
Analysis shows that ransomed entities (e.g., companies, municipalities, hospitals) behave similarly when paying the ransom. First, the entity uses an online exchange to buy coins. The exchange facilitates this process by matching sellers to the coin buyer. An address a1 is created for the entity and the bought coins are directed into it. As the ransom is usually a high amount, the inputs of this transaction can be hundreds of addresses each contributing small coin amounts.

Figure: Ransomware payments. Anatomy of a ransomware payment to a0.

This phenomenon is shown as the transaction t1 in the figure above. Usually, t1 has hundreds of inputs and one or two outputs, where the output amount is higher than the ransom amount so that a transaction fee can be paid in the ransom payment that follows. The transaction t2 is the ransom payment. If there is a change amount left over from the ransom, it is directed to a2. In 86.06% of ransom payments, t2 has one or two output addresses. An interesting fact is that the time difference between t1 and t2 is usually around 24 hours. This implies that there is a significant time gap between agreeing to pay and making a payment.
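The t1/t2 pattern described above can be written as a screening heuristic over a transaction list. This is an added example, not the dataset's baseline method or code from the Chartalist authors; the `Tx` record, the `min_inputs=100` threshold, the 12 to 36 hour window and all sample addresses and amounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Tx:
    txid: str
    time: int      # block time, Unix seconds
    inputs: list   # addresses being spent
    outputs: dict  # address -> amount in satoshis

def find_ransom_like_chains(txs, min_inputs=100, gap_hours=(12, 36)):
    """Return (t1, t2, a1, gap_h) for funding/payment pairs matching the pattern.
    min_inputs and gap_hours are assumed thresholds, not values from the dataset."""
    hits = []
    for t1 in txs:
        # t1: many small inputs collected into one or two outputs
        if len(t1.inputs) < min_inputs or not 1 <= len(t1.outputs) <= 2:
            continue
        for a1, funded in t1.outputs.items():
            for t2 in txs:
                gap_h = (t2.time - t1.time) / 3600
                if (t2.inputs == [a1]                          # t2 spends only a1
                        and 1 <= len(t2.outputs) <= 2          # ransom, optional change
                        and sum(t2.outputs.values()) < funded  # remainder pays the fee
                        and gap_hours[0] <= gap_h <= gap_hours[1]):
                    hits.append((t1.txid, t2.txid, a1, round(gap_h, 1)))
    return hits

def sample_txs():
    """Constructed sample data; addresses and amounts are made up."""
    day = 24 * 3600
    sellers = [f"s{i}" for i in range(150)]
    return [
        Tx("t1", 0, sellers, {"a1": 500_100_000}),
        Tx("t2", day, ["a1"], {"a0": 490_000_000, "a2": 10_000_000}),
        # many inputs but spent after one hour: outside the assumed window
        Tx("c1", 0, sellers, {"b1": 300_000_000}),
        Tx("c2", 3600, ["b1"], {"b2": 299_900_000}),
        # ordinary payment with few inputs
        Tx("n1", 0, ["x1", "x2"], {"y1": 50_000_000}),
        Tx("n2", day, ["y1"], {"z1": 49_900_000}),
    ]

if __name__ == "__main__":
    for hit in find_ransom_like_chains(sample_txs()):
        print(hit)
```

A match is only a candidate for review: exchange withdrawals and consolidations can produce the same shape, so the output needs labeled data to confirm it.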

Task: identify transaction patterns that are used in illicit cases. 

Target attribute: None

Full dataset: See Bitcoin transaction network data files.

Cite Our Dataset:

  author    = {Kiarash Shamsi and Yulia R. Gel and Murat Kantarcioglu and Cuneyt G. Akcora},
  title     = {Chartalist: Labeled Graph Datasets for UTXO and Account-based Blockchains},
  booktitle = {Advances in Neural Information Processing Systems 36: Annual Conference
               on Neural Information Processing Systems 2022, NeurIPS 2022, November 29-December
               1, 2022, New Orleans, LA, USA},
  pages     = {1--14},
  year      = {2022},
  url       = {https://openreview.net/pdf?id=10iA3OowAV3}


Our baseline method will be published soon.