Ransomware payments fell 35% in 2024, but attack frequency increased, revealing criminals’ strategic shift toward fragmented operations using blockchain infrastructure for money laundering.
Cross-chain bridges replaced traditional crypto mixers as the preferred laundering method after law enforcement crackdowns on Tornado Cash and other privacy-focused platforms.
Criminal groups now leverage leaked source code to create ransomware variants while storing funds in personal wallets, adopting risk-averse behaviors amid regulatory scrutiny.
The crypto-chain market remains at the heart of this criminal ecosystem. Ransomware operators are exploiting blockchain’s pseudonymity, global accessibility, and open programmability—making it the preferred financial infrastructure for cyber extortion.
Data shows that ransomware revenue dropped sharply by 35% in 2024. But is that really the full picture? Or have cybercriminal groups simply evolved—moving away from traditional encryption-based extortion methods and instead leveraging blockchain infrastructure to operate Ransomware-as-a-Service (RaaS) networks?
These groups are now obfuscating illicit funds through decentralized mixers and deploying new malware strains built from leaked source code.
The crypto-chain market remains at the heart of this criminal ecosystem. Ransomware operators are exploiting blockchain’s pseudonymity, global accessibility, and open programmability—making it the preferred financial infrastructure for cyber extortion.
RANSOMWARE PAYMENTS DOWN 35% YOY—CRYPTO-CHAIN MARKET FACES NEW THREAT VECTORS
According to data from Chainalysis, both 2022 and 2024 saw significant drops in ransomware payment volumes.
At first glance, this may appear to reflect the growing effectiveness of global efforts to combat ransomware. In 2022, the decline marked the first year-over-year drop in revenue, signaling initial progress in disrupting ransomware operations worldwide.
However, the 35% decrease in 2024 cannot be solely attributed to improved enforcement—it tells a more complex story beneath the surface.
Tools such as Monero, cross-chain bridges, and privacy-enhancing DeFi protocols are being used to move ransom payments in ways that are difficult to trace.
This article will uncover how ransomware is evolving in the Web3 era, and why blockchain continues to be both a battleground and a conduit for this growing threat.
Figure 1
Image Source: Chainalysis 2024 Crypto Crime Report
As shown in Figure 2, the number of ransomware attacks steadily increased from 2020 to 2022, marking a period of rapid expansion and maturation of the ransomware ecosystem. In 2023, there was a slight decline in attack volume, which appeared to validate the effectiveness of intensified enforcement efforts in 2022.
However, in 2024, the number of ransomware attacks actually rose again—despite a sharp drop in total payments—revealing a clear contradiction between attack frequency and ransom volume. This suggests that additional underlying factors are influencing the ransomware landscape.
Figure 2
Data Sources: Coveware & Arete IR, Unit 42 & Recorded Future
HOW THE CRYPTO-CHAIN MARKET IS SHAPING THE NEW DYNAMICS OF RANSOMWARE DECLINE
Although ransomware payments fell 35% in 2024, this trend is not simply a result of fewer attacks, it reflects deeper shifts in behavior, law enforcement, and infrastructure.
Crypto-Chain Market markets remain at the heart of this shift, and here are three key factors that are influencing ransomware attacks.
International law enforcement cooperation to combat criminal groups in the crypto-chain market
According to the BBC, global law enforcement agencies, including Europol, the FBI and the UK National Crime Agency (NCA), are increasingly adept at using on-chain analysis techniques to track illegal crypto transactions. In 2024, these efforts ultimately dismantled large ransomware groups such as LockBit.
More Victims Refuse to Pay—Challenging the Crypto-Based Extortion Model
More victims are refusing to pay ransoms – challenging the cryptocurrency-based extortion modelOrganizations are starting to refuse to pay ransoms, fundamentally undermining the economic model that ransomware groups rely on.
According to a new report from Coveware, the payment rate among ransomware victims has dropped to just 29%, the lowest level ever.
There are many factors contributing to this trend: the introduction of mandatory ransomware payment reporting requirements in jurisdictions such as the United States has increased regulatory pressure, while cyber insurers and security consultants have encouraged the refusal to pay as a best practice.
As ransom payments have declined, the total transaction volume of the crypto-chain market has also declined, especially in ransom demands triggered by smart contracts and transactions based on privacy coins.
Leaked Code Fuels Variant Explosion on the Crypto-Chain Market
According to the Chainalysis 2025 Crypto Crime Report , the massive surge in ransomware variants in 2024 can be directly attributed to public leaks of source code from groups such as Conti, Babuk, and LockBit.
These leaks have enabled less sophisticated independent operators or smaller groups to quickly create new ransomware variants using recycled or modified code bases.
