{
	"id": "1610c4cf-970c-43b7-b68f-28723383bf6f",
	"created_at": "2026-04-06T00:20:18.215779Z",
	"updated_at": "2026-04-10T03:20:30.875236Z",
	"deleted_at": null,
	"sha1_hash": "5717e39bae9816ca59daf0adadc3258c8256c52e",
	"title": "Chainalysis in Action: U.S. Authorities Disrupt NetWalker Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1377465,
	"plain_text": "Chainalysis in Action: U.S. Authorities Disrupt NetWalker\r\nRansomware\r\nBy Chainalysis Team\r\nPublished: 2021-01-27 · Archived: 2026-04-05 23:41:28 UTC\r\nToday, the U.S. Department of Justice (DOJ) announced a coordinated international law enforcement action to\r\ndisrupt the NetWalker ransomware, including the seizure of nearly half a million dollars in cryptocurrency, the\r\ndisablement of a dark web resource used to communicate with NetWalker ransomware victims, and the arrest of a\r\nCanadian national, Sebastien Vachon-Desjardins, who obtained tens of millions of dollars by acting as a\r\nNetWalker affiliate.\r\nThis case highlights the sophistication with which NetWalker operated, the global impact of ransomware attacks,\r\nand the substantial funds ransomware actors steal from their victims.\r\nChainalysis congratulates our government partners for their success in disrupting NetWalker’s operations, and\r\nwe’re proud that Chainalysis investigative tools helped them track down ransomware funds. We’re also proud to\r\nprovide exchanges with the transaction monitoring tools necessary to prevent these funds from being traded on\r\ntheir platforms.\r\nHomepage of the seized dark web communications site\r\nhttps://blog.chainalysis.com/reports/netwalker-ransomware-disruption-arrest\r\nPage 1 of 9\n\nBelow, we’ll break down what blockchain analysis tells us about the NetWalker strain of ransomware and\r\nhighlight specific elements of the investigation to show how law enforcement was able to trace the illicit funds.\r\nRansomware’s Growth and Increasing Sophistication\r\nChainalysis data shows that the total amount paid by ransomware victims increased 311% in 2020 to reach nearly\r\n$350 million worth of cryptocurrency. 
This number is a lower bound of the true total, as underreporting means we\r\nlikely haven’t categorized every victim payment address in our datasets.\r\nMany strains, including NetWalker, function on the Ransomware as a Service (RaaS) model, in which attackers\r\nknown as affiliates “rent” usage of a particular ransomware strain from its creators or administrators, who in\r\nexchange get a cut of the money from each successful attack affiliates carry out. RaaS has led to more attacks,\r\nmaking it even more difficult to quantify the full financial impact. But the trend is clear; no other category of\r\ncryptocurrency-based crime had a higher growth rate than ransomware in 2020.\r\nNetWalker was a top ransomware strain by revenue this year, along with Ryuk, Maze, Doppelpaymer, and\r\nSodinokibi.\r\nChainalysis has traced more than $46 million worth of funds in NetWalker ransoms since it first came on the\r\nscene in August 2019. It picked up steam in mid-2020, growing the average ransom to $65,000 last year, up from\r\n$18,800 in 2019.\r\nAccording to U.S. authorities, NetWalker has impacted at least 305 victims from 27 different countries, including\r\n203 in the U.S.\r\nWhat Blockchain Analysis Tells Us about NetWalker Operations and Financials\r\nTypically, there are four roles that receive proceeds from NetWalker attacks: the likely administrator or developer\r\n(8-10%), the affiliate (76-80%), and two commissioned roles (2.5%-5% each). An affiliate, like Vachon-Desjardins, is usually responsible for obtaining access to the victim network and deploying the malware. 
