{"id":28257,"date":"2026-02-26T07:45:02","date_gmt":"2026-02-26T12:45:02","guid":{"rendered":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/?p=28257"},"modified":"2026-03-04T10:05:51","modified_gmt":"2026-03-04T15:05:51","slug":"crypto-ransomware-2026","status":"publish","type":"post","link":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/crypto-ransomware-2026\/","title":{"rendered":"Total Ransomware Payments Stagnate  for Second Consecutive Year, While Attacks Escalate"},"content":{"rendered":"<h2>TL;DR<\/h2>\n<ul>\n<li aria-level=\"1\">Ransomware payments stagnated despite record attacks claimed. Total on-chain ransomware payments fell by approximately 8% to $820 million in 2025, even as claimed attacks rose 50%.<\/li>\n<li aria-level=\"1\">Median ransom payment size increased significantly. While aggregate revenue stagnated, the median ransom payment grew 368% year-over-year to nearly $60,000.<\/li>\n<li aria-level=\"1\">Initial Access Broker (IAB) activity can serve as a leading indicator; on-chain analysis indicates that spikes in IAB inflows typically precede increases in ransomware payments and victim leaks by roughly 30 days.<\/li>\n<li aria-level=\"1\">Criminal and state-linked actors share infrastructure. The infrastructure layer has converged, with financially-motivated cybercriminals and state-aligned actors using the same bulletproof hosting providers and residential proxy networks to evade detection.<\/li>\n<li aria-level=\"1\">Disruption efforts focused on the enablement layer. Law enforcement actions and sanctions, as well as private sector efforts, in 2025 increasingly targeted infrastructure services in addition to individual groups, aiming to disrupt the hosting and malware loading tools used across the ecosystem.<\/li>\n<\/ul>\n<div class=\"inline-promo-container\">\n\t\t\t<a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/reports\/crypto-crime-2026\/\" class=\"promo__text\">\n                <h2 class=\"promo__title\">The Chainalysis 2026 Crypto Crime Report<\/h2>\n                <p class=\"promo__subtitle\"><\/p>\n                <span class=\"promo__button\">Download now!<\/span>\n            <\/a><a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/reports\/crypto-crime-2026\/\" class=\"promo__image\"><img decoding=\"async\" src=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2025\/12\/in-line-blog-thumbnail-360x360.png\" alt=\"\" \/><\/a><\/div>\n<p>Ransomware today is best understood not as isolated attacks, but rather as an interconnected marketplace of access, infrastructure, and monetization services. In 2025, total on-chain payments remained relatively stagnant even as claimed attacks increased and median ransom sizes rose. At the same time, coordinated law enforcement actions and sanctions increasingly targeted the infrastructure layer \u2014\u00a0including bulletproof hosting providers \u2014 increasing costs across both cybercrime syndicates and state-linked actors.<\/p>\n<p>In 2025, ransomware actors received more than $820 million in on-chain payments \u2014 an 8% decline year-over-year (YoY) from $892 million, our updated 2024 estimate. The 2025 total is likely to approach or exceed $900 million as we attribute more events and payments, just as our 2024 total grew from our initial $813 million estimate this time last year.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-28304 size-large\" src=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-2-1500x1248.png\" alt=\"\" width=\"1500\" height=\"1248\" srcset=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-2-1500x1248.png 1500w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-2-800x665.png 800w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-2-150x125.png 150w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-2-1536x1278.png 1536w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-2-300x250.png 300w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-2-750x624.png 750w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-2-948x789.png 948w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-2-1200x998.png 1200w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-2-1024x852.png 1024w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-2.png 1920w\" sizes=\"auto, (max-width: 1500px) 100vw, 1500px\" \/><\/p>\n<p>Despite the relative stability in total payments, ransomware attacks surged across multiple vectors in 2025, with eCrime.ch data showing a 50% YoY increase in claimed ransomware victims, marking the most active year on record. Thanks to this dynamic, the share of ransoms paid potentially reached an all-time low this year at 28%.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-28307 size-large\" src=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-5-2-1500x1140.png\" alt=\"\" width=\"1500\" height=\"1140\" srcset=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-5-2-1500x1140.png 1500w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-5-2-800x608.png 800w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-5-2-150x114.png 150w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-5-2-1536x1167.png 1536w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-5-2-300x228.png 300w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-5-2-750x570.png 750w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-5-2-948x720.png 948w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-5-2-1200x912.png 1200w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-5-2-1024x778.png 1024w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-5-2.png 1920w\" sizes=\"auto, (max-width: 1500px) 100vw, 1500px\" \/><\/p>\n<p>This divergence \u2014 more claimed attacks, but fewer aggregate payments \u2014 reflects complex forces shaping the ransomware economy:<\/p>\n<ul>\n<li aria-level=\"1\">Improved incident response and increased regulatory scrutiny have helped reduce payout frequency.<\/li>\n<li aria-level=\"1\">Effective international action against ransomware operators, infrastructure, and <a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/2026-crypto-money-laundering\/\">laundering networks<\/a> has constrained some revenue flows.