While some ransomware operators continue to ask for Monero (XMR), Bitcoin remains the dominant payment method in most ransomware incidents. Threat actors prefer Monero because its privacy-by-default architecture makes transaction tracing significantly more difficult than on transparent blockchains such as Bitcoin. However, according to research from TRM Labs, widespread exchange delistings, regulatory pressure, and reduced liquidity have made Monero less accessible through mainstream cryptocurrency platforms in recent years.
Consequently, Bitcoin continues to account for the majority of ransomware payments despite its greater traceability. The combination of widespread exchange support, deep liquidity, and ease of acquisition makes Bitcoin the most practical cryptocurrency for large-scale ransom payments.
That does not mean Bitcoin transactions are easy to follow from end to end. Historically, ransomware groups frequently relied on cryptocurrency mixers to obscure transaction trails. However, recent reporting from Chainalysis’ Crypto Crime research shows that law enforcement actions and sanctions have disrupted many prominent mixing services, forcing cybercriminals to adopt alternative laundering techniques.
Today, threat actors increasingly rely on cross-chain swaps, decentralized exchanges (DEXs), instant exchange services, and intermediary wallets to complicate blockchain investigations. Academic research examining modern ransomware payment ecosystems has similarly documented how ransomware groups move funds through multiple wallets and cash-out mechanisms to reduce attribution opportunities, as detailed in Showing the Receipts: Understanding the Modern Ransomware Ecosystem and Inside LockBit: Technical, Behavioral, and Financial Anatomy of a Ransomware Empire.
The tension between privacy and usability continues to influence ransomware payment negotiations. While Monero remains attractive because of its strong privacy protections, practical limitations surrounding acquisition and liquidity often push both victims and attackers toward Bitcoin. As long as Bitcoin remains the most accessible and liquid cryptocurrency, it is likely to remain the primary currency of ransomware payments despite ongoing criminal interest in privacy-focused alternatives.