How did the FBI recover some of the Stolen Funds from Colonial Pipeline Hack?

June 8, 2021 - On May 7, 2021, Colonial Pipeline, an American oil pipeline system that originates in Houston, Texas, and carries gasoline and jet fuel mainly to the Southeastern United States, suffered a ransomware cyberattack that impacted computerized equipment managing the pipeline.

On May 13, it was revealed that Colonial Pipeline had paid nearly $5M in ransom.

On June 7, the FBI announced that it had recovered nearly $2.3M of the stolen funds using money-flow and on-chain analysis, among other techniques.

This blog will attempt to reconstruct the process for the readers.

To start the analysis we need to get access to the BTC addresses of interest. Specifically, we need:

  1. The original BTC ransom address (or the deposit address from which Colonial made the initial payment of 75 BTC, or $4.3M)

  2. The hacker payment address from which the FBI obtained some of the recovered funds (e.g., the $2.3M recovered)

  3. The FBI address where the recovered funds remain.

From the seizure warrant, one can obtain only partial details of these addresses. However, with a bit of detective work, our team was able to identify the FBI address as bc1qpx7vyv5tp7dm0g475ev527krg764t73dh77gls.

Using on-chain analysis, we are then able to trace backward and determine the remaining addresses as follows:

  1. Ransom deposit address - 15JFh88FcE4WL6qeMLgX5VEAFCbRXjc9fr

  2. Hacker payment address - bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq

Using a Sankey diagram, the money flow is traced from the initial event, represented by the vertical gray line where the Ransom Deposit Address is shown. A better image for the diagram below can be viewed here.

It is important to state that the 'coinbase' label shown in the Sankey diagram has no relationship to the Coinbase exchange; it denotes the first transaction in a block. A coinbase transaction is a special type of bitcoin transaction that spends no prior outputs and is created by a miner to collect the block reward and the fees of the transactions included in that block.

The stolen funds were then transferred across multiple addresses; five hops later, only 69.6 BTC remained at the hacker payment address. This is where things got more interesting.

  1. 63.7 BTC was sent to the FBI address, where it remains unspent. Based on the FBI press release, this address is controlled by the FBI, i.e., the FBI holds its private keys.

  2. Eight minutes later, 5.9 BTC was sent to an unknown address bc1qvjh9cq6qlj4f4q5vxnkgt25mc6qld04vv20fhe, where it also remains unspent.

It is not known why the FBI did not simply seize both the 63.7 BTC and the 5.9 BTC, as the sum is well within the total of the original stolen funds. Based on blockchain properties, we can deduce that address bc1qvjh9cq6qlj4f4q5vxnkgt25mc6qld04vv20fhe is likely controlled by the owner of address bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq. However, that is not where the issue lies.
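The backward trace from the FBI address to the ransom deposit address, the unspent-balance checks on the FBI and unknown addresses, and the forward walk from the ransom address to where the coins now rest can all be done over the public UTXO graph. The following is an added example written for this post, not Zero Friction's tooling and not real chain data: the addresses are the ones named in the post, but the transaction ids, the intermediate hop, the extra 5.9 BTC input that makes the hacker address total 69.6 BTC, and the unrelated 96.6 BTC co-deposit into the holding address are placeholders chosen so that the balances match the figures above (fees are ignored). In practice the `TXS` list would be replaced by transactions fetched from a node or block explorer.

```python
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list   # [(prev_txid, vout)]; empty for a coinbase transaction
    outputs: list  # [(address, btc)]


# Addresses named in the post.
RANSOM_ADDR = "15JFh88FcE4WL6qeMLgX5VEAFCbRXjc9fr"
HACKER_ADDR = "bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq"
FBI_ADDR = "bc1qpx7vyv5tp7dm0g475ev527krg764t73dh77gls"
UNKNOWN_ADDR = "bc1qvjh9cq6qlj4f4q5vxnkgt25mc6qld04vv20fhe"
SPLIT_ADDR = "bc1qxu83k5qkj8kcqdqqenwzn7khcw4llfykeqwg45"
SIDE_ADDR = "bc1qu57hnxf0c65fsdd5kewcsfeag6sljgfhz99zwt"
HOLDING_ADDR = "bc1q2sewgrnau4e4gvceh8ykzf8lqxawpluu0k0607"

# Constructed transaction set (placeholder txids and amounts rounded to the
# post's figures; NOT real chain data). "tx_other", "tx_unrelated" and
# "tx_exchange_withdrawal" are deliberately absent so the trace hits unknown origins.
TXS = [
    Tx("coinbase0", [], [("miner_addr", 6.25)]),               # block reward, no inputs
    Tx("tx_fund", [("tx_exchange_withdrawal", 0)], [("colonial_wallet", 75.0)]),
    Tx("tx_ransom", [("tx_fund", 0)], [(RANSOM_ADDR, 75.0)]),
    Tx("tx_split", [("tx_ransom", 0)], [(SPLIT_ADDR, 63.7), (SIDE_ADDR, 11.2)]),
    Tx("tx_hop", [("tx_split", 0), ("tx_other", 0)], [(HACKER_ADDR, 69.6)]),
    Tx("tx_to_fbi", [("tx_hop", 0)], [(FBI_ADDR, 63.7), (HACKER_ADDR, 5.9)]),
    Tx("tx_to_unknown", [("tx_to_fbi", 1)], [(UNKNOWN_ADDR, 5.9)]),
    Tx("tx_side", [("tx_split", 1)], [(HOLDING_ADDR, 11.2)]),
    Tx("tx_codeposit", [("tx_unrelated", 0)], [(HOLDING_ADDR, 96.6)]),
]


def index(txs):
    """Map txid -> Tx, and each spent outpoint (txid, vout) -> spending txid."""
    by_id = {t.txid: t for t in txs}
    spender = {prev: t.txid for t in txs for prev in t.inputs}
    return by_id, spender


def unspent_balance(txs, address):
    """Sum of outputs paying `address` that no transaction in `txs` has spent."""
    _, spender = index(txs)
    return round(sum(btc for t in txs
                     for vout, (addr, btc) in enumerate(t.outputs)
                     if addr == address and (t.txid, vout) not in spender), 8)


def trace_back(txs, address, max_hops=20):
    """Walk inputs backwards from every output paying `address`.

    Returns one record per branch: the addresses visited (starting at `address`),
    the number of transaction hops, and why the walk stopped: a coinbase
    transaction (coins minted there), an origin not in the data set, or the cap.
    """
    by_id, _ = index(txs)
    paths = []

    def walk(txid, vout, addrs):
        tx = by_id.get(txid)
        if tx is None:
            paths.append({"addresses": addrs, "hops": len(addrs) - 1, "stop": "unknown-origin"})
            return
        addrs = addrs + [tx.outputs[vout][0]]
        if not tx.inputs:
            paths.append({"addresses": addrs, "hops": len(addrs) - 1, "stop": "coinbase"})
            return
        if len(addrs) > max_hops:
            paths.append({"addresses": addrs, "hops": len(addrs) - 1, "stop": "max-hops"})
            return
        for prev_txid, prev_vout in tx.inputs:
            walk(prev_txid, prev_vout, addrs)

    for t in txs:
        for vout, (addr, _) in enumerate(t.outputs):
            if addr == address:
                walk(t.txid, vout, [])
    return paths


def forward_flow(txs, address):
    """Follow every spend of `address`'s outputs forward and report, per address,
    the unspent outputs the coins now sit in. Uses whole-output taint: when a
    spending transaction merges in other inputs (tx_hop above), all of its
    outputs are followed, so results are an upper bound, not an exact share."""
    by_id, spender = index(txs)
    resting = {}

    def follow(txid, vout):
        addr, btc = by_id[txid].outputs[vout]
        nxt = spender.get((txid, vout))
        if nxt is None:                      # unspent: coins rest here
            resting[addr] = round(resting.get(addr, 0.0) + btc, 8)
            return
        for v in range(len(by_id[nxt].outputs)):
            follow(nxt, v)

    for t in txs:
        for vout, (addr, _) in enumerate(t.outputs):
            if addr == address:
                follow(t.txid, vout)
    return resting


if __name__ == "__main__":
    for path in trace_back(TXS, FBI_ADDR):
        print(path["hops"], "hops:", " <- ".join(path["addresses"]), "|", path["stop"])
    for a in (FBI_ADDR, UNKNOWN_ADDR, HOLDING_ADDR):
        print(a, "unspent:", unspent_balance(TXS, a))
    print("ransom coins now rest at:", forward_flow(TXS, RANSOM_ADDR))
```

Two things the run makes visible that the prose alone does not: the backward walk from the FBI address forks at the merging hop, so one branch reaches the ransom deposit address while the other dies at an origin outside the data set (this is exactly the kind of branch that frustrates a proof that two addresses share an owner), and the forward walk attributes only 11.2 BTC of ransom money to the holding address even though its unspent balance is 107.8 BTC, because the rest arrived from unrelated inputs.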

The key to why the FBI only seized 63.7 BTC lies in TX Hash 0677781a5079eae8e5cbd5e6d9dcc5c02da45351a3638b85c88e5e3ecdc105a7.

Of the 75 BTC sent, address bc1qxu83k5qkj8kcqdqqenwzn7khcw4llfykeqwg45 received only 63.7 BTC. Additionally, this transfer pattern (shown in the image above) provides a high degree of privacy, so one cannot prove with a high degree of certainty that both recipient addresses belong to the same party. It is also possible that only the 63.7 BTC was held in a custodial wallet, which is what allowed the seizure to take place.

Of the remaining balance, 11.2 BTC was sent to address bc1qu57hnxf0c65fsdd5kewcsfeag6sljgfhz99zwt, and that address further sent the BTC (shown below) into a holding address bc1q2sewgrnau4e4gvceh8ykzf8lqxawpluu0k0607, which currently has an unspent balance of 107.8 BTC.

It is very likely that this address is also controlled by the hackers and that it belongs to a non-custodial wallet which the FBI has yet to identify.

Accordingly, the FBI could request the seizure warrant only for that specific amount of 63.7 BTC.

Just a quick disclaimer: Zero Friction has no access to any nonpublic information with regard to this case.