
On-chain ransomware payments fell to about $820 million in 2025, while claimed attacks rose 50%.
Chainalysis’s report on ransomware trends said total on-chain ransomware payments declined by approximately 8% to US$820 million in 2025, even as claimed ransomware attacks rose 50% year-on-year.
While aggregate payments remained relatively flat, the report said the median ransom payment increased 368%, rising from US$12,738 in 2024 to US$59,556 in 2025. Instead of isolated attacks, ransomware is interpreted as an interconnected marketplace of access, infrastructure, and monetisation services.
The divergence between more claimed attacks and lower overall payments to factors is attributed to improved incident response and regulatory scrutiny, as well as increased international action against operators, infrastructure, and laundering networks.
Furthermore, there is market fragmentation within the scam ecosystem, with smaller groups proliferating and some analyses tracking as many as 85 active extortion groups.
Initial access brokers (IABs) also form a key part of the ransomware supply chain, estimating they received at least US$14 million in on-chain payments in 2025. It said spikes in IAB inflows typically preceded increases in ransomware payments and victim leaks by around 30 days.
Criminal and state-linked actors increasingly share infrastructure such as bulletproof hosting and residential proxy networks, and disruption efforts increasingly target the enablement layer,
including infrastructure services used across the ecosystem, through law enforcement actions, sanctions, and private sector takedowns.
The scale, sophistication, and impact of ransomware attacks will continue to expand, and an effective response requires robust defences and strategic resilience.
Stay updated on crypto and AI by following our socials.


