ransomware defense

Analyzing Ransomware Payment Wallets

Traces ransomware cryptocurrency payment flows using blockchain analysis tools such as Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies wallet clusters, tracks fund movement through mixers and exchanges, and supports law enforcement attribution. Activates for requests involving ransomware payment tracing, bitcoin wallet analysis, cryptocurrency forensics, or blockchain intelligence gathering.

bitcoinblockchaincryptocurrencyforensicsransomwarethreat-intelligence
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • An organization has been hit by ransomware and the ransom note contains a Bitcoin or cryptocurrency wallet address that needs investigation
  • Law enforcement or incident responders need to trace where ransom payments flowed after the victim paid
  • Threat intelligence analysts are attributing ransomware campaigns by clustering payment infrastructure across incidents
  • Investigators need to determine if a ransomware group is reusing wallet infrastructure across multiple victims
  • Compliance or legal teams need evidence of fund flows for prosecution, sanctions enforcement, or insurance claims

Do not use this skill for live payment interception or to interact directly with ransomware operators. All analysis should be passive and read-only against public blockchain data.

Prerequisites

  • Python 3.8+ with requests, json, and hashlib libraries
  • Access to blockchain explorer APIs (blockchain.com, WalletExplorer.com, Blockstream.info)
  • Familiarity with Bitcoin transaction model (UTXOs, inputs, outputs, change addresses)
  • Understanding of common obfuscation techniques (mixers, tumblers, peel chains, cross-chain swaps)
  • Optional: Chainalysis Reactor license for enterprise-grade cluster analysis
  • Optional: OXT.me for advanced transaction graph visualization

Workflow

Step 1: Extract Wallet Address from Ransom Note

Parse the ransom note to identify the payment address(es):

Common address formats:
  Bitcoin (P2PKH):   1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa  (starts with 1)
  Bitcoin (P2SH):    3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy  (starts with 3)
  Bitcoin (Bech32):  bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq (starts with bc1)
  Monero:            4... (95 characters, much harder to trace)
  Ethereum:          0x... (40 hex chars)

Step 2: Query Blockchain Explorer for Transaction History

Retrieve all transactions associated with the wallet:

import requests
 
def get_wallet_transactions(address):
    """Query blockchain.com API for address transactions."""
    url = f"https://blockchain.info/rawaddr/{address}"
    resp = requests.get(url, timeout=30)
    resp.raise_for_status()
    data = resp.json()
    return {
        "address": address,
        "n_tx": data.get("n_tx", 0),
        "total_received_satoshi": data.get("total_received", 0),
        "total_sent_satoshi": data.get("total_sent", 0),
        "final_balance_satoshi": data.get("final_balance", 0),
        "transactions": data.get("txs", []),
    }

Step 3: Map Fund Flow and Identify Clusters

Trace outputs from the ransom wallet to downstream addresses:

Fund Flow Analysis:
━━━━━━━━━━━━━━━━━━
Victim Payment ──► Ransom Wallet ──► Consolidation Wallet
                                  ├─► Mixer/Tumbler Service
                                  ├─► Exchange Deposit Address
                                  └─► Peel Chain (sequential small outputs)
 
Key indicators:
  - Consolidation: Multiple ransom payments aggregated into one wallet
  - Peel chains: Sequential transactions with diminishing outputs
  - Mixer usage: Funds sent to known mixer addresses (Wasabi, Samourai, ChipMixer)
  - Exchange cashout: Deposits to known exchange wallets (Binance, Kraken hot wallets)

Step 4: Cross-Reference with Known Wallet Databases

Check addresses against known ransomware infrastructure:

# Check WalletExplorer for entity identification
def check_wallet_explorer(address):
    url = f"https://www.walletexplorer.com/api/1/address?address={address}&caller=research"
    resp = requests.get(url, timeout=30)
    data = resp.json()
    return {
        "wallet_id": data.get("wallet_id"),
        "label": data.get("label", "Unknown"),
        "is_exchange": data.get("is_exchange", False),
    }

Step 5: Generate Attribution Report

Compile findings into a structured intelligence report:

