Ransomware Payouts Declined in 2022: Crystal Blockchain

Victims of ransomware attacks paid hackers 4.5 times less in crypto in 2022 than in 2021, according to a new report.

Dec 22, 2022 at 10:42 p.m. UTC

Known cryptocurrency payments to ransomware hackers “totaled a mere $16 million, compared to nearly $74 million USD in 2021,” blockchain intelligence firm Crystal Blockchain says.

This may be surprising given that the number of ransomware attacks has increased since 2021, according to cybersecurity researchers. This year, the notorious Conti ransomware gang, known for terrorizing U.S. hospitals during the COVID-19 pandemic, ceased operations, but new groups are constantly emerging.

Nick Smart, Crystal’s director of blockchain intelligence, told CoinDesk it may be too early to conclude that ransomware attacks are in permanent decline.

“Since the Conti leaks, we were able to gather a lot more information on historical ransomware and extortion activity, which is to say we have a better idea of what it was like before. Due to the way ransoms generally work, it’s not possible to tell what happened now as many companies don’t disclose payment information publicly,” Smart said.


Analysis of on-chain activity shows that crypto services with a high money laundering risk score – meaning they receive funds from scams and cybercrime more often than others – are seeing a drop in popularity, the report says.

“We can see that overall, crypto funds are increasingly exchanged between lower-risk [virtual asset service providers] likely due to increased regulation, registration and client expectations,” the report reads.

At the same time, crypto exchanges and services that manage to keep “dirty” crypto out have been further tightening anti-money laundering policies, effectively scaring away criminal actors: “The volume of funds sent to low-risk exchanges from scams fell by 24% in 2022 compared to 2021,” the report said.

Offline wallets, allowing users to directly control their funds, are becoming increasingly popular among crypto users in general, the report says: more funds are being sent to such addresses.

Cross-chain bridges remain popular for illicit transactions. The Bitcoin-to-Ethereum bridge service Ren, for example, received almost half of all crypto from sanctioned entities, the report said. The service, linked to now-failed exchange FTX, is popular among hackers.

“Perhaps the biggest endorsement of this trend was the FTX thief, who almost drained the entire of the protocol’s liquidity crossing chains,” Smart says. That is nothing new: Cybercriminals were actively using Ren before then. However, the recent enforcement actions benefited the protocol.

“I think a lot of the attention on Ren grew after Tornado Cash was sanctioned [by the U.S. Treasury Department], which goes to show that criminals are always evolving tactics to try and beat blockchain intelligence companies and compliance teams,” Smart said.



CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Anna Baydakova

Anna Baydakova was CoinDesk's investigative reporter with a special focus on Eastern Europe and Russia. Anna owns BTC and an NFT.
