npx skills add mukul975/Anthropic-Cybersecurity-SkillsWhen to Use
- An organization has been hit by ransomware and the ransom note contains a Bitcoin or cryptocurrency wallet address that needs investigation
- Law enforcement or incident responders need to trace where ransom payments flowed after the victim paid
- Threat intelligence analysts are attributing ransomware campaigns by clustering payment infrastructure across incidents
- Investigators need to determine if a ransomware group is reusing wallet infrastructure across multiple victims
- Compliance or legal teams need evidence of fund flows for prosecution, sanctions enforcement, or insurance claims
Do not use this skill for live payment interception or to interact directly with ransomware operators. All analysis should be passive and read-only against public blockchain data.
Prerequisites
- Python 3.8+ with
requests,json, andhashliblibraries - Access to blockchain explorer APIs (blockchain.com, WalletExplorer.com, Blockstream.info)
- Familiarity with Bitcoin transaction model (UTXOs, inputs, outputs, change addresses)
- Understanding of common obfuscation techniques (mixers, tumblers, peel chains, cross-chain swaps)
- Optional: Chainalysis Reactor license for enterprise-grade cluster analysis
- Optional: OXT.me for advanced transaction graph visualization
Workflow
Step 1: Extract Wallet Address from Ransom Note
Parse the ransom note to identify the payment address(es):
Common address formats:
Bitcoin (P2PKH): 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa (starts with 1)
Bitcoin (P2SH): 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy (starts with 3)
Bitcoin (Bech32): bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq (starts with bc1)
Monero: 4... (95 characters, much harder to trace)
Ethereum: 0x... (40 hex chars)Step 2: Query Blockchain Explorer for Transaction History
Retrieve all transactions associated with the wallet:
import requests
def get_wallet_transactions(address):
"""Query blockchain.com API for address transactions."""
url = f"https://blockchain.info/rawaddr/{address}"
resp = requests.get(url, timeout=30)
resp.raise_for_status()
data = resp.json()
return {
"address": address,
"n_tx": data.get("n_tx", 0),
"total_received_satoshi": data.get("total_received", 0),
"total_sent_satoshi": data.get("total_sent", 0),
"final_balance_satoshi": data.get("final_balance", 0),
"transactions": data.get("txs", []),
}Step 3: Map Fund Flow and Identify Clusters
Trace outputs from the ransom wallet to downstream addresses:
Fund Flow Analysis:
━━━━━━━━━━━━━━━━━━
Victim Payment ──► Ransom Wallet ──► Consolidation Wallet
├─► Mixer/Tumbler Service
├─► Exchange Deposit Address
└─► Peel Chain (sequential small outputs)
Key indicators:
- Consolidation: Multiple ransom payments aggregated into one wallet
- Peel chains: Sequential transactions with diminishing outputs
- Mixer usage: Funds sent to known mixer addresses (Wasabi, Samourai, ChipMixer)
- Exchange cashout: Deposits to known exchange wallets (Binance, Kraken hot wallets)Step 4: Cross-Reference with Known Wallet Databases
Check addresses against known ransomware infrastructure:
# Check WalletExplorer for entity identification
def check_wallet_explorer(address):
url = f"https://www.walletexplorer.com/api/1/address?address={address}&caller=research"
resp = requests.get(url, timeout=30)
data = resp.json()
return {
"wallet_id": data.get("wallet_id"),
"label": data.get("label", "Unknown"),
"is_exchange": data.get("is_exchange", False),
}Step 5: Generate Attribution Report
Compile findings into a structured intelligence report:
RANSOMWARE WALLET ANALYSIS REPORT
====================================
Ransom Address: bc1q...xyz
Family Attribution: LockBit 3.0 (based on ransom note format)
Total Received: 4.25 BTC ($178,500 at time of payment)
Total Sent: 4.25 BTC (wallet fully drained)
Number of Payments: 3 (likely 3 separate victims)
FUND FLOW:
Payment 1: 1.5 BTC → Consolidation wallet → Binance deposit
Payment 2: 1.0 BTC → Wasabi Mixer → Unknown
Payment 3: 1.75 BTC → Peel chain (12 hops) → OKX deposit
CLUSTER ANALYSIS:
Related wallets: 47 addresses identified in same cluster
Total cluster volume: 156.3 BTC ($6.5M USD)
First activity: 2024-01-15
Last activity: 2024-09-22Verification
- Confirm wallet address format is valid before querying APIs
- Cross-reference transaction timestamps with known incident timelines
