Skill

analyzing-ransomware-payment-wallets

Traces ransomware cryptocurrency payments using Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies wallet clusters, tracks funds through mixers/exchanges for forensics and attribution.

Python

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- An organization has been hit by ransomware and the ransom note contains a Bitcoin or cryptocurrency wallet address that needs investigation

Supporting Assets

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Analyzing Ransomware Payment Wallets

When to Use

An organization has been hit by ransomware and the ransom note contains a Bitcoin or cryptocurrency wallet address that needs investigation
Law enforcement or incident responders need to trace where ransom payments flowed after the victim paid
Threat intelligence analysts are attributing ransomware campaigns by clustering payment infrastructure across incidents
Investigators need to determine if a ransomware group is reusing wallet infrastructure across multiple victims
Compliance or legal teams need evidence of fund flows for prosecution, sanctions enforcement, or insurance claims

Do not use this skill for live payment interception or to interact directly with ransomware operators. All analysis should be passive and read-only against public blockchain data.

Prerequisites

Python 3.8+ with requests, json, and hashlib libraries
Access to blockchain explorer APIs (blockchain.com, WalletExplorer.com, Blockstream.info)
Familiarity with Bitcoin transaction model (UTXOs, inputs, outputs, change addresses)
Understanding of common obfuscation techniques (mixers, tumblers, peel chains, cross-chain swaps)
Optional: Chainalysis Reactor license for enterprise-grade cluster analysis
Optional: OXT.me for advanced transaction graph visualization

Workflow

Step 1: Extract Wallet Address from Ransom Note

Parse the ransom note to identify the payment address(es):

Common address formats:
  Bitcoin (P2PKH):   1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa  (starts with 1)
  Bitcoin (P2SH):    3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy  (starts with 3)
  Bitcoin (Bech32):  bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq (starts with bc1)
  Monero:            4... (95 characters, much harder to trace)
  Ethereum:          0x... (40 hex chars)

Step 2: Query Blockchain Explorer for Transaction History

Retrieve all transactions associated with the wallet:

import requests

def get_wallet_transactions(address):
    """Query blockchain.com API for address transactions."""
    url = f"https://blockchain.info/rawaddr/{address}"
    resp = requests.get(url, timeout=30)
    resp.raise_for_status()
    data = resp.json()
    return {
        "address": address,
        "n_tx": data.get("n_tx", 0),
        "total_received_satoshi": data.get("total_received", 0),
        "total_sent_satoshi": data.get("total_sent", 0),
        "final_balance_satoshi": data.get("final_balance", 0),
        "transactions": data.get("txs", []),
    }

Step 3: Map Fund Flow and Identify Clusters

Trace outputs from the ransom wallet to downstream addresses:

Fund Flow Analysis:
━━━━━━━━━━━━━━━━━━
Victim Payment ──► Ransom Wallet ──► Consolidation Wallet
                                  ├─► Mixer/Tumbler Service
                                  ├─► Exchange Deposit Address
                                  └─► Peel Chain (sequential small outputs)

Key indicators:
  - Consolidation: Multiple ransom payments aggregated into one wallet
  - Peel chains: Sequential transactions with diminishing outputs
  - Mixer usage: Funds sent to known mixer addresses (Wasabi, Samourai, ChipMixer)
  - Exchange cashout: Deposits to known exchange wallets (Binance, Kraken hot wallets)

Step 4: Cross-Reference with Known Wallet Databases

Check addresses against known ransomware infrastructure:

# Check WalletExplorer for entity identification
def check_wallet_explorer(address):
    url = f"https://www.walletexplorer.com/api/1/address?address={address}&caller=research"
    resp = requests.get(url, timeout=30)
    data = resp.json()
    return {
        "wallet_id": data.get("wallet_id"),
        "label": data.get("label", "Unknown"),
        "is_exchange": data.get("is_exchange", False),
    }

Step 5: Generate Attribution Report

Compile findings into a structured intelligence report:

RANSOMWARE WALLET ANALYSIS REPORT
====================================
Ransom Address:      bc1q...xyz
Family Attribution:  LockBit 3.0 (based on ransom note format)
Total Received:      4.25 BTC ($178,500 at time of payment)
Total Sent:          4.25 BTC (wallet fully drained)
Number of Payments:  3 (likely 3 separate victims)

FUND FLOW:
  Payment 1: 1.5 BTC → Consolidation wallet → Binance deposit
  Payment 2: 1.0 BTC → Wasabi Mixer → Unknown
  Payment 3: 1.75 BTC → Peel chain (12 hops) → OKX deposit

CLUSTER ANALYSIS:
  Related wallets: 47 addresses identified in same cluster
  Total cluster volume: 156.3 BTC ($6.5M USD)
  First activity: 2024-01-15
  Last activity: 2024-09-22

Verification

Confirm wallet address format is valid before querying APIs
Cross-reference transaction timestamps with known incident timelines
Validate cluster associations by checking common-input-ownership heuristic
Compare findings against OFAC SDN list for sanctioned addresses
Verify exchange attribution against multiple sources (WalletExplorer, OXT, Chainalysis)

Key Concepts

Term	Definition
UTXO	Unspent Transaction Output; the fundamental unit of Bitcoin that tracks ownership through a chain of transactions
Cluster Analysis	Grouping multiple Bitcoin addresses believed to be controlled by the same entity using common-input-ownership and change-address heuristics
Peel Chain	A laundering pattern where funds are sent through many sequential transactions, each peeling off a small amount to a new address
CoinJoin/Mixer	Privacy techniques that combine multiple users' transactions to obscure the link between sender and receiver
Common Input Ownership	Heuristic that assumes all inputs to a single transaction are controlled by the same entity

Tools & Systems

Chainalysis Reactor: Enterprise blockchain investigation platform with entity attribution and cross-chain tracing
WalletExplorer: Free tool that clusters Bitcoin addresses and labels known services (exchanges, mixers, markets)
OXT.me: Advanced Bitcoin transaction visualization with UTXO graph analysis
Blockstream.info: Open-source Bitcoin block explorer with full API access
blockchain.com API: Free API for querying Bitcoin address balances and transaction histories
OFAC SDN List: U.S. Treasury sanctioned address list for compliance checking