<\/li>\n<li aria-level=\"1\">In some cases, the introduction of strains like VolkLocker, <a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/thehackernews.com\/2025\/12\/volklocker-ransomware-exposed-by-hard.html\">notable<\/a> for a cryptographic weakness that allowed free decryption in some cases, illustrates how technical vetting by defenders can occasionally disrupt a ransomware strain.<\/li>\n<li aria-level=\"1\">Marked fragmentation of major ransomware-as-a-service (RaaS) operations and decreasing centralization in the ransomware market have led to a proliferation of smaller, independent ransomware actors, with some analyses tracking <a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/blog.checkpoint.com\/research\/the-state-of-ransomware-in-q3-2025\/\">as many as<\/a> 85 active extortion groups.<\/li>\n<\/ul>\n<p>The shift from a large handful of dominant strains to a more decentralized and volatile landscape has made attribution, response, and long-term tracking as important as ever. According to the founder of <a href=\"https:\/\/2.zoppoz.workers.dev:443\/http\/ecrime.ch\">eCrime.ch<\/a>, Corsin Camichel, \u201cWe&#8217;re seeing a structural shift in targeting: fewer large, headline-grabbing intrusions and more volume focused on small and medium enterprises. The assumption is simple \u2014 smaller victims pay faster. However, Chainalysis\u2019 data shows payments trending downward despite an all-time high in public claims. That divergence is important. It suggests attackers are working harder for diminishing returns.\u201d<\/p>\n<p>This overall trend is a major win against the ransomware ecosystem. Fewer victim payments mean more work for less for attackers, an important step in shifting the economic incentives.<\/p>\n<h2>Median ransom payments and shifting extortion tactics<\/h2>\n<p>While total payments flatlined, media n payment sizes increased significantly in 2025. In particular, the median payment increased 368%, from $12,738 in 2024 to $59,556 in 2025. This dynamic mirrors <a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.veeam.com\/company\/press-release\/coveware-by-veeam-reveals-q2-2025-ransomware-surge-social-engineering-and-data-exfiltration-drive-record-payouts.html\">reports<\/a> from incident response firms that median payouts more than doubled in certain quarters.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-28305 size-large\" src=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-2-1500x1279.png\" alt=\"\" width=\"1500\" height=\"1279\" srcset=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-2-1500x1279.png 1500w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-2-800x682.png 800w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-2-150x128.png 150w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-2-1536x1310.png 1536w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-2-300x256.png 300w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-2-750x639.png 750w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-2-948x808.png 948w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-2-1200x1023.png 1200w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-2-1024x873.png 1024w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-2.png 1920w\" sizes=\"auto, (max-width: 1500px) 100vw, 1500px\" \/><\/p>\n<h2>High-impact incidents shaped the ransomware landscape<\/h2>\n<p>Several widely publicized trends \u2013 from zero-day exploits to social engineering \u2013 made 2025 another devastating year for ransomware\u2019s global scale and impact:<\/p>\n<ul>\n<li aria-level=\"1\">One of 2025\u2019s most economically disruptive cyber events was the cyberattack on Jaguar Land Rover, which halted production lines across multiple countries and <a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.bbc.com\/news\/articles\/cy9pdld4y81o\">inflicted<\/a> an estimated \u00a31.9 billion (approximately $2.5 billion) in economic damage, the costliest cyber event in UK history.<\/li>\n<li aria-level=\"1\">Retail and services sectors also felt ransomware\u2019s impact. Major British multinational retailer Marks &amp; Spencer grappled with prolonged disruption after <a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.probablypwned.com\/article\/top-10-cyber-stories-2025-year-in-review\">a breach<\/a> by the Scattered Spider ransomware group forced extended operational outages and wiped hundreds of millions of pounds of market value.<\/li>\n<li aria-level=\"1\">Healthcare providers remained lucrative targets. For example, kidney dialysis company DaVita Inc. <a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.comparitech.com\/news\/worldwide-ransomware-roundup-2025-end-of-year-report\/\">experienced<\/a> one of the most serious healthcare ransomware breaches, resulting in the exposure of almost 2.7 million patient records and substantial loss of allegedly 1.5 TB of clinical data.<\/li>\n<\/ul>\n<p>Beyond individual companies, mass exploitation events continued to illustrate ransomware\u2019s reach. For example, Cl0p <a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/socradar.io\/blog\/top-10-ransomware-attacks-2025\/\">leveraged<\/a> a zero-day exploit in Oracle E-Business Suite to orchestrate widespread enterprise extortion campaigns that affected hundreds of organizations.<\/p>\n<p>Ransomware actors remain highly opportunistic. They do not consistently favor a specific sector at a given time of year. Instead, they exploit exposed services and misconfigurations as they arise, and capitalize on newly disclosed vulnerabilities.<\/p>\n<h2>Fingerprinting strains by financial behavior<\/h2>\n<p>By isolating the primary laundering channels for the top 10 ransomware strains of 2025, we can begin to &#8220;fingerprint&#8221; these groups based on their distinct on-chain signatures. While the malware they deploy may share code or builders, their exit strategies reveal unique operational preferences.