- Validate cluster associations by checking common-input-ownership heuristic
- Compare findings against OFAC SDN list for sanctioned addresses
- Verify exchange attribution against multiple sources (WalletExplorer, OXT, Chainalysis)
Key Concepts
| Term | Definition |
|---|---|
| UTXO | Unspent Transaction Output; the fundamental unit of Bitcoin that tracks ownership through a chain of transactions |
| Cluster Analysis | Grouping multiple Bitcoin addresses believed to be controlled by the same entity using common-input-ownership and change-address heuristics |
| Peel Chain | A laundering pattern where funds are sent through many sequential transactions, each peeling off a small amount to a new address |
| CoinJoin/Mixer | Privacy techniques that combine multiple users' transactions to obscure the link between sender and receiver |
| Common Input Ownership | Heuristic that assumes all inputs to a single transaction are controlled by the same entity |
Tools & Systems
- Chainalysis Reactor: Enterprise blockchain investigation platform with entity attribution and cross-chain tracing
- WalletExplorer: Free tool that clusters Bitcoin addresses and labels known services (exchanges, mixers, markets)
- OXT.me: Advanced Bitcoin transaction visualization with UTXO graph analysis
- Blockstream.info: Open-source Bitcoin block explorer with full API access
- blockchain.com API: Free API for querying Bitcoin address balances and transaction histories
- OFAC SDN List: U.S. Treasury sanctioned address list for compliance checking
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md3.0 KB
API Reference: Ransomware Payment Wallet Analysis
blockchain.com API
Get Address Information
GET https://blockchain.info/rawaddr/{address}?limit=50Returns transaction history, balance, and UTXO data for a Bitcoin address.
Response Fields
| Field | Type | Description |
|---|---|---|
address |
string | Bitcoin address |
n_tx |
int | Total number of transactions |
total_received |
int | Total satoshis received |
total_sent |
int | Total satoshis sent |
final_balance |
int | Current balance in satoshis |
txs |
array | Array of transaction objects |
Get Single Transaction
GET https://blockchain.info/rawtx/{tx_hash}Get Unspent Outputs
GET https://blockchain.info/unspent?active={address}Blockstream.info API
Get Address Stats
GET https://blockstream.info/api/address/{address}Response Fields
| Field | Type | Description |
|---|---|---|
chain_stats.funded_txo_count |
int | Number of funding transactions |
chain_stats.spent_txo_count |
int | Number of spending transactions |
chain_stats.funded_txo_sum |
int | Total satoshis funded |
chain_stats.spent_txo_sum |
int | Total satoshis spent |
Get Address Transactions
GET https://blockstream.info/api/address/{address}/txsWalletExplorer API
Look Up Address
GET https://www.walletexplorer.com/api/1/address?address={address}&caller=researchResponse Fields
| Field | Type | Description |
|---|---|---|
wallet_id |
string | Cluster wallet identifier |
label |
string | Known entity label (exchange, mixer, etc.) |
is_exchange |
bool | Whether address belongs to known exchange |
Get Wallet Transactions
GET https://www.walletexplorer.com/api/1/wallet-addresses?wallet={wallet_id}&caller=researchBitcoin Address Formats
| Format | Prefix | Example | Notes |
|---|---|---|---|
| P2PKH (Legacy) | 1 | 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa | Original format |
| P2SH (SegWit compatible) | 3 | 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy | Script hash |
| Bech32 (Native SegWit) | bc1q | bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq | Lower fees |
| Bech32m (Taproot) | bc1p | bc1p... | Newest format |
Common Ransomware Wallet Indicators
| Pattern | Significance |
|---|---|
| Single large inbound, rapid outbound | Ransom payment received, quickly laundered |
| Multiple small inbound from different addresses | Multiple victims paying same wallet |
| Outbound to known mixer addresses | Laundering through CoinJoin/mixer services |
| Peel chain (sequential diminishing outputs) | Structured laundering to evade detection |
| Transfer to exchange hot wallet | Cash-out attempt via cryptocurrency exchange |
OFAC SDN Sanctions Check
Download list: https://www.treasury.gov/ofac/downloads/sdnlist.txt
Search API: https://sanctionssearch.ofac.treas.gov/Check addresses against OFAC Specially Designated Nationals list for compliance.