They have effectively obscured the flow of ransom payments using privacy coins such as Monero, cross-chain bridges, and DeFi-based mixers, making it increasingly difficult for law enforcement agencies to track funds in the Crypto-Chain Market.
.
While the average ransom demands of these smaller groups tend to be lower, the number of new variants and attacks continues to grow.
COLLAPSE AND MUTATION: HOW RANSOMWARE TRENDS ARE RESHAPING THE CRYPTO-CHAIN MARKET
Akira’s Rise and the Fall of Centralized Ransomware Giants
From January to June 2024, ransomware activity saw a dramatic shift. Among the top ten strains by ransom payments, Akira stood out as the only family to show positive HoH growth (+12%), signaling a strategic expansion while others receded.
In contrast, former powerhouses LockBit and ALPHV/BlackCat suffered near-total collapses—driven by international law enforcement operations and internal disbandment.
Image Source: Chainalysis 2024 Crypto Crime Report
Mid-sized groups such as Play, Underground Team, and Blacksuit also saw sharp declines of 60% to 90%, reflecting sustained external pressure. This mass downturn has left a temporary power vacuum and marked a turning point in the ransomware economy.
Fragmentation and Low-Value Attacks Dominate the Crypto-Chain Market Landscape
The data points to a structural transformation: ransomware is becoming less centralized and more fragmented, with smaller actors launching frequent, low-value attacks.
These groups rely heavily on the Crypto-Chain Market to carry out transactions—utilizing privacy coins, cross-chain bridges, and decentralized mixers to anonymize and move ransom funds.
Although total payment volume is down, the number of microtransactions flowing through blockchain ecosystems is rising, making enforcement more difficult. This evolution challenges traditional security frameworks and demands more sophisticated monitoring tools across the crypto infrastructure.
HOW RANSOMWARE CRIME GROUPS CASH OUT ILLEGAL FUNDS IN CRYPTO-CHAIN MARKET
Crypto-Chain Market play a central role in ransomware crimes, especially in how to launder illegal funds after successful attacks. According to Chainalysis, TRM Labs and CryptoQuant, three key money laundering trends have emerged in 2024.
Cross-chain bridges replace mixers in the Crypto-Chain Market
In the past few years, crypto mixers like Tornado Cash and ChipMixer have been the preferred tools for hiding ransomware funds in the Crypto-Chain Market often handling up to 15% of money laundering traffic.
But by 2024, with the removal of Sinbad and the sanctions on Tornado Cash, ransomware groups began to use cross-chain bridges, a technology that allows assets to be transferred between blockchains, which greatly reduces traceability.
Image Source: Chainalysis 2024 Crypto Crime Report
The dominance of centralized exchanges (CEX) and the rise of cross-chain bridges in the Crypto-Chain Market
According to the figure, centralized exchanges (CEX) remain the main outflow channel, continuing to account for 40% to 60% of the total ransomware outflow. However, a significant change occurred in the second half of 2024: the use of cross-chain bridges rose sharply, especially after September.
This reflects a clear market shift towards mixers and exchanges without KYC protocols – both of which have fallen sharply after multiple law enforcement crackdowns, including Germany’s seizure of 47 Russian-language platforms without KYC protocols.
New Risk-Averse Behaviors Reshape the Crypto-Chain Market Landscape
Ransomware attackers are increasingly storing funds in personal wallets, indicating that they are increasingly reluctant to cash out amid increasing regulatory scrutiny.
This cautious “wait-and-see” behavior shows that threat actors have increased their awareness of operational risks.
In addition, attackers still use sanctioned persons in the minority, which also shows that attackers deliberately avoid high-risk targets. The above-mentioned current criminal psychology is more conservative and cautious, which is completely different from before 2022.
CRYPTO-CHAIN MARKET AT A CROSSROADS IN THE AGE OF RANSOMWARE
A 35% decline in ransomware payments in 2024 may seem optimistic.
However, behind this decline lies a rapid evolution shaped by crypto market dynamics. While increased law enforcement and victim network resilience have undoubtedly played a role, the reality is more nuanced: ransomware actors are adapting.
The rise of ransomware as a service (RaaS), the use of cross-chain bridges, and the growing popularity of privacy coins and personal wallets all indicate a strategic shift away from visibility and traceability.
Crypto-Chain Market remain at the heart of this shift, no longer just a payment conduit, but an ecosystem that enables money laundering, obfuscation, and persistence.
〈Ransomware on the Rise: Is the Crypto-Chain Market Enabling the Next Wave of Cybercrime?〉這篇文章最早發佈於《CoinRank》。
