The crypto crash is bad news for ransomware criminals

As the price of bitcoin and other crypto tokens has tumbled, even criminals have felt the pinch.

A stock photo of a man in shadow sitting at a table staring at several computer monitors displaying blurred-out information

The number of ransomware attacks fell 20% sequentially in the second quarter.

Photo: Eclipse Images via Getty Images

The crypto crash, which has wiped out about $2 trillion in value and upended a once-fast-growing industry, has an unexpected twist: Even criminals are feeling the pinch.

Ransomware attacks have dropped sharply this year as perpetrators grapple with an economic downturn, the Ukraine war and the dramatic plunge in the prices of cryptocurrencies they’ve been routinely using to commit crimes.

“There is never any single reason why anything happens in cybersecurity [but] in this case, the thought that volatility in the crypto markets is a contributor to the drop in ransomware attacks makes sense,” said James Lee, chief operating officer of the Identity Theft Resource Center.

The number of ransomware attacks fell 20% sequentially in the second quarter, the first quarter-on-quarter drop since the ITRC began tracking ransomware attacks in 2018, the nonprofit organization said.

It’s not just the drop in the value of crypto. Enforcement efforts are having some impact, according to SonicWall, which recorded 236 million ransomware attempts globally in the first half of 2022. That’s down 23% year-over-year. On top of falling prices, “increased government and law-enforcement focus impacted both who cybercriminals chose to attack and how well they were capable of carrying out those attacks,” SonicWall said.

Ransomware had become such a big problem that the Biden administration last year urged U.S. businesses to focus more on securing their networks. Crypto’s rise has made curbing the attacks more challenging. Lee said that, since 2018, cryptocurrencies have been “the preferred method of monetizing ransomware attacks because of the difficulty in clawing back funds and the — up to recently — ever-increasing value of the coins.”

Last year, the Justice Department recovered $2.3 million in bitcoin ransom paid to DarkSide, the criminal group that hacked Colonial Pipeline. The DOJ subsequently announced the creation of a crypto enforcement team to go after criminal actors using cryptocurrencies.

Besides the drop in attacks, there are other signs of declining interest in laundering ransomware proceeds through crypto networks. Kenneth Goodwin, director of regulatory and institutional affairs at Blockchain Intelligence Group, said the crypto compliance and forensics company has recorded a decline in mixers typically used to obfuscate blockchain transactions, especially in illicit transactions.

It’s important to note that accumulating cryptocurrency itself is “not the end goal” of ransomware perpetrators, said Mark Manglicmot, senior vice president of security services at Arctic Wolf. After the victim pays the ransom, the criminals typically seek to convert it to fiat.

That becomes trickier “with fewer outlets for disposing of cryptocurrencies due to bankruptcies and reduction in crypto value,” Lee said. “It makes sense cybercriminals would look for other ways to make money that involve less risk.”

Price volatility clearly poses a problem for ransomware criminals, said Alma Angotti, a partner at Guidehouse. “They could just ask for more bitcoin, right?” she told Protocol. “They could just ask for 20 bitcoin instead of 10 or whatever. But if the price is gonna drop even further after they get it, that's probably a factor.”

The crypto slump is definitely not the only factor, Angotti said.

Many companies have also balked at paying up in ransomware attacks “because their insurance companies may not cover it,” she said, or they could get charged for violating the law.

“You could now also be hit with a sanctions violation besides having the money that you lost to the ransomware, so that's a problem,” she said.

Manglicmot argues that the Ukraine war probably plays a key role in the decline. “A lot of the threat actors are known to be based in Eastern Europe,” he said, which leads him to suspect that the decline in ransomware attacks is “likely because of where the attackers are based.”

Not everyone is convinced the data shows a long-term trend.

Sam Curry, chief security officer at Cybereason, said the more recent dip in ransomware attacks “might also have to do with summer slowdowns in IT — and people who might otherwise click on the wrong thing might just be on the beach with their families.”

Rick Holland, chief information security officer at Digital Shadows, agreed, saying “any perceived slowdown in extortion” should be considered “as a blip, not a trend.”

“The summer months typically see slower extortion activity,” he told Protocol. “Criminals take vacations too.”


Upstart has a new plan to sell Wall Street on its loans

The AI-powered lender will hold some loans on its balance sheet as it seeks partners for long-term capital.

Despite the current struggles, Upstart views the marketplace model as the best way to write to keep its loan business growing.

Photo: Upstart

After a revenue drop its CEO called “unacceptable,” the leadership at fintech lender Upstart is making a bet on the strength of its ability to underwrite loans with AI.

