Report: CryptoWall Creators Earned $325 Million in Bitcoin Ransoms

A new report looks at the CryptoWall ransomware and its components in an attempt to analyze its success.

AccessTimeIconOct 30, 2015 at 9:00 p.m. UTC
Updated Sep 11, 2021 at 11:58 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

A cyber-security industry group has published new research on the CryptoWall ransomware campaign, finding that the attacks have generated more than $300m in ransom income and stem from a single source or entity.

The report was published earlier this week by the Cyber Threat Alliance, founded by Intel Security, Symantec, Palo Alto Networks and Fortinet. Major takeaways from the organization’s research include evidence of as much as $325m worth of ransomware victim payments and more than 400,000 attempts to infect computers with the third variant of CryptoWall (CW3), many of which appear to have focused on targets in North America.

Backing the idea that the ransomware is sourced to a single entity is evidence found in both the code as well as the web of bitcoin payments trackable on the public blockchain. The report notes that Armenia, Belarus, Iran, Kazakhstan, Russia, Serbia and Ukraine are blacklisted, meaning the malware won’t operate in those regions and suggesting possible points of origin.

The report’s authors add that an analysis of bitcoin transactions tied to known ransom campaigns points to the common use of bitcoin wallets across those campaigns, stating:

"As a result of examining this financial network, it was discovered that a number of primary wallets were shared between campaigns, further supporting the notion that all of the campaigns, regardless of the campaign ID, are being operated by the same entity."

The bitcoins accrued – known ransom demands range from the hundreds to thousands of dollars, according to the report – are then washed through multiple addresses and known bitcoin services, though none are named directly in the report. Some of the funds are essentially reinvested in new exploit kits or rent payments for botnets.

Revenue-wise, the report’s authors note that, for its backers, CryptoWall "is extremely successful and continues to provide significant income".

"One variant alone involved with the 'crypt100' campaign identifier resulted in over 15,000 victims across the globe," the report states. "These 15,000 victims alone would account for, at minimum, roughly $5m in profit for the CW3 group."

Read the full report below:

Image via Shutterstock


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk offers all employees above a certain salary threshold, including journalists, stock options in the Bullish group as part of their compensation.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.