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-28303 size-large\" src=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-1500x1343.png\" alt=\"\" width=\"1500\" height=\"1343\" srcset=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-1500x1343.png 1500w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-800x716.png 800w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-150x134.png 150w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-1536x1375.png 1536w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-300x269.png 300w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-750x671.png 750w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-948x849.png 948w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-1200x1074.png 1200w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-1024x917.png 1024w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy.png 1920w\" sizes=\"auto, (max-width: 1500px) 100vw, 1500px\" \/><\/p>\n<p>This divergence across strains allows investigators to distinguish between groups based not only on their attack, extortion, and negotiation TTPs, but also their on-chain behavior. We can also track ransomware actors who work with multiple strains based on their unique laundering patterns.<\/p>\n<h2>Leak site activity underscores geographic concentration<\/h2>\n<p>Analysis of leak site disclosures throughout 2025 shows continued disproportionate geographic concentration in developed economies. Data leak site-claimed ransomware incidents grew by 50% YoY \u2014 an all-time high.<\/p>\n<p>Among the countries for which there is a clear geographical tag, the United States remains the most heavily targeted jurisdiction, followed by Canada, Germany, the UK, and other parts of Europe. Manufacturing and finance\/professional services were the most heavily compromised in most of these jurisdictions, with Canada and Germany having a particularly high compromise rate within supply chains, logistics and critical infrastructure.<\/p>\n<p>One important caveat is that not all data leak site claims are legitimate. Furthermore, data leak site posts may mean that a party has been victimized, but not necessarily that they failed to pay. Incident response firm Arete told us, \u201cThis year, we saw several groups reposting old victims or posting victims from other groups\u2019 data leak sites, which skewed data leak site posting rates. However, we continue to see fewer victims making ransom payments as the adoption of security best practices improves, including better backups and the use of security technologies like endpoint detection and response, which disrupt threat groups before they can fully achieve their objectives.\u201d<\/p>\n<p>Arete elaborated that some threat groups responded to this decrease in payments by becoming more aggressive during negotiations, which has included contacting employees and even customers of victimized organizations. Other groups responded by focusing on data exfiltration and even analyzing exfiltrated data to identify what was stolen. By analyzing the exfiltrated data, the threat actors can make more specific threats about the consequences of data exposure.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-28317 size-large\" src=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-4-1500x815.png\" alt=\"\" width=\"1500\" height=\"815\" srcset=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-4-1500x815.png 1500w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-4-800x435.png 800w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-4-150x81.png 150w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-4-1536x834.png 1536w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-4-300x163.png 300w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-4-750x407.png 750w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-4-948x515.png 948w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-4-1200x652.png 1200w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-4-1024x556.png 1024w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-4.png 1920w\" sizes=\"auto, (max-width: 1500px) 100vw, 1500px\" \/><\/p>\n<p>Not only was the United States hit heavily across sectors; every sector saw increased targeting YoY. Claimed victims from critical infrastructure, supply chains and logistics, and government increased YoY by between 45% and 56%. In other words, the United States is the most targeted nation globally, and the rate of intrusions has increased significantly relative to 2024. Ransomware actors continue to view U.S.-based organizations as high-value and high-liquidity targets.<\/p>\n<h2>The ransomware supply chain: initial access brokers (IABs)<\/h2>\n<p>Ransomware does not occur in isolation, but rather is supported by a broader cybercrime supply chain, including Initial Access Brokers (IABs) and other specialized services. As their name suggests, IABs facilitate entry to compromised networks, enabling affiliates to deploy ransomware with relative ease.<\/p>\n<p>The size of this enablement ecosystem is increasing over time. In 2025, we estimate that IABs received at least $14 million in on-chain payments \u2014 roughly flat YoY, although we expect this total to grow as attributions improve. Although modest relative to ransomware totals, this figure represents a critical enabling function. Total ransomware payments of approximately $820 million in 2025 represent nearly 58 times the value flowing to IABs, suggesting a substantial return on investment within this segment of the cybercrime supply chain.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-28302 \" src=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-3-1500x1286.png\" alt=\"\" width=\"1500\" height=\"1286\" srcset=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-3-1500x1286.png 1500w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-3-800x686.png 800w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-3-150x129.png 150w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-3-1536x1317.png 1536w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-3-300x257.png 300w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-3-750x643.png 750w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-3-948x813.png 948w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-3-1200x1029.png 1200w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-3-1024x878.png 1024w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-3.png 1920w\" sizes=\"auto, (max-width: 1500px) 100vw, 1500px\" \/><\/p>\n<p>It is important to note that not all IAB payments are made by ransomware operators. IABs certainly trade and buy access among themselves and some malicious actors have TTPs and objectives other than ransomware. Another important caveat is that not all ransomware incidents can be traced to IABs \u2014 there are a number of different ways to gain access to victim networks. With those caveats in mind, we can draw a connection between criminal investments and the ransomware attacks that follow.