Macquarie University

Addressing The Intelligence Applications of Bitcoin Payments Related to Ransomware

posted on 2023-08-08, 01:06 authored by Adam Brian Turner

This thesis addresses the evolving threat of the use of cryptocurrency in ransomware attacks. These attacks are a form of cyber extortion in which malicious software (malware) is used to infect, encrypt, and render systems unusable unless the victims pay a ransom. Such attacks can cripple the capabilities of business-critical systems as well as critical infrastructure. Increasingly, ransom payments are being demanded in hard-to-trace cryptocurrency formats such as Bitcoin.

This thesis by publication, comprising four published research papers, a published conference proceeding paper, and two research papers submitted for journal publication, demonstrates the utility of taking a target-centric approach to intelligence collection and analysis of a ransomware-cryptocurrency network. Utilising graph analysis techniques applied to data gathered from the Bitcoin blockchain, this research addresses challenges security researchers face in preventing the propagation of ransomware payments throughout cryptocurrency networks as well as determining the accountability of such payments.

The first paper provides a general perspective on analysis techniques relating to illicit Bitcoin transactions and ransomware incidents, and the second paper develops a target-centric intelligence approach to a specific Bitcoin ransomware incident (WannaCry 2.0). The third study explores the possibility of using a common sharing standard such as STIX to share ransomware payment related cyber intelligence, while the fourth paper discerns Bitcoin payment patterns from well-known ransomware attacks (WannaCry, CryptoDefense, and NotPetya). The fifth paper examines graph embeddings in more detail to reveal risky nodes in a ransomware-Bitcoin network, and the sixth paper develops a novel methodology to systematically identify ransomware transactions within cryptocurrency payment networks.

By undertaking target network modelling and analysis, this research provides a basis for analysing payment patterns generated by ransomware-Bitcoin transactions as a graph. Furthermore, to enhance the understanding of the ransomware-Bitcoin environment and any points of vulnerability, blockchain data collection is used to populate the target network model. This allows for the development of a knowledge graph for understanding the relationship between data assets in the ransomware-Bitcoin payment network and provides context to the machine learning systems used in this research.


Australian Government Research Training Program (RTP) Scholarship


Table of Contents

Chapter 1. Introduction -- Chapter 2. Analysis Techniques for Illicit Bitcoin Transactions -- Chapter 3. A Target-Centric Intelligence Approach to WannaCry 2.0 -- Chapter 4. Ransomware-Bitcoin Threat Intelligence Sharing Using Structured Threat Information Expression (STIX) -- Chapter 5. Discerning Payment Patterns in Bitcoin from Ransomware Attacks -- Chapter 6. Follow the Money: Revealing Risky Nodes in a Ransomware-Bitcoin Network -- Chapter 7. Classifying Ransomware-Bitcoin Nodes Using Graph Embeddings -- Chapter 8. Conclusion -- Appendices -- References


Thesis by publication

Additional Supervisor 3: Muhammad Ikram

Awarding Institution

Macquarie University

Degree Type

Thesis PhD

Department, Centre or School

Department of Security Studies and Criminology

Year of Award


Principal Supervisor

Alex Simpson

Additional Supervisor 1

Allon Uhlmann

Additional Supervisor 2

Stephen McCombie


Copyright: The Author




310 pages
