Ransomware Crypto Payments Reached $820M in 2025 Despite 8% Drop From Prior Year

Crypto Ransomware Payments Hit $820M in 2025 Despite 8% Drop From Prior Year

Ransomware victims paid a total of $820 million in cryptocurrency during 2025, according to blockchain analytics firm Chainalysis. While that figure marks an 8% decline from the previous year, the scale of the problem remains staggering — the number of ransomware attacks jumped 50%, and the average ransom payment surged 368%.

The drop in total payouts against a backdrop of sharply rising attack volumes suggests that more companies are refusing to give in to extortion demands. Still, the spike in average payment size points to cybercriminals deliberately going after larger, deeper-pocketed organizations.

Key Figures From the Chainalysis Report: More Attacks, Bigger Ransoms

The 2025 Chainalysis report paints a paradoxical picture: overall payouts fell, but the intensity and sophistication of attacks grew significantly. Here are the headline numbers:

• $820 million — total cryptocurrency paid by ransomware victims;
• -8% — year-over-year decline in total payouts;
• +50% — increase in ransomware attacks, reaching nearly 8,000 recorded incidents;
• +368% — jump in average ransom payment, from $12,738 in 2024 to $59,556 in 2025.

These trends reflect a shift in attacker strategy: rather than casting a wide net with mass attacks on small targets, hackers are increasingly zeroing in on large corporations and critical infrastructure, where the potential payoff is far greater. In effect, cybercriminals are moving from a "spray and pray" model to precision strikes on the most vulnerable and financially attractive targets.

Cryptocurrency remains the go-to payment method for ransomware operators thanks to its relative anonymity and fast transaction speeds. These patterns fit into the broader surge in cybercrime and data breaches affecting both traditional financial institutions and the crypto industry.

Why Cryptocurrency Remains the Extortion Tool of Choice

Ransomware — malicious software that encrypts a victim's data and demands payment for the decryption key — is one of the most widespread forms of cybercrime. Crypto is the preferred payment rail for several key reasons:

• Pseudonymity — blockchain transactions are harder to trace than bank transfers, giving criminals a sense of security;
• Borderless transfers — crypto allows payments from anywhere in the world without financial intermediaries or KYC procedures;
• Speed — funds move in minutes rather than days, which is critical for criminals looking to collect and cash out quickly;
• Low barrier to entry — the average cost of stolen credentials and exploitable vulnerabilities on darknet markets dropped from $1,427 in 2023 to roughly $439 by early 2026, making attacks cheaper to launch than ever.

Fragmentation of the Ransomware Ecosystem

The ransomware market is no longer controlled by a handful of major syndicates. Chainalysis identified at least 85 active groups operating in 2025, most of them small and decentralized outfits. Cheap malware kits, new ransomware variants, and AI-powered automation tools have all fueled this splintering of the criminal ecosystem.

Initial access brokers — middlemen who breach corporate networks and sell that foothold to other criminals — play a major role in keeping the machine running. These brokers pulled in at least $14 million in cryptocurrency over the course of the year.

The Broader Crypto Theft Picture

Ransomware is just one slice of crypto-related crime. CertiK reported that $370.3 million in cryptocurrency was stolen in January alone, primarily through exploits and fraudulent schemes. Of that total, $311.3 million came from phishing attacks.

Tighter regulatory scrutiny and stricter exchange compliance policies are making it harder to launder large illicit sums — and that's directly reshaping how attackers pick their targets and move their money. But the falling cost of attack tools, combined with the growing ranks of smaller threat groups, means ransomware threats are likely to keep escalating.