Classifying ransomware-Bitcoin nodes using graph embeddings

Adam Turner, Muhammad Ikram, Allon J Uhlmann

Research output: Contribution to journal › Article › peer-review

Abstract

This research develops a methodology to identify transactions through data-driven tracking and analysis of ransomware-Bitcoin payment networks [30]. We demonstrate the methodology by applying the GraphSAGE embedding algorithm to the WannaCry ransomware-Bitcoin cash-out network. The paper takes a data-driven approach to building a machine learning system that allows analysts to define features relevant to ransomware-Bitcoin payment networks. An additional feature, exposure, is developed to describe how much exposure each node has to the facilitation of ransomware payments. We use the exposure feature in combination with other Bitcoin payment network features, including graph algorithms such as PageRank, to determine a set of graph embeddings that can be used to predict the classification of ransomware network nodes. We perform tests on a dataset of 299 Bitcoin nodes and derive three distinct clusters. We also evaluate the performance of the clustering method on a dataset of 59 nodes. Our proposed method achieves 80% true-positive predictions. Further, examining the False Positives (FPs) and False Negatives (FNs) provided greater analytical insight for investigators because of their anomalous nature. We also explore how the proposed method can be leveraged by law enforcement to investigate suspicious activities such as money laundering and ransomware payments via Bitcoin.
Original language: English
Journal: Pacific Asia Journal of the Association for Information Systems
Publication status: Submitted - 29 Apr 2024
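The abstract describes combining an exposure feature with graph features such as PageRank before embedding and clustering nodes. The script below is an added illustration, not code from the paper or its authors: it builds a tiny constructed payment graph (every address and amount is invented; nothing is real WannaCry data), computes value-weighted PageRank by power iteration, and computes an assumed exposure score, defined here as the share of a node's inbound value that traces back to analyst-labelled ransom addresses. The paper's own exposure definition and feature set are not given on this page, so that definition, the `EDGES` sample, the `SEED_RANSOM` label set and the feature names are all assumptions of this example.

```python
"""Added example: per-node features for a toy Bitcoin payment graph.

Computes value-weighted PageRank and an assumed 'exposure' score (the share
of a node's inbound value that traces back to known ransom addresses) for
every node in a constructed transaction graph. The exposure definition is an
assumption made for this example, not the paper's.
"""
from collections import defaultdict

# Constructed sample transactions: (sender, receiver, amount in BTC).
# Every address and amount is made up; nothing here is real WannaCry data.
EDGES = [
    ("victim_a", "ransom_addr", 0.3),
    ("victim_b", "ransom_addr", 0.3),
    ("ransom_addr", "mixer", 0.6),
    ("mixer", "exchange", 0.5),
    ("mixer", "wallet_x", 0.1),
    ("merchant", "exchange", 1.0),
]
SEED_RANSOM = {"ransom_addr"}   # addresses an analyst has labelled as ransom


def build_graph(edges):
    """Return (nodes, out_adj, in_adj) with value-weighted adjacency lists."""
    out_adj, in_adj = defaultdict(list), defaultdict(list)
    nodes = set()
    for src, dst, amt in edges:
        out_adj[src].append((dst, amt))
        in_adj[dst].append((src, amt))
        nodes.update((src, dst))
    return sorted(nodes), out_adj, in_adj


def pagerank(edges, damping=0.85, iters=100, tol=1e-10):
    """Value-weighted PageRank by power iteration; dangling mass is spread uniformly."""
    nodes, out_adj, _ = build_graph(edges)
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(iters):
        dangling = sum(rank[v] for v in nodes if not out_adj[v])
        new = {v: (1 - damping) / n + damping * dangling / n for v in nodes}
        for u in nodes:
            total = sum(a for _, a in out_adj[u])
            for v, a in out_adj[u]:          # transition probability ~ BTC sent
                new[v] += damping * rank[u] * a / total
        delta = sum(abs(new[v] - rank[v]) for v in nodes)
        rank = new
        if delta < tol:
            break
    return rank


def exposure(edges, seeds, iters=100, tol=1e-12):
    """Assumed exposure metric: seeds score 1.0, pure sources 0.0, and every
    other node the value-weighted mean of its payers' exposure (fixed point)."""
    nodes, _, in_adj = build_graph(edges)
    score = {v: 1.0 if v in seeds else 0.0 for v in nodes}
    for _ in range(iters):
        new = dict(score)
        for v in nodes:
            if v in seeds or not in_adj[v]:
                continue
            total = sum(a for _, a in in_adj[v])
            new[v] = sum(score[u] * a for u, a in in_adj[v]) / total
        delta = max(abs(new[v] - score[v]) for v in nodes)
        score = new
        if delta < tol:
            break
    return score


def node_features(edges, seeds):
    """Per-node feature dict an analyst could feed into clustering or an embedding model."""
    nodes, out_adj, in_adj = build_graph(edges)
    pr, exp = pagerank(edges), exposure(edges, seeds)
    return {
        v: {
            "pagerank": pr[v],
            "exposure": exp[v],
            "in_degree": len(in_adj[v]),
            "out_degree": len(out_adj[v]),
            "btc_in": sum(a for _, a in in_adj[v]),
            "btc_out": sum(a for _, a in out_adj[v]),
        }
        for v in nodes
    }


if __name__ == "__main__":
    for node, feats in node_features(EDGES, SEED_RANSOM).items():
        print(f"{node:12s} " + "  ".join(f"{k}={val:.3f}" for k, val in feats.items()))
```

On the constructed graph the exchange ends up with the highest PageRank (it receives both the laundered and the legitimate flow) but an exposure of only one third, while the small `wallet_x` cash-out has low PageRank and exposure 1.0; that contrast is exactly why a centrality feature alone does not separate ransomware-facilitating nodes and an exposure-style feature is worth adding alongside it.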
