
Topic: I ID'd the Darkside address, ransom transaction and custodial exchange

legendary
Activity: 3430
Merit: 3080
Interesting thing to see that these notorious Russian hackers are always targeting stuff like oil, meat and coal related industries that are accused of increasing global warming, just like Bitcoin.
After the latest JBS and all other hacks you can clearly see that all these attacks are coming from a single center, and that is not Russia, even if Russian hackers may be used as a tool.
Biden recently said that global warming is the biggest threat to the United States and Trump said that Bitcoin is the biggest threat to the US dollar, so think about that.
Investigate everything, don't trust the government and don't trust anything you hear on mainstream media.

when you look at the trends in the media over the past 20 years, one trend stands out:


if the trends were not natural, but deliberate, it's a perfect recipe for worldwide chaos
legendary
Activity: 2212
Merit: 7064
Interesting thing to see that these notorious Russian hackers are always targeting stuff like oil, meat and coal related industries that are accused of increasing global warming, just like Bitcoin.
After the latest JBS and all other hacks you can clearly see that all these attacks are coming from a single center, and that is not Russia, even if Russian hackers may be used as a tool.
Biden recently said that global warming is the biggest threat to the United States and Trump said that Bitcoin is the biggest threat to the US dollar, so think about that.
Investigate everything, don't trust the government and don't trust anything you hear on mainstream media.
legendary
Activity: 3010
Merit: 1460
I don't know who is more stupid, people who thought that FBI hacked Bitcoin or the hackers who sent coins to centralized exchange without mixing them well enough.

but didn't the "stupid" hackers break into the computer system of a major infrastructure provider?

  • smart enough to hack someone that will have had an expensive contractor securing their system
  • knew almost zero about cryptocurrencies, and didn't have more than 5 minutes to learn the basics that lost them their ransom


if we consider that FBI agents have been proven corrupt liars so so many times, it's highly likely that "we hacked bitcoin" isn't the only lie being told here

However, the stupid hackers were also not that smart to use an anonymous cryptocoin. They would presently be counting their money on a beach somewhere if they chose the correct coin to use for the job hehehe.

In any case, there was another ransomware attack. This article claims the hacker group left no trace hehe. But they certainly left many traces in the bitcoin blockchain.



JBS Holdings, the world’s largest meat company by sales, paid $11 million in its May 30 bitcoin (BTC, +9.34%) ransomware attack, attempting to avoid further disruption to its business.

As reported by The Wall Street Journal on Wednesday, payment was made to a group REvil, who left no trace as to how they managed to infiltrate the company’s systems.


Source https://www.coindesk.com/ransomware-jbs-holdings-meat-producer

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
According to ErgoBTC, the exchange that was used is Gemini, not Binance, and they posted all addresses and links on the OXT browser.

That exchange refers to the one Colonial Pipeline used to purchase the bitcoins (Gemini), not the exchange of the affiliate hacker. I did not find any Gemini addresses in Wallet Explorer connected to Darkside addresses.
legendary
Activity: 2212
Merit: 7064
maybe the computer specialists working at the biggest, most well-funded police force in the world are stupid too, sorry, I meant ignorant
They are maybe even intentionally stupid ignorant
legendary
Activity: 3430
Merit: 3080
My question is why would federal agents post addresses with xxxxx if everyone knows that nothing is hidden like that, like they did it on purpose.

maybe the computer specialists working at the biggest, most well-funded police force in the world are stupid too, sorry, I meant ignorant


Maybe the word isn't stupid, but rather ignorant. Still, if you're committing a crime, sending the proceeds of that crime to an exchange directly is stupid.

Sorry, but this story is stretching credulity a little thin. The entire plan was based around making off with some ransom money; the sophisticated hacking of an important (and probably not public) computer network (owned by a company making a lot of money from the underlying asset) was the means, not the end.

it's like Houdini, Al Capone and David Copperfield stole all the gold in Fort Knox, only for Ayrton Senna to turn up as getaway driver in one of those circus clown cars that falls into pieces when it parks to pick up the loot
legendary
Activity: 2212
Merit: 7064
According to ErgoBTC, the exchange that was used is Gemini, not Binance, and they posted all addresses and links on the OXT browser.
My question is why would federal agents post addresses with xxxxx if everyone knows that nothing is hidden like that, like they did it on purpose.
Everything about this story stinks, centralized service theory is not true for sure, and even private key ownership is not very likely but it is still possible if you look at balance and IP address used on Electrum server.
Don't trust anything you hear from government, federal agents and mainstream media.


https://twitter.com/ErgoBTC/status/1402070662756421632
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
I don't know who is more stupid, people who thought that FBI hacked Bitcoin or the hackers who sent coins to centralized exchange without mixing them well enough.

but didn't the "stupid" hackers break into the computer system of a major infrastructure provider?

  • smart enough to hack someone that will have had an expensive contractor securing their system
  • knew almost zero about cryptocurrencies, and didn't have more than 5 minutes to learn the basics that lost them their ransom

Maybe the word isn't stupid, but rather ignorant. Still, if you're committing a crime, sending the proceeds of that crime to an exchange directly is stupid.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
It looks like there were actually two stashes of BTC split among two different addresses: 63.7BTC was in the affiliate's address (Darkside's operational model involves having "affiliates" do the job to pay them a commission of the ransom). The remaining 11.2BTC was stored in DarkSide's address, and NOT on an exchange (smartly) before someone apparently stole all of Darkside's bitcoins while they were being kicked off their servers and hosting panels by their providers. It was likely an insider who previously had access to their wallet that did it.

11.2 divides into 75 to give almost 0.15, so it's safe to assume that Darkside took 15% of the ransomware money for themselves, which is still at large. The remaining 85% of the BTC was in the affiliate's Binance wallet which was seized by the FBI.
legendary
Activity: 3430
Merit: 3080
I don't know who is more stupid, people who thought that FBI hacked Bitcoin or the hackers who sent coins to centralized exchange without mixing them well enough.

but didn't the "stupid" hackers break into the computer system of a major infrastructure provider?

  • smart enough to hack someone that will have had an expensive contractor securing their system
  • knew almost zero about cryptocurrencies, and didn't have more than 5 minutes to learn the basics that lost them their ransom


if we consider that FBI agents have been proven corrupt liars so so many times, it's highly likely that "we hacked bitcoin" isn't the only lie being told here
legendary
Activity: 3024
Merit: 2148
I don't know who is more stupid, people who thought that FBI hacked Bitcoin or the hackers who sent coins to centralized exchange without mixing them well enough.

This story should once again prove that Bitcoin is not a good tool for criminals if they don't really-really know what they are doing, and in many cases Bitcoin would even allow law enforcement to seize the funds faster.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Check out this Reddit link to an article. It is an affidavit on how the FBI got the Bitcoin. Compare with this and let me know what you think.

https://www.reddit.com/r/CryptoCurrency/comments/nv7ihs/fbi_affidavit_explaining_how_they_ended_up/

Addresses check out. They match with the affidavit. Names are all blacked out so there's no evidence that Coinbase was the targeted exchange. I have no clue why people think the bitcoins were on Coinbase in the first place. There isn't even any news about this when you do a google search on Coinbase. Maybe people just think it's them because they rat off the most info to the US government.

What's new is that the 75BTC was split into not just a 63.7BTC chunk but also an 11.2BTC chunk that was sent to bc1qxu83k5qkj8kcqdqqenwzn7khcw4llfykeqwg45 and bc1qu57hnxf0c65fsdd5kewcsfeag6sljgfhz99zwt respectively. Both of these addresses are involved as inputs in transactions that have huge amounts of inputs and one output with a gigantic amount of BTC, which establishes both of these wallets as cold storage for a particular exchange.

Think about it this way though: If they had the private key, then why would they need to issue a warrant (and due to the way exchanges are designed, you cannot get the private key to someone's address because everyone's funds are moved to cold storage). If this were some community wallet like Electrum or Bitcoin Core they would just swipe it immediately without consulting anyone - because there's nobody to consult/issue a warrant to!

They had to issue a warrant because they did not have access to the private key at the time of the issue. They still don't have it, because the exchange must've moved the coins to an FBI-controlled address which is what the warrant is supposed to do. Again, they cannot issue a warrant to access an exchanges' cold storage.

Also of interest is that after that affidavit was published, the coins have moved from the bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq address, which is the address the author states the 69.6BTC was transferred to from the suspected-Binance address.

That means either the FBI didn't actually seize the coins [highly improbable given the torrent of news reports about this] and therefore has no private keys, or they moved the coins so that people like me would not try to snoop on them from block explorers. Either way, the only private keys that the FBI controls are the ones to its own addresses. Which at this point appears to be wallet fc8d1c748f and all its outputs.
sr. member
Activity: 287
Merit: 368
"Stop using proprietary software."
Excellent writeup! I am curious as to how you got Binance in your findings given that many people have found it being on Coinbase. Either way, thank you for not spreading misinformation!

Personally, I haven't seen any news reports which mentioned Coinbase, to be honest. It is either confidential information, or that's not where the hackers set their base up. Binance seems to be a haven for scammers/giveaway & doubler con artists/ransom thieves. Plus they don't report as much info about your addresses (if at all) to the IRS.

But the technical analysis is what I did to conclude it was on Binance. Here's a diagram between all the connected wallets:


What's not shown in the diagram is a bunch of other wallets connected to the 061e93d18ff39503 wallet, which have strange patterns. Many of them are chains of transactions that spend a smaller amount of a large BTC pile to an address, which itself spends a smaller amount of that, etc. until it comes to another one of those megaheavy addresses with 1000's of transactions some having a single input or output linking solely to the Binance.com wallet.

Check out this Reddit link to an article. It is an affidavit on how the FBI got the Bitcoin. Compare with this and let me know what you think.

https://www.reddit.com/r/CryptoCurrency/comments/nv7ihs/fbi_affidavit_explaining_how_they_ended_up/
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Excellent writeup! I am curious as to how you got Binance in your findings given that many people have found it being on Coinbase. Either way, thank you for not spreading misinformation!

Personally, I haven't seen any news reports which mentioned Coinbase, to be honest. It is either confidential information, or that's not where the hackers set their base up. Binance seems to be a haven for scammers/giveaway & doubler con artists/ransom thieves. Plus they don't report as much info about your addresses (if at all) to the IRS.

But the technical analysis is what I did to conclude it was on Binance. Here's a diagram between all the connected wallets:

(Direct link on Imgur, in case this is too fuzzy to read)


What's not shown in the diagram is a bunch of other wallets connected to the 061e93d18ff39503 wallet, which have strange patterns. Many of them are chains of transactions that spend a smaller amount of a large BTC pile to an address, which itself spends a smaller amount of that, etc. until it comes to another one of those megaheavy addresses with 1000's of transactions some having a single input or output linking solely to the Binance.com wallet.
sr. member
Activity: 287
Merit: 368
"Stop using proprietary software."
How I tracked the Darkside bitcoins to Binance. Or, how the FBI *did not* hack Bitcoin



- wallet 061e93d18ff39503 makes THREE transactions to https://www.walletexplorer.com/wallet/1b5c02f022e719e6 all with the same timestamp (2021-04-29 14:16:03)
- The 1b5c02f022e719e6 wallet received a transaction from wallet https://www.walletexplorer.com/wallet/fd785af9bf3ec6fd on May 5 (before the ransom payment). Both of these wallets happen to receive transactions from a wallet ID'd from Binance: https://www.walletexplorer.com/wallet/Binance.com
- At this point it is getting suspicious that these are Binance-controlled wallets, but we still need more evidence. Tracing the fd785af9bf3ec6fd transaction, it sends money to https://www.walletexplorer.com/wallet/5acc6b7de22bf5b1 in the same transaction as to the 1b5c02f022e719e6 wallet.

- This wallet 5acc6b7de22bf5b1 also makes two transactions, one to https://www.walletexplorer.com/wallet/00000e6843401c9c and another to https://www.walletexplorer.com/wallet/0000255d26958dc3, on the same day: May 5. Both wallets have a heavy transaction frequency and history, with one of them frequently sending transactions to the Binance.com wallet, while the other receives transactions from the Binance.com wallet.

Since only an exchange would use an address that many times, and both have links to the Binance.com address, I think it's safe to conclude that the Darkside money was stored on Binance.

That means the FBI served Binance an order to turn in the bitcoins, which also means that the FBI did not hack bitcoin.

So please stop repeating this nonsense that FBI hacked bitcoin and private keys to get the ransom money, they did not get the private keys in the first place.

Excellent writeup! I am curious as to how you got Binance in your findings given that many people have found it being on Coinbase. Either way, thank you for not spreading misinformation!
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
How I tracked the Darkside bitcoins to Binance. Or, how the FBI *did not* hack Bitcoin

UPDATE: I have found more information about the Darkside addresses which I have published on my blog: https://notatether.com/bitcoin/gotcha-darkside-how-i-traced-the-stolen-bitcoins/



I think I have traced the DarkSide address myself since nobody's telling us which one this is.

Elliptic (the forensics company that ID'd the darkside wallet) said that Colonial Pipeline paid 75BTC to the hackers on May 8 (source). And it's got to be a 1-input 2-output transaction because do you really think the victims know how to do Pay-To-Many or CoinJoin?

If we filter the transactions on Blockchair based on this info, we get these results: https://blockchair.com/bitcoin/transactions?s=output_total(desc)&q=time(2021-05-08),output_total(7400000000..7600000000)#

There is only one transaction in that range that matches these details, and it's fc78327d4e46dac01dc313067b1ac7f274cdb3a07ea9f28f6f71473145f1b264, happened on 2021-05-08 17:47:50. On walletexplorer.com the corresponding "wallet" is https://www.walletexplorer.com/wallet/b68f605feedee27e.

Also, they had to have bought the bitcoins from an exchange, because there's no way the address "feeding" it could also have near exactly 75BTC, and another feeding address has a dust output to it that looks like it covers a transaction fee.

The address must have been generated by the hackers, because it has only been used 3 times. Its last transaction was made on 18:21 on the same day, to an exchange, identified by this wallet: https://www.walletexplorer.com/wallet/061e93d18ff39503. This is the deposit address of some exchange. But which one?

Reporters are mentioning that the FBI seized the entire contents of the darkside wallet which had about 63.7BTC. So all we have to do is find the address where the exchange sends 63.7BTC to internally.

We don't have to go very far down the page to see that it goes to this wallet: https://www.walletexplorer.com/wallet/123085fff68ee703, on 2021-05-09 16:33:54. It would stay dormant until May 28, when it's moved to yet another wallet that happens to have two transactions yesterday, clearing the entire balance.

It occurs just before the first news reports announcing the FBI recovered the DarkSide ransom money so there is a strong correlation that the FBI seized the bitcoins from that address.

But how?

Reports are claiming that the "hacker wallet" 061e93d18ff39503 has received 57 transactions to the tune of several million dollars. But I think it's merely an exchange's deposit address or an online custodial wallet's address.

I strongly doubt the FBI found the private keys to any of these addresses. The public keys can easily be found because they are revealed whenever an address is spent from. Therefore, the likely theory is that this is an exchange address, and the FBI sent a warrant to the exchange to hand over those 63.7 bitcoins. But the question is, which exchange?

If walletexplorer.com can identify other connected addresses to the 061e93d18ff39503 deposit wallet, then we can conclude that this wallet also belongs to that exchange.



Let's browse the wallets in the following order:

- wallet 061e93d18ff39503 makes THREE transactions to https://www.walletexplorer.com/wallet/1b5c02f022e719e6 all with the same timestamp (2021-04-29 14:16:03)
- The 1b5c02f022e719e6 wallet received a transaction from wallet https://www.walletexplorer.com/wallet/fd785af9bf3ec6fd on May 5 (before the ransom payment). Both of these wallets happen to receive transactions from a wallet ID'd from Binance: https://www.walletexplorer.com/wallet/Binance.com
- At this point it is getting suspicious that these are Binance-controlled wallets, but we still need more evidence. Tracing the fd785af9bf3ec6fd transaction, it sends money to https://www.walletexplorer.com/wallet/5acc6b7de22bf5b1 in the same transaction as to the 1b5c02f022e719e6 wallet.

- This wallet 5acc6b7de22bf5b1 also makes two transactions, one to https://www.walletexplorer.com/wallet/00000e6843401c9c and another to https://www.walletexplorer.com/wallet/0000255d26958dc3, on the same day: May 5. Both wallets have a heavy transaction frequency and history, with one of them frequently sending transactions to the Binance.com wallet, while the other receives transactions from the Binance.com wallet.

Since only an exchange would use an address that many times, and both have links to the Binance.com address, I think it's safe to conclude that the Darkside money was stored on Binance.

That means the FBI served Binance an order to turn in the bitcoins, which also means that the FBI did not hack bitcoin.

So please stop repeating this nonsense that FBI hacked bitcoin and private keys to get the ransom money, they did not get the private keys in the first place.
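As an added worked example (editor's code, not the poster's tooling, and not real chain data), here are the heuristics the post above relies on, plus the many-inputs/one-output "cold storage" sweep pattern pointed out earlier in the thread, written in Python over a constructed set of transactions: the Blockchair-style date and amount filter narrowed to the 1-input/2-output shape, a check that drops a candidate which merely spends another candidate's output, common-input-ownership clustering (what WalletExplorer presents as a "wallet"), propagation of a label from one attributed address to its whole cluster, and the consolidation-sweep flag. Every txid, address, amount and the "ExchangeX" attribution below is made up for illustration.

```python
"""Added example: toy on-chain tracing heuristics over constructed transactions.
Every txid, address, amount and label here is made up; this is not real chain data."""
SATS = 100_000_000

def btc(x):
    return round(x * SATS)          # BTC float -> integer satoshis

# Constructed sample mirroring the shapes described in the thread (not a consistent UTXO set).
TXS = [
    {"txid": "t1", "time": "2021-05-08 15:00:00",  # exchange sells ~75 BTC to the victim
     "inputs": [("exch_hot_1", btc(80))],
     "outputs": [("victim", btc(75) + 50_000), ("exch_hot_1", btc(4.99))]},
    {"txid": "t2", "time": "2021-05-08 17:47:50",  # ransom payment: 1 input, 2 outputs
     "inputs": [("victim", btc(75) + 50_000)],
     "outputs": [("ransom_addr", btc(75)), ("victim_change", 40_000)]},
    {"txid": "t3", "time": "2021-05-08 18:00:00",  # similar total but a 3-output pay-to-many
     "inputs": [("someone", btc(76))],
     "outputs": [("a", btc(50)), ("b", btc(25)), ("c", btc(0.9))]},
    {"txid": "t4", "time": "2021-05-08 18:21:00",  # split: 63.7 to an exchange deposit, 11.2 kept
     "inputs": [("ransom_addr", btc(75))],
     "outputs": [("deposit_X", btc(63.7)), ("operator_addr", btc(11.2))]},
    {"txid": "t5", "time": "2021-05-09 16:33:54",  # exchange sweep: many deposits -> one cold output
     "inputs": [("deposit_X", btc(63.7)), ("deposit_Y", btc(2)), ("deposit_Z", btc(0.5)), ("exch_hot_1", btc(1))],
     "outputs": [("cold_storage", btc(67.19))]},
    {"txid": "t6", "time": "2021-05-05 09:00:00",  # co-spend tying exch_hot_1 to an attributed address
     "inputs": [("exch_hot_1", btc(3)), ("known_exchange_addr", btc(1))],
     "outputs": [("customer_w", btc(3.99))]},
]
KNOWN_LABELS = {"known_exchange_addr": "ExchangeX"}  # assumed attribution, stands in for WalletExplorer's labels

def output_total(tx):
    return sum(v for _, v in tx["outputs"])

def candidate_payments(txs, day, lo_btc, hi_btc):
    """Blockchair-style filter: txs on `day` with output total in [lo, hi] BTC, narrowed to the
    1-input/2-output shape of an ordinary payment plus change. Returns txids in chain order."""
    return [tx["txid"] for tx in txs
            if tx["time"].startswith(day)
            and btc(lo_btc) <= output_total(tx) <= btc(hi_btc)
            and len(tx["inputs"]) == 1 and len(tx["outputs"]) == 2]

def chain_roots(txs, txids):
    """Drop candidates that merely spend another candidate's output; the root is funded from outside."""
    by_id = {tx["txid"]: tx for tx in txs}
    produced = {a for t in txids for a, _ in by_id[t]["outputs"]}
    return [t for t in txids if not any(a in produced for a, _ in by_id[t]["inputs"])]

def cluster_by_common_input(txs):
    """Common-input-ownership heuristic (a WalletExplorer 'wallet'): all inputs of one tx are assumed
    to share an owner. Union-find over input addresses; returns address -> cluster root."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        addrs = [a for a, _ in tx["inputs"]]
        first = find(addrs[0])
        for r in {find(a) for a in addrs}:
            parent[r] = first
    return {a: find(a) for a in list(parent)}

def cluster_label(addr, clusters, known):
    """Propagate an attributed address's label to every address in its cluster."""
    root = clusters.get(addr)
    return next((lbl for k, lbl in known.items() if root and clusters.get(k) == root), None)

def consolidation_txs(txs, min_inputs=3):
    """Many-inputs/one-output sweeps: the shape of an exchange moving deposits to cold storage."""
    return [tx["txid"] for tx in txs if len(tx["inputs"]) >= min_inputs and len(tx["outputs"]) == 1]

def spends_of(txs, addr):
    """Next hops of coins held at `addr`: (txid, destination, sats) for each output of a spending tx."""
    return [(tx["txid"], d, v) for tx in txs
            if any(a == addr for a, _ in tx["inputs"]) for d, v in tx["outputs"]]

def trace_ransom(txs, day, lo_btc, hi_btc, known):
    """Find the payment, follow its larger (non-change) output one hop, label each destination by
    cluster. Returns (payment_addr, destination, btc, label_or_None) rows."""
    clusters = cluster_by_common_input(txs)
    by_id = {tx["txid"]: tx for tx in txs}
    rows = []
    for txid in chain_roots(txs, candidate_payments(txs, day, lo_btc, hi_btc)):
        pay_addr = max(by_id[txid]["outputs"], key=lambda o: o[1])[0]  # larger output = payment
        for _, dest, v in spends_of(txs, pay_addr):
            rows.append((pay_addr, dest, v / SATS, cluster_label(dest, clusters, known)))
    return rows

if __name__ == "__main__":
    for row in trace_ransom(TXS, "2021-05-08", 74, 76, KNOWN_LABELS):
        print(row)
    print("consolidation sweeps:", consolidation_txs(TXS))
```

Two caveats a practitioner should keep in mind when reading results like the ones in this thread: the common-input heuristic is exactly what CoinJoin and PayJoin transactions are designed to break, so one mixed transaction in a cluster can merge unrelated owners; and landing a deposit address in an exchange's cluster only establishes custody (who can be served a warrant), not which customer account it belonged to, which is the part the blacked-out affidavit would carry.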