial wallet, where the provider holds the keys on the customer's behalf) also helped the FBI access it. This is the most disturbing idea, since it means a third party might hand over access to your cryptocurrency at the press of a button. Note that it only applies to custodial wallets: if you hold your own keys, there is no provider who can turn them over. It's also, in our view, the least likely explanation.

It's possible that the FBI has an informant within DarkSide (or whoever actually carried out the attack). That person might have been able to get access to the private key and pass it on, allowing the recovery of all the remaining funds after DarkSide paid its developers. This is certainly a possibility, but we don't think it is as likely as the last option.

The most likely way that the FBI got hold of DarkSide's private key is that somebody made a mistake. Maybe they sent it over an unsecured channel. Or told somebody. Or attached it to the wrong email by accident. Regular readers will know how often we stress that the best way to stay secure is to develop strong #SecurityHygiene. People are the weakest part of any security system, and it's probable that somebody at DarkSide was the weak link in their organization.

What Did We Learn?

There are a couple of lessons we can learn from this story.

  1. Bitcoin is not untraceable. In fact, it's the opposite: every transaction is public and permanent, and anyone with a blockchain explorer can follow it.
  2. Security starts with you. Be smart, be vigilant, and take the time to protect your keys and your data properly.

The ANOM Sting

After several years of evidence gathering, a joint operation between the US FBI and the Australian Federal Police has led to an enormous bust. 800 people have been arrested globally. 17 high-level foreign drug distributors have been indicted on racketeering conspiracy charges. The operation, dubbed Operation Trojan Shield/Greenlight, also resulted in the seizure of 32 tons of drugs, 250 guns, 55 luxury cars, and over $148 million.

How did they do it? An old-fashioned sting operation with a high-tech twist.

Why Couldn’t I Download ANOM?

If you're not entrenched in the world of organized crime, then you probably haven't heard of ANOM. However, since 2019 this private messaging app has been a major way that criminals on six continents have communicated. It was marketed as secure, encrypted messaging and was only available on specific, customized phones that could do nothing but send messages to other ANOM users.

What the criminals using ANOM didn't realize was that the app was created by the FBI and the Australian Federal Police, distributed originally by confidential informants and undercover agents, and had been recording every message sent over it since 2019. The messages were encrypted, but the app quietly delivered a readable copy of each one to a server that investigators controlled. The result: 29 million messages in 45 languages from 12,000 devices in over 100 countries. The bust required the coordination of 9,000 officers.

What Does This Mean For You? 

Was your text app really made by law enforcement? Probably not, no.

While it is possible to monitor a person's Internet activity if they aren't using a VPN, this was a huge operation. It took years and enormous resources just to watch roughly 12,000 devices in a closed network of people already suspected of crimes. Monitoring a publicly available app the same way would be nearly impossible on volume of data alone. The real lesson of ANOM is narrower: encryption only protects you if you can trust the app doing the encrypting, and the ANOM users trusted an app whose developers, distribution and servers were all in law enforcement's hands.

You Should Still Use a VPN

With that being said, you should still use a VPN. While neither the Darkside hackers nor the 800 people arrested in Operation Greenlight could have benefitted from one, you can.

Just because mass surveillance isn't feasible using these techniques doesn't mean that you won't be targeted. A VPN encrypts the traffic between your device and the VPN provider, which keeps anyone on your local network or at your ISP from reading your data, monitoring your Internet activity, or harvesting details that can be used to steal your identity. Bear in mind what it does not do: a VPN cannot protect you from an app on your own device that has been built to betray you, which is exactly why it would not have helped the ANOM users.