How could the FBI recover BTC from Colonial's ransomware payment? (Security News, June 2021)
Even though law enforcement groups around the world urge ransomware victims not to pay up, Colonial apparently decided to hand over what was then $4.4 million in bitcoins anyway.
Sadly, the value of Bitcoin has taken a tumble since last month, so even though 85% of the bitcoins involved in the blackmail payment were recovered, they're now worth about 50% of what they cost when Colonial purchased them to do its deal with the criminals.
Every Bitcoin payment ends up in someone's Bitcoin wallet, and every wallet has a private key by means of which the contents of that wallet can be spent, i.e. transferred onwards to someone else's Bitcoin wallet.
That, simplified yet further, is very loosely how BTC transactions work: your Bitcoin wallet address, derived from your public key, can be used by anyone to "lock away" funds so that they "belong" to you.
If the FBI were able to get hold of the private key of the Bitcoin wallet or wallets where Colonial's ransom payment ended up, then it could simply transfer those funds to itself, whether it knew who owned those wallets or not.
As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim's ransom payment, had been transferred to a specific address, for which the FBI has the "private key," or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address.