Multiple works have leveraged the public Bitcoin ledger to estimate the revenue cybercriminals obtain from their victims. Estimations focusing on the same target often do not agree, due to the use of different methodologies, seed addresses, and time periods. These factors make it challenging to understand the impact of their methodological differences. Furthermore, they underestimate the revenue due to the (lack of) coverage of the target's payment addresses, but how large this impact is remains unknown. In this work, we perform the first systematic analysis of the estimation of cybercrime bitcoin revenue. We implement a tool that can replicate the different estimation methodologies. Using our tool, we can quantify, in a controlled setting, the impact of the different methodology steps. In contrast to what is widely believed, we show that the revenue is not always underestimated. There exist methodologies that can introduce huge overestimation. We collect 30,424 payment addresses and use them to compare the financial impact of 6 cybercrimes (ransomware, clippers, sextortion, Ponzi schemes, giveaway scams, exchange scams) and of 141 cybercriminal groups. We observe that the popular multi-input clustering fails to discover addresses for 40% of groups. We quantify, for the first time, the impact of the (lack of) coverage on the estimation. For this, we propose two techniques to achieve high coverage, possibly nearly complete, on the DeadBolt server ransomware. Our expanded coverage enables estimating DeadBolt's revenue at $2.47M, 39 times higher than the estimation using two popular Internet scan engines.
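The sketch below is an added example, not the paper's tool. It expands seed addresses with multi-input clustering (addresses co-spent as inputs of one transaction are merged) and sums deposits to the resulting set. All addresses, transactions and amounts are constructed, and the `skip_internal` switch is a hypothetical methodology step used only to show how one choice changes the estimate.

```python
# Added example: multi-input clustering plus deposit-based revenue estimation.
# Each constructed transaction is (input addresses, [(output address, satoshis)]).
TXS = [
    (["victim1"], [("seedA", 50_000_000)]),
    (["victim2"], [("addrB", 30_000_000)]),
    (["seedA", "addrB"], [("addrD", 80_000_000)]),  # co-spend links seedA and addrB
    (["victim3"], [("seedZ", 20_000_000)]),
    (["seedZ"], [("cashout", 20_000_000)]),         # seedZ never co-spends
]

def expand_seeds(seeds, txs):
    """Return every address that shares a multi-input cluster with a seed."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    for inputs, _ in txs:
        for addr in inputs[1:]:
            parent[find(addr)] = find(inputs[0])  # merge co-spent inputs
    roots = {find(seed) for seed in seeds}
    return {addr for addr in list(parent) if find(addr) in roots}

def estimate_revenue(addresses, txs, skip_internal=True):
    """Sum deposits (satoshis) into `addresses`.

    skip_internal (hypothetical step): ignore transactions funded by the
    address set itself, so coins moved between its own addresses are not
    counted a second time.
    """
    total = 0
    for inputs, outputs in txs:
        if skip_internal and any(addr in addresses for addr in inputs):
            continue
        total += sum(value for addr, value in outputs if addr in addresses)
    return total
```

On this data, `seedA` alone yields 50,000,000 satoshis and its expanded cluster 80,000,000, while `seedZ` gains no new addresses because it is never co-spent with another input.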