{
	"id": "e3bb8883-28f9-4bf4-a5e2-38e2731061aa",
	"created_at": "2026-04-06T00:12:42.441164Z",
	"updated_at": "2026-04-10T13:11:27.717514Z",
	"deleted_at": null,
	"sha1_hash": "180ba4ad8dab42ac6055202a21ac48f9dfe2939f",
	"title": "Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 706350,
	"plain_text": "Blockchain Analysis Shows Connections Between Four of 2020’s\r\nBiggest Ransomware Strains\r\nBy Chainalysis Team\r\nPublished: 2021-02-04 · Archived: 2026-04-05 22:20:43 UTC\r\nThis blog is an excerpt from the Chainalysis 2021 Crypto Crime Report. Click here to download the whole\r\nthing!\r\nAs we’ve covered on our blog, there may be fewer cybercriminals responsible for ransomware attacks than one\r\nwould initially think given the number of individual attacks, distinct strains, and amount stolen from victims.\r\nCybersecurity researchers point out that many RaaS affiliates carrying out attacks switch between different strains,\r\nand many believe that seemingly distinct strains are actually controlled by the same people. Using blockchain\r\nanalysis, we’ll investigate potential connections between four of 2020’s most prominent ransomware strains:\r\nMaze, Egregor, SunCrypt, and Doppelpaymer.\r\nThe four ransomware strains were quite active last year, attacking prominent companies such as Barnes \u0026 Noble,\r\nLG, Pemex, and University Hospital New Jersey, amongst others. All four use the RaaS model, meaning that\r\naffiliates carry out the ransomware attacks themselves and pay a percentage of each victim payment back to the\r\nstrain’s creators and administrators. All four also use the “double extortion” strategy of not just withholding\r\nvictims’ data, but also publishing pieces of it online as an extra incentive for victims to pay the ransom.\r\nBelow, we see the four strains’ revenue since late 2019 broken out quarterly.\r\nNote that Egregor only became active just before Q4 2020 (mid-September to be specific), soon after the Maze\r\nstrain became inactive. Some cybersecurity researchers see this as evidence that Maze and Egregor are linked in\r\nsome way. In early November, Maze’s operators said the strain was shutting down in a press release posted to its\r\nwebsite, following a slowdown in activity. 
Soon after, most of its affiliates migrated to Egregor, leading some to\r\nhttps://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer\r\nPage 1 of 5\n\nbelieve that the Maze operators have simply rebranded as Egregor and instructed the affiliates to join. This is\r\nrelatively common in ransomware, though it’s also possible that the affiliates have decided for themselves that\r\nEgregor is their best option. It’s even possible that the Maze affiliates became unhappy with the Maze operators,\r\nleading to the split. However, as noted by Bleeping Computer, Maze and Egregor share much of the same code,\r\nthe same ransom note, and have very similar victim payment sites. Cybersecurity firm Recorded Future notes this\r\ntoo, as well as similarities between Egregor and a banking trojan called QakBot.\r\nIt’s not just Egregor either. In another story, Bleeping Computer claims that SunCrypt representatives contacted\r\nthem claiming to be part of the “Maze ransomware cartel” prior to Maze’s shutdown announcement, though Maze\r\nhas denied this. However, the claim of a connection is also supported by a privately circulated report from threat\r\nintelligence firm Intel471 claiming that representatives from SunCrypt described their strain as a “rewritten and\r\nrebranded version of a ‘well-known’ ransomware strain.” Intel471’s report also claims that SunCrypt only works\r\nwith a small number of affiliates at a time, whom the SunCrypt operators interview and vet extensively. 
Therefore,\r\nwe believe any overlap in affiliates between SunCrypt and other ransomware strains would be more likely to\r\nsuggest a deeper connection between the two strains, rather than just coincidence.\r\nBlockchain analysis suggests affiliate overlap and other possible connections\r\nbetween Maze, Egregor, SunCrypt, and Doppelpaymer\r\nAs we outline above, there’s circumstantial evidence suggesting links between some of these four strains, as well\r\nas reports of affiliate migration. But what links do we see on the blockchain? Let’s start with Maze and SunCrypt.\r\nThe Chainalysis Reactor graph above provides strong evidence suggesting that a Maze ransomware affiliate is\r\nalso an affiliate for SunCrypt. Starting at the bottom of the graph, we see how Maze distributes funds taken in\r\nransomware attacks. First, the majority of each successful ransom payment goes to the affiliate, as they’re taking\r\non the risk of actually carrying out the ransomware attack. The next biggest cut goes to a third party. While we\r\ncan’t know for sure what that third party’s role is, we believe it’s likely an ancillary service provider who helps\r\nMaze pull off attacks. Ransomware attackers often rely on third parties for tools like bulletproof hosting,\r\npenetration testing services, or access to vulnerabilities in victims’ networks. These ancillary service providers can\r\nbe found peddling their wares on cybercriminal darknet forums, but aren’t necessarily involved in all ransomware\r\nattacks. 
