The Ransomware Crypto Payment Tracker is a blockchain forensics tool designed to analyze cryptocurrency wallet activity and identify suspicious transaction patterns commonly associated with ransomware operations and financial crime.
It transforms raw blockchain data into an interactive investigation dashboard, enabling analysts to:
- Track fund movements across wallets
- Visualize transaction networks as interactive graphs
- Detect and score suspicious financial behavior
- Understand potential laundering and obfuscation patterns
Ransomware attackers increasingly demand cryptocurrency payments due to:
- Pseudonymous wallet identities
- Complex fund movement across multiple addresses
- Lack of accessible, affordable tooling for tracing and interpretation
Enterprise solutions like Chainalysis cost tens of thousands of dollars annually, putting them out of reach for small security teams, independent analysts, and growing companies. This project bridges that gap.
A simplified but capable blockchain forensics platform combining:
- Real-time wallet data retrieval via public APIs
- Graph-based transaction visualization
- Weighted, rule-based anomaly detection engine
- Per-wallet risk scoring (0–100)
- Structured investigation workflows accessible without specialist training
| Layer | Technology |
|---|---|
| Frontend | React + TypeScript, TailwindCSS, Cytoscape.js, Axios |
| Backend | Node.js, Express.js |
| Data Source | Etherscan API (V2) |
- Fetches live transaction data from the Ethereum blockchain
- Calculates total sent, total received, and transaction count per wallet
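As an added illustration of the retrieval and normalisation step (this is example code, not the project's own backend), the snippet below takes the shape of an Etherscan account `txlist` response (string fields, value in wei), converts it into the cleaned transactions the rest of the pipeline consumes, and computes the per-wallet totals listed above. The payload is constructed; the function names `weiToEth`, `normalise` and `walletTotals` are assumptions, and the handling of the "No transactions found" status reflects how the account endpoint reports an empty history.

```javascript
// Added example: normalise an Etherscan-style txlist payload and compute wallet totals.
const WEI_PER_ETH = 10n ** 18n;

// Constructed stand-in for an Etherscan txlist response; hashes and addresses are placeholders.
const SAMPLE_RESPONSE = {
  status: '1',
  message: 'OK',
  result: [
    { hash: '0xhash1', from: '0xaaa', to: '0xbbb', value: '2000000000000000000', timeStamp: '1700000000', isError: '0' },
    { hash: '0xhash2', from: '0xbbb', to: '0xccc', value: '500000000000000000',  timeStamp: '1700000600', isError: '0' },
    { hash: '0xhash3', from: '0xbbb', to: '0xddd', value: '1000000000000000000', timeStamp: '1700001200', isError: '1' }, // failed tx
    { hash: '0xhash4', from: '0xCCC', to: '0xBBB', value: '250000000000000000',  timeStamp: '1700001800', isError: '0' },
  ],
};

// Convert a wei string to ETH; the integer part stays exact via BigInt, only the fraction goes through a double.
function weiToEth(weiStr) {
  const wei = BigInt(weiStr);
  return Number(wei / WEI_PER_ETH) + Number(wei % WEI_PER_ETH) / 1e18;
}

// Normalise: drop failed txs, lowercase addresses, numeric timestamps, ETH values, chronological order.
function normalise(response) {
  if (response.status !== '1') {
    // An address with no history comes back as status "0" rather than as an error.
    if (/No transactions found/i.test(response.message || '')) return [];
    throw new Error(`unexpected Etherscan response: ${response.message}`);
  }
  return response.result
    .filter(tx => tx.isError === '0')
    .map(tx => ({
      hash: tx.hash,
      from: tx.from.toLowerCase(),
      to: (tx.to || '').toLowerCase(), // contract creations carry no "to"
      value: weiToEth(tx.value),
      timestamp: Number(tx.timeStamp),
    }))
    .sort((a, b) => a.timestamp - b.timestamp);
}

// Per-wallet totals as shown on the dashboard: total sent, total received, transaction count.
function walletTotals(wallet, txs) {
  const w = wallet.toLowerCase();
  const totals = { wallet: w, totalSent: 0, totalReceived: 0, txCount: 0 };
  for (const tx of txs) {
    if (tx.from === w) { totals.totalSent += tx.value; totals.txCount++; }
    else if (tx.to === w) { totals.totalReceived += tx.value; totals.txCount++; }
  }
  return totals;
}

const normalised = normalise(SAMPLE_RESPONSE);
console.log(walletTotals('0xBBB', normalised));
```

Lowercasing both sides of the comparison matters because Etherscan returns addresses in whichever case the caller submitted them, and the failed transaction (`isError: "1"`) is excluded so it does not inflate the sent total.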
Each wallet is assigned a risk score from 0 to 100 built from weighted pattern signals rather than simple flag counts. Scores map to:
| Score | Level |
|---|---|
| 0–39 | Low Risk |
| 40–69 | Medium Risk |
| 70–100 | High Risk |
The score is aggregated per wallet across all detected patterns and capped at 100, giving a single comparable number per address.
Five detection modules run in parallel on every analysis:
Detects wallets distributing funds to multiple unique receivers within a 24-hour sliding window.
- 3–5 unique receivers → +25 pts
- 6+ unique receivers → +40 pts
Detects wallets that forward received funds onward, with extra weight for speed.
- Funds forwarded within 1 hour of receipt → +35 pts (rapid layering)
- Funds forwarded outside 1 hour → +15 pts (general chaining)
Flags high-value outflows relative to common thresholds.
- Outflow above 1 ETH → +20 pts
- Outflow above 5 ETH → +35 pts
Flags wallets with unusually high transaction frequency.
- More than 5 transactions in any 1-hour window → +25 pts
Flags suspiciously round ETH values — a known structuring and layering signal.
- Transactions matching round values (0.1, 0.5, 1, 2, 5, 10... ETH) → +10 pts each
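To show how the five modules and the 0–100 scoring described above fit together, here is an added worked example (not the project's own detection engine) that implements each rule with the weights listed, sums them per wallet, caps at 100 and maps the result to a risk level. The transactions are constructed, the addresses are placeholders, the round-value list beyond "10..." is an assumption, and so is the choice to award the chaining and high-value tiers once per wallet at the highest tier reached.

```javascript
// Added example: rule-based risk scoring over constructed transactions (ETH amounts, unix seconds).
const HOUR = 3600;
const DAY = 24 * HOUR;
const ROUND_VALUES = new Set([0.1, 0.5, 1, 2, 5, 10, 20, 50, 100]); // extension past 10 is an assumption

const SAMPLE_TXS = [
  { from: '0xA', to: '0xB', value: 8.0, timestamp: 1000 },
  { from: '0xB', to: '0xC', value: 2.0, timestamp: 1600 }, // forwarded 10 min after receipt
  { from: '0xB', to: '0xD', value: 1.0, timestamp: 2200 },
  { from: '0xB', to: '0xE', value: 1.0, timestamp: 2800 },
  { from: '0xB', to: '0xF', value: 2.0, timestamp: 3400 },
  { from: '0xB', to: '0xG', value: 0.7, timestamp: 4000 },
  { from: '0xC', to: '0xH', value: 1.5, timestamp: 1600 + 2 * HOUR }, // forwarded after 2 h
];

const byTime = (a, b) => a.timestamp - b.timestamp;
const inWindow = (txs, start, span) =>
  txs.filter(t => t.timestamp >= start && t.timestamp < start + span);

// Module 1: fan-out. Most unique receivers reached in any 24-hour window of outflows.
function fanOut(wallet, txs) {
  const out = txs.filter(t => t.from === wallet).sort(byTime);
  let best = 0;
  for (const s of out) best = Math.max(best, new Set(inWindow(out, s.timestamp, DAY).map(t => t.to)).size);
  if (best >= 6) return { pattern: 'fan-out', points: 40 };
  if (best >= 3) return { pattern: 'fan-out', points: 25 };
  return null;
}

// Module 2: chaining. Received funds followed by an outflow; "rapid" if within one hour.
function chaining(wallet, txs) {
  const out = txs.filter(t => t.from === wallet).sort(byTime);
  let rapid = false, general = false;
  for (const i of txs.filter(t => t.to === wallet)) {
    const next = out.find(o => o.timestamp >= i.timestamp);
    if (!next) continue;
    if (next.timestamp - i.timestamp <= HOUR) rapid = true; else general = true;
  }
  if (rapid) return { pattern: 'rapid layering', points: 35 };
  if (general) return { pattern: 'chaining', points: 15 };
  return null;
}

// Module 3: high-value outflow; the highest tier reached is awarded once.
function highValue(wallet, txs) {
  const max = Math.max(0, ...txs.filter(t => t.from === wallet).map(t => t.value));
  if (max > 5) return { pattern: 'high-value outflow', points: 35 };
  if (max > 1) return { pattern: 'high-value outflow', points: 20 };
  return null;
}

// Module 4: burst. More than five transactions touching the wallet inside any 1-hour window.
function burst(wallet, txs) {
  const mine = txs.filter(t => t.from === wallet || t.to === wallet).sort(byTime);
  for (const s of mine) if (inWindow(mine, s.timestamp, HOUR).length > 5) return { pattern: 'burst', points: 25 };
  return null;
}

// Module 5: round values, +10 per matching transaction touching the wallet.
function roundValues(wallet, txs) {
  const n = txs.filter(t => (t.from === wallet || t.to === wallet) && ROUND_VALUES.has(t.value)).length;
  return n > 0 ? { pattern: 'round values', points: 10 * n } : null;
}

function riskLevel(score) {
  if (score >= 70) return 'High Risk';
  if (score >= 40) return 'Medium Risk';
  return 'Low Risk';
}

// Run every module, sum the weighted points, cap at 100 and map to a level.
function scoreWallet(wallet, txs) {
  const hits = [fanOut, chaining, highValue, burst, roundValues].map(m => m(wallet, txs)).filter(Boolean);
  const score = Math.min(100, hits.reduce((s, h) => s + h.points, 0));
  return { wallet, score, level: riskLevel(score), patterns: hits.map(h => h.pattern) };
}

for (const w of ['0xA', '0xB', '0xC']) console.log(scoreWallet(w, SAMPLE_TXS));
```

In this sample the distributing wallet `0xB` trips all five rules (25 + 35 + 20 + 25 + 40 = 145, capped to 100, High Risk), the originating wallet `0xA` only trips the high-value rule (35, Low Risk), and `0xC`, which forwards after two hours, lands on 45 (Medium Risk). The cap is what keeps a wallet with many round-value transactions from dominating purely on count.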
Every flagged address gets its own consolidated profile showing:
- Aggregate risk score with a visual progress bar
- All pattern types detected as chips
- HIGH / MEDIUM / LOW severity classification
Automatically generated plain-language summaries describing:
- Fund distribution patterns
- Possible layering or obfuscation behaviour
- Indicators of ransomware cash-out activity
- Interactive network graph powered by Cytoscape.js
- Color-coded nodes: target wallet, suspicious wallets, normal wallets
- Edge thickness proportional to transaction value
- Pan, zoom, and click interactions
- Full transaction history for any searched wallet
- Color-coded by direction (incoming / outgoing)
- Timestamped with copy-to-clipboard and Etherscan deep-link per transaction
- Chronological event log combining transactions and detection flags
- Severity badges on flagged events
- Filters out noise — only surfaces significant activity
- Falls back to a preloaded demo dataset when the Etherscan API is unavailable
- Ensures uninterrupted demos and local testing
```text
User enters wallet address
        ↓
Backend fetches transactions from Etherscan API
        ↓
Transactions are cleaned and normalised
        ↓
Detection engine runs 5 parallel pattern modules
        ↓
Per-wallet risk profiles are built with weighted scores
        ↓
Frontend renders: risk ring, alerts, graph, timeline
```
Clone the repository and install the backend dependencies:

```bash
git clone https://github.com/your-username/crypto-tracker.git
cd crypto-tracker
npm install
```

Create a `.env` file in the root directory:

```
ETHERSCAN_API_KEY=your_api_key_here
```

Get a free key at etherscan.io/apis.

Start the server:

```bash
node server.js
```

In a second terminal, install and start the frontend:

```bash
cd frontend
npm install
npm run dev
```

Open http://localhost:5173 in your browser.
This project demonstrates how blockchain transparency can be operationalised to:
- Trace ransomware payment flows
- Identify fund obfuscation techniques (splitting, chaining, structuring)
- Support threat intelligence and incident response workflows
- Provide accessible forensic capability without enterprise tooling costs
- Multi-chain support — Bitcoin, Solana, Tron
- ML-based anomaly detection — replace rule weights with trained classifiers
- Real-time monitoring — webhook alerts on new suspicious transactions
- Wallet clustering — heuristic-based address attribution
- Exportable reports — PDF/CSV investigation summaries
This project is intended for educational and research purposes only. It performs read-only analysis of publicly available blockchain data and does not guarantee investigative accuracy. It should not be used as the sole basis for legal or financial decisions.
- Etherscan API
- Cytoscape.js
- Lucide Icons
- Open-source community