The US Department of Justice announced that it has recovered part of the cryptocurrency ransom that Colonial Pipeline paid to the DarkSide ransomware gang.
It is reported that the Colonial Pipeline, the largest fuel pipeline in the United States, was attacked by DarkSide ransomware, and DarkSide requested a ransom in Bitcoin worth $5 million. Colonial Pipeline delivered a ransom of 75 BTC on May 9th, Beijing time.
According to CoinHolmes, PeckShield's anti-money-laundering and anti-fraud system, after Colonial Pipeline paid the 75 BTC, the funds were transferred to two wallet addresses, beginning bc1qxu and bc1qu5, which received approximately 84% and 16% of the ransom respectively.
PeckShield has previously analyzed that the DarkSide ransomware organization operates a complete "ransomware as a service (RaaS)" supply chain: the developers supply the tooling and methods to downstream affiliates and profit from the proceeds. The fund-flow diagram shows that the funds frozen by the FBI this time are the downstream affiliate's share (the address beginning bc1qxu, 63.7 BTC), while the developers' share (the address beginning bc1qu5, 11.2 BTC) has not moved since it was received.
The downstream affiliate's 63.7 BTC at the bc1qxu address was first transferred to an address beginning 3EYkxQ, then to an address beginning bc1qq2, and from there sent in two transactions: 63.7 BTC to the target address beginning bc1qpx (the address whose private key the FBI holds) and 5.9 BTC to another address.
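A constructed Python sketch of the hop-by-hop tracing just described, added here as an illustration rather than PeckShield's CoinHolmes tooling. The addresses are truncated placeholders, and the 5.9 BTC feeding the bc1qq2 address from an unlabelled source is an assumption so that the final split balances:

```python
from collections import defaultdict

# Constructed edges (sender, receiver, BTC) reproducing the flow in the article.
# Addresses are truncated placeholders; "other_source" -> bc1qq2 (5.9 BTC) is an
# assumption so that the final split (63.7 + 5.9) balances.
EDGES = [
    ("victim", "bc1qxu...", 63.7),        # downstream (affiliate) share
    ("victim", "bc1qu5...", 11.2),        # developer share, never moved
    ("bc1qxu...", "3EYkxQ...", 63.7),
    ("3EYkxQ...", "bc1qq2...", 63.7),
    ("other_source", "bc1qq2...", 5.9),   # assumed co-mingled input
    ("bc1qq2...", "bc1qpx...", 63.7),     # address whose private key the FBI held
    ("bc1qq2...", "unknown_b", 5.9),
]
RANSOM_BTC = 75.0

def build_graph(edges):
    """Adjacency list: address -> [(recipient, amount)]."""
    graph = defaultdict(list)
    for src, dst, amt in edges:
        graph[src].append((dst, amt))
    return graph

def first_hop_split(graph, origin, total):
    """Fraction of the ransom each direct recipient of `origin` received."""
    return {dst: round(amt / total, 3) for dst, amt in graph[origin]}

def trace_paths(graph, origin, target):
    """All simple paths origin -> target, each as a list of (src, dst, amt) hops."""
    found, stack = [], [(origin, [])]
    while stack:
        node, hops = stack.pop()
        if node == target:
            found.append(hops)
            continue
        seen = {origin} | {d for _, d, _ in hops}
        for dst, amt in graph[node]:
            if dst not in seen:           # never revisit an address on this path
                stack.append((dst, hops + [(node, dst, amt)]))
    return found

def dormant_addresses(graph, edges):
    """Recipients with no outgoing transaction, i.e. funds that were never moved."""
    received = {dst for _, dst, _ in edges}
    return sorted(a for a in received if not graph.get(a))

if __name__ == "__main__":
    g = build_graph(EDGES)
    print(first_hop_split(g, "victim", RANSOM_BTC))
    for path in trace_paths(g, "victim", "bc1qpx..."):
        print(" -> ".join(f"{s}->{d} ({a} BTC)" for s, d, a in path))
    print("dormant:", dormant_addresses(g, EDGES))
```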
An affidavit filed this Monday showed that the ransom was recovered because the FBI possessed the private key of a key wallet in the transfer chain, but it did not disclose how the FBI obtained that key.
A PeckShield "Paid Shield" anti-money-laundering expert said: "The FBI very likely traced the ransomware's server agent in the United States, which was then terminated; the private key may have been stored on that server."
Earlier, DarkSide’s website was blocked, and they posted a letter announcing the dissolution and transferred the funds on the payment server to an unknown address.
"Based on our previous assistance to the police in tracking virtual-currency money-laundering cases, under normal circumstances, by tracking and analyzing the flow of funds, transaction patterns and counterparty information, if the suspect uses a centralized trading institution to launder money, the suspect can be located through that centralized institution. In the case of Colonial Pipeline, the assets did not flow into a centralized trading institution, so the FBI likely did not use this method to block the suspected funds and identify the suspects involved. In addition, there is currently no indication that the private key was leaked. Our judgment leans toward the FBI having recovered the ransom from the server agent," the PeckShield "Paid Shield" anti-money-laundering expert explained.