It Started With a Ransom Note

On March 26, 2026, someone — or more accurately, some thing — found an internal development platform's Elasticsearch instance sitting on port 9200 with no authentication. Docker Compose had bound the port to 0.0.0.0, and Docker's direct iptables manipulation meant every UFW firewall rule on the host was irrelevant. The bot connected over HTTP, wiped 31.4 million records, and left behind a single index called read_me.

Your database has been deleted from your server, but all the information remains stored on our cluster. You must send 0.0061 BTC to the following wallet: bc1q38rjul6gdamfflf6p4ukz0ymtvfgfv2j9saf6r. Then, you must send an email to wendy.etabw@gmx.com with the following code: 0SH7HH1Q72JL. You have 48 hours to complete the steps.

The "information stored on our cluster" claim is a lie — and a well-documented one. In their 2025 NDSS paper, van Liebergen et al. deployed honeypot databases and confirmed that these bots delete without exfiltrating. Pure destruction, followed by an empty promise.

In our case, it didn't matter. Elasticsearch serves as a disposable read-only projection in a CQRS architecture. The canonical data lives in Neo4j. The indexes were rebuilt in hours. No ransom was paid, no data was lost, and the bot moved on to its next target.

But the wallet address stayed behind. And that's where this investigation begins.
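Before following the wallet, the exposure itself deserves a check. The script below is an added example for this write-up, not configuration or tooling from the affected platform: a small Python audit of Docker Compose port mappings that flags any service published on every interface, with a constructed weak definition beside a hardened one. The service dicts and the image tag are constructed; `xpack.security.enabled` is Elasticsearch's real security switch, and the `DOCKER-USER` chain is Docker's real hook for host-level filtering of published ports.

```python
"""Flag Docker Compose port mappings that publish a service on every interface.

Added example for this write-up, not configuration from the affected platform.
Docker implements published ports with its own iptables rules, inserted ahead
of the host firewall's chains, so a UFW deny rule does not cover a port that
Compose binds to 0.0.0.0. The short syntax "9200:9200" binds to 0.0.0.0
implicitly; only an explicit host IP such as "127.0.0.1:9200:9200" keeps the
port off the public interface. Service definitions below are constructed and
given as Python dicts (the shape a YAML loader produces from compose.yaml).
"""
from __future__ import annotations

ALL_INTERFACES = {"0.0.0.0", "::"}


def parse_short_port(spec):
    """Split short syntax "[[host_ip:]host_port:]container_port[/proto]" into
    (host_ip, host_port, container_port); a missing host IP means 0.0.0.0."""
    body = str(spec).split("/", 1)[0]                  # drop "/tcp" or "/udp"
    parts = body.split(":")
    if len(parts) == 1:
        # "9200": Docker picks a random host port, still on all interfaces
        return ("0.0.0.0", None, parts[0])
    container_port, host_port = parts[-1], parts[-2]
    # IPv6 literals keep their colons; "[::1]" and "::1" are both accepted
    host_ip = ":".join(parts[:-2]).strip("[]") or "0.0.0.0"
    return (host_ip, host_port, container_port)


def normalize_port(entry):
    """Accept either short syntax or long syntax ({target, published, host_ip})."""
    if isinstance(entry, dict):
        published = entry.get("published")
        return (
            str(entry.get("host_ip") or "0.0.0.0"),
            None if published is None else str(published),
            str(entry["target"]),
        )
    return parse_short_port(entry)


def exposed_ports(services):
    """Return (service, host_ip, host_port, container_port) for every mapping
    bound to all interfaces, i.e. reachable regardless of UFW rules."""
    findings = []
    for name, svc in services.items():
        for entry in svc.get("ports", []):
            host_ip, host_port, container_port = normalize_port(entry)
            if host_ip in ALL_INTERFACES:
                findings.append((name, host_ip, host_port, container_port))
    return findings


# Constructed: the kind of compose.yaml that produces the exposure described above.
WEAK_SERVICES = {
    "elasticsearch": {
        "image": "docker.elastic.co/elasticsearch/elasticsearch:VERSION",  # placeholder tag
        "environment": ["discovery.type=single-node", "xpack.security.enabled=false"],
        "ports": ["9200:9200", "9300:9300"],
    },
}

# Constructed hardened variant: loopback-only publishing and authentication left on.
HARDENED_SERVICES = {
    "elasticsearch": {
        "image": "docker.elastic.co/elasticsearch/elasticsearch:VERSION",  # placeholder tag
        "environment": ["discovery.type=single-node", "xpack.security.enabled=true"],
        "ports": ["127.0.0.1:9200:9200"],
    },
}

if __name__ == "__main__":
    for label, services in (("weak", WEAK_SERVICES), ("hardened", HARDENED_SERVICES)):
        print(label, exposed_ports(services))
```

Binding to loopback removes the port from the public interface, but it is a stopgap: if the port must be reachable from other hosts, the filtering belongs in the `DOCKER-USER` iptables chain, which Docker evaluates before its own rules, and authentication on the service means an exposed port no longer equals an unauthenticated API.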

Six Transactions and a Pattern

The ransomware wallet bc1q38rjul6gdamfflf6p4ukz0ymtvfgfv2j9saf6r turned out to be a short-lived address — active for just 12 days in early February, more than a month before it appeared in our ransom note. Six transactions told a clear story:

| # | Date (UTC) | Type | Amount | Counterparty | Turnaround |
|---|---|---|---|---|---|
| 1 | Feb 2, 05:52 | Deposit | +410,000 sat | Distribution wallet bc1qgsp5... | |
| 2 | Feb 4, 12:40 | Withdrawal | -409,661 sat | 1PucLK...ovVd (aggregation) | 55 hours |
| 3 | Feb 7, 00:08 | Deposit | +372,427 sat | Via pass-through 1LdjJK... | |
| 4 | Feb 7, 00:34 | Withdrawal | -371,636 sat | Same aggregation address | 26 minutes |
| 5 | Feb 14, 09:07 | Deposit | +608,500 sat | Binance hot wallet | |
| 6 | Feb 14, 12:57 | Withdrawal | -608,500 sat | Across Protocol (cross-chain) | 3h 50m |

Three deposits in, three sweeps out. Total take: about $1,320. Deposit 5 — 608,500 satoshis, or 0.006085 BTC — closely matches the 0.0061 BTC ransom demand. Someone paid the ransom via Binance, which means Binance has KYC records for that victim. The 26-minute sweep on transaction 4 confirmed what the ransom note already suggested: this is automated infrastructure, not a human operator checking a wallet.
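Turnaround time is the automation tell in the table above. The snippet below is an added example, not the investigation's own tooling: it replays the six transactions, pairs each deposit with the sweep that follows it, flags sub-hour sweeps, and tests each deposit against the 0.0061 BTC demand with a tolerance rather than an exact match. The year 2026 is inferred from the article's timeline (early February, a month before the March 26, 2026 note), and the counterparties are the truncated strings shown in the table.

```python
"""Deposit-to-sweep turnaround from a ransom wallet's transaction list.

Added example for this write-up, not tooling from the original investigation.
The six transactions are transcribed from the table above; the year 2026 is
inferred from the article's timeline, and the addresses are the truncated
forms shown there. A sweep within the hour of its deposit is treated as
automated.
"""
from __future__ import annotations

from datetime import datetime, timezone

# (UTC timestamp, type, amount in satoshis, counterparty as shown in the table)
TRANSACTIONS = [
    ("2026-02-02 05:52", "deposit",     410_000, "bc1qgsp5... (distribution wallet)"),
    ("2026-02-04 12:40", "withdrawal", -409_661, "1PucLK...ovVd (aggregation)"),
    ("2026-02-07 00:08", "deposit",     372_427, "1LdjJK... (pass-through)"),
    ("2026-02-07 00:34", "withdrawal", -371_636, "1PucLK...ovVd (aggregation)"),
    ("2026-02-14 09:07", "deposit",     608_500, "Binance hot wallet"),
    ("2026-02-14 12:57", "withdrawal", -608_500, "Across Protocol (cross-chain)"),
]

AUTOMATION_THRESHOLD_MIN = 60   # a human checking a wallet rarely sweeps this fast


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def sweep_turnarounds(txs):
    """Pair each deposit with the next withdrawal and measure the holding time.

    Returns one record per completed sweep: deposit size, minutes held, the
    difference between deposit and withdrawal (the on-chain fee when the whole
    balance is swept), and an automation flag."""
    records, pending = [], None
    for ts, kind, amount, counterparty in txs:
        if kind == "deposit":
            pending = (_ts(ts), amount)
        elif kind == "withdrawal" and pending is not None:
            held = (_ts(ts) - pending[0]).total_seconds() / 60
            records.append({
                "deposit_sat": pending[1],
                "held_minutes": held,
                "fee_sat": pending[1] + amount,       # amount is negative for withdrawals
                "automated": held < AUTOMATION_THRESHOLD_MIN,
                "destination": counterparty,
            })
            pending = None
    return records


def matches_demand(deposit_sat, demand_btc, tolerance_btc=0.0001):
    """True when a deposit is within tolerance of a ransom demand (1 BTC = 1e8 sat).
    Exchange withdrawals often differ from the demanded figure by a fee, so an
    exact match is the wrong test."""
    return abs(deposit_sat / 1e8 - demand_btc) <= tolerance_btc


def active_days(txs):
    """Whole days between the first and last transaction."""
    return (_ts(txs[-1][0]) - _ts(txs[0][0])).days


if __name__ == "__main__":
    for rec in sweep_turnarounds(TRANSACTIONS):
        print(f"{rec['deposit_sat']:>8} sat held {rec['held_minutes']:>7.0f} min "
              f"-> {rec['destination']} automated={rec['automated']}")
    print("ransom-sized deposits:",
          [t[2] for t in TRANSACTIONS if t[1] == "deposit" and matches_demand(t[2], 0.0061)])
    print("wallet active for", active_days(TRANSACTIONS), "days")
```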

The two outflow paths diverged immediately. Path A sent funds to an aggregation address and onward to what we'd later identify as a Binance deposit. Path B — the final withdrawal — embedded an Ethereum address in an OP_RETURN field and routed the funds through a cross-chain bridge. Two blockchains, two laundering strategies, from the same twelve-day wallet.
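The OP_RETURN field is what ties Path B to the Ethereum side. The decoder below is an added example, not the investigation's tooling: it pulls the pushed bytes out of an OP_RETURN script and recognises an embedded EVM address. The sample output script is constructed around the Trust Wallet address listed later in this article, not taken from the real transaction, and the handling of ASCII-encoded addresses is an assumption about how some services format the field.

```python
"""Decode a Bitcoin OP_RETURN payload and recognise an embedded EVM address.

Added example for this write-up; not the investigation's tooling, and the
script hex below is constructed rather than the real transaction's output.
OP_RETURN outputs carry arbitrary data after the 0x6a opcode; bridge and swap
services use them to tell the service where to deliver funds on the
destination chain, so recovering the value links the two chains.
"""
from __future__ import annotations

import string

OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2 = 0x6A, 0x4C, 0x4D

# Trust Wallet address from this article's address list, used as sample content.
TRUST_WALLET = "0x4E1DE10f343fA44a69AC13087f0F4d898f72193A"


def op_return_payload(script_hex):
    """Return the bytes pushed after OP_RETURN, or None if this is not an
    OP_RETURN output or the push is malformed (length exceeds the script)."""
    script = bytes.fromhex(script_hex)
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    op, i = script[1], 2
    if 1 <= op <= 0x4B:                      # direct push of 1..75 bytes
        length = op
    elif op == OP_PUSHDATA1 and len(script) > i:
        length, i = script[i], i + 1
    elif op == OP_PUSHDATA2 and len(script) > i + 1:
        length, i = int.from_bytes(script[i:i + 2], "little"), i + 2
    else:
        return None                          # OP_0 or a non-push opcode: no data
    payload = script[i:i + length]
    return payload if len(payload) == length else None


def embedded_evm_address(payload):
    """Interpret a payload as a 20-byte EVM address, raw or ASCII "0x..." text.

    Output is lowercase hex: EIP-55 checksumming needs Keccak-256, which the
    standard library does not provide (hashlib.sha3_256 is a different
    function), and all-lowercase addresses are accepted everywhere."""
    if payload is None:
        return None
    if len(payload) == 20:
        return "0x" + payload.hex()
    try:
        text = payload.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    if (len(text) == 42 and text[:2].lower() == "0x"
            and all(c in string.hexdigits for c in text[2:])):
        return "0x" + text[2:].lower()
    return None


def find_bridge_destination(outputs):
    """Scan a transaction's outputs (dicts whose 'scriptPubKey' field holds the
    output script as hex) and return the first embedded EVM address."""
    for out in outputs:
        addr = embedded_evm_address(op_return_payload(out["scriptPubKey"]))
        if addr:
            return addr
    return None


# Constructed sample: a zero-value OP_RETURN carrying the address as 20 raw
# bytes (0x14 = push 20 bytes) beside a placeholder P2WPKH payment output.
SAMPLE_OUTPUTS = [
    {"value": 0.0, "scriptPubKey": "6a14" + TRUST_WALLET[2:].lower()},
    {"value": 0.006085, "scriptPubKey": "0014" + "00" * 20},   # placeholder witness program
]

if __name__ == "__main__":
    print(find_bridge_destination(SAMPLE_OUTPUTS))
```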

A Network Built on Multisig

Following the aggregation address upstream led to a far more active wallet: a P2WSH 2-of-3 multisig address with 119 transactions and $7,600 in throughput, active from October 2024 through March 2026. This wasn't a personal wallet — it was a workhorse. Ninety-eight of its 119 transactions involved Binance addresses, and WalletExplorer's co-spend analysis confirmed it shared cluster 0000001bce8b8aa0 with five other consolidation addresses.

Combined, the cluster told a much bigger story: ~36 BTC in throughput across 4,814+ transactions. The multisig design — requiring two of three key holders to sign — meant this was an organized group, not a solo operator.

Then we found the co-signers. The multisig wallet had 307 unique co-signing addresses, each itself a 2-of-3 multisig. Each one was another victim-facing wallet in the operation. Three hundred and seven ransom wallets, all linked by shared signing keys.
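The co-spend analysis behind the cluster and the 307 co-signers rests on one heuristic: every input of a transaction had to be signed by whoever built it, so all input addresses of one transaction are assumed to belong to the same entity. The implementation below is an added example with constructed, placeholder-labelled transactions, not WalletExplorer's code or data; it merges co-spent addresses with union-find and also lists the direct co-signers of one address, the relationship that produced the 307-wallet count.

```python
"""Common-input-ownership clustering of Bitcoin addresses with union-find.

Added example for this write-up, not WalletExplorer's implementation. All
input addresses of one transaction are merged into one cluster; repeating
that across the chain turns one aggregation address into a multi-address
cluster and one multisig wallet into its full set of co-signers. The
transactions below are constructed, with placeholder labels rather than
real addresses.
"""
from __future__ import annotations

from collections import defaultdict


class UnionFind:
    """Disjoint sets with path compression. The representative is always the
    lexicographically smallest member, so results are deterministic."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        root = x
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[x] != root:           # path compression
            self.parent[x], x = root, self.parent[x]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return
        if rb < ra:
            ra, rb = rb, ra
        self.parent[rb] = ra                    # smaller label becomes the root


def cluster_addresses(txs):
    """Map every input address to its cluster representative.

    Caveat: CoinJoin-style transactions deliberately break the heuristic
    (unrelated parties sign one transaction), so real pipelines filter them
    out before merging; the constructed sample contains none."""
    uf = UnionFind()
    for tx in txs:
        inputs = tx["inputs"]
        for addr in inputs:
            uf.find(addr)                        # register single-input txs too
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    return {addr: uf.find(addr) for addr in uf.parent}


def clusters(txs):
    """Group addresses into frozensets, one per cluster, ordered by smallest member."""
    groups = defaultdict(set)
    for addr, rep in cluster_addresses(txs).items():
        groups[rep].add(addr)
    return sorted((frozenset(g) for g in groups.values()), key=min)


def co_spenders(txs, address):
    """Addresses that appeared as inputs in the same transaction as `address`:
    the direct co-signers, before transitive merging."""
    partners = set()
    for tx in txs:
        if address in tx["inputs"]:
            partners.update(tx["inputs"])
    partners.discard(address)
    return partners


# Constructed ledger: agg_1 and con_1 are co-spent, con_1 and con_2 are
# co-spent, so all three merge; ms_x is a multisig that co-signs with two
# victim-facing wallets; lone_1 never co-spends and stays a singleton.
TXS = [
    {"txid": "tx1", "inputs": ["agg_1", "con_1"]},
    {"txid": "tx2", "inputs": ["con_1", "con_2"]},
    {"txid": "tx3", "inputs": ["ms_x", "victim_a"]},
    {"txid": "tx4", "inputs": ["ms_x", "victim_b"]},
    {"txid": "tx5", "inputs": ["lone_1"]},
]

if __name__ == "__main__":
    for group in clusters(TXS):
        print(sorted(group))
    print("co-signers of ms_x:", sorted(co_spenders(TXS, "ms_x")))
```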

Three Years in the Dark

The trail kept going backward. A "pre-Binance funder" address had been feeding the consolidation cluster since before it switched to Binance deposits — and its first transaction dated to April 23, 2023. This wasn't a recent campaign. It had been running for nearly three years.

Even more revealing was what we found one hop further back. A tiny 15-transaction personal wallet — Arkham Cluster f834 — connected to the pre-Binance funder through just three transactions. Its funding source was an institutional entity (Arkham Cluster cf3b) with a $3.6 million portfolio, $19.85 million in transactions with Jump Crypto, and $4.46 million with Coinbase Prime Custody. Someone in this operation has deep ties to legitimate crypto finance.

Two Blockchains, One Operation

Remember transaction 6 — the final withdrawal from our ransomware wallet, the one with an Ethereum address embedded in an OP_RETURN field? That thread led across blockchains entirely.

The funds moved through TeleSwap, converting BTC to USDT on Polygon, then crossed to Ethereum via the Across Protocol bridge. Seventeen minutes after leaving Bitcoin, 418.81 USDT arrived in the attacker's Trust Wallet on Ethereum. From there, 100 USDT was forwarded to a Bitpie-funded wallet — one that receives from eight separate KYC-verified exchanges: Coinbase (~$28K), OKX (~$18K), Binance (~$12K), Kraken, Revolut, Crypto.com, MEXC, and CoinSpot. Each one of those exchanges holds identity records for whoever owns that wallet.

The Bitpie wallet's outflows were even more telling. It consolidates $300K+ to a single address that sends every dollar to OKX — the confirmed Ethereum-side cash-out exchange, with $239K+ in USDT deposited.

The Circle Closes at Binance

This was the moment the investigation transformed. We had been tracking what appeared to be a "mega laundering hub" — an address with 316,701 transactions and 13 fraud reports on BitcoinWhosWho. When Arkham Intelligence resolved it, the hub turned out to be Binance's own hot wallet.

The attacker wasn't using a separate mixer or tumbler. The entire operation runs through Binance in a circular loop:

The Binance Circular Loop

Victim pays ransom via Binance → Attacker's victim-facing wallet → Aggregation → Binance Deposit → Binance Hot Wallet → Back to the attacker's own Binance account. 107+ BTC confirmed flowing this path. Binance holds records for both victim and attacker.

Arkham resolved every exchange in the investigation: Binance (primary — deposits, withdrawals, the entire circular loop), Bybit (secondary BTC cash-out, 30 deposits), and OKX ($239K Ethereum-side cash-out). No unknown exchanges remain.

Fund Flow Overview
```mermaid
flowchart LR
    subgraph INPUT["Money In"]
        V["Victims
(via Binance)"]
    end
    subgraph COLLECTION["Collection"]
        RW["Ransomware
Wallets"]
        MS["307 Multisig
Wallets"]
    end
    subgraph CONSOLIDATION["Consolidation"]
        CL["Cluster
0000001bce
(~36 BTC)"]
    end
    subgraph CASHOUT_BTC["BTC Cash-Out"]
        BIN["Binance
(primary)"]
        BYB["Bybit
(secondary)"]
    end
    subgraph BRIDGE["Cross-Chain"]
        AC["Across Protocol
(via Polygon)"]
    end
    subgraph CASHOUT_ETH["ETH Cash-Out"]
        TW["Trust Wallet"]
        BP["Bitpie Wallet
($44K, 8 exchanges)"]
        OK["OKX
($239K+)"]
    end
    subgraph FIAT["Fiat Currency"]
        CASH["$$$ Cash Out"]
    end
    V --> RW
    V --> MS
    RW --> CL
    MS --> CL
    CL --> BIN
    CL -->|"pre-Binance
funder"| BYB
    RW -->|"cross-chain
swap"| AC
    AC --> TW
    TW --> BP
    BP --> OK
    BIN --> CASH
    BYB --> CASH
    OK --> CASH
    style INPUT fill:#6c757d,color:#fff
    style COLLECTION fill:#dc3545,color:#fff
    style CONSOLIDATION fill:#fd7e14,color:#fff
    style CASHOUT_BTC fill:#F0B90B,color:#000
    style BRIDGE fill:#E67E22,color:#fff
    style CASHOUT_ETH fill:#627EEA,color:#fff
    style FIAT fill:#28a745,color:#fff
```

An Invisible Thirty-Third Group

With the full network mapped, we cross-referenced every identified address against the NDSS 2025 dataset — the most comprehensive academic study of database ransom attacks, covering 60,427 compromised servers and 32 identified threat groups. Zero matches. Our attacker is a previously unidentified 33rd group, operating with a distinct GMX email pattern and victim-code format that appears nowhere in the academic literature.

OSINT confirmed the campaign is still active. LeakIX scans found 20+ Elasticsearch servers with read_me indexes at the time of investigation. The ransom email and victim code had zero public footprint — disposable identifiers rotated per wave. Thirteen fraud reports on the Binance hot wallet from other victims on BitcoinWhosWho confirmed this is not an isolated incident.

One more thread worth noting: the attacker deposits to Binance addresses that share a cluster with a DPRK-attributed address. Whether this is coincidence or connection remains an open question for professional chain analysis firms.

Complete Attacker Infrastructure
```mermaid
graph TB
    subgraph VICTIMS["VICTIMS"]
        V1[/"Victim pays ransom via Binance withdrawal"/]
    end
    subgraph BINANCE["BINANCE (Primary Infrastructure)"]
        BHW["Binance Hot Wallet
bc1qm34l...j77s3h
2.17M txns, 57,577 BTC"]
        BHW2["Binance Hot Wallet (bc1qg)
Arkham Cluster 3476
316,701 txns"]
        BD1["Binance Deposit (1M61m)
Arkham Cluster 3476
2,887 txns, 30.77 BTC"]
    end
    subgraph ATTACKER_BTC["ATTACKER BITCOIN NETWORK"]
        subgraph VICTIM_WALLETS["Victim-Facing Wallets"]
            RW["Ransomware Wallet
bc1q38rj...saf6r
6 txns, $1,320"]
            MS["Multisig (2-of-3)
bc1qyu6s...yc8p4
119 txns, $7,600"]
            MS307["307 Additional
Multisig Wallets"]
        end
        subgraph CLUSTER_1BCE["Cluster 0000001bce (~36 BTC)"]
            AGG["Aggregation
1PucLK...ovVd"]
            CON1["14Px4j...7GX
981 txns"]
            CON2["1KhFRv...wRPa
850 txns, 4.17 BTC"]
            CON3["1PfPmi...gzo
670 txns"]
            CON5["bc1qgdkw57...
599 txns, 11.1 BTC"]
        end
        subgraph ORIGIN["Origins (Since Apr 2023)"]
            PBF["Pre-Binance Funder
bc1quxrf32...
First tx: Apr 2023"]
        end
        PW["Personal Wallet
Arkham Cluster f834"]
    end
    subgraph BYBIT["BYBIT"]
        BYD["Bybit Deposit
30 deposits"]
    end
    subgraph INSTITUTIONAL["INSTITUTIONAL ENTITY"]
        CF3B["Cluster cf3b
$3.6M portfolio
Jump Crypto: $19.85M
Coinbase Prime: $4.46M"]
    end
    subgraph CROSS_CHAIN["CROSS-CHAIN LAUNDERING"]
        SWAP["TeleSwap + Across Protocol
BTC → Polygon → Ethereum
17-minute settlement"]
    end
    subgraph ATTACKER_ETH["ATTACKER ETHEREUM NETWORK"]
        ETH_WALLET["Trust Wallet
0x4E1DE10f...
$350 USDT"]
        BITPIE["Bitpie Wallet
0x72dF19D5...
8 KYC exchanges"]
        CONSOL["$300K+ → OKX"]
    end
    subgraph OKX_EX["OKX ($239K+ cash-out)"]
        OKX_HW["OKX Hot Wallet 5"]
    end
    V1 -->|"Ransom payment"| BHW
    BHW -->|"608,500 sat"| RW
    BHW -->|"98 of 119 txns"| MS
    RW -->|"Sweeps"| AGG
    RW -->|"Cross-chain"| SWAP
    MS -->|"57 sweeps"| CON2
    MS307 -.->|"co-signed"| MS
    AGG --> BD1
    CON1 --> BD1
    CON2 --> BD1
    CON3 --> BD1
    BD1 --> BHW2
    BHW2 -->|"107+ BTC circular loop"| BHW
    PBF -->|"38 txns"| CON1
    PBF -->|"30 txns"| BYD
    CF3B -->|"batch withdrawals"| PW
    PW -->|"3 txns"| PBF
    SWAP -->|"418.81 USDT"| ETH_WALLET
    ETH_WALLET -->|"100 USDT"| BITPIE
    BITPIE --> CONSOL
    CONSOL --> OKX_HW
    classDef binance fill:#F0B90B,stroke:#000,color:#000,font-weight:bold
    classDef bybit fill:#F7A600,stroke:#000,color:#000
    classDef okx fill:#121212,stroke:#fff,color:#fff
    classDef attacker fill:#dc3545,stroke:#000,color:#fff
    classDef personal fill:#ff6b6b,stroke:#000,color:#fff
    classDef ethereum fill:#627EEA,stroke:#000,color:#fff
    classDef victim fill:#6c757d,stroke:#000,color:#fff
    classDef institutional fill:#9B59B6,stroke:#000,color:#fff
    classDef crosschain fill:#E67E22,stroke:#000,color:#fff
    class BHW,BHW2,BD1 binance
    class BYD bybit
    class OKX_HW okx
    class RW,MS,MS307,AGG,CON1,CON2,CON3,CON5,PBF attacker
    class PW personal
    class ETH_WALLET,BITPIE,CONSOL ethereum
    class V1 victim
    class CF3B institutional
    class SWAP crosschain
```

What the Thread Unraveled

Starting from a single Bitcoin address in a boilerplate ransom note, this investigation traced the attacker's financial infrastructure through 14 phases across two blockchains. Here's what we found:

  1. Binance is the attacker's entire financial backbone — 107+ BTC flows through a confirmed circular loop. They have both victim and attacker accounts.

  2. Three exchanges identified by name: Binance (primary), Bybit (secondary), OKX ($239K Ethereum cash-out).

  3. An institutional entity funds the personal wallet — $3.6M portfolio, $19.85M with Jump Crypto, $4.46M Coinbase Prime Custody.

  4. Cross-chain laundering in 17 minutes — BTC → TeleSwap → Polygon → Across Protocol → Ethereum → Trust Wallet → Bitpie → $300K to OKX.

  5. 8 KYC exchanges on the Bitpie wallet — each subpoenable: Coinbase, OKX, Binance, Kraken, Revolut, Crypto.com, MEXC, CoinSpot.

  6. 307 victim-facing multisig wallets — the full operational network.

  7. A previously unidentified 33rd threat group — absent from the NDSS dataset of 60,427 compromised servers.

  8. Campaign is still active — 20+ infected Elasticsearch servers found via LeakIX.

  9. No law enforcement action has been reported against any database ransom operator as of this writing.

All Known Addresses

Bitcoin — Attacker-Controlled

| Role | Address |
|---|---|
| Ransomware Wallet | bc1q38rjul6gdamfflf6p4ukz0ymtvfgfv2j9saf6r |
| Multisig (2-of-3) | bc1qyu6sfpfc67h8enml7renc4028r743jyxrtfkjdwkg6wusjqc7eyqqyc8p4 |
| Pre-Binance Funder | bc1quxrf32zkvj388x795rmtjssf30e5dsnxugnruz |
| Personal (f834) | 1KWnV7eRyWRamtvpvKfUFPUfZHvY7Q61dR |
| Aggregation (1bce) | 1PucLKPAvJLTxLB1FuJT4ypvEAu3yzovVd |
| Consolidation (1bce) | 14Px4j46kDfu9BsYiJ5wFABm4KztS4P7GX |
| Consolidation (1bce) | 1KhFRvhGMHELrdeVg8HkYjV5McaqKDwRPa |
| Operational (1bce) | 1PfPmioBWgmviGZXYC84EY4B8f1NypGgzo |
| Operational (1bce) | 18Mu9qWJZskLoBwnxJWJyPprLPwfx63nft |
| Operational | bc1qgdkw57awxylked0ulgpp0y675j0cczrguecur5 |
| Network | + 307 multisig co-signer victim-facing wallets |

Bitcoin — Exchanges (Arkham-Confirmed)

| Role | Address |
|---|---|
| Binance Hot Wallet | bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h |
| Binance: Hot (bc1qg) | bc1qgzrva028eym96uax90j28qj3aqhh3dy8gk6qvp |
| Binance Deposit | 1M61mJd3AtmJRHGUG9a7v1LaKfNUNs77rB |
| Bybit Deposit | 1L2q4sfzAVViHCt6UziR6dx5ox8GEv6jVf |
| Cluster cf3b | bc1qsatlphjcgvzlt9xhsgn0dnjus5jgwg83dr05c6 |

Ethereum

| Role | Address |
|---|---|
| Trust Wallet | 0x4E1DE10f343fA44a69AC13087f0F4d898f72193A |
| Bitpie Wallet | 0x72dF19D55881551bB9107cF851Cc1ce2310B8c02 |
| OKX Consolidation | 0x0cabafd4fb87bfE212876F2afEE8AF811a9f7576 |
| OTC Intermediary | 0xFDF4A080650Cf82e5B88c32133D2d54f94d73A81 |
| Polygon Depositor | 0x3a54f61C8115EE886FBB65cF6Bc6DC625D540BAE |

Other IOCs

| Indicator | Value |
|---|---|
| Ransom Email | wendy.etabw@gmx.com |
| Victim Code | 0SH7HH1Q72JL |

Who They Are

| Trait | Evidence |
|---|---|
| Organized | 2-of-3 multisig requires 2+ keyholders per transaction |
| Long-running | Active since April 2023 — three years of operation |
| Large scale | 307 victim-facing wallets, ~36+ BTC through consolidation |
| Automated | Low ransom ($580), generic email, 26-minute sweeps |
| China-connected | Bitpie wallet, CoinSpot (Australia), 47.5% Chinese victims per NDSS |
| Binance-centric | Primary infrastructure: circular loop processing 107+ BTC |
| Cross-chain | BTC → Polygon → Ethereum via TeleSwap + Across Protocol |
| No recovery | NDSS honeypots confirmed: data is deleted, never stored |

What Comes Next

Every exchange in this investigation is identified by name. Every identified address exists on a public blockchain with immutable transaction history. The attacker's Binance account sits at the center of a circular loop that processes over 107 BTC — and Binance, under its KYC obligations, holds the identity behind that account.

The immediate priority is abuse reporting across ChainAbuse, BitcoinWhosWho, and the Bitcoin Abuse Database for all identified addresses, plus a formal report to FBI IC3 (ic3.gov) and GMX abuse for the ransom email.

For law enforcement, the strongest leads are Binance (primary target — the circular loop means they hold both victim and attacker records), OKX ($239K USDT Ethereum cash-out), Bybit (30 BTC deposits), and the US-based exchanges Coinbase and Kraken on the Bitpie wallet — the easiest subpoena path in US jurisdiction.

Professional chain analysis firms (Chainalysis, Elliptic, TRM Labs) can take this further: identifying the institutional entity behind Cluster cf3b, expanding the 307-wallet network, and tracing the full Polygon-side conversion path that our tools couldn't fully resolve.

As of this writing, no law enforcement action has been reported against any database ransom operator. The campaign is still running. The addresses are still active. And the circular loop at Binance is still turning.

References

  1. van Liebergen et al. "All Your (Data)base Are Belong To Us." NDSS Symposium 2025.
  2. Secureworks. "Unsecured Elasticsearch Data Replaced with Ransom Note."
  3. BleepingComputer. "Hundreds of Elasticsearch Databases Targeted in Ransom Attacks."
  4. Wiz. "Database Ransomware Research."
  5. Arkham Intelligence — Exchange identification and cluster analysis.
  6. WalletExplorer — Bitcoin address clustering via co-spend analysis.
  7. Etherscan — Ethereum token transfers and contract identification.
  8. BitcoinWhosWho — Public fraud reports on identified addresses.
  9. LeakIX — Internet-wide database vulnerability scanning.
  10. Across Protocol — Cross-chain bridge fill transaction analysis.

CrimsonVector is the investigative research practice of Diego Parra. All findings are based on publicly available blockchain data, open-source intelligence, and academic research. Do not send funds to any listed address.