RANSOMWARE WALLET ANALYSIS REPORT
====================================
Ransom Address:      bc1q...xyz
Family Attribution:  LockBit 3.0 (based on ransom note format)
Total Received:      4.25 BTC ($178,500 at time of payment)
Total Sent:          4.25 BTC (wallet fully drained)
Number of Payments:  3 (likely 3 separate victims)
 
FUND FLOW:
  Payment 1: 1.5 BTC → Consolidation wallet → Binance deposit
  Payment 2: 1.0 BTC → Wasabi Mixer → Unknown
  Payment 3: 1.75 BTC → Peel chain (12 hops) → OKX deposit
 
CLUSTER ANALYSIS:
  Related wallets: 47 addresses identified in same cluster
  Total cluster volume: 156.3 BTC ($6.5M USD)
  First activity: 2024-01-15
  Last activity: 2024-09-22

Verification

  • Confirm wallet address format is valid before querying APIs
  • Cross-reference transaction timestamps with known incident timelines
  • Validate cluster associations by checking common-input-ownership heuristic
  • Compare findings against OFAC SDN list for sanctioned addresses
  • Verify exchange attribution against multiple sources (WalletExplorer, OXT, Chainalysis)

Key Concepts

Term Definition
UTXO Unspent Transaction Output; the fundamental unit of Bitcoin that tracks ownership through a chain of transactions
Cluster Analysis Grouping multiple Bitcoin addresses believed to be controlled by the same entity using common-input-ownership and change-address heuristics
Peel Chain A laundering pattern where funds are sent through many sequential transactions, each peeling off a small amount to a new address
CoinJoin/Mixer Privacy techniques that combine multiple users' transactions to obscure the link between sender and receiver
Common Input Ownership Heuristic that assumes all inputs to a single transaction are controlled by the same entity

Tools & Systems

  • Chainalysis Reactor: Enterprise blockchain investigation platform with entity attribution and cross-chain tracing
  • WalletExplorer: Free tool that clusters Bitcoin addresses and labels known services (exchanges, mixers, markets)
  • OXT.me: Advanced Bitcoin transaction visualization with UTXO graph analysis
  • Blockstream.info: Open-source Bitcoin block explorer with full API access
  • blockchain.com API: Free API for querying Bitcoin address balances and transaction histories
  • OFAC SDN List: U.S. Treasury sanctioned address list for compliance checking
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md3.0 KB

API Reference: Ransomware Payment Wallet Analysis

blockchain.com API

Get Address Information

GET https://blockchain.info/rawaddr/{address}?limit=50

Returns transaction history, balance, and UTXO data for a Bitcoin address.

Response Fields

Field Type Description
address string Bitcoin address
n_tx int Total number of transactions
total_received int Total satoshis received
total_sent int Total satoshis sent
final_balance int Current balance in satoshis
txs array Array of transaction objects

Get Single Transaction

GET https://blockchain.info/rawtx/{tx_hash}

Get Unspent Outputs

GET https://blockchain.info/unspent?active={address}

Blockstream.info API

Get Address Stats

GET https://blockstream.info/api/address/{address}

Response Fields

Field Type Description
chain_stats.funded_txo_count int Number of funding transactions
chain_stats.spent_txo_count int Number of spending transactions
chain_stats.funded_txo_sum int Total satoshis funded
chain_stats.spent_txo_sum int Total satoshis spent

Get Address Transactions

GET https://blockstream.info/api/address/{address}/txs

WalletExplorer API

Look Up Address

GET https://www.walletexplorer.com/api/1/address?address={address}&caller=research

Response Fields

Field Type Description
wallet_id string Cluster wallet identifier
label string Known entity label (exchange, mixer, etc.)
is_exchange bool Whether address belongs to known exchange

Get Wallet Transactions

GET https://www.walletexplorer.com/api/1/wallet-addresses?wallet={wallet_id}&caller=research

Bitcoin Address Formats

Format Prefix Example Notes
P2PKH (Legacy) 1 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa Original format
P2SH (SegWit compatible) 3 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy Script hash
Bech32 (Native SegWit) bc1q bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq Lower fees
Bech32m (Taproot) bc1p bc1p... Newest format

Common Ransomware Wallet Indicators

Pattern Significance
Single large inbound, rapid outbound Ransom payment received, quickly laundered
Multiple small inbound from different addresses Multiple victims paying same wallet
Outbound to known mixer addresses Laundering through CoinJoin/mixer services
Peel chain (sequential diminishing outputs) Structured laundering to evade detection
Transfer to exchange hot wallet Cash-out attempt via cryptocurrency exchange

OFAC SDN Sanctions Check

Download list: https://www.treasury.gov/ofac/downloads/sdnlist.txt
Search API:    https://sanctionssearch.ofac.treas.gov/

Check addresses against OFAC Specially Designated Nationals list for compliance.

