DOI: 10.1145/3576915.3623094
research-article

Cybercrime Bitcoin Revenue Estimations: Quantifying the Impact of Methodology and Coverage

Published: 21 November 2023

    Abstract

    Multiple works have leveraged the public Bitcoin ledger to estimate the revenue cybercriminals obtain from their victims. Estimations focusing on the same target often do not agree, due to the use of different methodologies, seed addresses, and time periods. These factors make it challenging to understand the impact of their methodological differences. Furthermore, they underestimate the revenue due to the (lack of) coverage on the target's payment addresses, but how large this impact is remains unknown.
    In this work, we perform the first systematic analysis on the estimation of cybercrime bitcoin revenue. We implement a tool that can replicate the different estimation methodologies. Using our tool we can quantify, in a controlled setting, the impact of the different methodology steps. In contrast to what is widely believed, we show that the revenue is not always underestimated. There exist methodologies that can introduce huge overestimation. We collect 30,424 payment addresses and use them to compare the financial impact of 6 cybercrimes (ransomware, clippers, sextortion, Ponzi schemes, giveaway scams, exchange scams) and of 141 cybercriminal groups. We observe that the popular multi-input clustering fails to discover addresses for 40% of groups. We quantify, for the first time, the impact of the (lack of) coverage on the estimation. For this, we propose two techniques to achieve high coverage, possibly nearly complete, on the DeadBolt server ransomware. Our expanded coverage enables estimating DeadBolt's revenue at $2.47M, 39 times higher than the estimation using two popular Internet scan engines.


      Published In

      CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
      November 2023
      3722 pages
      ISBN:9798400700507
      DOI:10.1145/3576915
      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. bitcoin
      2. cybercrime
      3. deadbolt ransomware
      4. revenue estimation


      Acceptance Rates

      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%


      Article Metrics

      • Total Citations: 0
      • Total Downloads: 249
      • Downloads (Last 12 months): 249
      • Downloads (Last 6 weeks): 8
      Reflects downloads up to 27 Jul 2024
