Misleading titles – Why “FBI acquired DarkSide hackers’ private keys” is false, and a detailed explanation of what actually happened
The most important thing to understand about this “hack” is the difference between DarkSide and the person who demanded the ransom. DarkSide is a ransomware-as-a-service (RaaS) group. They charge 15% of the total ransom to develop the code that their client (aka the affiliate) then installs on the victim’s infrastructure (servers) and uses to demand a ransom payment.
DarkSide’s model is unique. Because they solely provide the code, they aren’t at any risk themselves. They do not demand the ransom and have no contact with the victims. The affiliates are usually insiders or individuals who have access to the ransomed servers but who lack the technical sophistication to develop the code on their own.
The key point in this case is the lack of technical sophistication of the affiliate / ransomer.
DarkSide vets the affiliate – almost certainly by collecting their full identifying information, so that DarkSide can make sure the affiliate pays DarkSide’s share of the ransom (15%) after it gets collected.
The ransom was for 75 bitcoins. The FBI recovered 63.7, which is exactly 85% of the ransom amount. The FBI didn’t recover DarkSide’s 15%; they only recovered the technologically illiterate affiliate’s 85%, because the affiliate who demanded the ransom is an idiot. His only value was being in a position to install the ransomware.
The FBI’s warrant was for the Northern District of California. That’s the location of multiple CEX (centralized exchange) headquarters (Binance, Coinbase has an office there, etc.). It is apparent that the affiliate used one of these exchanges to try to off-ramp into fiat. You can see him moving his 85% of the funds to his own wallet. The wallet that received the BTC ransom is bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq
DarkSide’s 15% hasn’t been recovered and won’t be. Unlike the dude who hired them, they aren’t idiots. They’ve actually publicly apologized for this ransom and have vowed to better vet future clients. (They have a low, but existent, set of morals – no attacking schools, governments, hospitals, critical infrastructure, etc.)
Please ignore the media saying that the FBI hacked Bitcoin. They didn’t. They used a warrant (linked below) to gain access to the affiliate’s funds on a centralized exchange. Remember – not your keys, not your coins. If the affiliate hadn’t moved his share of the BTC to a centralized exchange, the FBI wouldn’t have been able to get them.
There is significant misinformation out there about this. There are also people saying that this was a “false flag” attack. It wasn’t. Again, you can view the wallet and the transactions on the blockchain explorer.
Most of the confusion in the media and on Twitter comes from the failure to differentiate DarkSide – the programming RaaS group – from the affiliate, who had no technical knowledge and suffered the consequence of losing his BTC by doing something stupid (moving it to a KYC’d CEX) after he had done something even stupider (ransoming a huge company). Confiscating this dude’s crypto is significantly less impressive than if the FBI had gotten DarkSide’s share, but the narrative has been set, and it sounds a lot cooler to say that the FBI “hacked an elite group of Russian ransomware hackers”. But that isn’t what happened. Not even remotely.
Please spread the word, not just to all the media sources that are using this to condemn Bitcoin, but also to all the Bitcoin investors who are literally making shit up to try to “defend Bitcoin.” The latter are particularly harmful to the currency because their misinformation is just as false as the media’s, but they are seen as “speakers” for Bitcoin and are being caught in easily disprovable lies (no, DarkSide didn’t give the money back; no, there’s no evidence that it was a false flag; no, this doesn’t mean that your non-SHA256 crypto will “moon”; no, the FBI doesn’t have a quantum computer; no, no, no! If you don’t know what happened, then please just don’t say anything!)
Primary source – Elliptic, a security firm that had been keeping tabs on DarkSide: http://www.elliptic.co/blog/us-authorities-seize-darkside
Useful article on DarkSide’s structure: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
Bitcoin wallet that received the ransom: https://www.blockchain.com/btc/address/bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq
FBI affidavit explaining the sequence of events: https://storage.courtlistener.com/recap/gov.uscourts.cand.379840/gov.uscourts.cand.379840.1.0.pdf