To Catch a Ransomer: How the FBI Chases Crime on the Blockchain

Ever wonder how the FBI catches ransomware perpetrators? This special agent laid out the process in great detail.

AccessTimeIconFeb 1, 2017 at 2:00 p.m. UTC
Updated Sep 11, 2021 at 1:03 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

FBI special agent Joseph Battaglia sits at a desk between a New York police detective and an employee of the Internal Revenue Service (IRS).

Charged with helping oversee investigations at the New York field office of the FBI's cyber division, Battaglia and his colleagues have developed methods for identifying a wide range of online criminal activities, ranging from the use of child porn to espionage.

But during a recent keynote address at Fordham University’s law school in New York City, Battaglia peeled back the curtain of a different kind of investigation. Addressing a group of about 150 law students and others attending the inaugural blockchain initiative hosted by IBM and the university, Battaglia gave a step-by-step account of how he identifies the criminals using cryptocurrency ransomware.

The key to overcoming a range of hurdles in this process, he said, is collaboration between a few key public and private organizations and some 'outside the box' thinking.

Speaking during the keynote address, Battaglia told the audience:

"I can use all these methods to actually identify my subject when my investigation started with nothing more than a complaint from a victim who had a bitcoin address that hadn’t been used on the blockchain yet."

Everything, Battaglia detailed, begins with a single user opening his or her computer and discovering they’ve received an email informing them their files have been locked with "military grade encryption" and won’t be released unless they pay a ransom.

Seventy-five percent of the time that ransom request is denominated in bitcoin, he said, but other cryptocurrencies that have been used include litecoin and the increasingly popular monero.

Typically, the ransom note will include instructions on buying and spending the cryptocurrency of choice.

To pay or not to pay?

At that point, the victim has to decide if they’re going to pay or not.

Though the FBI doesn’t encourage people to give into such demands, Battaglia explained that professional files are sometimes compromised, leaving the victim little choice but to hand over the funds to be able to continue with crucial business.

So pervasive are such attacks that, in 2016, data security firm Citrix published a report showing that small businesses were stockpiling bitcoin in case of a ransom demand. The same year, the US Department of Homeland Security (DHS) funded the development of a bitcoin analysis tool specifically aimed at ransomware.

But even if the victim decides not to pay, the FBI has ways to identify the scope of the attack and the identity of the perpetrator, even on an unused bitcoin address.

"Because the address hasn't been used yet on the bitcoin blockchain," said Battaglia, "there’s not going to be any information I can get on the blockchain yet. But I can take the ransom note and plug it into IC3."

Founded in 2000, the FBI’s Internet Crime Complaint Center (IC3) accepts reports of alleged cyber crimes including theft of intellectual property, corporate espionage and “online extortion” or ransomware.

In September, IC3 published a statement encouraging victims to report ransomware incidents to the FBI, adding that, in the first several months of last year, "global ransomware infections were at an all-time high".

IC3 received over 8,000 complaints in 2015, with a total reported loss of about $275m.

Even if a ransom isn’t paid, Battaglia indicated that his team will compare the ransom demand with those on file at IC3 to look for connections. In similar cases with similar demands, some victims may have decided to pay the ransom, resulting in possibly helpful data for the cases in which the ransom was not paid.

Addresses from victims who did pay are then processed by the FBI’s "blockchain tool" to generate a list of wallets associated with the same "entity" that issued the ransom demand. From the initial pool of addresses that paid, the FBI then searches for connections between the recipient wallet and its expenditures.

While initial data may be limited, as more of the funds are spent the tool accumulates more data, including from 'change addresses' that return satoshis or other denominations to the original recipient wallet.

"I might find that those transactions occur within another cluster of bitcoin addresses that I don’t know anything about," said Battaglia, "and my analysis tool doesn’t know anything about. But I can take those addresses, pull them out, plug them into our case management system."

The same but different

When running the cluster of bitcoin addresses through the FBI’s case management system, Battaglia said he’ll be looking for cases being worked by other agents who have gathered additional identifiable information.

For example, this could be an FBI agent who is working with a "cooperator on a darknet marketplace" and who knows that the funds associated with the addresses are also associated with someone selling extremely popular remote desktop protocol (RDP) credentials for accessing third-party computers from anywhere in the world.