Finally, the smallest cut of each ransom payment goes to another wallet that we believe belongs to the\r\nstrain’s administrators.\r\nIn this case, however, we see that the Maze affiliate also sent funds — roughly 9.55 Bitcoin worth over $90,000\r\n— via an intermediary wallet to an address labeled “Suspected SunCrypt admin,” which we’ve identified as part\r\nof a wallet that has consolidated funds related to a few different SunCrypt attacks. This suggests that the Maze\r\naffiliate is also an affiliate for SunCrypt, or possibly involved with SunCrypt in another way.\r\nAnother Reactor graph shows links between the Egregor and Doppelpaymer ransomware strains.\r\nIn this case, we see that an Egregor wallet sent roughly 78.9 BTC worth approximately $850,000 to a suspected\r\nDoppelpaymer administrator wallet. Though we can’t know for sure, we believe that this is another example of\r\naffiliate overlap. Our hypothesis is that the Egregor-labeled wallet is an affiliate for both strains sending funds to\r\nthe Doppelpaymer administrators.\r\nFinally, the Reactor graph below shows what we believe is an instance of Maze and Egregor administrators using\r\nthe same money laundering infrastructure.\r\nBoth strains’ victim payment wallets have sent funds to two deposit addresses at a prominent cryptocurrency\r\nexchange via intermediary wallets. Based on their transaction patterns, we believe that both deposit addresses\r\nbelong to over-the-counter (OTC) brokers who specialize in helping ransomware operators and other\r\ncybercriminals trade illicitly-gained cryptocurrency for cash. 
In the case of Maze, those funds first flow through\r\nanother suspected money laundering service before reaching the OTC addresses — it’s unclear whether Maze\r\nreceives cash from that service or from the OTCs themselves, and it’s also possible that the OTC broker and those\r\nrunning the laundering service are one and the same.\r\nWhile this doesn’t suggest that Maze and Egregor share the same administrators or affiliates, it’s still an important\r\npotential lead for law enforcement. Cryptocurrency-related crime isn’t worthwhile if there’s no way to convert ill-gotten funds into cash. By going after bad actors like the money laundering service or corrupt OTC brokers on the\r\ngraph above — the latter of whom, again, operate on a large, well-known exchange — law enforcement could\r\nsignificantly hamper the ability of Maze and Egregor to operate profitably without actually catching the strains’\r\nadministrators or affiliates. It’s not just those specific ransomware strains either.\r\nThe suspected laundering service has also received funds from the Doppelpaymer, WastedLocker, and Netwalker\r\nransomware strains, taking in nearly $2.9 million worth of cryptocurrency from the category as a whole. Likewise,\r\nit’s received nearly $650,000 worth of cryptocurrency from darknet markets such as Hydra and FEShop. The two\r\nOTC broker addresses on the graph have similar criminal exposure as well.\r\nWhat does this mean for ransomware?\r\nWhile we can’t say for sure that Maze, Egregor, SunCrypt, or Doppelpaymer have the same administrators, we\r\ncan say with relative certainty that some of them have affiliates in common. 
We also know that Maze and Egregor\r\nrely on the same OTC brokers to convert cryptocurrency into cash, though they interact with those brokers in\r\ndifferent ways.\r\nRegardless of the exact depth and nature of these connections, the evidence suggests that the ransomware world is\r\nsmaller than one may initially think given the number of unique strains currently operating. This information can\r\nbe a force multiplier for law enforcement. If they can identify and act against groups controlling multiple\r\nransomware strains, or against OTCs enabling multiple ransomware strains to cash out their earnings, then they’ll\r\nbe able to halt or impact the operations of several strains with one takedown.\r\nThis blog is an excerpt from the Chainalysis 2021 Crypto Crime Report. Click here to download the whole\r\nthing!\r\nSource: https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer"
	],
	"report_names": [
		"ransomware-connections-maze-egregor-suncrypt-doppelpaymer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434362,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/180ba4ad8dab42ac6055202a21ac48f9dfe2939f.pdf",
		"text": "https://archive.orkl.eu/180ba4ad8dab42ac6055202a21ac48f9dfe2939f.txt",
		"img": "https://archive.orkl.eu/180ba4ad8dab42ac6055202a21ac48f9dfe2939f.jpg"
	}
}