As the diagram shows, the hackers’ funds were sent to a high-volume address within just a few transactions, and we can only speculate about whether the transactions past that point include the Petya/NotPetya ransom money. In fact, that first high-volume address the money hits is itself an exchange, through which perfectly legitimate money frequently passes.

There are several techniques that bitcoin owners can use to mix or tumble their money to ensure anonymity. One is called coin-joining, and works by combining transactions on a large scale to convolute their transaction trails. Imagine Matt wants to send $20 in bitcoin to address X, and Kira wants to send $40 in bitcoin to address Y. Coin-joining works by combining both of those payments, potentially with thousands of other payments, into a series of thousands of transactions that eventually pay out Matt’s $20 to X and Kira’s $40 to Y.

If we knew what bitcoin address or addresses the Petya/NotPetya money ended up in, we’d likely find hundreds of thousands of transactions between that address and the starting address. That’s more than we could ever chart, but if we could, many paths would flow out from the center as they do in the diagram above, and eventually some of them would consolidate into one point, or however many addresses the money was sent to.

Of course, many experts have speculated that the Petya/NotPetya attack was a state-sponsored event and that the hackers behind it don’t actually care about the money. The Ukrainian government has accused Russia of masterminding the attack, and an article in Wired described Russia as using its neighbor as a “test lab for cyber war.” Moscow has denied any involvement.

Notes on methodology: The diagram above is based on outgoing transactions, starting with the wallet that held the Petya/NotPetya funds from July 4 to July 7. We collected each spent output from that address, then each spent output from those addresses, and so on. In order to limit the number of rabbit holes the crawler followed, we only included transfers that occurred within eight hours of the first outgoing transaction from the first wallet. We considered high-volume wallets, shown in pink, to be wallets that had three or more total transactions, as returned from the API, but the vast majority of those had more than 10 total transactions.

📬 Sign up for the Daily Brief

Our free, fast, and fun briefing on the global economy, delivered every weekday morning.