Scripts 1
agent.py7.8 KB
#!/usr/bin/env python3
"""Ransomware payment wallet blockchain analysis agent.
Traces cryptocurrency payment flows from ransomware wallets using public
blockchain APIs. Identifies transaction patterns, cluster relationships,
and fund movement to exchanges or mixers.
"""
import json
import re
import sys
try:
import requests
except ImportError:
print("[!] 'requests' library required: pip install requests")
sys.exit(1)
BLOCKCHAIN_API = "https://blockchain.info"
BLOCKSTREAM_API = "https://blockstream.info/api"
BTC_ADDRESS_REGEX = re.compile(
r"^(1[a-km-zA-HJ-NP-Z1-9]{25,34}|3[a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"
)
KNOWN_RANSOMWARE_WALLETS = {
"12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw": "WannaCry",
"13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94": "WannaCry",
"115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn": "WannaCry",
"1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX": "DarkSide (Colonial Pipeline)",
"bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh": "DarkSide",
}
def validate_btc_address(address):
"""Validate Bitcoin address format."""
if BTC_ADDRESS_REGEX.match(address):
return True
return False
def query_address_info(address):
"""Query blockchain.info for address details."""
url = f"{BLOCKCHAIN_API}/rawaddr/{address}?limit=50"
resp = requests.get(url, timeout=30)
resp.raise_for_status()
data = resp.json()
return {
"address": address,
"total_received_btc": data.get("total_received", 0) / 1e8,
"total_sent_btc": data.get("total_sent", 0) / 1e8,
"final_balance_btc": data.get("final_balance", 0) / 1e8,
"n_tx": data.get("n_tx", 0),
"transactions": data.get("txs", []),
}
def query_blockstream_address(address):
"""Query Blockstream API for address stats (fallback)."""
url = f"{BLOCKSTREAM_API}/address/{address}"
resp = requests.get(url, timeout=30)
resp.raise_for_status()
data = resp.json()
chain = data.get("chain_stats", {})
return {
"address": address,
"funded_txo_count": chain.get("funded_txo_count", 0),
"spent_txo_count": chain.get("spent_txo_count", 0),
"funded_txo_sum_btc": chain.get("funded_txo_sum", 0) / 1e8,
"spent_txo_sum_btc": chain.get("spent_txo_sum", 0) / 1e8,
}
def extract_output_addresses(transactions, source_address):
"""Extract downstream addresses from transaction outputs."""
downstream = {}
for tx in transactions:
tx_hash = tx.get("hash", "unknown")
is_outgoing = any(
inp.get("prev_out", {}).get("addr") == source_address
for inp in tx.get("inputs", [])
)
if not is_outgoing:
continue
for out in tx.get("out", []):
addr = out.get("addr")
value = out.get("value", 0) / 1e8
if addr and addr != source_address:
if addr not in downstream:
downstream[addr] = {"total_btc": 0, "tx_count": 0, "tx_hashes": []}
downstream[addr]["total_btc"] += value
downstream[addr]["tx_count"] += 1
downstream[addr]["tx_hashes"].append(tx_hash[:16])
return downstream
def check_known_wallets(address):
"""Check if address matches known ransomware wallets."""
if address in KNOWN_RANSOMWARE_WALLETS:
return {"known": True, "family": KNOWN_RANSOMWARE_WALLETS[address]}
return {"known": False, "family": None}
def detect_peel_chain(transactions, address):
"""Detect peel chain pattern in outgoing transactions."""
