Total tracked ransomware payments

Ransomwhere is the open, crowdsourced ransomware payment tracker. Browse and download ransomware payment data or help build our dataset by reporting ransomware demands you have received.

Browse ransomware data

Time range:

Latest reports

Created Family

Report ransomware addresses






  • or
  • or

Your email address will be kept private and will only be used to contact you if more information is needed.



By submitting, you acknowledge that all contents of your report (besides your email, if submitted) will be made publicly available.
We appreciate your help adding transparency to the ransomware ecosytem!

Download data

All Ransomwhere data is entirely publicly available. To protect victims and prevent abuse, addresses will be made public 90 days after being submitted.

Download all data

If you use Ransomwhere in your work, please cite the following dataset:

Cable, Jack. (2024). Ransomwhere: A Crowdsourced Ransomware Payment Dataset (1.1.0) [Data set]. Zenodo. https://doi.org/10.5281/zenodo.6512122

Export as BibTex

About

Ransomwhere is the open, crowdsourced ransomware payment tracker. Transparency is crucially needed in assessing the spread of ransomware and the efficacy of mitigations. Fortunately, due to the transparent nature of Bitcoin, it's easy to track payments with knowledge of receipt addresses. By crowdsourcing ransomware payment addresses, we hope to provide an open resource for the security community and the public.

Partners


Chainabuse logo

Ransomwhere is a partner of Chainabuse, a multi-chain community platform to report cryptocurrency hacks, scams, and fraudulent activity, including ransomware.

Research

Read research published based on Ransomwhere data:

FAQ

How can Ransomwhere be cited?

Ransomwhere can be cited as:

Cable, Jack. (2024). Ransomwhere: A Crowdsourced Ransomware Payment Dataset (1.1.0) [Data set]. Zenodo. https://doi.org/10.5281/zenodo.6512122

Export as BibTex

Can't someone fake a report?

While it's impossible to verify with complete certainty that a report is accurate, we aim to utilize the wisdom of the crowds to prevent abuse. All reports are required to include a screenshot of the ransomware payment demand, and will be reviewed before being displayed. Addresses with more than one report from different sources will be given priority, and all elements of all reports will be publicly available. We will remove reports if we believe they are untruthful.

How are dollar values calculated?

Dollar values are calculated using the bitcoin exchange rate the day that the transaction was sent. As a result, they serve as an approximate measure but are not necessarily the exact amount the criminals sold the bitcoin for.

Do you have an API?

Yes, Ransomwhere has a public API. The most basic endpoint is https://api.ransomwhe.re/export to receive all past transactions. We are working on further documenting the API.

Why are many payments unlabeled?

These payments are sourced from Showing the Receipts: Understanding the Modern Ransomware Ecosystem. In this paper, we identify ransomware payments with high confidence, but the specific family associated with the ransomware group is lower confidence. Please get in touch if you are interested in accessing the set of labels.

How can I help out?

We are always open to collaboration! Beyond submitting reports, please email us if you are interested in further collaboration. If you are interested in contributing to code, feel free to check out our GitHub repository.