Category Archives: Analysis

New Blacklisted Bitcoin Address API

We’re proud to announce the availability of two new APIs:

Blacklisted Addresses (Reported Scams)
Public Sightings (Website Appearances)

Register for a key today!

Remain fully informed about a bitcoin address's involvement with reported scams and website appearances found by BitcoinWhosWho.com!

  • Know Your Customers
  • Manage Risk
  • Help Prevent Scams
  • Unique Forensic Analysis

http://bitcoinwhoswho.com/api

Blackmail Scam Run on Russian Wallet Matbea

BitcoinWhosWho.com started receiving reports of a mass email attempting to blackmail recipients out of bitcoin about a month ago. The hilariously worded text always closes with “sorry for misprints, I am foreign”. Rudimentary block exploring shows at least some of these scam addresses are being consolidated on the Russian wallet service Matbea.com.

Bitcoin Ransomware Addresses

List of Bitcoin Ransomware Addresses


Bitcoin Ransomware Links

Evolution of Encrypting Ransomware

Ransomware Notes

WannaCry Ransomware Extorts 39 Payments Worth 6.49 BTC – DAY 1

WannaCry Ransom Note
UPDATE: WannaCry Ransomware Attack up to 14.08007493 BTC on 92 payments as of 11:30am ET May 13. Balances more than doubled in 12 hours.

Today’s widely reported WannaCry ransomware attack is extensive and growing, and has already yielded ~USD$12k in profits according to a quick analysis of the BTC addresses involved. On May 12 the 3 bitcoin addresses known to be receiving extortion payments show receipt of 6.49372428 BTC in 39 separate transactions, with ransoms varying between .15 and .30 BTC each. None of the balances have been moved to new bitcoin addresses since receipt.

The WannaCry Ransomware Bitcoin Addresses

Even Bitcoin’s Richest Keep Getting Richer

Bitcoin’s richest address 3Nxwenay9Z8Lc9JBiywExpnEFiLp6Afp8v received 10,484 more BTC or about USD $8.2 million today.

The transaction originated from 73 multisig addresses. The final balance is now 135,439.82159613 BTC or USD $106.5 million (assuming a $786 exchange rate).

3Nxwenay9Z8Lc9JBiywExpnEFiLp6Afp8v is one of only 3 addresses with a balance of more than 100,000 BTC according to bitinfocharts.com. What happened to bitcoinrichlist?

Lost Forever 26.04 BTC Burned In 2016

Lost coins only make everyone else’s coins worth slightly more. Think of it as a donation to everyone.

– Satoshi Nakamoto

There will eventually be 21 million bitcoins mined; however, that will never be the true number in circulation. The distinction is important if you want to precisely measure bitcoin value and market capitalization, which is setting new records. Not all bitcoin addresses can be spent. The genesis block can never be spent. Likewise, any bitcoin sent to a “burn” address is also forever unspendable. A bitcoin burn address is like an impossible vanity address. There is no private key to a burn address and one would be impossible to generate. These are not merely ‘zombies’ but truly gone forever. How many bitcoins have been “burned” exactly?

Bitcoin Ransomware Attacks

This is a list of bitcoin ransomware attacks which I will be updating periodically as more become public.

Last Updated 11-June-2016

| Date | BTC Amount Paid (USD) | Target | City | Country | Virus Name | Source |
|---|---|---|---|---|---|---|
| 6/29/2016 | 500 | Sports Team | | USA | | vocativ.com |
| 6/7/2016 | 20,000 | University | Calgary, OT | CA | | cbc.ca |
| 4/25/2016 | NA | Utility | Lansing, MI | USA | | theregister.co.uk |
| 4/1/2016 | 750 | Fire Department | Snoqualmie, WA | USA | CryptoLocker “Locky” | eastofseattle.news |
| 3/1/2016 | Pending (4 BTC) | Hospital | Henderson, KY | USA | CryptoLocker “Locky” | livebitcoinnews.com |
| 3/1/2016 | Pending | Hospital | Baltimore, MD | USA | Samsam aka MSIL or Samas | baltimoresun.com |
| 2/1/2016 | 17000 | Hospital | Los Angeles, CA | USA | CryptoLocker “Locky” | wired.com |
| 2/1/2016 | 450 | Police Station | Melrose, MA | USA | | ibtimes.co.uk |
| 12/10/2015 | 500 | Retail Store | Calgary, OT | CA | | cbc.ca |
| 10/1/2015 | 572 | Sheriff Office | Dickson County, TN | USA | | bostonglobe.com |
| 4/1/2015 | 500 | Police Station | Tewksbury, MA | USA | KEYHolder | bostonglobe.com |
| 1/1/2015 | 500 | Police Station | Midlothian, IL | USA | | bostonglobe.com |
| 11/1/2013 | 750 | Police Station | Swansea, MA | USA | CryptoLocker “Locky” | bostonglobe.com |

From pymnts.com

In 2015, the FBI received roughly 2,453 complaints related to ransomware malware attacks, which amounted to $24.1 million in losses for victims

Related from The Merkle 11-June-2016
Cisco Ransomware Tool Can Now Decrypt All Versions of TeslaCrypt

The Ever Popular DeepBit Mining Pool Address

deepbit.net mining pool
Old DeepBit.net mining pool home
The bitcoin address of the long-defunct mining pool DeepBit [1VayNert3x1KzbpzMGt2qdqrAThiRovi8] is still somehow crazy popular. According to Blockchain.info’s “Popular Addresses” page, DeepBit holds the #8 overall ranking for most frequently used bitcoin address. But how can a defunct mining pool that hasn’t found a block since 2013, and has only 47 transactions since January 1, 2015, still hold the #8 overall popularity ranking based on number of transactions?

The most likely explanation has to do with the significance of DeepBit in the early days of bitcoin history.