Users with infected computers in Russia and South Korea are the two biggest payers of ransom to the hackers who mounted a global ransomware attack, called "WannaCry", yesterday, according to new data from Chainalysis, a software provider that works with banks, law enforcement and bitcoin companies to analyze the blockchain for financial crimes.
All bitcoin transactions are permanently recorded on the blockchain and anyone can view them. Chainalysis crunches these transactions and assigns them to groups of "entities", which could be bitcoin exchanges, wallet providers or bitcoin miners. The company found that the hackers, who demanded that the ransom be sent to three bitcoin addresses, have so far received a total of nearly $23,000, with each payment converted to dollars at the time the transaction was made.
The two entities that sent the most money to the hackers were bitcoin exchanges serving the Russian and Korean markets. "If you look at infection rates, a lot is in Russia, so [the data] is completing this," says Jonathan Levin, a co-founder of Chainalysis. "Since we know that infections are also in Russia, I would say they are Russian users."
Analysis by the computer security company Kaspersky Lab showed that Russia had the highest number of infections, although South Korea does not appear among the top countries. Here is Chainalysis's list of where the ransom payments originated:
| Name of the counterparty | Counterparty category | Value in US dollars of bitcoins sent |
|---|---|---|
| CoinPayments.net | merchant services | $849.30 |
| Xapo.com | hosted wallet | $165.39 |
| Hashnest.com | mining pool | $20.88 |
| HaoBTC.com | mining pool | $7.21 |
| AlphaBay market | Tor market | $5.41 |
| ANXPro (Payout wallet) | Uncategorized | $2.07 |
| Silk market | Tor market | $1.85 |
There are some caveats to the data. Levin emphasizes that the payments attributed to "Tor markets", the term Chainalysis uses for darknet markets, are probably "noise" generated by the analysis and should be ignored. The low payment amounts also suggest that they are not connected to the ransomware. Each entity could use thousands of addresses, and it is up to Chainalysis to group them carefully. For example, Levin says that one exchange, Poloniex, uses 376,000 bitcoin addresses, all grouped by Chainalysis, allowing proper attribution.
Moreover, a payment coming from an exchange that serves Korean or Russian customers does not necessarily mean that the infected users are actually in Korea or Russia, although this is a reasonable inference. Finally, little is known about BTC-E, the exchange at the top of the list, except that its operators are anonymous, that it is one of the longest-running bitcoin exchanges, that it notoriously does not perform the identity checks regulated exchanges must carry out, and that it serves the ruble-bitcoin market.
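The grouping of addresses into entities and the pricing of each payment at transaction time, both described above, can be sketched as follows. This is an added example, not Chainalysis's method or code: it assumes the widely known common-input-ownership heuristic (addresses spent together as inputs of one transaction share an owner), and every address, label, amount and price in it is constructed.

```python
from collections import defaultdict

# Constructed sample data: all addresses, labels, amounts and prices are invented.
RANSOM_ADDRS = {"ransom1", "ransom2", "ransom3"}
LABELS = {"exA_hot": "Exchange A", "poolB_1": "Mining pool B"}  # known tagged addresses
# Each transaction: (input addresses, [(output address, BTC)], USD per BTC at tx time)
TXS = [
    (["exA_hot", "exA_2"], [("user1", 1.0)], 1700.0),   # links exA_2 to Exchange A
    (["exA_2", "exA_3"], [("ransom1", 0.17)], 1750.0),  # links exA_3 as well
    (["exA_3"], [("ransom2", 0.17)], 1800.0),
    (["poolB_1"], [("ransom3", 0.01)], 1800.0),
    (["lonely"], [("ransom1", 0.17)], 1760.0),          # no labelled address in cluster
]

def find(parent, addr):
    """Return the cluster root of addr (union-find with path halving)."""
    parent.setdefault(addr, addr)
    while parent[addr] != addr:
        parent[addr] = parent[parent[addr]]
        addr = parent[addr]
    return addr

def cluster(txs):
    """Merge all input addresses of each transaction into one cluster."""
    parent = {}
    for inputs, _, _ in txs:
        root = find(parent, inputs[0])
        for addr in inputs[1:]:
            parent[find(parent, addr)] = root
    return parent

def ransom_by_entity(txs, labels, ransom_addrs):
    """Sum USD sent to ransom addresses per sending entity."""
    parent = cluster(txs)
    # A cluster takes the name of any labelled address it contains.
    names = {find(parent, addr): name for addr, name in labels.items()}
    totals = defaultdict(float)
    for inputs, outputs, usd_rate in txs:
        entity = names.get(find(parent, inputs[0]), "Uncategorized")
        for addr, btc in outputs:
            if addr in ransom_addrs:
                totals[entity] += btc * usd_rate  # priced at transaction time
    return {name: round(usd, 2) for name, usd in totals.items()}
```

The result names the entity whose cluster funded a payment, which is why a total attributed to an exchange says where the coins came from rather than where the paying user is located.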