There are\r\nalso cases when one wallet gets 100% of the payment, which we believe belongs to the NetWalker administrator\r\nand indicates that he or she may also be directly involved in some of the attacks.\r\nThis screenshot of Chainalysis Reactor shows the typical transfer of funds from the ransom payment address to\r\nthe different NetWalker actors.\r\nBlockchain analysis reveals that there were actually fewer than 20 unique affiliates. Of those affiliates, some\r\nrarely deployed NetWalker. Some moved on to other RaaS strains, and we can use the Chainalysis Reactor\r\nexposure wheel to show that some affiliates have received payments from other variants.\r\nThe NetWalker administrator, who goes by the moniker “Bugatti” on darknet forums, posted an advertisement in\r\nMay 2020 on a forum seeking additional Russian-speaking affiliates as vacancies had “freed up,” which confirms\r\nour assessment of affiliates migrating to other strains.\r\nBlockchain analysis can also show ransomware actors paying for services they need to operate their criminal\r\nenterprise. For example, we can see below that NetWalker actors paid for cloud storage hosting with\r\ncryptocurrency, likely used to host stolen victim data for further extortion. Indeed, NetWalker ramped up its\r\nextortion efforts in May 2020 by not only locking victims out of their data, but also by stealing it. 
Before\r\nencrypting computer files on a victim’s network, NetWalker actors began to steal the data and automatically\r\npublish victim data on a leak site if the ransom was not paid by the deadline, another growing trend among several\r\nransomware strains.\r\nHow Authorities Used Blockchain Analysis to Trace the Flow of NetWalker Funds\r\nAccording to the indictment unsealed today, Vachon-Desjardins was charged with intentional damage to a\r\nprotected computer and transmitting a demand in relation to it. This involved a NetWalker ransomware attack\r\nagainst a victim company located in Florida.\r\nBlockchain analysis revealed at least 345 addresses associated with Vachon-Desjardins going back to February\r\n2018 with transactions continuing to the date of this writing (January 27, 2021). He allegedly received more than\r\n$14 million worth of Bitcoin at the time of receipt of the funds, ultimately possessing at least $27.6 million given\r\nits rising value.\r\nAccording to government partners, Vachon-Desjardins was involved in at least 91 attacks using NetWalker\r\nransomware since April 2020, deploying the malware as an affiliate and receiving 80% of the ransom.\r\nIn addition to NetWalker, we suspect Vachon-Desjardins was involved in the deployment of other RaaS strains\r\nlike Sodinokibi, Suncrypt, and Ragnarlocker. This is relatively common; we often see affiliates migrate to\r\ndifferent strains over time. 
Additionally, the NetWalker admin Bugatti has listed proof of prior hacking experience\r\nas a prerequisite to become a NetWalker affiliate, so it would make sense that affiliates like Vachon-Desjardins\r\nwould have a track record.\r\nThe Chainalysis Reactor graphs above show NetWalker affiliates with exposure to Sodinokibi and Ragnar Locker\r\nransomware strains.\r\nGovernment and industry must work together against ransomware\r\nIt’s important that cryptocurrency exchanges and government agencies continue to work together to prevent\r\nransomware actors from cashing out their ill-gotten gains. We look forward to continuing to supply governments\r\nand businesses around the world with the blockchain analysis tools necessary to accomplish those goals.\r\nChainalysis has labeled in our products all NetWalker victim payment addresses, and Chainalysis KYT and\r\nKryptos customers with exposure to these addresses will receive alerts in real-time.\r\nWant to learn more about how law enforcement used Chainalysis to investigate ransomware? We have limited\r\nspots available for demos. Sign up for one to see for yourself — a Chainalysis specialist can walk you through the\r\nReactor graphs we show above and answer all your questions.\r\nTo learn more about the latest trends in ransomware and more, sign up to get our full 2021 Crypto Crime report\r\nemailed to your inbox when it’s released in February.\r\nSource: https://blog.chainalysis.com/reports/netwalker-ransomware-disruption-arrest",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.chainalysis.com/reports/netwalker-ransomware-disruption-arrest"
	],
	"report_names": [
		"netwalker-ransomware-disruption-arrest"
	],
	"threat_actors": [],
	"ts_created_at": 1775434818,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5717e39bae9816ca59daf0adadc3258c8256c52e.pdf",
		"text": "https://archive.orkl.eu/5717e39bae9816ca59daf0adadc3258c8256c52e.txt",
		"img": "https://archive.orkl.eu/5717e39bae9816ca59daf0adadc3258c8256c52e.jpg"
	}
}