As 2026 unfolds, crypto ransomware has moved squarely into the domain of tax authorities, regulators, and compliance professionals. The convergence of escalating attack volumes, record-setting ransom revenues in prior years, and a rapidly evolving web of federal reporting mandates means that ransomware is no longer merely a cybersecurity problem. It is a tax and regulatory compliance problem, one with real consequences for victims, facilitators, insurers, and incident-response firms alike.
The IRS issued Chief Counsel Advice memorandum 202511015 in March 2025 to clarify when crypto theft and scam losses qualify for deduction under IRC Section 165. CISA is finalizing mandatory ransom payment reporting rules under CIRCIA with a final rule expected to take effect in 2026. FinCEN published its first comprehensive ransomware trend analysis spanning 2022 to 2024 in December 2025. And OFAC continues to sanction cryptocurrency exchanges that process ransomware proceeds, carrying strict liability penalties for victims who inadvertently pay sanctioned actors.
At KoinX, we work with investors and tax professionals navigating the intersection of crypto and compliance, and the data compiled in this article reflects exactly why robust reporting infrastructure has become non-negotiable for any organization operating in the digital asset space.
Scope and Methodology
This article was compiled against the following methodological standards:
- Source universe and inclusion criteria: Only sources that produced their own underlying data were considered. This includes U.S. government agencies (IRS, FinCEN, CISA, OFAC, FBI/IC3, Treasury), blockchain analytics firms publishing primary on-chain research (Chainalysis), and major proprietary research sponsors (IBM/Ponemon Institute). Aggregator blogs, news outlets, and secondary summaries were excluded regardless of how authoritative they appear.
- Recency enforcement: All statistics were drawn from reports published within the two-year window ending April 2026. Where a statistic references data from an earlier study year (e.g., 2022 or 2023 baseline figures in a 2025 report), the original study year is retained in the bullet. No figure older than the 2022 calendar year is included unless it anchors a trend reported in a 2024 or 2025 primary document.
- Geographic scope: This article is primarily U.S.-focused given the concentration of regulatory guidance (IRS, FinCEN, CISA, OFAC) and the availability of verifiable on-chain ransomware data from Chainalysis. Global statistics from Chainalysis and IBM are included where they provide essential context for the U.S. enforcement and tax landscape.
- Material limitation: FBI IC3 ransomware loss figures represent reported losses only and do not capture incidents reported directly to FBI field offices or incidents that went unreported entirely. FinCEN SAR data similarly captures only what financial institutions reported under Bank Secrecy Act obligations. Both figures are acknowledged lower bounds.
Ransomware Attack Revenue at a Glance: 2026 Statistics
- Ransomware attackers received approximately $813.55 million in cryptocurrency payments from victims in 2024, a 35% decrease from 2023’s record-setting $1.25 billion, based on a 2025 report by Chainalysis.
- Ransomware inflows during the first half of 2024 reached $459.8 million, approximately 2.38% higher than the same period in 2023, based on a 2024 mid-year update by Chainalysis.
- Only 25% of ransomware victims paid a ransom in Q4 2024, a historic low, based on a 2025 quarterly report by Coveware.
- The FBI IC3 received 3,156 ransomware complaints in 2024, a 9% increase from 2023, contributing to $1.571 billion in total cyber-threat losses, based on the 2024 Annual Report by the FBI Internet Crime Complaint Center.
- The FBI IC3 received more than 3,600 ransomware complaints in 2025, with losses exceeding $32 million reported directly to IC3, based on the 2025 Internet Crime Report by the FBI.
- FinCEN received 7,395 Bank Secrecy Act reports related to 4,194 ransomware incidents totaling more than $2.1 billion in payments during the 3-year review period from January 2022 through December 2024, based on a 2025 Financial Trend Analysis by FinCEN.
- The largest single ransomware payment recorded in 2024 was $75 million, paid to the Dark Angels group, based on a 2025 report by Chainalysis.
- The average ransomware payment in Q4 2024 was $553,959, up 16% quarter-over-quarter, while the median fell 45% to $110,890 in the same period, based on a 2025 quarterly report by Coveware.
- The global average cost of a data breach involving ransomware reached $4.91 million in 2024, above the overall breach average of $4.88 million, based on a 2024 Cost of a Data Breach Report by IBM and Ponemon Institute.
- Ransomware incidents reported to FinCEN decreased to 1,476 in 2024, reflecting $734 million in the aggregate value of reported payments in BSA reports, based on a 2025 Financial Trend Analysis by FinCEN.
