No the FBI Are Not Sending Bitcoins to the Shadowbrokers

A few days ago someone made the following post which suggested the FBI were sending bitcoin from the wallet where all of the seized coins from Silkroad were sent to the ShadowBrokers auction address; furthermore, the explanation was given that they were trying to “chum the water” and enable them to track transactions when the ShadowBrokers decide to launder and withdraw the money. I tried hard to nip this story in the bud, but ultimately I woke up this morning to find it had made various tech news sites (here, and here). I can’t really say whether the article that started this off was an honest mistake or a troll, but I’m leaning towards the latter as multiple people have called out the author in question but the article still has not been removed or amended.


Chumming The Water

So let’s assume the FBI sent bitcoin to the ShadowBrokers wallet (spoiler, they didn’t). The given reason was that it was some attempt to track the bitcoins in the account when they ultimately get laundered; this might make sense to you at first if you don’t stop and think about it. Let’s assume I want to track some wire transfers: do I need to send money to the account I want to track, or do I just subpoena the bank for their wire transfer logs? I think we know the answer here. Now when it comes to bitcoin, you can go ahead and put those subpoena forms back in the drawer: ALL bitcoin transactions are displayed in a public ledger known as “The Blockchain” which can be browsed by ANYONE. So if I’m looking to track someone’s bitcoin transactions and I already have complete and unrestricted access to all past, present, and future transaction data, why on earth would I need to send bitcoin to any addresses?

The other given theory is it was a joke from the FBI, an organization worldwide renowned for their sense of humor. So my assumption is the chain of custody works something like this: Special Agent Sir Trollalot contacts his superior and asks for access to the wallet where the seized coins are kept, allowing him to pursue the noble cause of funding what is likely an enemy nation-state actor, for shits and giggles; then I guess his great request is passed up the chain of command until it’s signed off by someone very senior who also for some reason thinks this is a great idea. Yeah, no.


The Actual Transaction

So as I hinted earlier, the whole story doesn’t end at the stupid explanation for what happened, because what happened never actually happened.

Let’s look at the transaction in question, transaction fb4627c976f2292a5b3f12c6bf8b7964e037628714cd90c2cc55043a023cf1c4:



Now if someone told you that the Silkroad Seized Coins address (1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX) sent bitcoin to the ShadowBrokers (19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK) and you saw the above transaction (both stated addresses appear in the same transaction), you might believe them.

But, let’s break it down using my superior MS Paint illustrating ability.


What you’re seeing here is something called a multi-output transaction: one address (12efxuRxVcaVY2NWKS8DVDGVGgvXxyG2Qk) sends bitcoin to multiple addresses (12efxuRxVcaVY2NWKS8DVDGVGgvXxyG2Qk, 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK, 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX). So what happened here is some troll sent 0.00204626 bitcoin to themselves, 0.001 bitcoin to the ShadowBrokers, 0.001 bitcoin to the Silkroad Seized Coins address, and 0 bitcoin to an address that could not be decoded (likely a null transaction). What you’re seeing is someone sending bitcoins TO the FBI AND the ShadowBrokers, not the FBI sending to the ShadowBrokers or the ShadowBrokers sending to the FBI. We can further confirm this by looking at the Silkroad Seized Coins address (1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX), where you can see only deposits (green arrows) and no withdrawals (red arrows) have been made since before the ShadowBrokers came to town.
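To make the point concrete, here is an added Python model of the transaction above (example code, not from the original post): the inputs of a transaction decide who sent, the outputs decide who received, so two addresses appearing in the same transaction says nothing about one paying the other. The single input address is an assumption; the output amounts are the ones stated in the post.

```python
from dataclasses import dataclass, field
from typing import Optional

SILKROAD_SEIZED = "1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX"
SHADOWBROKERS = "19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK"
TROLL = "12efxuRxVcaVY2NWKS8DVDGVGgvXxyG2Qk"


@dataclass
class Output:
    address: Optional[str]  # None when the output script does not decode to an address
    satoshis: int


@dataclass
class Tx:
    txid: str
    inputs: list  # addresses whose coins are being spent
    outputs: list = field(default_factory=list)


def senders(tx):
    """The only parties who 'sent' anything in a transaction are its inputs."""
    return set(tx.inputs)


def paid_by(tx, sender, recipient):
    """Satoshis moved from sender to recipient, or None if sender is not an input at all."""
    if sender not in senders(tx):
        return None
    return sum(o.satoshis for o in tx.outputs if o.address == recipient)


def flows(history, address):
    """Count deposits (address in outputs) and withdrawals (address in inputs)."""
    deposits = sum(1 for tx in history if any(o.address == address for o in tx.outputs))
    withdrawals = sum(1 for tx in history if address in tx.inputs)
    return deposits, withdrawals


# Constructed model of the transaction in the post: the input side is simplified
# to a single assumed address; amounts are the post's values in satoshis.
TX = Tx(
    txid="fb4627c976f2292a5b3f12c6bf8b7964e037628714cd90c2cc55043a023cf1c4",
    inputs=[TROLL],
    outputs=[
        Output(TROLL, 204626),           # 0.00204626 BTC back to the sender
        Output(SHADOWBROKERS, 100000),   # 0.001 BTC
        Output(SILKROAD_SEIZED, 100000), # 0.001 BTC
        Output(None, 0),                 # undecodable zero-value output
    ],
)

if __name__ == "__main__":
    print(paid_by(TX, SILKROAD_SEIZED, SHADOWBROKERS))  # None: seized-coins address is not an input
    print(paid_by(TX, TROLL, SHADOWBROKERS))            # 100000
    print(flows([TX], SILKROAD_SEIZED))                  # (1, 0): a deposit, no withdrawal
```

Run against a real address history, the `flows` check is the "green arrows only" observation in the post: an address that appears only in outputs has never spent anything.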



If you’re a journalist for a tech news site (or really any news site), it might pay to just verify data you read off of some random blog (including this one); it has become way too easy to spread misinformation or straight up troll because people take everything “security experts” say at face value with no verification.

Now before anyone comes up with any conspiracies about the FBI being behind the rickroll of the ShadowBrokers bitcoin address, here is the message “MalwareTech is love, MalwareTech is life.” signed with the private key of 1never9kNNkr27UseZSHnaEHg1z8v3Mbb:




