How the FBI hacked Hive
The bureau is trying to take the fight to foreign ransomware gangs, even if it means giving up on bringing some of them behind bars.
When the FBI took down a notorious cybercrime gang known as Hive earlier this year, it did so without arresting a single person.
It was a coup that reflects a notable change in the way the agency fights cybercrime — focusing on outwitting hackers and disrupting them from afar rather than detaining them. Most cybercriminals operate in countries that are beyond the reach of U.S. law enforcement.
It would have been “heresy” by the old standards of the bureau to celebrate a major case like that without an arrest, deputy attorney general Lisa Monaco said at the RSA security conference in April. But now, she continued, “we’re not measuring our success only with courtroom actions.”
Hive was once one of the world’s most prolific criminal syndicates, notorious for shutting down the networks of American schools, businesses and health care facilities — and then demanding ransoms to restore access. But FBI field agents in Florida managed to unravel the group using little more than a keyboard, first hacking their way into Hive’s network in July 2022, and then undermining its extortion efforts by helping targeted organizations unlock their systems on their own.
The FBI estimates it saved victims across the globe roughly $130 million with the sting — a feat that proves the effectiveness of the approach, said Adam Hickey, the deputy assistant attorney general in the Justice Department’s national security division at the time of the Hive takedown. “You’d have to be a gorilla to think that putting people in jail is the only way to counter the cyber threat,” said Hickey, now a partner at law firm Mayer Brown.
But the approach also has its limits. POLITICO interviews with FBI officials behind the effort and independent cybersecurity experts provide fresh details on how the FBI pulled off the sting and why it could often only weaken — and not quite extinguish — the Hive operation.
The effort to infiltrate the gang was long and labor-intensive. And while the FBI’s digital sabotage yielded temporary gains, the criminals — still at large — now can regroup and start over again, knowing full well that U.S. law enforcement is on their heels.
“Unless you’re taking down the leadership and literally locking them up, it's highly unlikely you’ll be able to stop ‘ransomware’ groups from resurfacing in a meaningful way,” said Kurtis Minder, CEO of cybersecurity company GroupSense, who has acted as a ransomware negotiator on behalf of several victims.
The FBI is "doing the best with what they have,” Minder said. Still, “it’s fairly simple for these folks to spin back up again.”
Hive first came on the FBI’s radar in July 2021. As high-profile ransomware groups were launching a wave of crippling attacks on American gas pipelines and meat processors, the then-unknown Hive gang locked up the network of an undisclosed organization in Florida.
Because it was Hive’s first known attack within the United States, FBI procedure dictated that the Tampa field office, the bureau’s closest to the victim, would assume responsibility for all future Hive cases.
Justin Crenshaw, a supervisory special agent in the Tampa office, said he and his team “knew nothing” about the group at the time, but quickly dug in.
Over the next 18 months, Hive launched upward of 1,500 attacks across the globe and collected roughly $100 million in cryptocurrency from its victims, according to estimates from U.S. law enforcement. The group expanded so fast, in part, by turning ruthlessness into a powerful engine of growth, targeting organizations, such as hospitals and health care providers, that other cybercriminals had declared off limits.
As Hive launched one attack after another, the Tampa agents interviewed every victim who came forward to the bureau, a process that slowly yielded valuable intelligence about the gang.
They learned, for example, how Hive was not exactly one group but several, closer to a branded franchise like McDonald’s than a tight-knight mafia. The group ran what cybercrime experts call a ransomware-as-a-service model, in which the Hive’s core members rent encryption software to a vast web of other criminals, or “affiliates,” who specialize in penetrating networks and deploying the ransomware payload.
Twelve months after that first case hit the Tampa desk, Crenshaw finally had a breakthrough.
He found a way to break into the group’s remote administration panel, a digital nerve center where gang members safeguard the keys that allow them to scramble — and then “save” — the data of every hospital, school, and small business that fell within their grasp.
Crenshaw and Bryan Smith, a section chief for the FBI’s cyber criminals operations section, did not specify how they pulled that feat off. Smith would only say it came about through “really basic investigative activity that doesn't make for great TV, but makes for great cases.”
The coup nonetheless presented the FBI with a remarkable opportunity: the power to identify Hive’s victims as soon as the group attacked them, and then pass them the same decryption keys they needed to restore their networks.
For the next six months, FBI Tampa provided keys to more than 300 new victims across the globe.
Crenshaw’s team became so good at offering technical assistance to victims it eventually gave itself a sly nickname, Crenshaw said: “Hive helpdesk.”
But the FBI’s success infiltrating Hive never translated to the group’s wholesale demolition.
According to data compiled by researcher Allan Liska and shared exclusively with POLITICO, the group maintained a steady pace of attacks even as the FBI lurked inside it.
On a dark website where Hive posted the names and sensitive information of victims who were refusing to pay, it listed seven victims in August, eight in September, seven in October, nine in November and 14 in December — figures that were consistent with pre-infiltration tallies.
And even if victims get a decryption key, it can take several weeks and boatloads of cash to restore their networks, said Liska, a ransomware tracker at cybersecurity firm Recorded Future.
“Recovery is expensive, especially if you don't want to get hit again,” he argued.
One reason Hive appears to have remained so active is that it learned it could exert additional pressure on victims by threatening to leak their sensitive files onto the web — a threat the FBI could do little to stop until much later.
Even today, Hive members likely remain active under a new name, argued Minder, of GroupSense.
Last month, the U.S. Justice Department unsealed an indictment against a Russian national accused of working as an affiliate for Hive. That individual, Mikhail Matveev, not only remains at large, he has also worked for two other ransomware groups — a sign of how easy it is for hackers to float between gangs and resurface if one collapses.
It’s a tradeoff the bureau believes is worth it, especially given the risk that arrests may never come. Hive is believed to operate safely from within Russia, like many other ransomware gangs today.
Rob Joyce, director of NSA’s cybersecurity directorate, said the strategy is to undermine trust in the criminal ecosystem.
Operations like the Hive takedown “have a lot of criminals looking left and right, not sure who they can trust or what they can believe,” Joyce said. “That overall friction slows them down and inhibits their ability to operate at scope and scale.”
Over time, the approach can also turn up surprising wins, as the Hive operation demonstrated not once but twice.
Sometime in early January of this year, the Tampa field office came to its second major discovery, one that would change the Hive case for good.
On the basis of more meticulous investigative work, the FBI learned that Hive had rented the primary servers it used to stage its attacks from a data center in Los Angeles. Just two weeks later, it seized the hardware. Shortly thereafter, it announced the takedown.
Smith said the FBI moved so quickly because it finally saw an opportunity to stop Hive in its tracks. Until then, he said, the operation “was always happening in arrears.”
Still, Smith and Crenshaw said the case didn’t end at the podium, since Hive members are still out there. And the two servers may even help the FBI unmask the web of affiliates who worked with Hive over those 18 months — meaning the takedown may lead to more arrests over the long term, not fewer.
“For us,” Crenshaw said, “that’s just round one.”