Ransomware Payment Volume and Attack Frequency Statistics
- Bitcoin (BTC) accounted for 97% of reported ransomware-related payment transactions in FinCEN’s 3-year review dataset from 2022 to 2024, with Monero (XMR) cited in 2% of reports, based on a 2025 Financial Trend Analysis by FinCEN.
- The median amount of a single ransomware transaction was $124,097 in 2022, $175,000 in 2023, and $155,257 in 2024, based on a 2025 Financial Trend Analysis by FinCEN.
- The 10 ransomware variants with the highest cumulative payment amounts in FinCEN’s 2022 to 2024 dataset accounted for approximately $1.5 billion in suspicious activity, based on a 2025 Financial Trend Analysis by FinCEN.
- FinCEN identified more than 200 ransomware variants reported in Bank Secrecy Act data between 2022 and 2024, based on a 2025 Financial Trend Analysis by FinCEN.
- LockBit saw H2 2024 payment volumes decrease by approximately 79% following law enforcement disruption by the UK’s National Crime Agency and the FBI in early 2024, based on a 2025 report by Chainalysis.
- Approximately 30% of ransomware negotiations in 2024 led to a payment or to the victim deciding to pay, based on a 2025 report by Chainalysis.
- Organizations with between 101 and 1,000 employees accounted for the largest share of ransomware attacks in Q4 2024 at 41.53% of reported incidents, with those between 11 and 100 employees accounting for 29.66%, based on a 2025 quarterly report by Coveware.
IRS Guidance on Victim Tax Obligations
- IRS Chief Counsel Advice memorandum 202511015, issued March 2025, addressed 5 hypothetical scam scenarios to determine which taxpayers may deduct crypto theft losses under IRC Section 165, with 3 of the 5 scenarios qualifying for a full deduction and 2 disqualified under the 2018 to 2025 TCJA personal casualty loss restriction, based on a 2025 memorandum by the Internal Revenue Service.
- The TCJA disallows personal casualty and theft losses for individual taxpayers for tax years 2018 through 2025 under IRC Section 165(h)(5), covering an 8-year period during which ransomware victims with non-profit-motive losses received $0 in deductible relief absent a federally declared disaster, based on a 2024 National Taxpayer Advocate Purple Book by the IRS Office of the Taxpayer Advocate.
- Voluntary self-disclosure of a ransomware payment with a potential OFAC sanctions nexus can result in a 50% reduction in the base amount of a proposed civil penalty, based on guidance referenced in a 2025 memorandum by the Internal Revenue Service.
- Under IRS final digital asset broker regulations, brokers must report gross proceeds on Form 1099-DA for all transactions on or after January 1, 2025, with basis reporting requirements phasing in for transactions on or after January 1, 2026, covering custodial exchange operators across 16 categories of covered broker types, based on a 2024 final rule announcement by the Internal Revenue Service.
FinCEN SAR Filing and Ransomware Reporting Statistics
- During the 9-year period from 2013 through the end of 2021, FinCEN received 3,075 Bank Secrecy Act reports totaling approximately $2.4 billion in ransomware payments, compared with $2.1 billion across just 3 years from 2022 through 2024, based on a 2025 Financial Trend Analysis by FinCEN.
- Financial services was the sector most affected by ransomware payments in FinCEN’s 2022 to 2024 review period, accounting for approximately $365.6 million in total payments across all reported BSA incidents, based on a 2025 Financial Trend Analysis by FinCEN.
- FinCEN received 7,395 BSA reports tied to ransomware across the 2022 to 2024 review period, averaging approximately 2,465 ransomware-related filings per year, based on a 2025 Financial Trend Analysis by FinCEN.
CISA CIRCIA Ransomware Payment Reporting Requirements
- The CISA Notice of Proposed Rulemaking under CIRCIA, published April 4, 2024 at 89 FR 23644, proposes that covered entities in 16 critical infrastructure sectors must report ransomware payments to CISA within 24 hours of making the payment, based on a 2024 Federal Register publication by the Cybersecurity and Infrastructure Security Agency.
- Under the CIRCIA proposed rule, covered entities must report covered cyber incidents to CISA within 72 hours of reasonably believing a covered incident has occurred, with a separate 24-hour deadline triggered by any ransomware payment, based on a 2024 Federal Register publication by the Cybersecurity and Infrastructure Security Agency.
- CISA estimated implementing the CIRCIA reporting program would cost $116 million in FY2025 and require 70 full-time positions to manage program operations, rulemaking support, and ransomware mitigation, based on a 2024 Congressional Research Service brief citing CISA’s own program cost projections.
