Quantifying cybercriminal bitcoin abuse

Research output: ThesisDissertation (TU Delft)

110 Downloads (Pure)


Cybercrime is negatively impacting everybody. In recent years cybercriminal activity has directly affected individuals, companies, governments and critical infrastructure. It has led to significant financial damage, impeded critical infrastructure and harmed human lives. Defending against cybercrime is difficult, as persistent actors perpetually hunt for soft spots in Internet-connected systems, which exist due to either lax vulnerability management or for convenience, complicating adequate detection and mitigation. Cybercriminal actors are financially motivated and for their doings and dealings they rely on Bitcoin. Alternatives exist, but Bitcoin has proven to be the most liquid digital currency, meaning it is easy to swap and to conceal illicit transactions. The magnitude of many cybercriminal activities is largely unknown. However Bitcoin runs on a blockchain - an open, dentralized ledger, allowing virtually everyone to analyze financial transactions, as opposed to traditional banking. Furthermore, contrary to popular belief Bitcoin is pseudonymous, not anonymous and several techniques exist to identify illicit activity. In this thesis, we illuminate three cybercriminal ecosystems that did not receive significant prior research attention: Bitcoin exchange heists, ransomware and single-vendor shops in the Dark Web. For each of these, we gather datasets from open sources. We first focus on the technical behavior and financial impact of attacks on Bitcoin exchange platforms. We also highlight the ransomware ecosystem, showing how it moved from small to large-scale attacks with similar financial impact. We further focus on how small shops in the Dark Web generate significant revenue with niche illicit activity. To understand the financial impact within each of these ecosystems, we analyze associated financial transactions. We also apply heuristics to discover additional Bitcoin addresses controlled by the same actor. We observe that cybercriminal actors successfully extract millions of funds from Bitcoin exchanges through relatively low-level attack vectors. When compared with traditional financial institutions, the lack of sophistication of attacks and the accompanying financial impact is unprecedented. In our analysis of ransomware, we observe attackers have shifted from attacking individual users resulting in relatively small ransom amounts to targeting large organizations with significant financial resources, resulting in multimillion ransom payments. We also find that with this shift, attackers have also improved their operational security in address usage and money laundering. For Dark Web shops, we found that this relatively uncharted territory of the Dark Web as compared to the bigger marketplaces specializes into niches such as sexual abuse material and various forms of financial crime. To allow for future research in this area, we introduce a methodology to estimate illicit revenue based on web scrape results and cluster these on category.
Original languageEnglish
Awarding Institution
  • Delft University of Technology
  • Lagendijk, R.L., Supervisor
  • Smaragdakis, G., Advisor
Award date6 Feb 2023
Publication statusPublished - 2023


  • Bitcoin
  • Cybercrime
  • Cybersecurity


Dive into the research topics of 'Quantifying cybercriminal bitcoin abuse'. Together they form a unique fingerprint.

Cite this