FBI agents posed as cybercriminals to bring down the Hive ransomware gang, which hit some 1,500 organizations in more than 80 countries

2:23 pm, February 2, 2023

A joint operation by the Federal Bureau of Investigation, the U.S. Department of Justice, and German and Dutch police has resulted in the dismantling of one of the largest ransomware networks, Hive. According to a former intelligence agent, the Hive gang either had an undercover FBI agent working inside it or the Bureau recruited someone from within Hive.

The attackers targeted schools, banks, and hospitals in more than 80 countries. Since June 2021, approximately 1,500 organizations around the world have fallen victim to them, and the operators and their affiliates have collected more than $100 million in cryptocurrency ransoms. The FBI infiltrated the Hive network in July 2022, and since then law enforcement has obtained and handed over more than 1,300 decryption keys, letting victims recover their files without paying.

How did FBI agents infiltrate Hive? According to former FBI Special Agent in Charge Darren Mott, one of the obvious signs of an insider in the gang was an unsecured decryption key. Former FBI advisor Chris Pearson emphasized that the operation could have combined two approaches. For example, the authorities could have recruited an insider who then invited "their" person to join the team.

Alternatively, FBI operators could have broken into the Hive infrastructure without any inside help. Once inside, the agents tracked the cybercriminals' activity on the network. "Basically, they hack into the environment, sit back and watch, and gather information about the operation, just like cybercriminals do when they attack a company," Pearson said.

How did the scheme work? First, the attackers exfiltrated confidential data, such as emails, documents, and other files, and then encrypted the victim's systems. They then demanded a ransom in bitcoin from the owners of the data in exchange for a decryption key and a promise to delete the stolen copies and keep them confidential. If a victim refused to pay, Hive published the stolen data on its darknet leak site. This double-extortion model means that restoring from backups alone does not end the pressure on a victim.

Why didn't the hackers realize they had been compromised? The FBI quietly provided more than 1,000 decryption keys to Hive victims, yet the gang did not notice that so many of its attacks were failing to produce payments. One likely reason is Hive's RaaS (Ransomware-as-a-Service) model: the core operators had so many affiliates running attacks that they did not closely track individual victims. The cybercriminals might not have suspected anything at all had some victims who decided to cooperate with law enforcement not spoken publicly about their losses.

Why did the FBI wait six months? According to Randy Pargman, a former member of the FBI Cyber Task Force, the longer the FBI stayed inside the group, the better its chances of taking Hive down for good. Had the Bureau's operators shut down the Hive server immediately, the attackers would simply have stood up a new one and carried on. Instead, law enforcement monitored the existing server, collected intelligence on the operation, and quietly passed decryption keys to victims before finally seizing the infrastructure.

The takedown of the Hive network is not the FBI's only recent success against cryptocurrency-related crime. In November 2022, Estonian police, together with FBI specialists, arrested the two founders of HashFlare, a bitcoin cloud-mining service. Sergei Potapenko and Ivan Turõgin are charged with cryptocurrency fraud amounting to $575 million.