<\/p>\n<p>Looking 30-days out from sizable IAB payment inflow events (days within 2025 in the top 25% of all days), we see a significant effect on both global ransomware payments and claimed US victims totals as measured by leak site posts. The chart below plots the cumulative abnormal returns relative to the average day in 2025, and shows an almost immediate and sizable growth in abnormal global ransomware payments (more payments than expected). And, after around a 10-day lull, a similar growth in leak site posts about US victims.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-28301 size-large\" src=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-2-1500x1209.png\" alt=\"\" width=\"1500\" height=\"1209\" srcset=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-2-1500x1209.png 1500w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-2-800x645.png 800w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-2-150x121.png 150w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-2-1536x1238.png 1536w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-2-300x242.png 300w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-2-750x605.png 750w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-2-948x764.png 948w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-2-1200x968.png 1200w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-2-1024x826.png 1024w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-3-copy-2.png 1920w\" sizes=\"auto, (max-width: 1500px) 100vw, 1500px\" \/><\/p>\n<p>Cybercrime prevention firm Darkweb IQ told us that, from Q1 2023 to Q1 2026, the average price for victim access declined from approximately $1,427 to $439. This drop reflects a market characterized by more competitive pressure and automation as the core shaping force. \u201cWe are seeing industrialized access pipelines, AI-assisted tooling, and a proliferation of infostealer logs that lower the barrier to entry, which has resulted in an oversupply of cheap but operationally constrained inventory that floods the market and depresses pricing. While average pricing has declined due to increased volume and automation, validated, high-privilege enterprise access (e.g., domain-level control) still commands premium pricing, indicating a bifurcated and still competitive market.\u201d<\/p>\n<figure id=\"attachment_28318\" aria-describedby=\"caption-attachment-28318\" style=\"width: 1500px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-28318 size-large\" src=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-copy-1500x724.png\" alt=\"\" width=\"1500\" height=\"724\" srcset=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-copy-1500x724.png 1500w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-copy-800x386.png 800w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-copy-150x72.png 150w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-copy-1536x742.png 1536w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-copy-300x145.png 300w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-copy-750x362.png 750w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-copy-948x458.png 948w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-copy-1200x579.png 1200w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-copy-1024x494.png 1024w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/r-charts-ccr-2026-4-copy.png 1920w\" sizes=\"auto, (max-width: 1500px) 100vw, 1500px\" \/><figcaption id=\"caption-attachment-28318\" class=\"wp-caption-text\">Source: Darkweb IQ<\/figcaption><\/figure>\n<table>\n<tbody>\n<tr>\n<td><b>Month<\/b><\/td>\n<td><b>Privately offered access (count)<\/b><\/td>\n<td><b>YoY change (as stated)<\/b><\/td>\n<td><b>MoM change<\/b><\/td>\n<\/tr>\n<tr>\n<td>2025-01<\/td>\n<td>646<\/td>\n<td>+114%<\/td>\n<td>\u2013<\/td>\n<\/tr>\n<tr>\n<td>2025-02<\/td>\n<td>614<\/td>\n<td>+117%<\/td>\n<td>-32<\/td>\n<\/tr>\n<tr>\n<td>2025-03<\/td>\n<td>621<\/td>\n<td>+201%<\/td>\n<td>+7<\/td>\n<\/tr>\n<tr>\n<td>2025-04<\/td>\n<td>739<\/td>\n<td>+278%<\/td>\n<td>+118<\/td>\n<\/tr>\n<tr>\n<td>2025-05<\/td>\n<td>725<\/td>\n<td>+87%<\/td>\n<td>-14<\/td>\n<\/tr>\n<tr>\n<td>2025-06<\/td>\n<td>1,127<\/td>\n<td>+154%<\/td>\n<td>+402<\/td>\n<\/tr>\n<tr>\n<td>2025-07<\/td>\n<td>1,019<\/td>\n<td>+48%<\/td>\n<td>-108<\/td>\n<\/tr>\n<tr>\n<td>2025-08<\/td>\n<td>860<\/td>\n<td>+41%<\/td>\n<td>-159<\/td>\n<\/tr>\n<tr>\n<td>2025-09<\/td>\n<td>715<\/td>\n<td>+1%<\/td>\n<td>-145<\/td>\n<\/tr>\n<tr>\n<td>2025-10<\/td>\n<td>706<\/td>\n<td>+37%<\/td>\n<td>-9<\/td>\n<\/tr>\n<tr>\n<td>2025-11<\/td>\n<td>460<\/td>\n<td>-35%<\/td>\n<td>-246<\/td>\n<\/tr>\n<tr>\n<td>2025-12<\/td>\n<td>641<\/td>\n<td>-76%<\/td>\n<td>+181<\/td>\n<\/tr>\n<tr>\n<td>2026-01<\/td>\n<td>675<\/td>\n<td>+4%<\/td>\n<td>+34<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><i>Growth in privately offered access YoY<\/i><\/p>\n<p><i>Source: Darkweb IQ<\/i><\/p>\n<p>We can also visualize these trends on-chain, as shown in the Reactor graph below. This example illustrates both the varying prices of access being purchased by ransomware strains over time and the fact that IABs are also frequently purchasing access from other IABs.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-28308 size-large\" src=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-1-1500x1327.png\" alt=\"\" width=\"1500\" height=\"1327\" srcset=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-1-1500x1327.png 1500w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-1-800x708.png 800w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-1-150x133.png 150w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-1-1536x1358.png 1536w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-1-300x265.png 300w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-1-750x663.png 750w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-1-948x838.png 948w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-1-1200x1061.png 1200w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-1-1024x906.png 1024w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-1.png 1920w\" sizes=\"auto, (max-width: 1500px) 100vw, 1500px\" \/><\/p>\n<p>Emerging tools and frameworks hint at a future where automation not only influences price, but also accelerates compromise and extortion cycles. For example, researchers documented ransomware groups <a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.axios.com\/2025\/07\/29\/ransomware-gang-ai-chatbot-negotiate\">experimenting<\/a> with AI-driven negotiation interfaces in mid-2025, mirroring developments in <a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/crypto-scams-2026\/\">the AI-enabled scam<\/a> ecosystem.