My hunch is that there was indeed a cooperating exchange.
@JordanSchachtel has posted a lot of interesting tweets recently and in one of them he mentions being a "Coinbase wallet".
- I'm still not sure which one is the real reason... I don't know how Jordan Schachtel came up with his theory that the ransom funds were recovered from a Coinbase wallet. Our very own NotATether, however, thinks the ransom funds were recovered from a Binance wallet. He/she had done his/her own tracking of the funds, and it ended up linked to a Binance.com address.
Either way, the point is that the ransom funds were most probably stored in a centralized exchange where the private keys are in the hands of the company, making them a lot easier to recover. The hackers were good in that they were able to hack Colonial Pipeline but poor in that they stored their proceeds in a wallet which is not under their sole control. Bad move!