ShinyHunters / AT&T ransom payment traced on-chain — paper draft, seeking arXiv cs.CR endorsement
Across all major ShinyHunters campaigns (AT&T/Snowflake, Salesforce, Canvas/Instructure), only one event has both a publicly stated payment amount and a known approximate settlement date: the May 2024 AT&T payment of ~5.7 BTC (~$370K), confirmed by Wired but never published with a transaction hash. I use that as the analytical anchor for an end-to-end on-chain analysis using only free public data.

Pipeline (5 stages):

1. BigQuery bulk filter on amount and time window → 500 candidates.
2. Recipient profiling via Blockstream Esplora (lifetime tx count, spend shape).
3. Sender-side cluster analysis using common-input ownership; looking for broker-aggregation patterns.
4. Depth-12 concurrent forward trace, top-K=4 fan-out.
5. Terminal attribution via OKLink, BitInfoCharts, WalletExplorer.

Result: A single highest-fit candidate: 5.71997804 BTC paid 2024-05-17 22:04 UTC to a fresh recipient, spent in 6 min, laundered through a 6-cycle automated peel chain, terminating at an exchange deposit cluster. Funding side shows broker-aggregation fingerprint (4× 1.147 BTC peels in a 90-min window pre-payout). Upstream hub addresses appear reused across multiple victims of the same laundering service, active through 2025. Paper closes with the legal pathway from chain endpoint to indictment and a scoped compliance-request template.

Limitations (explicit in §5):

- Ranking under a scoring scheme, not positive ID.
- No off-chain ground truth.
- Documented OKLink vs. Arkham label conflict on the dominant terminal, resolved via behavioural audit.
- No formal null-distribution analysis yet.
- Score weights are author judgements.

Asking for:

- Technical feedback / methodology critique.
- arXiv cs.CR endorsement — endorsement code: ZQXBSQ

github.com/tr4m0ryp/shinyhunters-gotta-catch-em-all/blob/main/Gotta_Catch_Em_All_ShinyHunters.pdf

Tooling and dataset released for reuse

submitted by /u/Visual_Course6624
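The common-input ownership step named in stage 3, as an added example that is not taken from the post or the linked repository: addresses co-spent as inputs of one transaction are merged with union-find. The transaction records, the field names and the CoinJoin filter (three or more distinct inputs and three or more equal-valued outputs) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample transactions (not chain data). Values are in satoshis.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A", "B"], "outputs": [("P", 90_000_000), ("A2", 5_000_000)]},
    {"txid": "tx2", "inputs": ["B", "C"], "outputs": [("P", 70_000_000), ("C2", 1_000_000)]},
    {"txid": "tx3", "inputs": ["D"], "outputs": [("E", 50_000_000)]},
    # CoinJoin-shaped: several parties' inputs, several equal-valued outputs.
    {"txid": "tx4", "inputs": ["C", "X", "Y"],
     "outputs": [("o1", 10_000_000), ("o2", 10_000_000), ("o3", 10_000_000), ("X2", 2_000_000)]},
]

class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def looks_like_coinjoin(tx, threshold=3):
    """Assumed filter: at least `threshold` distinct inputs and equal-valued outputs."""
    counts = defaultdict(int)
    for _, value in tx["outputs"]:
        counts[value] += 1
    return len(set(tx["inputs"])) >= threshold and max(counts.values(), default=0) >= threshold

def cluster_addresses(txs, skip_coinjoin=True):
    """Merge addresses co-spent in one transaction; return clusters, largest first."""
    uf = UnionFind()
    for tx in txs:
        for addr in tx["inputs"]:
            uf.find(addr)  # register every input address, even if never merged
        if skip_coinjoin and looks_like_coinjoin(tx):
            continue  # co-spending here does not imply one owner
        for addr in tx["inputs"][1:]:
            uf.union(tx["inputs"][0], addr)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))

if __name__ == "__main__":
    for cluster in cluster_addresses(SAMPLE_TXS):
        print(cluster)
```

With the filter disabled, the CoinJoin-shaped transaction pulls the unrelated addresses X and Y into the sender cluster, which is the false-merge case a cluster-based ranking has to guard against.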