No the FBI Are Not Sending Bitcoins to the Shadowbrokers


A few days ago someone made a post suggesting the FBI were sending bitcoin from the wallet where all of the coins seized from Silkroad were sent, to the ShadowBrokers auction address; the explanation given was that they were trying to “chum the water” so they could track transactions when the ShadowBrokers decide to launder and withdraw the money. I tried hard to nip this story in the bud, but I woke up this morning to find it had made various tech news sites (here, and here). I can’t really say whether the article that started this off was an honest mistake or a troll, but I’m leaning towards the latter, as multiple people have called out the author in question and the article still has not been removed or amended.


Chumming The Water

So let’s assume the FBI sent bitcoin to the ShadowBrokers wallet (spoiler: they didn’t). The given reason was that it was some attempt to track the bitcoins in the account when they ultimately get laundered; this might make sense at first if you don’t stop and think about it. Let’s say I want to track some wire transfers: do I need to send money to the account I want to track, or do I just subpoena the bank for their wire transfer logs? I think we know the answer here. When it comes to bitcoin, you can put those subpoena forms back in the drawer: ALL bitcoin transactions are displayed in a public ledger known as “The Blockchain”, which can be browsed via blockchain.info by ANYONE. So if I’m looking to track someone’s bitcoin transactions and I already have complete and unrestricted access to all past, present, and future transaction data, why on earth would I need to send bitcoin to any address?

The other theory given is that it was a joke from the FBI, an organization renowned worldwide for its sense of humor. So my assumption is the chain of custody works something like this: Special Agent Sir Trollalot contacts his superior and asks for access to the wallet where the seized coins are kept, allowing him to pursue the noble cause of funding what is likely an enemy nation-state actor, for shits and giggles; then his request is passed up the chain of command until it’s signed off by someone very senior who, for some reason, also thinks this is a great idea. Yeah, no.


The Actual Transaction

So as I hinted earlier, the story doesn’t end at the stupid explanation for what happened, because what supposedly happened never actually happened.

Let’s look at the transaction in question, transaction fb4627c976f2292a5b3f12c6bf8b7964e037628714cd90c2cc55043a023cf1c4:


[Image: trollsaction]

Now if someone told you that the Silkroad Seized Coins address (1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX) sent bitcoin to the ShadowBrokers (19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK) and you saw the above transaction (both stated addresses appear in the same transaction), you might believe them.

But, let’s break it down using my superior MS Paint illustrating ability.

[Image: trollsaction2]

What you’re seeing here is something called a multi-output transaction: one address (12efxuRxVcaVY2NWKS8DVDGVGgvXxyG2Qk) sends bitcoin to multiple addresses (12efxuRxVcaVY2NWKS8DVDGVGgvXxyG2Qk, 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK, 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX). So what happened here is some troll sent 0.00204626 bitcoin to themselves, 0.001 bitcoin to the ShadowBrokers, 0.001 bitcoin to the Silkroad Seized Coins address, and 0 bitcoin to an address that could not be decoded (likely a null output). What you’re seeing is someone sending bitcoins TO the FBI AND the ShadowBrokers, not the FBI sending to the ShadowBrokers or the ShadowBrokers sending to the FBI. We can further confirm this by looking at the Silkroad Seized Coins address (1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX), where you can see only deposits (green arrows) and no withdrawals (red arrows) have been made since before the ShadowBrokers came to town.
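The same reasoning, as an added example that is not part of the original post: only an address that appears in a transaction's inputs has spent anything, so the direction of a multi-output transaction can be read off mechanically. The transaction below is constructed by hand from the figures above in a shape resembling blockchain.info's JSON (values in satoshi); the input value is not given on the page and is omitted.

```python
# Added example (not from the original post): read the direction of a
# multi-output transaction from its inputs and outputs. The dict below is a
# hand-constructed rendering of the transaction discussed above; the JSON
# layout mimics blockchain.info's "inputs"/"out" fields, values in satoshi.
SEIZED = "1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX"   # Silkroad seized coins
BROKERS = "19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK"  # ShadowBrokers auction address
TROLL = "12efxuRxVcaVY2NWKS8DVDGVGgvXxyG2Qk"    # the address that actually paid

TX = {
    "hash": "fb4627c976f2292a5b3f12c6bf8b7964e037628714cd90c2cc55043a023cf1c4",
    "inputs": [{"prev_out": {"addr": TROLL}}],
    "out": [
        {"addr": TROLL, "value": 204626},      # 0.00204626 BTC back to the sender
        {"addr": BROKERS, "value": 100000},    # 0.001 BTC to the ShadowBrokers
        {"addr": SEIZED, "value": 100000},     # 0.001 BTC to the seized-coins address
        {"value": 0},                          # undecodable / null output, no address
    ],
}

def senders(tx):
    """Addresses that spent coins in this transaction: only inputs can do that."""
    return {i["prev_out"]["addr"] for i in tx["inputs"] if "addr" in i["prev_out"]}

def received(tx, addr):
    """Satoshi paid to addr by this transaction; outputs without an address are skipped."""
    return sum(o["value"] for o in tx["out"] if o.get("addr") == addr)

def direction(tx, addr):
    """'sent', 'received', 'both' (spend with change back to self) or 'none'."""
    spent = addr in senders(tx)
    got = received(tx, addr) > 0
    return {(True, True): "both", (True, False): "sent",
            (False, True): "received"}.get((spent, got), "none")

def ever_withdrew(history, addr):
    """True if addr appears as an input in any transaction of its history."""
    return any(addr in senders(tx) for tx in history)

def explain(tx):
    """One line per decodable output, attributing each payment to the input address(es)."""
    src = ",".join(sorted(senders(tx)))
    return [f"{src} -> {o['addr']}: {o['value'] / 1e8:.8f} BTC"
            for o in tx["out"] if o.get("addr")]

if __name__ == "__main__":
    for line in explain(TX):
        print(line)
    print("seized-coins address spent anything?", ever_withdrew([TX], SEIZED))
```

Run against a full address history pulled from a block explorer, `ever_withdrew` is the programmatic form of the "green arrows only" check described above.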


Conclusion

If you’re a journalist for a tech news site (or really any news site), it might pay to verify data you read off some random blog (including this one). It has become far too easy to spread misinformation or straight-up troll, because people take everything “security experts” say at face value with no verification.

Now before anyone comes up with any conspiracies about the FBI being behind the rickroll of the ShadowBrokers bitcoin address, here is the message “MalwareTech is love, MalwareTech is life.” signed with the private key of 1never9kNNkr27UseZSHnaEHg1z8v3Mbb:
GzmjWJ/nUtiv76lTWLtp5uSzIiZNCiLV6agdIEF/AJoDaElV8jjrk/hdndOR+2Chbdm1ItEpZOApC+fP9NIKeHA=

[Image: TrolledSoftly]