Scripts 1

agent.py7.8 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Ransomware payment wallet blockchain analysis agent.

Traces cryptocurrency payment flows from ransomware wallets using public
blockchain APIs. Identifies transaction patterns, cluster relationships,
and fund movement to exchanges or mixers.
"""

import json
import re
import sys

try:
    import requests
except ImportError:
    print("[!] 'requests' library required: pip install requests")
    sys.exit(1)

BLOCKCHAIN_API = "https://blockchain.info"
BLOCKSTREAM_API = "https://blockstream.info/api"

BTC_ADDRESS_REGEX = re.compile(
    r"^(1[a-km-zA-HJ-NP-Z1-9]{25,34}|3[a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"
)

KNOWN_RANSOMWARE_WALLETS = {
    "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw": "WannaCry",
    "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94": "WannaCry",
    "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn": "WannaCry",
    "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX": "DarkSide (Colonial Pipeline)",
    "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh": "DarkSide",
}


def validate_btc_address(address):
    """Validate Bitcoin address format."""
    if BTC_ADDRESS_REGEX.match(address):
        return True
    return False


def query_address_info(address):
    """Query blockchain.info for address details."""
    url = f"{BLOCKCHAIN_API}/rawaddr/{address}?limit=50"
    resp = requests.get(url, timeout=30)
    resp.raise_for_status()
    data = resp.json()
    return {
        "address": address,
        "total_received_btc": data.get("total_received", 0) / 1e8,
        "total_sent_btc": data.get("total_sent", 0) / 1e8,
        "final_balance_btc": data.get("final_balance", 0) / 1e8,
        "n_tx": data.get("n_tx", 0),
        "transactions": data.get("txs", []),
    }


def query_blockstream_address(address):
    """Query Blockstream API for address stats (fallback)."""
    url = f"{BLOCKSTREAM_API}/address/{address}"
    resp = requests.get(url, timeout=30)
    resp.raise_for_status()
    data = resp.json()
    chain = data.get("chain_stats", {})
    return {
        "address": address,
        "funded_txo_count": chain.get("funded_txo_count", 0),
        "spent_txo_count": chain.get("spent_txo_count", 0),
        "funded_txo_sum_btc": chain.get("funded_txo_sum", 0) / 1e8,
        "spent_txo_sum_btc": chain.get("spent_txo_sum", 0) / 1e8,
    }


def extract_output_addresses(transactions, source_address):
    """Extract downstream addresses from transaction outputs."""
    downstream = {}
    for tx in transactions:
        tx_hash = tx.get("hash", "unknown")
        is_outgoing = any(
            inp.get("prev_out", {}).get("addr") == source_address
            for inp in tx.get("inputs", [])
        )
        if not is_outgoing:
            continue
        for out in tx.get("out", []):
            addr = out.get("addr")
            value = out.get("value", 0) / 1e8
            if addr and addr != source_address:
                if addr not in downstream:
                    downstream[addr] = {"total_btc": 0, "tx_count": 0, "tx_hashes": []}
                downstream[addr]["total_btc"] += value
                downstream[addr]["tx_count"] += 1
                downstream[addr]["tx_hashes"].append(tx_hash[:16])
    return downstream


def check_known_wallets(address):
    """Check if address matches known ransomware wallets."""
    if address in KNOWN_RANSOMWARE_WALLETS:
        return {"known": True, "family": KNOWN_RANSOMWARE_WALLETS[address]}
    return {"known": False, "family": None}


def detect_peel_chain(transactions, address):
    """Detect peel chain pattern in outgoing transactions."""
    outgoing_values = []
    for tx in transactions:
        is_outgoing = any(
            inp.get("prev_out", {}).get("addr") == address
            for inp in tx.get("inputs", [])
        )
        if is_outgoing:
            outputs = [o.get("value", 0) / 1e8 for o in tx.get("out", []) if o.get("addr") != address]
            outgoing_values.extend(outputs)

