{
	"id": "40b94765-751d-49dd-84a9-533653c6f9a7",
	"created_at": "2026-04-06T01:31:56.123925Z",
	"updated_at": "2026-04-10T13:11:48.702377Z",
	"deleted_at": null,
	"sha1_hash": "ff9629eb1c05a8c5d1219b580b4133ac719daef7",
	"title": "The Bitcoin Ransomware Detective Strikes Again: The UCSF Case",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 885939,
	"plain_text": "The Bitcoin Ransomware Detective Strikes Again: The UCSF Case\r\nBy Tal Be'ery\r\nPublished: 2020-09-03 · Archived: 2026-04-06 00:51:19 UTC\r\nTL;DR: Hunting for real-world incidents in blockchain data sometimes leads to interesting insights and\r\nfindings. In this case, we were able to find UCSF’s $1.14M ransom payment on the blockchain and correlate\r\nit to an additional $700K transaction. This potentially increases the paid UCSF ransom to over $1.8M.\r\nFollowing our recent article on the $4M Bitcoin CWT ransomware payment, we continued to hone our blockchain\r\nhunting skills. Usually, these skills are used to protect Zengo customers.\r\nThis time, however, we had a different focus. We managed to track down the $1.14M ransom paid by the\r\nUniversity of California San Francisco (UCSF). \r\nYou might remember this case. \r\nIt gained widespread exposure because ransom negotiations between UCSF’s negotiator and hackers were made\r\npublic and covered by popular media outlets like BBC and Bloomberg. \r\nIn this article, we’ll share our findings and some additional insights we were able to infer from the Bitcoin\r\nblockchain data. We’ll also describe our methods so other security researchers can explore similar incidents in the\r\nfuture and possibly create a safer environment for all of us. \r\nHow to find a ransomware transaction\r\nAccording to Threatpost, UCSF paid a $1.14 million ransom to recover data related to academic work. This\r\ndata was encrypted after the NetWalker ransomware hit the medical school at the university.\r\nUnlike the CWT case linked above, public reports on the UCSF ransomware did not include the attackers’ Bitcoin\r\naddress, ostensibly preventing researchers from analyzing the money trail. This made our investigation a little\r\nmore cumbersome. However, we did not give in.\r\nAs we should all know by now, Bitcoin data is pseudonymous, not anonymous. 
Users are represented by mostly\r\nmeaningless addresses; however, all transactions between these addresses can be watched by anyone. With this in\r\nmind, we knew it would be possible to find the address if we could obtain enough information on the transaction\r\ndetails and money trail “pattern” (more on that below).\r\nDiving into the media stories, we found two technical details that assisted in our investigation. The paid ransom\r\nsum was 116.4 BTC ($1.14M at the time), and the payment took place on the 12th of June.\r\nWhile sending such a large and specific amount of money in a particular time period may seem like enough to\r\nidentify the transaction, we wanted to be sure. To have an even higher level of certainty, we required the\r\ntransaction to be part of the following blockchain “pattern”.\r\nhttps://zengo.com/bitcoin-ransomware-detective-ucsf/\r\nPage 1 of 6\n\nRansomware payments usually follow a distinct pattern: \r\n1. Negotiators buy the exact amount of Bitcoin requested by the attackers from a large liquidity provider. The\r\nnegotiators use a “fresh” address with no previous history for this transaction, to prevent any data leakage.\r\n2. Negotiators then immediately transfer this full amount to the attackers’ fresh address. The transfer is done\r\nrapidly, as negotiators don’t want to keep so much money in their possession for long. (Sometimes,\r\nnegotiators will send a small transaction first to make sure they have the right address and then send the\r\nfull amount.) \r\n3. Once the payout lands in the attackers’ initial address, the attackers split the loot. In the case of the\r\nNetWalker ransomware, this split is very distinct. The NetWalker gang worked in a “Ransomware-as-a-service” (RaaS) model: the gang operates the infrastructure, while the affiliate drives the operation and\r\ninfects the victim. Thanks to CipherTrace research, we know that this model creates a “four arms” pattern,\r\ndepicted below. 
The NetWalker gang operators get 20% of the loot, split into 10%, 5%, and 5% payments\r\nto known addresses. The remaining 80% goes to the RaaS affiliate.\r\nNetWalker’s “four arms” Bitcoin payment pattern (source: CipherTrace) \r\nFinding the transaction\r\nUsing Blockchair’s interface, we could query the Bitcoin blockchain for transactions on the date and for the reported\r\nsum. We provided a slightly bigger range for both dates and sums to allow some flexibility in case the details in\r\nthe story were not exact. We created a query to retrieve outputs where the value is between 116 and 117\r\nBitcoin (11600000000 to 11700000000 satoshis) and the date is between the 12th and 13th of June (note that the query\r\nfilters on spending_time, the time at which the output was spent, not the time it was created):\r\nhttps://blockchair.com/bitcoin/outputs?s=spending_time(desc)\u0026q=value(11600000000..11700000000),spending_time(2020-06-12..2020-06-13)#\r\nBlockchair query results\r\nResults returned six possible candidates, but it was easy to identify the relevant ransom transaction, as it was the one that followed\r\nthe pattern detailed above.\r\nThe ransom money trail: Binance → Negotiator → NetWalker → NetWalker Affiliate (all times\r\nUTC)\r\nAs we had expected, we found the Negotiators (address 36YWNH, shortened for readability) buying 116.4 BTC\r\nfrom the Binance exchange (address 19JyAkHKh, associated with Binance according to Clank) into a fresh address\r\non the 12th of June at 20:13 (all times UTC), then paying immediately to a fresh NetWalker address (address\r\n36kmJZj).\r\nNegotiators (address 36YWNH) purchasing 116.4 BTC from Binance (address 19JyAkHKh) then\r\npaying to NetWalker (address 36kmJZj)\r\nThe NetWalker address immediately split the ransom money, sending 20% to the known NetWalker addresses in the\r\nusual split (10%, 5%, 5%) and 80% to the NetWalker affiliate (address 1C7FeXMf1).\r\nThe “four arms” payment: 80% goes to the NetWalker affiliate (address 1C7FeXMf1)\r\nThe 
additional “four arms” transaction\r\nWe discovered the ransom money trail and verified the media story by cross-checking it with Bitcoin blockchain\r\ndata. \r\nHowever, we weren’t done yet. \r\nWe discovered a similar “four arms” payment to the same affiliate address, made only 19 hours before the UCSF\r\npayment. \r\nThe two payments to the NetWalker affiliate, with only 19 hours between them (source: Blockchair)\r\nOddly enough, the money trail followed a similar path from the same Binance address to the same NetWalker\r\naffiliate. The Negotiators bought 70.5 BTC (about $700K) from the same provider (Binance, address\r\n19JyAkHKh) and put it into a fresh address on the 11th of June at 23:41. They then transferred it immediately to a\r\nfresh NetWalker address, which was then split to the same NetWalker affiliate (address 1C7FeXMf1).\r\nThe two ransom paths: on the top side the known UCSF payment (addresses denoted as #2), on the\r\nbottom side the unknown payment (addresses denoted as #1)\r\nThis extra payment to the same attacker could be related to the UCSF incident or to another, unrelated ransomware\r\nincident. However, after talking to ransom negotiation experts, we believe the former is much more likely. This puts\r\nthe total ransom paid by UCSF to the attackers closer to $2M (about 187 BTC, roughly $1.84M at the time). 
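The hunting procedure used in this and the preceding section, as an added Python example that is not code from the original post or from Zengo: it filters outputs by value and time window the way the Blockchair query does, checks that the receiving addresses are fresh (no earlier history), verifies the NetWalker “four arms” 10%/5%/5%/80% split, and then groups every four-arms split it finds by affiliate address, so that a second payment to the same affiliate stands out the way the 70.5 BTC payment did here. Every address, amount, timestamp and the list of operator payout addresses below is a constructed stand-in, not real chain data.

```python
# Added example, not code from the Zengo post: the hunting procedure described
# above (value/time filter, fresh-address checks, 'four arms' split, grouping
# by affiliate) run over a small constructed transaction set. Addresses,
# amounts and times are stand-ins, not the real on-chain data.
from dataclasses import dataclass
from datetime import datetime, timezone

SATS = 100_000_000  # satoshis per BTC


@dataclass
class Tx:
    txid: str
    time: datetime      # block time, UTC
    inputs: list        # addresses spent from
    outputs: list       # (address, value in satoshis)


def utc(s):
    return datetime.strptime(s, '%Y-%m-%d %H:%M').replace(tzinfo=timezone.utc)


# Constructed stand-ins for the three known NetWalker operator payout
# addresses that receive the 10% / 5% / 5% cut of every ransom.
OPERATOR_ADDRS = {'nw_op_10pct', 'nw_op_5pct_a', 'nw_op_5pct_b'}

SAMPLE_TXS = [
    # Unrelated history: makes 'old_wallet' non-fresh and lands a decoy
    # 116.5 BTC output inside the search window.
    Tx('d0', utc('2020-06-01 10:00'), ['someone'], [('old_wallet', 5 * SATS)]),
    Tx('d1', utc('2020-06-12 15:00'), ['exchange_19Jy'], [('old_wallet', 11_650_000_000)]),
    # Payment #1 (constructed): 70.5 BTC bought on 11 June, forwarded, then split.
    Tx('a1', utc('2020-06-11 23:41'), ['exchange_19Jy'], [('negotiator_1', 7_050_000_000)]),
    Tx('a2', utc('2020-06-11 23:55'), ['negotiator_1'], [('netwalker_1', 7_049_990_000)]),
    Tx('a3', utc('2020-06-12 01:05'), ['netwalker_1'],
       [('nw_op_10pct', 704_998_000), ('nw_op_5pct_a', 352_499_000),
        ('nw_op_5pct_b', 352_499_000), ('affiliate_1C7F', 5_639_984_000)]),
    # Payment #2 (constructed, mirrors the reported UCSF figures): 116.4 BTC on 12 June.
    Tx('b1', utc('2020-06-12 20:13'), ['exchange_19Jy'], [('negotiator_2', 11_640_000_000)]),
    Tx('b2', utc('2020-06-12 20:17'), ['negotiator_2'], [('netwalker_2', 11_639_990_000)]),
    Tx('b3', utc('2020-06-12 20:20'), ['netwalker_2'],
       [('nw_op_10pct', 1_163_998_000), ('nw_op_5pct_a', 581_999_000),
        ('nw_op_5pct_b', 581_999_000), ('affiliate_1C7F', 9_311_984_000)]),
]


def find_candidates(txs, lo_btc, hi_btc, start, end):
    # Offline equivalent of the Blockchair query: outputs whose value and
    # time fall inside a slightly widened window around the reported figures.
    return [(tx, addr, val) for tx in txs if start <= tx.time <= end
            for addr, val in tx.outputs if lo_btc * SATS <= val <= hi_btc * SATS]


def is_fresh(txs, addr, before):
    # Fresh means the address appears in no transaction earlier than `before`.
    return not any(tx.time < before and (addr in tx.inputs or any(a == addr for a, _ in tx.outputs))
                   for tx in txs)


def four_arms(tx, tol=0.005):
    # Returns the affiliate address if tx pays 10%/5%/5% of its outputs to
    # known operator addresses and the remaining 80% to exactly one other address.
    if len(tx.outputs) != 4:
        return None
    total = sum(v for _, v in tx.outputs)
    ops = sorted(v / total for a, v in tx.outputs if a in OPERATOR_ADDRS)
    rest = [(a, v / total) for a, v in tx.outputs if a not in OPERATOR_ADDRS]
    if len(ops) != 3 or len(rest) != 1:
        return None
    if any(abs(share - want) > tol for share, want in zip(ops, [0.05, 0.05, 0.10])):
        return None
    affiliate, share = rest[0]
    return affiliate if abs(share - 0.80) <= tol else None


def match_pattern(txs, cand):
    # Steps 1-3 of the pattern: fresh negotiator address, forwarded in full to a
    # fresh attacker address, which is then split 'four arms'. Returns the trail or None.
    tx, neg, val = cand
    if not is_fresh(txs, neg, tx.time):
        return None
    fwd = [t for t in txs if neg in t.inputs and t.time > tx.time]
    if len(fwd) != 1 or len(fwd[0].outputs) != 1:
        return None
    attacker, _ = fwd[0].outputs[0]
    if not is_fresh(txs, attacker, fwd[0].time):
        return None
    split = [t for t in txs if attacker in t.inputs and t.time > fwd[0].time]
    if len(split) != 1:
        return None
    affiliate = four_arms(split[0])
    if affiliate is None:
        return None
    return {'exchange': tx.inputs[0], 'negotiator': neg, 'attacker': attacker,
            'affiliate': affiliate, 'btc': val / SATS, 'split_time': split[0].time}


def payments_by_affiliate(txs):
    # Every four-arms split on the ledger keyed by affiliate: a second payment
    # to the same affiliate is the cross-check that linked the two trails.
    out = {}
    for tx in sorted(txs, key=lambda t: t.time):
        aff = four_arms(tx)
        if aff:
            out.setdefault(aff, []).append((tx.time, sum(v for _, v in tx.outputs) / SATS))
    return out


if __name__ == '__main__':
    cands = find_candidates(SAMPLE_TXS, 116, 117, utc('2020-06-12 00:00'), utc('2020-06-13 23:59'))
    trails = [m for m in (match_pattern(SAMPLE_TXS, c) for c in cands) if m]
    print(len(cands), 'candidate outputs,', len(trails), 'matching the pattern:', trails)
    print(payments_by_affiliate(SAMPLE_TXS))
```

On the constructed data the widened 116 to 117 BTC window returns three candidate outputs, and only one survives the fresh-address and four-arms checks; the affiliate grouping then shows two splits paying the same affiliate roughly 19 hours apart, which is the observation that tied the 70.5 BTC payment to the UCSF trail. Against real data, SAMPLE_TXS would be replaced by transactions pulled from a block-explorer API, and the share tolerance widened enough to absorb the mining fee the split transaction pays.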
\r\nAccording to these experts, in many cases payments are not made all at once but tranched in return for certain\r\n“milestones” to build rapport between the parties—for example, one payment to delete exfiltrated information or to get\r\nmore information on the penetration method used by the attackers, and a second to receive a decryption key.\r\nThe same liquidity provider (Binance), the same negotiator wallet “technology” (address type and other\r\noptional technical fields), and a payment to the same affiliate only 19 hours\r\nbefore the UCSF payment together provide strong, albeit circumstantial, support for this theory. \r\nThe alternative explanation, that the first payment belongs to another, unrelated ransomware incident\r\nrun by the same NetWalker affiliate in parallel, is unlikely. These two ransom transactions are the only\r\nNetWalker “four arms” transactions for this NetWalker affiliate. It doesn’t seem likely that this NetWalker affiliate\r\nwould have conducted two independent ransomware campaigns in parallel with the same address, and then\r\ncompletely disappeared.\r\nSumming up\r\n“Big game hunting” ransomware incidents targeting large enterprises are all over the financial news. However, the\r\ndetails are often left in the shadows, as both attackers and victims want to keep the incidents from\r\npublic view. Bitcoin blockchain research can help fill this information gap and reveal vital information on\r\nransomware incidents.\r\nAt Zengo, our customers’ security is our top priority. That’s why we try to learn from every crypto-related security\r\nincident. In our experience, we’ve found that observing incidents is always useful and often leads to some\r\ninteresting insights. 
We believe understanding this incident may increase the awareness of law enforcement and\r\nhelp them detect and stop such underworld payments in the future.\r\nSource: https://zengo.com/bitcoin-ransomware-detective-ucsf/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://zengo.com/bitcoin-ransomware-detective-ucsf/"
	],
	"report_names": [
		"bitcoin-ransomware-detective-ucsf"
	],
	"threat_actors": [],
	"ts_created_at": 1775439116,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff9629eb1c05a8c5d1219b580b4133ac719daef7.pdf",
		"text": "https://archive.orkl.eu/ff9629eb1c05a8c5d1219b580b4133ac719daef7.txt",
		"img": "https://archive.orkl.eu/ff9629eb1c05a8c5d1219b580b4133ac719daef7.jpg"
	}
}