Follow the money: Revealing risky nodes in a Ransomware-Bitcoin network

Abstract

This paper demonstrates the use of network analysis to identify core nodes associated with ransomware attacks in cryptocurrency transaction networks. The method helps trace the cyber entities involved in cryptocurrency attacks and supports intelligence efforts to identify and disrupt cryptocurrency networks. A data corpus is built by the unsupervised machine learning graph algorithm 'DeepWalk' [1]. DeepWalk evaluates the position of nodes within networks. It compares the relative position of different nodes (similarity) and identifies those whose removal would most affect the network (riskiness). This method helps identify on the blockchain the key nodes that are involved in the execution of a ransomware attack. When applied to the ransomware “cash out” graph, the method derived “riskiness” scores for specific nodes. Analysing the derived “riskiness” at a community level (groups of nodes in the network) provides an enhanced granularity for identifying and targeting influential nodes. Such insight could potentially support both intelligence and forensics investigations.