Decentralized cryptocurrency commonly demanded by ransomware operators for ransom payments due to its pseudonymous nature and ease of cross-border transfer without banking intermediaries.
Bitcoin became the ransomware payment currency of choice because it enabled attackers to receive payments without traditional banking infrastructure. Bitcoin transactions are pseudonymous — associated with wallet addresses rather than real identities — and can be received from anywhere in the world without bank approval. This made it ideal for criminals operating across borders. The emergence of Bitcoin in 2009 was a key enabler of the modern ransomware economy, making it practical for attackers to monetize their operations at scale.
However, Bitcoin is not truly anonymous. Every transaction is permanently recorded on the public blockchain, and law enforcement agencies have developed sophisticated techniques for tracing Bitcoin flows through chain analysis. This has led some ransomware groups to shift toward privacy-focused cryptocurrencies like Monero, which offer stronger anonymity features. Despite this trend, Bitcoin remains the most commonly demanded cryptocurrency for ransomware payments because of its liquidity, mainstream accessibility, and the fact that victims can more easily acquire it.
The FBI and CISA recommend against paying ransoms because payment funds criminal enterprises, does not guarantee data recovery, and may violate OFAC sanctions if the ransomware group is associated with sanctioned entities. Organizations considering payment should involve legal counsel, law enforcement, and their cyber insurance provider. The best strategy is to invest in defenses and backup capabilities that make payment unnecessary — every dollar spent on prevention and recovery preparedness has a far higher return than paying a ransom.