{
	"id": "d49ad4b2-0cec-44df-a1a1-5896b1e9f2b8",
	"created_at": "2026-04-06T00:06:53.986525Z",
	"updated_at": "2026-04-10T03:21:12.82659Z",
	"deleted_at": null,
	"sha1_hash": "0b15e57945df6827ddf15c6f4ff47f0c11ad7db5",
	"title": "Sodinokibi Ransomware to stop taking Bitcoin to hide money trail",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1980811,
	"plain_text": "Sodinokibi Ransomware to stop taking Bitcoin to hide money trail\r\nBy Lawrence Abrams\r\nPublished: 2020-04-11 · Archived: 2026-04-05 17:08:58 UTC\r\nThe Sodinokibi Ransomware has started to accept the Monero cryptocurrency to make it harder for law enforcement to track\r\nransom payments and plans to stop allowing bitcoin payments in the future.\r\nIn a 2019 webinar titled \"The functionality of privacy coins\", Europol stated that the use of both Tor and Monero made it\r\nimpossible to trace the funds or the actors who received them.\r\n“Since the suspect used a combination of TOR and privacy coins, we could not trace the funds. We could not trace the IP\r\naddresses. Which means, we hit the end of the road. Whatever happened on the Bitcoin blockchain was visible and that’s\r\nwhy we were able to get reasonably far. But with Monero blockchain, that was the point where the investigation has ended.\r\nSo this is a classical example of one of several cases we had where the suspect decided to move funds from Bitcoin or\r\nEthereum to Monero,\" Europol's Jerek Jakubcek said in a webinar.\r\nLast month, the ransomware operators behind the Sodinokibi/REvil ransomware posted to a hacker and malware forum that\r\nthey are starting to accept the Monero cryptocurrency to make it harder for law enforcement to trace them. \r\n\"This principle has led to allegations that Monero could be used for drug trafficking, the dissemination of child pornography\r\nand more. In this regard, Europol in 2017 expressed concern about the growing popularity of Monero. 
In 2020, Europol\r\nmade an official statement - Monero is impossible to track.\r\nDue to CryptoNote and the obfuscation added to the protocol, passive mixing is provided: all transactions in the system are\r\nanonymous, and all participants in the system can use plausible denial in case of capture.\r\nThe combination of an anonymous browser Tor and Monero can quite successfully make a person’s financial activity\r\ncompletely invisible to the police and government agencies. We are extremely worried about the anonymity and security of\r\nour adverts, so we began a “forced” transition from the BTC to Monero.\"\r\nThe operators go on to say that they will eventually remove bitcoins as a payment option and that victims need to start to\r\nlearn more about Monero and how to acquire it.\r\n\"In this regard, we inform you that after a while the BTC will be removed as a payment method. Victims need to begin to\r\nunderstand the new cryptocurrency, as well as other interested parties who work with us,\" the threat actors warned.\r\nTor ransom payment site uses Monero by default\r\nOn the Sodinokibi Tor payment site, the ransomware operators have already started to move away from bitcoin by making\r\nMonero the default payment currency.\r\nIf a victim wants to use bitcoin to make a ransom payment, the amount is increased by 10%.\r\nTor payment site accepting Monero\r\nThe ransomware operators are also offering \"partners\" who help victims pay the ransom a discount that will make them\r\n\"pleasantly surprised\".\r\n\"Companies that assist our victims in acquiring the decryptor will be pleasantly surprised by the% discount on the amount of\r\nthe ransom. In order to start working with us, it is enough to write in a chat and introduce yourself as a company of this type\r\nof activity. Our collaboration is completely anonymous. 
We do not disclose the data of our partners,\" the ransomware\r\noperators offered.\r\nMany of these \"data recovery\" companies add a significant surcharge to victims they help, and with this additional discount,\r\nthey stand to make a much larger profit by helping Sodinokibi switch to Monero.\r\nSource: https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/"
	],
	"report_names": [
		"sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail"
	],
	"threat_actors": [],
	"ts_created_at": 1775434013,
	"ts_updated_at": 1775791272,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b15e57945df6827ddf15c6f4ff47f0c11ad7db5.pdf",
		"text": "https://archive.orkl.eu/0b15e57945df6827ddf15c6f4ff47f0c11ad7db5.txt",
		"img": "https://archive.orkl.eu/0b15e57945df6827ddf15c6f4ff47f0c11ad7db5.jpg"
	}
}