<\/p>\n<h2>Infrastructure enables both criminal syndicates and state-linked threat actors<\/h2>\n<p>Ransomware infrastructure \u2014 including bulletproof hosting and residential proxy networks, and malware loaders\u2014 is not used exclusively by financially motivated criminal syndicates nor exclusively used for criminal aims. The same service-based ecosystem also supports state-linked threat actors conducting espionage, influence operations, and financially motivated campaigns.<\/p>\n<p>According to data leaked in 2025, Iran-linked cyber threat actors, including groups commonly tracked as <a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.crowdstrike.com\/en-us\/adversaries\/charming-kitten\/\">Charming Kitten<\/a>, the espionage and influence operations focused branch of Iran\u2019s Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization, continue to rely on commercially available hosting, proxy services, and compromised infrastructure to obscure attribution and blend into criminal traffic patterns. The increasing commoditization of access and anonymization services lowers the barrier between state and non-state cyber operations, allowing espionage campaigns to operate within the same technical substrate as ransomware affiliates.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-28309 size-large\" src=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-2-1500x1259.png\" alt=\"\" width=\"1500\" height=\"1259\" srcset=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-2-1500x1259.png 1500w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-2-800x672.png 800w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-2-150x126.png 150w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-2-1536x1290.png 1536w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-2-300x252.png 300w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-2-750x630.png 750w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-2-948x796.png 948w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-2-1200x1008.png 1200w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-2-1024x860.png 1024w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-2.png 1920w\" sizes=\"auto, (max-width: 1500px) 100vw, 1500px\" \/><\/p>\n<p>This blurring of lines is not unique to Iranian operations, as Russia- and China-linked actors similarly exploit these infrastructure layers to support both financial crime and state-sponsored objectives.<\/p>\n<ul>\n<li aria-level=\"1\">In 2025, authorities <a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/ofac-targets-russian-cybercrime-infrastructure-ransomware-november-2025\/\">sanctioned<\/a> Media Land, LLC,\u00a0 also known as Yalishanda, a Russia-based bulletproof hosting provider associated with cybercriminal services. Sanctions targeting infrastructure providers \u2014 rather than individual operators alone \u2014 reflect a growing recognition that hosting and routing layers are force multipliers for ransomware and state-backed campaigns alike.<\/li>\n<li aria-level=\"1\">Microsoft\u2019s <a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/blogs.microsoft.com\/on-the-issues\/2025\/05\/21\/microsoft-leads-global-action-against-favored-cybercrime-tool\/\">disruption<\/a> of the Russia-centric Lumma Stealer ecosystem further illustrates this convergence. While Lumma was widely used for credential theft in financially motivated campaigns, its infrastructure also enabled access brokering and downstream ransomware deployment. Targeting such tooling constrains both criminal monetization and state-aligned credential harvesting.<\/li>\n<li aria-level=\"1\">As discussed in greater detail below, researchers also highlighted the role of Chinese proxy providers operating multiple residential proxy brands \u2014 including ABCProxy and 360Proxy \u2014 which offer large-scale IP rotation and anonymization services. These networks can be used to evade detection, conduct reconnaissance, and facilitate intrusion activity across both cybercrime and state-linked operations.<\/li>\n<\/ul>\n<p>The overlap is significant: infrastructure providers can often advertise neutrality, serving any paying customer, although they may in some cases claim to ban CSAM. As a result, dismantling or sanctioning infrastructure nodes can generate cascading effects across ransomware affiliates, scammers, and state-aligned operators simultaneously.<\/p>\n<p>This convergence reinforces a core dynamic of the modern cyber threat landscape: infrastructure is the strategic center of gravity. Disrupting it raises costs across the entire ecosystem \u2014 from extortion-driven syndicates to geopolitically motivated threat actors.<\/p>\n<h2>Public and private sectors making strides in disrupting ransomware\u2019s enablement layers<\/h2>\n<p>In 2025, the fight against ransomware moved beyond targeting specific gangs to dismantling the shared services that power the broader cybercrime economy. \u201cLoyalty and brand names matter less than access, tooling, and negotiation capability. For defenders and policymakers, this creates a moving target \u2014 disruption of one group no longer guarantees meaningful ecosystem-wide impact. Increasingly, the most effective pressure points appear to be upstream: initial access brokers and the shared tooling relied on across actors, as recent coordinated law enforcement operations have demonstrated,\u201d says Camichel.