The crypto industry experienced a significant decline in ransomware payments in 2024, according to Chainalysis’ 2025 Crypto Crime Report. Ransomware payments dropped by 35% to $813 million from the previous year’s $1.25 billion, marking the most substantial annual decrease in ransomware revenue over the past three years.
Despite an initial increase in attacks during the first half of 2024, with one victim reportedly paying $75 million to the Dark Angels group, ransomware payments plummeted in the latter half of the year. This decline was attributed to stricter law enforcement action, stronger international cooperation, and growing victim resistance.
Global authorities have stepped up their efforts to crack down on cybercrime by targeting platforms that facilitate illicit transactions. For example, the US and allied countries imposed sanctions on Russia-based crypto exchange Cryptex for enabling money laundering and ransomware-related activities.
Although there was a rise in ransomware incidents, fewer victims chose to pay the ransom. Approximately 30% of negotiations resulted in a ransom payment, with many opting for decryption tools or restoring from backups instead.
The report also highlighted a widening gap between the demanded ransom amounts and the actual payments made. In the second half of 2024, attackers demanded more than what victims ultimately transferred, with payments falling short by 53%. Those who did pay sent an average of $150,000 to $250,000, which was significantly lower than the initial demands.
As ransomware payments declined, attackers adapted their laundering techniques. Traditionally, ransomware actors relied on mixing services to obscure fund flows, but crackdowns on platforms like Tornado Cash, ChipMixer, and Sinbad led to a drop in mixer usage in 2024.
Instead, ransomware operators turned to cross-chain bridges to move funds covertly. Centralized exchanges (CEXs) remained a primary off-ramping channel, accounting for 39% of ransomware-related transactions. Surprisingly, a significant portion of ransom funds remained in personal wallets rather than being cashed out, indicating increased caution among ransomware actors.
Law enforcement’s crackdown on no-KYC exchanges had a significant impact on illicit fund flows. In September 2024, German authorities seized 47 Russian-language no-KYC crypto exchanges, while sanctions targeted Cryptex. This led to a decrease in ransomware-related inflows to no-KYC platforms, demonstrating the effectiveness of regulatory actions in combating illicit activities.