The San Mateo company is planning to leave some loans on its balance sheet that investors do not want to buy, as concerns about the economy shift Wall Street away from backing riskier consumer debt. Rather than pull back on its lending in response, the company said it will hold some loans as it seeks longer-term capital partners.

Keep Reading Show less
Ryan Deffenbaugh
Ryan Deffenbaugh is a reporter at Protocol focused on fintech. Before joining Protocol, he reported on New York's technology industry for Crain's New York Business. He is based in New York and can be reached at
Sponsored Content

How cybercrime is going small time

Blockbuster hacks are no longer the norm – causing problems for companies trying to track down small-scale crime

Cybercrime is often thought of on a relatively large scale. Massive breaches lead to painful financial losses, bankrupting companies and causing untold embarrassment, splashed across the front pages of news websites worldwide. That’s unsurprising: cyber events typically cost businesses around $200,000, according to cybersecurity firm the Cyentia Institute. One in 10 of those victims suffer losses of more than $20 million, with some reaching $100 million or more.

That’s big money – but there’s plenty of loot out there for cybercriminals willing to aim lower. In 2021, the Internet Crime Complaint Center (IC3) received 847,376 complaints – reports by cybercrime victims – totaling losses of $6.9 billion. Averaged out, each victim lost $8,143.

Keep Reading Show less
Chris Stokel-Walker

Chris Stokel-Walker is a freelance technology and culture journalist and author of "YouTubers: How YouTube Shook Up TV and Created a New Generation of Stars." His work has been published in The New York Times, The Guardian and Wired.


Does your boss sound a little funny? It might be an audio deepfake

Voice deepfake attacks against enterprises, often aimed at tricking corporate employees into transferring money to the attackers, are on the rise. And at least in some cases, they’re succeeding.

Audio deepfakes are a new spin on the impersonation tactics that have long been used in social engineering and phishing attacks, but most people aren’t trained to disbelieve their ears.

Illustration: Christopher T. Fong/Protocol

As a cyberattack investigator, Nick Giacopuzzi’s work now includes responding to growing attacks against businesses that involve deepfaked voices — and has ultimately left him convinced that in today's world, "we need to question everything."

In particular, Giacopuzzi has investigated multiple incidents where an attacker deployed fabricated audio, created with the help of AI, that purported to be an executive or a manager at a company. You can guess how it went: The fake boss asked an employee to urgently transfer funds. And in some cases, it’s worked, he said.

Keep Reading Show less
Kyle Alspach

Kyle Alspach ( @KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at


Binance’s co-founder could remake its crypto deal-making

Yi He is overseeing a $7.5 billion portfolio, with more investments to come, making her one of the most powerful investors in the industry.

Binance co-founder Yi He will oversee $7.5 billion in assets.

Photo: Binance

Binance co-founder Yi He isn’t as well known as the crypto giant’s colorful and controversial CEO, Changpeng “CZ” Zhao.

That could soon change. The 35-year-old executive is taking on a new, higher-profile role at the world’s largest crypto exchange as head of Binance Labs, the company’s venture capital arm. With $7.5 billion in assets to oversee, that instantly makes her one of the most powerful VC investors in crypto.

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at or via Google Voice at (925) 307-9342.


Trump ordered social media visa screening. Biden's defending it.

The Knight First Amendment Institute just lost a battle to force the Biden administration to provide a report on the collection of social media handles from millions of visa applicants every year.

Visa applicants have to give up any of their social media handles from the past five years.

Photo: belterz/Getty Images

Would you feel comfortable if a U.S. immigration official reviewed all that you post on Facebook, Reddit, Snapchat, Twitter or even YouTube? Would it change what you decide to post or whom you talk to online? Perhaps you’ve said something critical of the U.S. government. Perhaps you’ve jokingly threatened to whack someone.

If you’ve applied for a U.S. visa, there’s a chance your online missives have been subjected to this kind of scrutiny, all in the name of keeping America safe. But three years after the Trump administration ordered enhanced vetting of visa applications, the Biden White House has not only continued the program, but is defending it — despite refusing to say if it’s had any impact.

Keep Reading Show less
Anna Kramer

Anna Kramer is a reporter at Protocol (Twitter: @ anna_c_kramer, email:, where she writes about labor and workplace issues. Prior to joining the team, she covered tech and small business for the San Francisco Chronicle and privacy for Bloomberg Law. She is a recent graduate of Brown University, where she studied International Relations and Arabic and wrote her senior thesis about surveillance tools and technological development in the Middle East.

Latest Stories