Abstract
Exploiting the anonymous mechanism of Bitcoin, ransomware activities demanding ransom in bitcoins have become rampant in recent years. Several existing studies quantify the impact of ransomware activities, mostly focusing on the amount of ransom. However, victims’ reactions in Bitcoin, which can well reflect the impact of ransomware activities, have been largely neglected. Besides, existing studies track ransom transfers at the Bitcoin address level, which makes it difficult to uncover the patterns of ransom transfers from a macro perspective beyond Bitcoin addresses.
In this article, we conduct a large-scale analysis of ransom payments, ransom transfers, and victim migrations in Bitcoin from 2012 to 2021. First, we develop a fine-grained address clustering method to cluster Bitcoin addresses into users, which enables us to identify more addresses controlled by ransomware criminals. Second, motivated by the fact that Bitcoin activities and their participants have already formed stable industries, such as
A Large-scale Empirical Analysis of Ransomware Activities in Bitcoin