"So now, we have an idea of what’s going on with the ransomware and maybe how the intruder got into the victims’ computers," said Battaglia.

With that information, FBI investigators would then return to the original victim to see if an RDP was being run on his or her computer, and if so, what IP addresses appear in the computer’s logs.

The FBI will look not only for addresses unknown to the victim, but for known addresses being accessed by users who don’t normally log in, or who are logging in during unusual times.

While this information might initially give the victim a way to minimize further attack by changing their login credentials, it won’t necessarily provide much more information about the perpetrator, "So I’ll continue to look on the blockchain and try to find connections to other wallets or clusters of addresses," he said.

Battaglia would now likely start looking for connections across time, such as a monthly payment made from one of the suspicious bitcoin addresses to a bitcoin exchange in the US, on which he could serve a subpoena to learn what the transactions have been paying for.

Once the payment recipient is identified, the investigator will have an IP address of a virtual server with a name and address "that’s probably fake," he said. "I expect it to be fake."

The hustle

At that point, the investigation gets old school.

Battaglia said he would next implement "traditional" investigative techniques, like cross-referencing the addresses on an IP registry, such as the American Registry for Internet Numbers (ARIN) or the Global IP Address Database, to try to identify which connections are being made to the server.

But all that is for naught if the perpetrator has successfully logged into an identity-protecting virtual private network, or VPN.

Last year, Globalwebindex reported that one in four users accessed a VPN daily, with 70% of respondents accessing weekly. In the US, India, and Malaysia, the numbers are even higher, reaching one in three users accessing an identity obscuring VPN daily.

Also of concern to crimefighters, are increasingly sophisticated bitcoin mixers that obscure bitcoin sources and were last week cracked down on in a joint initiative between Europol, Interpol and the Basel Institute on Governance. Developments in cryptocurrency technologies are also an issue; for example, monero, a privacy-enhancing altcoin that doesn’t need to be mixed to be obscured.

"But people get sloppy," Battaglia said.

Evidence of a ransomer who has stopped paying attention to details could include them connecting to the Internet via public Wi-Fi hotspots, relying on the large volume of people at the location to provide a smoke screen to obscure their identity.

The special agent said:

"Through the researchers we have at the bureau, we can then pare through all that data, pare through the databases ... and track subjects very similar to the ones I just described."

Beyond the FBI, beyond bitcoin

Founded at FBI headquarters in 2002, the cyber division now splits its work roughly equally between national security cases and criminal cases, according to Battaglia.

To increase its likelihood of success even further, the organization is comprised of squads scattered around the US, and has partnerships with other agencies, including state police, the IRS, the secret service, and “detectives from all sorts of different law enforcement agencies", he explained.

Battaglia also mentioned partnerships with members of the private sector, which help identify access points used by criminals; "cooperatives" that have got into trouble in the past and later joined investigations as "independent researchers"; and legal attaches around the world.

One of the FBI’s most prominent partners is the Financial Crimes Enforcement Network, which in 2014 helped bring bitcoin into mainstream use when it declared bitcoin exchanges are legally considered money transmitters and need to be licensed as such.

In the future, however, Battaglia said he’s prepared for investigations into applications of blockchain technology beyond just cryptocurrency.

So long as the technology to support a wide range of possible assets includes considerations allowing it to be "audited and inspected properly", Battaglia said "the fact that everything is recorded in a public ledger that’s permanent and not modifiable is very good from an evidence collection perspective".

The human factor

While the FBI has received its share of criticism for having difficulty solving ransomware cases, blockchain analysis startup Chainalysis last year predicted an increase in arrests due to new high-tech partnerships.

But it is at the intersection between high-tech tools and old-fashioned investigation that Battaglia’s boss, supervisory special agent Jay Kramer, thinks the FBI has to continue to improve.

Speaking from the audience at the event, Kramer said that the FBI recognizes the old days of getting "access to content" through wiretaps are largely over.

"We recognize we’re not going to have access to encrypted communications on iPhones, we’re just not going to,” Kramer said. "So what are we doing? Are we just going to wait for a technological solution? No."

Kramer stressed that the FBI must redouble its efforts to develop human resources:

"People who want to report to the FBI the things that they have to offer. The co-conspirator of a bad actor who’s just going to give us that private key, as opposed to us trying some technological means to get the private key."

Images via the author for CoinDesk


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.