Russia-linked cybercriminals raked in $400 million in cryptocurrency from ransomware attacks in 2021, Chainalysis says

  • Cybercriminals with Russian links accounted for 74% of revenue from ransomware attacks in 2021, Chainalysis said Monday.
  • The attacks brought in more than $400 million in cryptocurrency last year.

Cybercriminals with links to Russia have set the pace for ransomware attacks, accounting for nearly three-quarters of revenue from such online extortion hacks last year, Chainalysis said in a report Monday.

More than $400 million worth of cryptocurrency, or about 74% of ransomware revenue in 2021, went to entities "highly likely to be affiliated with Russia in some way," the blockchain analysis firm said in a blog post as part of its 2022 Crypto Crime Report preview.

The firm said it generally tied specific ransomware strains to Russian cybercriminals using one of three criteria, including the sharing of documents and announcements written in the Russian language. Connections to Evil Corp., a Russia-based cybercriminal organization, and attacks that avoided former Soviet countries also helped identify ransomware strains.

Following ransomware attacks, most of the extorted funds — roughly 13% — went to services primarily catering to Russian users, the company said, citing blockchain analysis alongside web-traffic data.

"That brings us to another point: A huge amount of cryptocurrency-based money laundering, not just of ransomware funds but of funds associated with other forms of cybercrime as well, goes through services with substantial operations in Russia," said Chainalysis.


Chainalysis said it's been tracking several dozen cryptocurrency businesses operating in Moscow City, the Russian capital's financial district. Collectively, the businesses receive hundreds of millions of dollars worth of cryptocurrency each quarter, hitting a peak of nearly $1.2 billion in the second quarter of 2021.

"In any given quarter, the illicit and risky addresses account for between 29% and 48% of all funds received by Moscow City cryptocurrency businesses," Chainalysis said, adding that between 2019 and 2021, the businesses have received about $700 million worth of cryptocurrency from illicit addresses.

There was "positive momentum" last year in cracking down on ransomware attacks, including the US government's seizure of more than $2 million from DarkSide, the Russia-linked hacking group that launched a cyberattack on Colonial Pipeline last year. The attack knocked out operations of the fuel pipeline system in the US, prompting Colonial to pay the ransom in bitcoin.