<\/p>\n<p>In May 2025, international authorities <a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.europol.europa.eu\/media-press\/newsroom\/news\/operation-endgame-strikes-again-ransomware-kill-chain-broken-its-source\">expanded Operation Endgame<\/a>, a coordinated action involving Europol, the FBI, Germany\u2019s BKA, the UK\u2019s NCA, and other partners, targeting core malware loaders and ransomware infrastructure used by multiple criminal groups. The operation resulted in server seizures, arrests, and the disruption of several key malware families that functioned as entry points in some ransomware campaigns. These types of actions demonstrate that coordinated, cross-border disruption can materially degrade ransomware monetization pipelines while increasing operational friction and forcing actors to rebuild trusted tooling, hosting, and laundering relationships.<\/p>\n<p>Beyond malware delivery systems, authorities also intensified pressure on the hosting environments that sustain these operations. Continued sanctions and indictments chipped away at bulletproof hosting providers (BPH) and laundering services, highlighting how these infrastructure components themselves have become targets for disruption and increasing risk for cybercriminals seeking to monetize extortion. For example, OFAC sanctions in July against <a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/ofac-sanctions-aeza-group-bulletproof-hosting-crypto-payments-july-2025\/\">AEZA Group<\/a>, a BPH provider linked to high-volume abuse, demonstrated how crypto payments continue to flow through shielded infrastructure that facilitates ransomware and related attacks. Likewise, the sanctioning in February of <a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/ofac-sanctions-zservers-ransomware-attacks-lockbit-february-2025\/\">Zservers<\/a>, a provider associated with LockBit and other ransomware actors, underscored the degree to which infrastructure providers are embedded in ransomware monetization.<\/p>\n<p>In parallel with sanctions and infrastructure seizures, the private sector in 2025 also drove significant disruptions of large-scale proxy services underpinning both ransomware and adjacent cybercrime activity. One notable case involved IPIDEA, a China-based residential proxy service advertising millions of proxy endpoints available for rent in any given week. Google\u2019s blog on the takedown <a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/cloud.google.com\/blog\/topics\/threat-intelligence\/disrupting-largest-residential-proxy-network\">detailed<\/a> how the service facilitated botnets including Aisuru and Kimwolf, and how its infrastructure was leveraged by threat actors engaged in espionage and information operations alongside financially-motivated campaigns. Google\u2019s analysis found that several residential proxy brands shown below were controlled by the same actors behind IPIDEA reinforcing how a relatively small set of operators can service a wide range of illicit customers across the threat landscape.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-28310 size-large\" src=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-3-1500x1236.png\" alt=\"\" width=\"1500\" height=\"1236\" srcset=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-3-1500x1236.png 1500w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-3-800x659.png 800w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-3-150x124.png 150w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-3-1536x1266.png 1536w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-3-300x247.png 300w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-3-750x618.png 750w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-3-948x781.png 948w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-3-1200x989.png 1200w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-3-1024x844.png 1024w, https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ransomware-3.png 1920w\" sizes=\"auto, (max-width: 1500px) 100vw, 1500px\" \/><\/p>\n<p>On-chain data complement this technical analysis by revealing the financial interconnectedness of these services. Our analysis reveals shared consolidation wallets and deposit addresses at exchanges, suggesting overlapping ownership and coordinated fund flows. We also observed wallets connected with this network making deposits to a well-known cybercrime forum, and several proxy brands associated with this cluster maintained an advertising presence on multiple darknet markets, explicitly marketing services for anonymity and abuse.<\/p>\n<p>Ultimately, this infrastructure-centric approach could change the economic calculus for attackers. While these disruptions have not translated into a drastic reduction in attack volume, they have imposed operational costs and increased friction for threat actors, who are facing coordinated pressure from governments and the private sector alike.<\/p>\n<h2>Contraction in revenue, but expansion in harm<\/h2>\n<p>The ransomware narrative of 2025 cannot be told through revenue figures alone. While payments declined modestly, the scale, sophistication, and strategic impact of attacks continued to expand. Organizations large and small \u2014 from global automakers to regional healthcare systems \u2014 faced extortion that disrupted operations, eroded trust, and faced systemic costs that far exceeded on-chain ransom totals.<\/p>\n<p>In this context, the ransomware landscape in 2025 is best characterized by adaptation rather than retreat: extortion tactics continue to evolve, enabling actors to extract value and damage beyond traditional payment streams. For defenders and policymakers alike, this underscores a central truth of the modern ransomware era \u2014 effective response requires both robust defenses and strategic resilience to limit the total harm inflicted by these multifaceted threats.<\/p>\n<div class=\"inline-promo-container\">\n\t\t\t<a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/reports\/crypto-crime-2026\/\" class=\"promo__text\">\n                <h2 class=\"promo__title\">The Chainalysis 2026 Crypto Crime Report<\/h2>\n                <p class=\"promo__subtitle\"><\/p>\n                <span class=\"promo__button\">Download now!<\/span>\n            <\/a><a href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/reports\/crypto-crime-2026\/\" class=\"promo__image\"><img decoding=\"async\" src=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2025\/12\/in-line-blog-thumbnail-360x360.png\" alt=\"\" \/><\/a><\/div>\n<p><i>This website contains links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively \u201cChainalysis\u201d). