Users with infected computers in Russia and South Korea are so far the two biggest ransom payers to the hackers who mounted a global ransomware attack, called “Wannacry,” yesterday, according to new data from Chainalysis, a provider of software that works with banks, law enforcement agencies, and bitcoin companies to analyze the blockchain for financial crimes.
All bitcoin transactions are permanently recorded on the blockchain, and anyone can view them. Chainalysis crunches these transactions and assigns them to clusters of “entities,” which could be bitcoin exchanges, wallet providers, or bitcoin miners. The firm found that the hackers, who ask for ransom to be sent to three bitcoin addresses, had received a total of nearly $23,000 so far in dollar terms, converted at the point the transaction was made.
The two entities that sent the most money to the hackers were bitcoin exchanges serving the Russian and Korean markets. ”If you look at the infection rates, a lot of it is in Russia, so [the data] is complementing that,” says Jonathan Levin, a Chainalysis co-founder. “Given that we know the infections are also in Russia, I would say, it’s Russian users.”
Analysis by information security firm Kaspersky Lab showed Russia had the most infections, although South Korea doesn’t appear among the top countries. Here’s the list of where ransoms originated from via Chainalysis:
There are a few caveats to the data. Levin points out that the payments attributed to “Tor markets,” the term Chainalysis uses to describe darknet markets, are probably “noise” generated by his analysis, and should be ignored. The low payment amount also suggests that it’s unconnected to the ransomware. Each entity could be using thousands of addresses, and it’s Chainalysis’ job to group them accurately. For instance, Levin says that one exchange, Poloniex, uses 376,000 bitcoin addresses, all of which have been clustered by Chainalysis, allowing correct attribution.
Additionally, just because a payment is from an exchange that serves Korean or Russian customers doesn’t necessarily mean the infected users are indeed in Korea or Russia—although it’s a reasonable inference. Lastly, little is known about BTC-E, the exchange at the top of the list, except that its operators are anonymous, it’s one of the longest running exchanges in bitcoin, and it notoriously doesn’t perform the identity checks that regulated exchanges must comply with, and it deals in the ruble-bitcoin market.