In brief

  • For now, Chainalysis estimates $602 million in ransomware payments from 2021—less than for 2020.
  • But it expects the final number to rise substantially.

Chainalysis—a blockchain data firm—has found that value stolen through crypto ransomware attacks likely rose from 2020 to 2021—it just hasn't accounted for it all yet. 

According to a preview of the company's 2022 Crypto Crime Report, it's identified $602 million in ransomware payouts for 2021, compared to $692 million for 2020. However, it believes the 2021 figure to be an "underestimate" given that it has revised its initial 2020 estimate upward by nearly 50%.

"Anecdotal evidence, plus the fact that ransomware revenue in the first half of 2021 exceeded that of the first half of 2020, suggests to us that 2021 will eventually be revealed to have been an even bigger year for ransomware," the report states.

Ransomware is a type of malicious software that blocks access to computer files until the attacker’s requests are fulfilled. Hackers often ask for hundreds of thousands or millions of dollars in funds—typically paid in cryptocurrency so it doesn't have to go through traditional payment routes. There are various versions or types of ransomware, called “strains.”


According to Chainalysis, the Russian-based group Conti was easily the biggest ransomware strain last year in terms of revenue. Using a ransomware-as-a-service (RaaS) model, Conti operators extorted over $180 million from their victims.

DarkSide was also listed. It's the strain that perpetrated the infamous attack on the U.S. Colonial Pipeline, leading to fuel shortages in some areas. The company was forced to shell out $5 million in Bitcoin to the hackers at the time. Throughout the year, DarkSide seized at least $75 million in similar hacks.

Since cryptocurrency payments are peer-to-peer, hackers are continuing to abuse them as a method of escaping interruptions from third-party intermediaries. In traditional finance, banks and payment providers can not only reverse criminal transactions, but also easily identify those users and ban them from their platforms. 


Yet that doesn’t make Bitcoin a criminal paradise either. In fact, thanks to Bitcoin's public blockchain, the U.S. Justice Department was able to track and seize almost half of the money DarkSide stole from the pipeline. That’s why some ransomware attackers choose to use privacy-based coins such as Monero to facilitate these transactions instead.  

The number of active strains in 2021 rose to 140, up from 119 in 2020, and just 79 in 2019. The activity of most of these strains “comes and goes in waves”; Chainalysis identified Conti as the only strain that stayed active throughout the year.

Along with the number of strains, average ransomware payment size also increased in 2021, up to $118,000 from just $88,000 in 2020.
