Total tracked ransomware payments
Ransomwhere is the open, crowdsourced ransomware payment tracker. Browse and download ransomware payment data or help build our dataset by reporting ransomware demands you have received.
Report Addresses
Download Data
About
Browse ransomware data
Time range:
Latest reports
| Created | Family |
|---|
Report ransomware addresses
Download data
All Ransomwhere data is entirely publicly available. To protect victims and prevent abuse, addresses will be made public 90 days after being submitted.
Download all dataIf you use Ransomwhere in your work, please cite the following dataset:
Cable, Jack. (2024). Ransomwhere: A Crowdsourced Ransomware Payment Dataset (1.1.0) [Data set]. Zenodo. https://doi.org/10.5281/zenodo.6512122About
Ransomwhere is the open, crowdsourced ransomware payment tracker. Transparency is crucially needed in assessing the spread of ransomware and the efficacy of mitigations. Fortunately, due to the transparent nature of Bitcoin, it's easy to track payments with knowledge of receipt addresses. By crowdsourcing ransomware payment addresses, we hope to provide an open resource for the security community and the public.Partners
Ransomwhere is a partner of Chainabuse, a multi-chain community platform to report cryptocurrency hacks, scams, and fraudulent activity, including ransomware.
Research
Read research published based on Ransomwhere data:- Jack Cable, Ian W Gray, Damon McCoy. Showing the Receipts: Understanding the Modern Ransomware Ecosystem. Symposium on Electronic Crime Research. 2024.
- Ian W Gray, Jack Cable, Benjamin Brown, Vlad Cuiujuclu, Damon McCoy. Money Over Morals: A Business Analysis of Conti Ransomware. Symposium on Electronic Crime Research. 2023.
- Oosthoek, Kris, Jack Cable, Georgios Smaragdakis. 'A Tale of Two Markets: Investigating the Ransomware Payments Economy'. Communications of the ACM. 2022.
FAQ
How can Ransomwhere be cited?
Ransomwhere can be cited as:
Cable, Jack. (2024). Ransomwhere: A Crowdsourced Ransomware Payment Dataset (1.1.0) [Data set]. Zenodo. https://doi.org/10.5281/zenodo.6512122Can't someone fake a report?
While it's impossible to verify with complete certainty that a report is accurate, we aim to utilize the wisdom of the crowds to prevent abuse. All reports are required to include a screenshot of the ransomware payment demand, and will be reviewed before being displayed. Addresses with more than one report from different sources will be given priority, and all elements of all reports will be publicly available. We will remove reports if we believe they are untruthful.
How are dollar values calculated?
Dollar values are calculated using the bitcoin exchange rate the day that the transaction was sent. As a result, they serve as an approximate measure but are not necessarily the exact amount the criminals sold the bitcoin for.
Do you have an API?
Yes, Ransomwhere has a public API. The most basic endpoint is https://api.ransomwhe.re/export
to
receive all past transactions. We are working on further documenting the API.
Why are many payments unlabeled?
These payments are sourced from Showing the Receipts: Understanding the Modern Ransomware Ecosystem. In this paper, we identify ransomware payments with high confidence, but the specific family associated with the ransomware group is lower confidence. Please get in touch if you are interested in accessing the set of labels.
How can I help out?
We are always open to collaboration! Beyond submitting reports, please email us if you are interested in further collaboration. If you are interested in contributing to code, feel free to check out our GitHub repository.