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.\u00a0<\/i><\/p>\n<p><i>This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient\u2019s use of this material.<\/i><\/p>\n<p><i>Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.<\/i><\/p>\n","protected":false},"excerpt":{"rendered":"<p>TL;DR Ransomware payments stagnated despite record attacks claimed. Total on-chain ransomware payments fell by approximately 8% to $820 million in&hellip;<\/p>\n","protected":false},"author":75,"featured_media":28259,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[88],"tags":[1804,1896,1895,1894,159,183,245,102],"class_list":["post-28257","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-report","tag-2026-crypto-crime-report","tag-hosting","tag-iab","tag-initial-access-broker","tag-law-enforcement","tag-malware","tag-public-sector","tag-ransomware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/2.zoppoz.workers.dev:443\/https\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Crypto Ransomware: 2026 Crypto Crime Report<\/title>\n<meta name=\"description\" content=\"In 2025, total on-chain ransomware payments fell by approximately 8% to $820 million in 2025, even as claimed attacks rose 50%.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/crypto-ransomware-2026\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Crypto Ransomware: 2026 Crypto Crime Report\" \/>\n<meta property=\"og:description\" content=\"In 2025, total on-chain ransomware payments fell by approximately 8% to $820 million in 2025, even as claimed attacks rose 50%.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/crypto-ransomware-2026\/\" \/>\n<meta property=\"og:site_name\" content=\"Chainalysis\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-26T12:45:02+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-04T15:05:51+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ccr-2026-blog-ransomware.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1800\" \/>\n\t<meta property=\"og:image:height\" content=\"700\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Chainalysis Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@chainalysis\" \/>\n<meta name=\"twitter:site\" content=\"@chainalysis\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Chainalysis Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.chainalysis.com\\\/blog\\\/crypto-ransomware-2026\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.chainalysis.com\\\/blog\\\/crypto-ransomware-2026\\\/\"},\"author\":{\"name\":\"Chainalysis Team\",\"@id\":\"https:\\\/\\\/www.chainalysis.com\\\/#\\\/schema\\\/person\\\/4ed70fba9f5648f5455073859cb3d471\"},\"headline\":\"Total Ransomware Payments Stagnate for Second Consecutive Year, While Attacks Escalate\",\"datePublished\":\"2026-02-26T12:45:02+00:00\",\"dateModified\":\"2026-03-04T15:05:51+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.chainalysis.com\\\/blog\\\/crypto-ransomware-2026\\\/\"},\"wordCount\":2979,\"publisher\":{\"@id\":\"https:\\\/\\\/www.chainalysis.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.chainalysis.com\\\/blog\\\/crypto-ransomware-2026\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.chainalysis.com\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/ccr-2026-blog-ransomware.jpg\",\"keywords\":[\"2026 Crypto Crime Report\",\"Hosting\",\"IAB\",\"Initial Access Broker\",\"Law enforcement\",\"Malware\",\"Public Sector\",\"Ransomware\"],\"articleSection\":[\"Report\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.chainalysis.com\\\/blog\\\/crypto-ransomware-2026\\\/\",\"url\":\"https:\\\/\\\/www.chainalysis.com\\\/blog\\\/crypto-ransomware-2026\\\/\",\"name\":\"Crypto Ransomware: 2026 Crypto Crime Report\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.chainalysis.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.chainalysis.com\\\/blog\\\/crypto-ransomware-2026\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.chainalysis.com\\\/blog\\\/crypto-ransomware-2026\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.chainalysis.com\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/ccr-2026-blog-ransomware.jpg\",\"datePublished\":\"2026-02-26T12:45:02+00:00\",\"dateModified\":\"2026-03-04T15:05:51+00:00\",\"description\":\"In 2025, total on-chain ransomware payments fell by approximately 8% to $820 million in 2025, even as claimed attacks rose 50%.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.chainalysis.com\\\/blog\\\/crypto-ransomware-2026\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.chainalysis.com\\\/blog\\\/crypto-ransomware-2026\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.chainalysis.com\\\/blog\\\/crypto-ransomware-2026\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.chainalysis.com\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/ccr-2026-blog-ransomware.jpg\",\"contentUrl\":\"https:\\\/\\\/www.chainalysis.com\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/ccr-2026-blog-ransomware.jpg\",\"width\":1800,\"height\":700},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.chainalysis.com\\\/blog\\\/crypto-ransomware-2026\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.chainalysis.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Total Ransomware Payments Stagnate for Second Consecutive Year, While Attacks Escalate\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.chainalysis.com\\\/#website\",\"url\":\"https:\\\/\\\/www.chainalysis.com\\\/\",\"name\":\"Chainalysis\",\"description\":\"The Blockchain Data Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.chainalysis.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.chainalysis.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.chainalysis.com\\\/#organization\",\"name\":\"Chainalysis\",\"url\":\"https:\\\/\\\/www.chainalysis.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.chainalysis.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.chainalysis.com\\\/wp-content\\\/uploads\\\/2022\\\/08\\\/chainalysis-social-share.png\",\"contentUrl\":\"https:\\\/\\\/www.chainalysis.com\\\/wp-content\\\/uploads\\\/2022\\\/08\\\/chainalysis-social-share.png\",\"width\":2400,\"height\":1260,\"caption\":\"Chainalysis\"},\"image\":{\"@id\":\"https:\\\/\\\/www.chainalysis.