Why criminals are switching to Monero for ransom demands

If you are hit by a ransomware attack, the chances are that the hacker will demand payment in Bitcoin. However, a growing number of threat actors are starting to ask for Monero. Here’s a closer look at this privacy-focused token, its place in the wider crypto landscape, and the reasons for its growth in popularity.  

Recent FBI bust highlights Bitcoin’s limitations

“Bitcoin transactions are anonymous and pretty much non-traceable.” At least, that’s the perception. However, a recent operation in the US demonstrated that in some circumstances, it is possible for law enforcers to track complex bitcoin payment trails and recover ransom money.  

In May, a major East Coast fuel pipeline was temporarily shut down as a result of a ransomware attack by Russian-based criminal gang, DarkSide. Colonial Pipeline Co paid a bitcoin ransom worth $4.4 million. 

A few weeks later, the Justice Department confirmed that $2.3 million worth of this ransom had been recovered. How exactly this was achieved has not been revealed, but it seems that agents identified a bitcoin wallet Darkside had used to collect payment, tracked the ransom as it moved through a maze of at least two dozen electronic accounts, before seizing the money.

There are a couple of takeaways from this episode: 

With bitcoin, personal anonymity does not mean that transactions leave no footprint. Bitcoin ownership is anonymous, and transactions are not linked to personal information. However, when bitcoin is sent and received, certain details are recorded permanently on the blockchain. Analysis can reveal if a coin has been used for illegal purposes in the past, including ransomware extortion. 

Criminals are already focusing on alternatives. “Bitcoin is far more public than most people realize”, according to Justin Ehrenhofer, a member of the Monero Space Workgroup. “Criminals and non-criminals alike enjoy using Monero because it’s private, fungible money”. The use of Monero for ransomware payments has increased significantly in 2020 and 2021, and some criminal organizations actually offer a discount of between 10 and 20 percent to victims who pay their ransom in Monero instead of Bitcoin. Ehrenhofer expects that in the future, many will stop accepting Bitcoin altogether for smaller ransoms.

Monero vs Bitcoin: what’s the difference?

What is Monero? 

Monero was released in 2014 by a consortium of developers as a “privacy-centric” alternative to Bitcoin. 

Here’s how the two currencies differ… 


On the Bitcoin blockchain, there’s an element of transparency. It is possible to see what wallet addresses were involved in a transaction, how many Bitcoins were involved, where the money came from, and where it’s going. 

The Monero blockchain hides virtually all transaction details. Details of the wallet address, the transaction amount and details of the counterparty are all obfuscated.

Stealth addresses 

Stealth addresses on Monero require users to create random one-time addresses for every transaction. By using stealth addresses, only the sender and receiver can determine where a payment was sent - and these addresses cannot be linked back to either party’s identity. 

Some Bitcoin wallets (Samouri Wallet, for instance) offer stealth wallet capabilities, but these are an optional extra rather than a default feature.

Ring Confidential Transactions (RingCT) 

Monero’s RingCT function consists of a combination of two elements: ring signatures and confidential transactions. Ten “decoy” funds are mixed into each transaction, making it pretty much impossible for anyone analyzing transaction activity to determine which particular funds have been transferred. Additionally, algorithmic encryption makes it impossible for anyone to know how much Monero has actually changed hands (except for the sender and receiver). 

Bitcoin has a similar coin-mixing option called ZeroLink. However, it doesn’t hide transaction amounts. And in any case, all Bitcoin transactions are publicly recorded on the blockchain. 


The ten dollar bill in your pocket is just as good as the same value note in your wallet. Even if it’s been involved in something illegal, the bill still works. This is fungibility: the crucial idea that one unit of money is interchangeable with any other unit, without its legitimacy being questioned.

Bitcoin is backed by a relatively open blockchain. It’s hard to establish the real-world identities of the individuals behind transactions. However, through analysis, BTC units can be tracked back all the way back to their creation. If a coin has been used for illicit purposes in the past, this information will be contained in the blockchain. Some Bitcoin exchanges now block or close accounts that have received Bitcoin used for unsavoury purposes. 

Criminals don’t want to extort money from someone, only to find that the funds are non-usable. With Monero however, even if the coins in your possession were used for something shady in the past, it’s extremely difficult for anyone to know this.

Find out more  

The growth in Monero’s popularity for ransoms shows how criminals will always switch up their techniques. As always, they’re looking for maximum gain with the minimum of risk and hassle. 

So how do you stay ahead? ​Take ​The Complete Cyber Security Course​​ ​ which covers privacy, anonymity and security in-depth. 

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Nathan House

    Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the year 2022.

  • LTS Secure says:

    Sometimes, unscrupulous people steal the log in credentials of the employees of an organization in order to hack into the servers and steal the data. Compromised identities of employees are new threats for corporate organizations to counter.

    • Rey says:

      Multi factor authentication and regularly mandated password changes. Or better yet, tokens and smart cards…

  • Ariyarathi says:

    Multi factor authentication and regularly mandated password changes. thanks for sharing blog

  • rawatnimisha says:

    Nice! This information is very useful. Thanks for sharing this , keep sharing such information…

  • it support for your business

    Why criminals are switching to Monero for ransom demands

  • office phones dallas

    Why criminals are switching to Monero for ransom demands

  • >