A question no one is asking about the Colonial Pipeline ransom attack

Reading multiple reviews and analysis on recent ransomware attacks, especially the most famous one on Colonial Pipeline which paid a ransom of 75 bitcoins (about $4 million), I am seeing a lot of discussion about what the victims did wrong and how they can avoid such attacks in the future. But no one is asking (let alone answering) a very simple question: What did the hackers do wrong that allowed the FBI to recover at least a half of the ransom already successfully transferred to them by Colonial Pipeline? And an even more important question: How did they make the mistake of allowing their transaction to be traced?

For anyone working with blockchain tech, it is obvious that ransomware hackers who use bitcoin for the payoff don’t care much about their anonymity. People dealing with crypto know that bitcoin is a pseudonymous cryptocurrency, meaning that it does provide some basic degree of anonymity, but scrutinization of the bitcoin blockchain unleashes a lot of information about both the sender and the recipient. And, of course, all the details of transfers and their amounts are publicly visible to anyone. So using bitcoin as a payment method, especially for illegal activity such as ransom is extremely dangerous for the attackers. They can be easily traced and caught, and their money can be seized. The probability that the Colonial Pipeline attackers didn’t know such basics about crypto is near zero. They would certainly have known there are well-developed privacy-centric cryptocurrencies tht provide almost absolute anonymity and security to their users.

Monero is one outstanding example; it hides all the details of its transactions from public view, including the sender, the recipient, and the transfer amount. And it is very liquid, with a market capitalization of more than $4.5 billion and a presence on most cryptocurrency exchanges. So why did the attackers not use it — or another privacy-centric cryptocurrency? There are two possible answers to this question. I don’t know which one is right.

The first possibility is that they simply didn’t care. Most are probably located in the hacker-haven countries such as Russia, China, North Korea, or Iran, that don’t have extradition agreements with the West. So they are not afraid of the FBI, not worried about being caught, and simply did not think the law enforcement agencies would be clever enough to find a way to seize their money. The second possibility is that they intentionally used bitcoin so that they would be traced and clues about their location would be exposed. In this scenario, the attack would have been more than just a commercial transaction; it would have been a demonstrative action.

As I said, I don’t know the right answer, but there is an important outcome of this attack, especially if it was a commercial one. Attackers are learning, and for the future attacks, other hackers, whose interests are purely commercial, will be using better methods that will allow them to slip away unnoticed while keeping their money (well, our money) safe. So it’s important that companies brace for impact.

While ransomware sounds terrible for most people, the security community knows how to avoid those attacks, so there is no reason companies shouldn’t be protected. A “Zero trust” architecture, with total multi-factor authentication coverage will deter hackers and prevent security breaches. Security is not free, but recent examples show that ignoring reality can be much more expensive.

Slava Gomzin is Director of Payments and Cybersecurity at Toshiba Global Commerce Solutions and an expert in blockchain technology. He is author of Hacking Point of Sale and Bitcoin for Nonmathematicians. He is also Co-founder of the Lyra blockchain.