Mapping the Modern Ransomware Landscape: Insights from Chainalysis’ Jackie Koven
We are excited to present the first DigitalMint Cyber Fireside Chat. In this series, you will learn about ransomware from industry insiders, experts and leaders. Episodes are hosted by DigitalMint Cyber founder & President, Marc Grens.
Our first guest is Jackie Burns Koven, Head of Cyber Threat Intelligence at Chainalysis. Jackie leads a team tracking cybercriminals and nation-state actors stealing, scamming, and extorting cryptocurrency. She is also a member of the Ransomware Task Force, which unites key stakeholders across industry, government, and civil society to innovate new solutions countering the ransomware threat.


Tracking Criminals on the Blockchain
Koven and her team at Chainalysis spend their days tracking malicious actors, tracing ransom payments, and uncovering how these funds are laundered or reinvested into new attack infrastructure.
“It gives us insight into the underground economy that underpins the attacks you see in the headlines.”
With a background in U.S. intelligence, Koven became fascinated by the transparency of blockchain transactions and the unique opportunity it presents to disrupt criminal operations.
Why Ransomware Payments Declined in 2022
Chainalysis’ 2022 ransomware report revealed a significant drop in ransom payments compared to the surge years of 2020 and 2021. Koven attributed this to several factors:
  • Greater public awareness and stronger compliance programs across financial and crypto institutions
  • Government guidance and sanctions targeting ransomware enablers and illicit exchanges
  • Improved cyber hygiene and insurance standards, reducing the need to pay
  • Decryptors quietly distributed by the FBI and researchers, saving victims from ransom demands altogether
“It’s a testament to the combined efforts of public and private sectors,” she explained.
The Ripple Effect of Sanctions and Seizures
The Russia-Ukraine conflict and resulting sanctions dramatically reshaped ransomware cashout patterns. Russian-linked exchanges like Suex, Garantex, and Hydra were sanctioned or dismantled, pushing threat actors to seek new, often riskier laundering avenues. Chainalysis has since observed increased use of underground exchanges and mixers, though Koven noted that “mixers aren’t as anonymizing as one might think.”
Rebranding, Not Retreating
Collaboration and Reporting Are Key
Koven encouraged organizations to report ransomware wallet addresses—anonymized—to Chainalysis or law enforcement. “It’s not about naming victims,” she said. “It’s about alerting exchanges and agencies worldwide to watch for those funds.” She highlighted the FBI’s IC3, FinCEN, and CISA as primary reporting channels.
Each report, she added, helps build a broader intelligence picture that can lead to asset seizures or even prevent payments altogether, as seen in recent operations against groups like Hive.
Looking Ahead
As regulatory scrutiny intensifies and exchanges strengthen compliance, ransomware actors are being pushed further underground. But, as Koven put it, “They may be expert hackers, but not always expert launderers.” That gap gives defenders an edge.