analyzing-ransomware-payment-wallets


Traces ransomware cryptocurrency payment flows using blockchain analysis tools such as Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies wallet clusters, tracks fund movement through mixers and exchanges, and supports law enforcement attribution. Activates for requests involving ransomware payment tracing, bitcoin wallet analysis, cryptocurrency forensics, or blockchain intelligence gathering.

Category: AI & Automation | 15,448 stars | 1,852 forks | Updated 1 week ago | License: Apache-2.0

Quality Score: 97/100

Score breakdown (component, weight, score):
- Stars (20%): 100
- Recency (20%): 90
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Analyzing Ransomware Payment Wallets

## When to Use

- An organization has been hit by ransomware and the ransom note contains a Bitcoin or cryptocurrency wallet address that needs investigation
- Law enforcement or incident responders need to trace where ransom payments flowed after the victim paid
- Threat intelligence analysts are attributing ransomware campaigns by clustering payment infrastructure across incidents
- Investigators need to determine if a ransomware group is reusing wallet infrastructure across multiple victims
- Compliance or legal teams need evidence of fund flows for prosecution, sanctions enforcement, or insurance claims

**Do not use** this skill for live payment interception or to interact directly with ransomware operators. All analysis should be passive and read-only against public blockchain data.

## Prerequisites

- Python 3.8+ with the `requests`, `json`, and `hashlib` libraries
- Access to blockchain explorer APIs (blockchain.com, WalletExplorer.com, Blockstream.info)
- Familiarity with the Bitcoin transaction model (UTXOs, inputs, outputs, change addresses)
- Understanding of common obfuscation techniques (mixers, tumblers, peel chains, cross-chain swaps)
- Optional: Chainalysis Reactor license for enterprise-grade cluster analysis
- Optional: OXT.me for advanced transaction graph visualization

## Workflow

### Step 1: Extract Wallet Address from Ransom Note

Parse the ransom note to identify the payment address(es):

```
Common address formats: ...
```

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
1 week ago
Language
Python
License
Apache-2.0
