Ransomware payments in the Bitcoin ecosystem
Why is this work in the frame?
A frame that forgets how it found something cannot be audited. These are the routes that admitted this work.
Full frame distilled prediction
Learned from the 10,348 direct Codex labels and 10,348 direct Gemma labels. Candidate is the union of thresholded teacher heads; consensus is their intersection. These outputs are machine_predicted_unvalidated and are not human labels or direct frontier model labels.
- Candidate categories
- none
- Consensus categories
- none
- Domain
- Candidate signal: noneConsensus signal: none
- Study design
- Candidate signal: Theoretical or conceptualConsensus signal: none
- Genre
- Candidate signal: EmpiricalConsensus signal: Empirical
- Teacher disagreement score
- 0.420
- Threshold uncertainty score
- 0.245
- Validation status
machine_predicted_unvalidated·codex-gemma-dda1882f352a
Codex and Gemma teacher scores by category
| Category | Codex | Gemma |
|---|---|---|
| Metaresearch | 0.001 | 0.000 |
| Meta-epidemiology (narrow) | 0.000 | 0.000 |
| Meta-epidemiology (broad) | 0.000 | 0.000 |
| Bibliometrics | 0.000 | 0.000 |
| Science and technology studies | 0.000 | 0.000 |
| Scholarly communication | 0.000 | 0.001 |
| Open science | 0.001 | 0.000 |
| Research integrity | 0.000 | 0.000 |
| Insufficient payload (model declined to judge) | 0.000 | 0.000 |
Machine scores (provisional)
Baseline scores from an immature model (maturity gate not passed, 7 training rounds). Scores rank; they never assert a category.
The two teacher heads of the student model, read on this work. A score orders the frame for review; it never asserts a category, and the validation status ships verbatim with every row.
- Teacher spread
- 0.233 · how far apart the two teachers sit on this one work
- Validation status
score_only:v0-immature-baseline· verbatim from the scoring run: score_only means the number may rank works, and no category label ships from it
Abstract
Ransomware can prevent a user from accessing a device and its files until a ransom is paid to the attacker, most frequently in Bitcoin. With over 500 known ransomware families, it has become one of the dominant cybercrime threats for law enforcement, security professionals, and the public. However, a more comprehensive, evidence-based picture on the global direct financial impact of ransomware attacks is still missing. In this article, we present a data-driven method for identifying and gathering information on Bitcoin transactions related to illicit activity based on footprints left on the public Bitcoin blockchain. We implement this method on-top-of the GraphSense open-source platform and apply it to empirically analyze transactions related to 35 ransomware families. We estimate the lower bound direct financial impact of each ransomware family and find that, from 2013 to mid-2017, the market for ransomware payments has a minimum worth of USD 12 768 536 (22 967.54 BTC). We also find that the market is highly skewed with only a few number of players responsible for the majority of the payments. Based on these research findings, policy-makers and law enforcement agencies can use the statistics provided to understand the size of the illicit market and make informed decisions on how best to address the threat.
Fetched live from OpenAlex and de-inverted. Abstracts are not stored in this database: the inverted indexes are 8.6 GB of the frame’s 9.3 GB of text, and the host has 13 GB free.
The record
- Venue
- Journal of Cybersecurity
- Topic
- Advanced Malware Detection Techniques
- Field
- Computer Science
- Canadian institutions
- Université de Montréal
- Funders
- European Commission
- Keywords
- RansomwarePaymentCybercrimeBusinessComputer securityLaw enforcementRansomEnforcementVirtual currencyInternet privacyCryptocurrencyMalwareThe InternetFinanceComputer scienceEconomicsMonetary economicsLawCurrency
- Has abstract in OpenAlex
- yes