In the crypto industry, ransomware payments fell by 35% in 2024 and fell to $ 813 million compared to the $ 1.25 billion of the previous year, according to the Crypto Crime Report of Chainalysis’ 2025.
According to the company, this marks the most important annual fall in the ransomware income in the past three years.
Crypto Ransomware 2024
Despite a first increase in attacks during the first half of 2024 – a victim reportedly paid $ 75 million to the Dark Angels Group – Ransomware payments fell in the second half of the year. The report has credited the decline in stricter action of law enforcement, stronger international cooperation and growing resistance of victims.
Moreover, the global authorities have increased their actions against cyber crime, aimed at platforms that facilitate illegal transactions. A good example is the US and Allied countries that impose sanctions on crypto exchange Cryptex in Russia for making money laundering and ransomware-related activities possible.
It is interesting, although ransomware incidents rose, fewer victims chose to pay. About 30% of the negotiations resulted in a ransom payment, with a lot of opting for decoding tools or recovering from back -ups instead.
In the meantime, the report also emphasizes an increasing gap between letting go and actual payments. In the second half of 2024, attackers demanded much more than a few victims eventually switched, with payments of 53%failing. Those who paid sent on average $ 150,000 to $ 250,000 – significantly lower than the initial requirements.
Money laundering of tactics evolve
As ransomware payments fell, attackers have adjusted their money wachnics. Traditionally, ransomware actors relied on the mixing of services to cover up fund flows, whereby these platforms process between 10% and 15% of illegal transactions.
Local enforcement drop on services such as Tornado Cash, chip mixer and Sinbad, however, the use of the mixer declined considerably in 2024.
Instead, ransomware operators turned to cross-chain bridges to secretly move funds. Centralized fairs (CEXS) remained a primary off-disaster channel, accounting for 39% of the ransomware-related transactions light above the average of 37% observed between 2020 and 2024.
In the meantime, an unexpected trend arose as a considerable part of the ransom funds in personal portfolios instead of being invented. The shift suggests increased caution under ransomware actors, which may fear unpredictable law enforcement actions that focus on illegal transactions.
The action of the law enforcement against no-KYC exchanges had a significant influence on illegal fund flows. In September 2024, the German authorities seized 47 Russian-language no-kyc crypto exchanges, while sanctions were aimed at Cryptex.
Shortly thereafter, ransomware-related inflow to NO-KYC platforms demolished, which enhances the effectiveness of regulatory actions.
