Ransomwhere

Website: https://ransomwhe.re/
Category: Cryptocurrency

Ransomwhere is an open crowdsourced database tracking Bitcoin addresses associated with ransomware payments. Maintained by Jack Cable, a security researcher affiliated with CISA (Cybersecurity and Infrastructure Security Agency), it catalogs over 11,000 addresses across 136+ ransomware families along with reported payment amounts. We use this data on hashxp.org to flag addresses linked to ransomware activity.

Source: Ransomwhere

What is Ransomwhere?

Ransomware attacks encrypt victims' data and demand cryptocurrency payment for the decryption key. Each ransomware operation typically generates unique Bitcoin addresses for each victim, but researchers have identified patterns that link addresses to specific ransomware families. Ransomwhere aggregates these findings into a single, open database.

The project collects data from multiple sources:

  • Incident reports - Victims and incident responders submit Bitcoin addresses from ransom notes
  • Security research - Malware analysts extract hardcoded or dynamically generated addresses from ransomware samples
  • Blockchain analysis - Transaction patterns help identify additional addresses controlled by the same actors through clustering techniques
  • Law enforcement disclosures - Published court documents and seizure notices sometimes include cryptocurrency addresses

Each entry in the database includes the Bitcoin address, the ransomware family it belongs to (such as LockBit, Conti, REvil, Ryuk, or WannaCry), and where available, the reported payment amount in BTC. The ransomware families span the full history of Bitcoin-demanding ransomware, from early operations like CryptoLocker through modern ransomware-as-a-service platforms.

Ransomwhere is freely accessible and its data is downloadable for integration into security tools. It serves the broader goal of increasing transparency around ransomware economics and helping the security community track the financial infrastructure of ransomware operations.

How We Use This Data

On hashxp.org, we cross-reference Bitcoin addresses against the Ransomwhere database. When you look up a Bitcoin address in our block explorer and it matches a known ransomware address, we display a warning indicating the ransomware family association.

This serves several important purposes:

  • Compliance and due diligence - Businesses and exchanges can check whether an address has known ransomware associations before processing transactions
  • Incident response - Victims investigating ransom payments can confirm which ransomware family they are dealing with
  • Research - Analysts studying ransomware financial flows can trace funds through our block explorer with immediate ransomware attribution

We store the Ransomwhere data in the ba (bad actor) field of our address database, alongside other threat intelligence flags like OFAC sanctions. This means ransomware associations appear automatically in address lookups, transaction views, and any page where the flagged address is referenced.

The data is imported via our import-ransomwhere.ts script, which fetches the latest dataset and updates our MongoDB collections.
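The following is an added example, not the project's import-ransomwhere.ts or any code from Ransomwhere. It sketches the two steps described above: building an address-to-family index from an export and turning it into MongoDB upserts on the ba field. The export field names (address, family, amountBtc), the contents of the ba field, and the sample records are assumptions for illustration; the real dataset and hashxp schema should be checked before reuse.

```typescript
// Shape of one record in a Ransomwhere-style export. Field names are an
// assumption for this example; verify them against the real export.
interface RansomwhereRecord {
  address: string;
  family: string;
  amountBtc?: number; // reported ransom payment in BTC, when known
}

// Hypothetical content stored under the `ba` (bad actor) field for a hit.
interface RansomwareFlag {
  source: "ransomwhere";
  families: string[];          // usually one; a list in case sources disagree
  reportedSats: number | null; // summed reported payments in satoshis, null if none
}

// Legacy (1.../3...) addresses are base58 and case-sensitive; bech32 (bc1...)
// is case-insensitive and conventionally stored lowercase. Normalising both
// sides of a comparison the same way avoids silent misses on bc1 addresses.
function normalizeAddress(raw: string): string {
  const addr = raw.trim();
  return /^bc1/i.test(addr) ? addr.toLowerCase() : addr;
}

// Shape check only (prefix, length, alphabet); not a checksum validation.
function looksLikeBitcoinAddress(addr: string): boolean {
  return /^([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,87})$/.test(addr);
}

// Collapse an export into one flag per address. Repeated rows for the same
// address (several reported payments) are merged rather than duplicated.
function buildRansomwareIndex(records: RansomwhereRecord[]): Map<string, RansomwareFlag> {
  const index = new Map<string, RansomwareFlag>();
  for (const rec of records) {
    const addr = normalizeAddress(rec.address);
    if (!looksLikeBitcoinAddress(addr)) continue; // skip malformed rows instead of importing junk
    const flag: RansomwareFlag =
      index.get(addr) || { source: "ransomwhere", families: [], reportedSats: null };
    if (flag.families.indexOf(rec.family) === -1) flag.families.push(rec.family);
    if (typeof rec.amountBtc === "number") {
      // Accumulate in integer satoshis; summing BTC as floats drifts.
      flag.reportedSats = (flag.reportedSats || 0) + Math.round(rec.amountBtc * 1e8);
    }
    index.set(addr, flag);
  }
  return index;
}

// What an address lookup does: normalise the query the same way as the index.
function lookupRansomwareFlag(index: Map<string, RansomwareFlag>, queried: string): RansomwareFlag | null {
  return index.get(normalizeAddress(queried)) || null;
}

// MongoDB bulkWrite operations that set `ba.ransomwhere` on each address
// document, creating it if the explorer has not seen the address yet.
// Everything here beyond the `ba` field name is an assumed layout.
function toBulkUpdates(index: Map<string, RansomwareFlag>): Array<Record<string, unknown>> {
  const ops: Array<Record<string, unknown>> = [];
  index.forEach((flag, address) => {
    ops.push({
      updateOne: {
        filter: { address },
        update: { $set: { "ba.ransomwhere": flag } },
        upsert: true,
      },
    });
  });
  return ops;
}

// Constructed sample export: fake addresses, families taken from the page.
const SAMPLE_EXPORT: RansomwhereRecord[] = [
  { address: "1FakeRansomNote7Addr8Demo9BTCXYZ", family: "WannaCry", amountBtc: 0.17 },
  { address: "1FakeRansomNote7Addr8Demo9BTCXYZ", family: "WannaCry", amountBtc: 0.33 },
  { address: "bc1qfakeransmwaretestaddrxyzq2u7d9", family: "LockBit" },
  { address: "not-an-address", family: "Conti", amountBtc: 1 },
];

const SAMPLE_INDEX = buildRansomwareIndex(SAMPLE_EXPORT);
console.log(lookupRansomwareFlag(SAMPLE_INDEX, "BC1QFAKERANSMWARETESTADDRXYZQ2U7D9"));
console.log(toBulkUpdates(SAMPLE_INDEX).length, "upserts");
```

Keeping the upsert keyed on the normalised address means a bc1 address typed in upper case in a ransom note and the same address seen in a transaction view resolve to one document, which is what lets the flag appear consistently across lookups, transaction pages and any other place the address is referenced.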

FAQ

Does a ransomware flag mean the address holder is a criminal?
Not necessarily. The database records payment destinations taken from ransom notes, but funds are also traced onward, so intermediate hops such as exchange deposit addresses or mixer outputs can end up flagged even though the service, not the attacker, controls them. Additionally, some addresses are flagged based on clustering heuristics that group addresses by presumed common ownership, and these heuristics can occasionally produce false positives. The flag indicates an association with ransomware activity, not a definitive legal judgment.
How comprehensive is the Ransomwhere database?
Ransomwhere captures a significant portion of known ransomware addresses, but it is not exhaustive. Many ransomware payments go unreported, especially by organizations that pay quietly to avoid publicity. Some ransomware operations have migrated to privacy-focused cryptocurrencies like Monero, which are much harder to track. The database is strongest for major, well-documented ransomware families and weaker for smaller or newer operations that have not yet been extensively analyzed.
Why do ransomware operators still use Bitcoin if it is traceable?
Bitcoin remains the dominant ransomware payment method because of its liquidity, widespread availability, and relative ease of acquisition by non-technical victims. While Bitcoin transactions are publicly visible on the blockchain, operators use mixing services, chain-hopping (converting to other cryptocurrencies), and sophisticated laundering techniques to obscure the money trail. Law enforcement has had notable successes tracing and seizing Bitcoin ransomware proceeds, which is driving some operators toward Monero, but Bitcoin's network effects keep it dominant.