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/chainalysis\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/chainalysis\",\"https:\\\/\\\/www.youtube.com\\\/c\\\/Chainalysis\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.chainalysis.com\\\/#\\\/schema\\\/person\\\/4ed70fba9f5648f5455073859cb3d471\",\"name\":\"Chainalysis Team\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Crypto Ransomware: 2026 Crypto Crime Report","description":"In 2025, total on-chain ransomware payments fell by approximately 8% to $820 million in 2025, even as claimed attacks rose 50%.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/crypto-ransomware-2026\/","og_locale":"en_US","og_type":"article","og_title":"Crypto Ransomware: 2026 Crypto Crime Report","og_description":"In 2025, total on-chain ransomware payments fell by approximately 8% to $820 million in 2025, even as claimed attacks rose 50%.","og_url":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/crypto-ransomware-2026\/","og_site_name":"Chainalysis","article_published_time":"2026-02-26T12:45:02+00:00","article_modified_time":"2026-03-04T15:05:51+00:00","og_image":[{"width":1800,"height":700,"url":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ccr-2026-blog-ransomware.jpg","type":"image\/jpeg"}],"author":"Chainalysis Team","twitter_card":"summary_large_image","twitter_creator":"@chainalysis","twitter_site":"@chainalysis","twitter_misc":{"Written by":"Chainalysis Team","Est. reading time":"16 minutes"},"schema":{"@context":"https:\/\/2.zoppoz.workers.dev:443\/https\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/crypto-ransomware-2026\/#article","isPartOf":{"@id":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/crypto-ransomware-2026\/"},"author":{"name":"Chainalysis Team","@id":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/#\/schema\/person\/4ed70fba9f5648f5455073859cb3d471"},"headline":"Total Ransomware Payments Stagnate for Second Consecutive Year, While Attacks Escalate","datePublished":"2026-02-26T12:45:02+00:00","dateModified":"2026-03-04T15:05:51+00:00","mainEntityOfPage":{"@id":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/crypto-ransomware-2026\/"},"wordCount":2979,"publisher":{"@id":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/#organization"},"image":{"@id":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/crypto-ransomware-2026\/#primaryimage"},"thumbnailUrl":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ccr-2026-blog-ransomware.jpg","keywords":["2026 Crypto Crime Report","Hosting","IAB","Initial Access Broker","Law enforcement","Malware","Public Sector","Ransomware"],"articleSection":["Report"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/crypto-ransomware-2026\/","url":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/crypto-ransomware-2026\/","name":"Crypto Ransomware: 2026 Crypto Crime Report","isPartOf":{"@id":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/crypto-ransomware-2026\/#primaryimage"},"image":{"@id":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/crypto-ransomware-2026\/#primaryimage"},"thumbnailUrl":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ccr-2026-blog-ransomware.jpg","datePublished":"2026-02-26T12:45:02+00:00","dateModified":"2026-03-04T15:05:51+00:00","description":"In 2025, total on-chain ransomware payments fell by approximately 8% to $820 million in 2025, even as claimed attacks rose 50%.","breadcrumb":{"@id":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/crypto-ransomware-2026\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/crypto-ransomware-2026\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/crypto-ransomware-2026\/#primaryimage","url":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ccr-2026-blog-ransomware.jpg","contentUrl":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2026\/02\/ccr-2026-blog-ransomware.jpg","width":1800,"height":700},{"@type":"BreadcrumbList","@id":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/blog\/crypto-ransomware-2026\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/"},{"@type":"ListItem","position":2,"name":"Total Ransomware Payments Stagnate for Second Consecutive Year, While Attacks Escalate"}]},{"@type":"WebSite","@id":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/#website","url":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/","name":"Chainalysis","description":"The Blockchain Data Platform","publisher":{"@id":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/#organization","name":"Chainalysis","url":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/#\/schema\/logo\/image\/","url":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2022\/08\/chainalysis-social-share.png","contentUrl":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-content\/uploads\/2022\/08\/chainalysis-social-share.png","width":2400,"height":1260,"caption":"Chainalysis"},"image":{"@id":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/2.zoppoz.workers.dev:443\/https\/x.com\/chainalysis","https:\/\/2.zoppoz.workers.dev:443\/https\/www.linkedin.com\/company\/chainalysis","https:\/\/2.zoppoz.workers.dev:443\/https\/www.youtube.com\/c\/Chainalysis"]},{"@type":"Person","@id":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/#\/schema\/person\/4ed70fba9f5648f5455073859cb3d471","name":"Chainalysis Team"}]}},"_links":{"self":[{"href":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-json\/wp\/v2\/posts\/28257","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-json\/wp\/v2\/users\/75"}],"replies":[{"embeddable":true,"href":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-json\/wp\/v2\/comments?post=28257"}],"version-history":[{"count":0,"href":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-json\/wp\/v2\/posts\/28257\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-json\/wp\/v2\/media\/28259"}],"wp:attachment":[{"href":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-json\/wp\/v2\/media?parent=28257"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-json\/wp\/v2\/categories?post=28257"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/2.zoppoz.workers.dev:443\/https\/www.chainalysis.com\/wp-json\/wp\/v2\/tags?post=28257"}],"curies":[{"name":"wp","href":"https:\/\/2.zoppoz.workers.dev:443\/https\/api.w.org\/{rel}","templated":true}]}}