outgoing_values = []
for tx in transactions:
is_outgoing = any(
inp.get("prev_out", {}).get("addr") == address
for inp in tx.get("inputs", [])
)
if is_outgoing:
outputs = [o.get("value", 0) / 1e8 for o in tx.get("out", []) if o.get("addr") != address]
outgoing_values.extend(outputs)
if len(outgoing_values) < 3:
return {"peel_chain_detected": False, "reason": "Insufficient transactions"}
decreasing = sum(1 for i in range(1, len(outgoing_values)) if outgoing_values[i] < outgoing_values[i - 1])
ratio = decreasing / (len(outgoing_values) - 1) if len(outgoing_values) > 1 else 0
return {
"peel_chain_detected": ratio > 0.6,
"decreasing_ratio": round(ratio, 3),
"num_outputs": len(outgoing_values),
}
def analyze_wallet(address):
"""Full analysis of a ransomware payment wallet."""
report = {"analysis_type": "Ransomware Payment Wallet Analysis", "address": address}
if not validate_btc_address(address):
report["error"] = f"Invalid Bitcoin address format: {address}"
return report
report["known_wallet_check"] = check_known_wallets(address)
try:
info = query_address_info(address)
report["wallet_info"] = {
"total_received_btc": info["total_received_btc"],
"total_sent_btc": info["total_sent_btc"],
"final_balance_btc": info["final_balance_btc"],
"transaction_count": info["n_tx"],
}
downstream = extract_output_addresses(info["transactions"], address)
report["downstream_addresses"] = {
"count": len(downstream),
"top_recipients": sorted(
[{"address": a, **d} for a, d in downstream.items()],
key=lambda x: x["total_btc"],
reverse=True,
)[:10],
}
for recipient in report["downstream_addresses"]["top_recipients"]:
match = check_known_wallets(recipient["address"])
recipient["known_entity"] = match["family"] if match["known"] else "Unknown"
report["peel_chain_analysis"] = detect_peel_chain(info["transactions"], address)
except requests.RequestException as e:
report["error"] = f"API query failed: {e}"
try:
fallback = query_blockstream_address(address)
report["wallet_info_blockstream"] = fallback
except requests.RequestException as e2:
report["fallback_error"] = f"Blockstream fallback also failed: {e2}"
return report
if __name__ == "__main__":
print("=" * 60)
print("Ransomware Payment Wallet Analysis Agent")
print("Blockchain tracing, cluster analysis, fund flow mapping")
print("=" * 60)
if len(sys.argv) < 2:
print("\nUsage:")
print(" python agent.py <bitcoin_address>")
print(" python agent.py <bitcoin_address> --deep")
print("\nExample:")
print(" python agent.py 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw")
sys.exit(0)
address = sys.argv[1]
print(f"\n[*] Analyzing wallet: {address}")
report = analyze_wallet(address)
known = report.get("known_wallet_check", {})
if known.get("known"):
print(f"[!] KNOWN RANSOMWARE WALLET: {known['family']}")
info = report.get("wallet_info", {})
if info:
print(f"\n--- Wallet Summary ---")
print(f" Total received: {info.get('total_received_btc', 0):.8f} BTC")
print(f" Total sent: {info.get('total_sent_btc', 0):.8f} BTC")
print(f" Balance: {info.get('final_balance_btc', 0):.8f} BTC")
print(f" Transactions: {info.get('transaction_count', 0)}")
ds = report.get("downstream_addresses", {})
if ds.get("count", 0) > 0:
print(f"\n--- Top Downstream Recipients ({ds['count']} total) ---")
for r in ds.get("top_recipients", [])[:5]:
entity = r.get("known_entity", "Unknown")
print(f" {r['address'][:20]}... {r['total_btc']:.8f} BTC [{entity}]")
peel = report.get("peel_chain_analysis", {})
if peel.get("peel_chain_detected"):
print(f"\n[!] Peel chain pattern detected (ratio: {peel['decreasing_ratio']})")
if report.get("error"):
print(f"\n[!] Error: {report['error']}")
print(f"\n[*] Full report:\n{json.dumps(report, indent=2, default=str)}")