research-article

A Large-scale Empirical Analysis of Ransomware Activities in Bitcoin

Published: 22 December 2021

Abstract

Exploiting the anonymous mechanism of Bitcoin, ransomware activities demanding ransom in bitcoins have become rampant in recent years. Several existing studies quantify the impact of ransomware activities, mostly focusing on the amount of ransom. However, victims’ reactions in Bitcoin, which reflect the impact of ransomware activities well, have been largely neglected. In addition, existing studies track ransom transfers at the Bitcoin address level, which makes it difficult for them to uncover the patterns of ransom transfers from a macro perspective beyond Bitcoin addresses.

In this article, we conduct a large-scale analysis of ransom payments, ransom transfers, and victim migrations in Bitcoin from 2012 to 2021. First, we develop a fine-grained address clustering method to cluster Bitcoin addresses into users, which enables us to identify more addresses controlled by ransomware criminals. Second, motivated by the fact that Bitcoin activities and their participants have already formed stable industries, such as Darknet and Miner, we train a multi-label classification model to identify the industry identifiers of users. Third, we identify ransom payment transactions and then quantify the amount of ransom and the number of victims in 63 ransomware activities. Finally, after analyzing the trajectories of ransom transferred across different industries and tracking victims’ migrations across industries, we find that, to obscure the purposes of their transfer trajectories, most ransomware criminals (e.g., operators of Locky and Wannacry) prefer to spread ransom into multiple industries instead of utilizing the services of Bitcoin mixers. Compared with other industries, Investment is highly resilient to ransomware activities in the sense that the number of users in Investment remains relatively stable. Moreover, we also observe that a few victims become active in the Darknet after paying ransom. Our findings in this work can help authorities gain a deeper understanding of ransomware activities in Bitcoin. While our study focuses on ransomware, our methods are potentially applicable to other cybercriminal activities that have similarly adopted bitcoins as their means of payment.



Published in

ACM Transactions on the Web, Volume 16, Issue 2
May 2022
148 pages
ISSN: 1559-1131
EISSN: 1559-114X
DOI: 10.1145/3506669

Publisher: Association for Computing Machinery, New York, NY, United States

      Publication History

      • Published: 22 December 2021
      • Accepted: 1 October 2021
      • Received: 1 July 2021

      Qualifiers

      • research-article
      • Refereed
