Cybercrime Bitcoin Revenue Estimations: Quantifying the Impact of Methodology and Coverage

TL;DR

This paper systematically analyzes Bitcoin revenue estimation methods for cybercrime, revealing that some methodologies overestimate revenue and coverage gaps significantly affect estimates, demonstrated through a case study on DeadBolt ransomware.

Contribution

It introduces a tool to replicate estimation methodologies, quantifies their biases, and proposes techniques for high coverage, especially for DeadBolt ransomware, improving revenue estimates.

Findings

Some methodologies overestimate revenue significantly.

Popular address clustering misses 40% of cybercriminal groups.

Enhanced coverage estimates DeadBolt ransomware revenue at $2.47M.

Abstract

Multiple works have leveraged the public Bitcoin ledger to estimate the revenue cybercriminals obtain from their victims. Estimations focusing on the same target often do not agree, due to the use of different methodologies, seed addresses, and time periods. These factors make it challenging to understand the impact of their methodological differences. Furthermore, they underestimate the revenue due to the (lack of) coverage on the target's payment addresses, but how large this impact remains unknown. In this work, we perform the first systematic analysis on the estimation of cybercrime bitcoin revenue. We implement a tool that can replicate the different estimation methodologies. Using our tool we can quantify, in a controlled setting, the impact of the different methodology steps. In contrast to what is widely believed, we show that the revenue is not always underestimated. There exist methodologies that can introduce huge overestimation. We collect 30,424 payment addresses and use them to compare the financial impact of 6 cybercrimes (ransomware, clippers, sextortion, Ponzi schemes, giveaway scams, exchange scams) and of 141 cybercriminal groups. We observe that the popular multi-input clustering fails to discover addresses for 40% of groups. We quantify, for the first time, the impact of the (lack of) coverage on the estimation. For this, we propose two techniques to achieve high coverage, possibly nearly complete, on the DeadBolt server ransomware. Our expanded coverage enables estimating DeadBolt's revenue at $2.47M, 39 times higher than the estimation using two popular Internet scan engines.