Why Do Ransomware Threat Actors use Bitcoin?


DigitalMint Cyber
#ransomware #bitcoin #threatintel

Ransomware threat actors often demand bitcoin as payment due to its perceived anonymity and lack of regulation. Bitcoin transactions are recorded on a public ledger (the blockchain), but the parties involved remain pseudonymous, which makes it difficult for law enforcement to trace a payment. However, this anonymity is not absolute, and law enforcement has successfully traced and seized bitcoin payments in several high-profile cases.

For example, in 2021, the US Department of Justice (DOJ) seized over $2 million in bitcoin paid to the Colonial Pipeline attackers, and in 2022, the DOJ seized over $3.6 billion in bitcoin linked to the 2016 Bitfinex hack. Additionally, in 2020, European law enforcement seized over €1 million in bitcoin paid to the EncroChat ransomware gang. These cases demonstrate that bitcoin’s anonymity is not impenetrable, and law enforcement can trace and recover bitcoin payments with the right expertise and resources.
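An added illustration (not from the original post) of why a public ledger keeps payments followable even when the parties are pseudonymous: a forward trace over a small constructed ledger. The simplified address-level transaction model, every address and txid, and the exchange label are assumptions made for this example.

```python
from collections import deque

# Constructed sample ledger (not real transactions). Simplified model:
# each transaction spends from input addresses and pays output addresses.
LEDGER = [
    {"txid": "tx1", "inputs": ["victim_wallet"], "outputs": {"ransom_addr": 5.0}},
    {"txid": "tx2", "inputs": ["ransom_addr"], "outputs": {"hop_a": 3.0, "hop_b": 2.0}},
    {"txid": "tx3", "inputs": ["hop_a"], "outputs": {"exchange_deposit_1": 3.0}},
    {"txid": "tx4", "inputs": ["hop_b"], "outputs": {"hop_c": 2.0}},
    {"txid": "tx5", "inputs": ["unrelated_1"], "outputs": {"unrelated_2": 1.0}},
]

# Hypothetical attribution labels an investigator might hold for known services.
LABELS = {"exchange_deposit_1": "exchange (constructed label)"}


def trace_forward(ledger, start, labels, max_hops=10):
    """Follow funds from `start` through every transaction that spends them.

    Returns (paths, hits): paths maps each reached address to the list of
    txids leading to it; hits maps labelled addresses reached to their label.
    Tracing stops at labelled addresses, where funds enter a known service.
    """
    spends = {}  # address -> transactions in which it appears as an input
    for tx in ledger:
        for addr in tx["inputs"]:
            spends.setdefault(addr, []).append(tx)

    paths = {start: []}
    hits = {}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        if addr in labels:
            hits[addr] = labels[addr]
            continue
        if len(paths[addr]) >= max_hops:
            continue
        for tx in spends.get(addr, []):
            for out in tx["outputs"]:
                if out not in paths:  # visited check also guards against cycles
                    paths[out] = paths[addr] + [tx["txid"]]
                    queue.append(out)
    return paths, hits


if __name__ == "__main__":
    paths, hits = trace_forward(LEDGER, "ransom_addr", LABELS)
    for addr, label in hits.items():
        print(f"{addr} [{label}] reached via {' -> '.join(paths[addr])}")
```

The addresses alone identify no one; the trace becomes useful at the point where funds reach an address that has been attributed to a known service.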

Despite these risks, bitcoin remains a popular choice for ransomware threat actors due to its ease of use and the perceived difficulty of tracking payments.