    if len(outgoing_values) < 3:
        return {"peel_chain_detected": False, "reason": "Insufficient transactions"}

    decreasing = sum(1 for i in range(1, len(outgoing_values)) if outgoing_values[i] < outgoing_values[i - 1])
    ratio = decreasing / (len(outgoing_values) - 1) if len(outgoing_values) > 1 else 0
    return {
        "peel_chain_detected": ratio > 0.6,
        "decreasing_ratio": round(ratio, 3),
        "num_outputs": len(outgoing_values),
    }


def analyze_wallet(address):
    """Full analysis of a ransomware payment wallet."""
    report = {"analysis_type": "Ransomware Payment Wallet Analysis", "address": address}

    if not validate_btc_address(address):
        report["error"] = f"Invalid Bitcoin address format: {address}"
        return report

    report["known_wallet_check"] = check_known_wallets(address)

    try:
        info = query_address_info(address)
        report["wallet_info"] = {
            "total_received_btc": info["total_received_btc"],
            "total_sent_btc": info["total_sent_btc"],
            "final_balance_btc": info["final_balance_btc"],
            "transaction_count": info["n_tx"],
        }

        downstream = extract_output_addresses(info["transactions"], address)
        report["downstream_addresses"] = {
            "count": len(downstream),
            "top_recipients": sorted(
                [{"address": a, **d} for a, d in downstream.items()],
                key=lambda x: x["total_btc"],
                reverse=True,
            )[:10],
        }

        for recipient in report["downstream_addresses"]["top_recipients"]:
            match = check_known_wallets(recipient["address"])
            recipient["known_entity"] = match["family"] if match["known"] else "Unknown"

        report["peel_chain_analysis"] = detect_peel_chain(info["transactions"], address)
    except requests.RequestException as e:
        report["error"] = f"API query failed: {e}"
        try:
            fallback = query_blockstream_address(address)
            report["wallet_info_blockstream"] = fallback
        except requests.RequestException as e2:
            report["fallback_error"] = f"Blockstream fallback also failed: {e2}"

    return report


if __name__ == "__main__":
    print("=" * 60)
    print("Ransomware Payment Wallet Analysis Agent")
    print("Blockchain tracing, cluster analysis, fund flow mapping")
    print("=" * 60)

    if len(sys.argv) < 2:
        print("\nUsage:")
        print("  python agent.py <bitcoin_address>")
        print("  python agent.py <bitcoin_address> --deep")
        print("\nExample:")
        print("  python agent.py 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw")
        sys.exit(0)

    address = sys.argv[1]
    print(f"\n[*] Analyzing wallet: {address}")

    report = analyze_wallet(address)

    known = report.get("known_wallet_check", {})
    if known.get("known"):
        print(f"[!] KNOWN RANSOMWARE WALLET: {known['family']}")

    info = report.get("wallet_info", {})
    if info:
        print(f"\n--- Wallet Summary ---")
        print(f"  Total received: {info.get('total_received_btc', 0):.8f} BTC")
        print(f"  Total sent:     {info.get('total_sent_btc', 0):.8f} BTC")
        print(f"  Balance:        {info.get('final_balance_btc', 0):.8f} BTC")
        print(f"  Transactions:   {info.get('transaction_count', 0)}")

    ds = report.get("downstream_addresses", {})
    if ds.get("count", 0) > 0:
        print(f"\n--- Top Downstream Recipients ({ds['count']} total) ---")
        for r in ds.get("top_recipients", [])[:5]:
            entity = r.get("known_entity", "Unknown")
            print(f"  {r['address'][:20]}... {r['total_btc']:.8f} BTC [{entity}]")

    peel = report.get("peel_chain_analysis", {})
    if peel.get("peel_chain_detected"):
        print(f"\n[!] Peel chain pattern detected (ratio: {peel['decreasing_ratio']})")

    if report.get("error"):
        print(f"\n[!] Error: {report['error']}")

    print(f"\n[*] Full report:\n{json.dumps(report, indent=2, default=str)}")
Keep exploring