US Treasury Tracks $5.2bn of Ransomware Transactions in Six Months


The US Treasury has tracked $5.2bn worth of Bitcoin transactions likely to have been ransomware payments in the first half of 2021.

Its Financial Crimes Enforcement Network (FinCEN) bureau hinted in a new report that even this amount might only be the tip of the iceberg. The figure is linked to the top 10 ransomware variants, but FinCEN said it identified 68 ransomware families in total.

The most frequently reported variants were REvil/Sodinokibi, Conti, DarkSide, Avaddon and Phobos.

The $5.2bn figure is associated with 177 wallet addresses mentioned in the suspicious activity reports (SARs) sent by banks to the authorities to combat financial crime and money laundering.

The number of those SARs related to ransomware has soared over the first half of 2021, FinCEN said.

Some 635 were filed during the reporting period of January 1 to June 30, 2021, up 30% from the total of 487 SARs filed for the entire 2020 calendar year. There were 458 transactions reported in these SARs, and the total value of suspicious activity was $590m, which is more than the value reported for all of 2020 ($416m).

That puts the average value of reported ransomware transactions per month in the first half of 2021 at around $100m, although much activity is not reported.

Although FinCEN couldn’t say with complete certainty that all of the $5bn+ transactions it identified through blockchain analysis were ransomware-related, the figures certainly re-emphasize the huge financial impact of ransomware.

The sum is also linked only to Bitcoin transactions. FinCEN revealed that threat actors are increasingly demanding payments in currencies that are harder to track, like Monero.

It pointed to other anonymity-related tactics growing in popularity, such as avoiding reusing wallet addresses, “chain hopping” – where funds are moved between cryptocurrencies and from one exchange to another – and the use of mixing services and decentralized exchanges to launder proceeds.

FinCEN is mandated to produce much-needed visibility into the sector because of the Anti-Money Laundering Act of 2020 (AMLA), which requests that the agency publish threat patterns and trend information derived from the SARs it receives from banks.