- CISA’s proposed CIRCIA rule requires covered entities to preserve records relating to each reported cyber incident or ransomware payment for 2 years following submission of the most recently filed CIRCIA report, based on a 2024 Notice of Proposed Rulemaking by the Cybersecurity and Infrastructure Security Agency.
- As of September 2025, CISA delayed the CIRCIA Final Rule to a May 2026 target publication date, falling 6 months past the statutory 18-month deadline that required final rule publication by October 2025, based on the Spring 2025 Unified Agenda of Regulatory and Deregulatory Actions published by the Cybersecurity and Infrastructure Security Agency.
OFAC Sanctions and Ransomware Payment Compliance Statistics
- On March 6, 2025, U.S. law enforcement froze over $26 million in cryptocurrency controlled by Garantex, a cryptocurrency exchange that processed over $100 million in transactions linked to illicit activities including ransomware since 2019, based on a 2025 press release by the U.S. Department of the Treasury.
- The maximum civil penalty for violations of the International Emergency Economic Powers Act by entities that make ransomware payments to sanctioned parties can exceed $368,000 per violation or twice the transaction amount, whichever is greater, based on guidance published by the U.S. Department of the Treasury Office of Foreign Assets Control.
- OFAC’s September 2021 designation of SUEX OTC found that over 40% of the exchange’s known transaction history was associated with illicit actors, making it the first OFAC sanctions designation against a virtual currency exchange for facilitating ransomware transactions, based on a 2021 press release by the U.S. Department of the Treasury.
- OFAC designated Grinex, a successor exchange created by Garantex employees following the March 2025 law enforcement action, after Grinex facilitated billions of dollars in cryptocurrency transfers within weeks of its creation, with Garantex users transferred funds to cover losses equivalent to their seized balances in the A7A5 ruble-backed token, based on a 2025 press release by the U.S. Department of the Treasury.
Ransomware Laundering Methods and Blockchain Forensics Statistics
- Mixing services captured between 10% and 15% of ransomware quarterly money laundering flows historically before declining substantially in 2024 following enforcement actions against Chipmixer, Tornado Cash, and Sinbad, based on a 2025 report by Chainalysis.
- 50% of wallets used in ransomware attacks and stolen fund activity receive no additional inflows after the initial incident, reflecting a pattern of minimal infrastructure reuse across episodic cybercrime, based on a 2025 analysis by Chainalysis.
- As of July 2025, illicit entity balances of BTC, ETH, and stablecoins held on-chain reached approximately $15 billion, a 359% surge from the relatively modest balances observed in 2020, based on a 2025 analysis by Chainalysis.
- Direct transfers from illicit entities to exchanges collapsed from approximately 40% of quarterly value in 2021 to 2022 to around 15% in Q2 2025, indicating increased laundering complexity among ransomware cash-out operations, based on a 2025 analysis by Chainalysis.
- Ransomware launderers paid an average fee premium of 14.5 times the typical on-chain transaction fee in 2025 to move funds through mixers, privacy chains, and cross-chain bridges, up from 2.58 times in 2021, based on a 2025 mid-year update by Chainalysis.
Ransomware Victim Total Cost and Law Enforcement Engagement Statistics
- Ransomware victims who involved law enforcement saved on average nearly $1 million in total breach costs, and 63% of those who involved law enforcement avoided paying a ransom entirely, based on a 2024 Cost of a Data Breach Report by IBM and Ponemon Institute.
- The average total cost of a ransomware breach without law enforcement involvement was $5.37 million, compared to $4.38 million when law enforcement was engaged, excluding any ransom payment from both figures, based on a 2024 Cost of a Data Breach Report by IBM and Ponemon Institute.
- The global average cost of a data breach in 2024 was $4.88 million, a 10% increase from $4.45 million in 2023 and the largest year-over-year spike since the pandemic, based on research conducted across 604 organizations in 16 countries by Ponemon Institute and published in a 2024 report by IBM.
- Organizations that extensively used AI in security prevention workflows incurred an average of $2.2 million less in breach costs compared to those with no AI use in prevention, based on a 2024 Cost of a Data Breach Report covering 604 organizations globally by IBM and Ponemon Institute.
- Cryptocurrency-related cybercrime complaints to the FBI IC3 in 2024 totaled approximately 150,000 complaints amounting to $9.3 billion in losses, a 66% increase from 2023, based on the 2024 Annual Report by the FBI Internet Crime Complaint Center.
- The FBI IC3 received 181,565 cryptocurrency-related complaints in 2025 totaling more than $11 billion in losses, a 22% increase from 2024, with an average individual loss of $62,604 per crypto-related complaint, based on the 2025 Internet Crime Report by the FBI.
References