
Flag Ransomware Payment Flows

Which addresses will receive funds from ransomware-tagged wallets in the next 30 days?


A real-world example


WannaCry (2017) and Colonial Pipeline (2021) show the pattern: attackers demand crypto, then rapidly move the funds through intermediaries. By the time exchanges react, the funds have hopped 3–4 addresses. Predicting downstream contamination from ransomware wallets lets exchanges freeze incoming deposits before tainted funds arrive.

How KumoRFM solves this

Graph-powered fraud intelligence

Kumo’s filtered link prediction learns flow patterns from labeled ransomware addresses. It predicts which exchange-hosted addresses will receive contaminated funds 1–2 hops downstream, using transaction timing, amount patterns, and intermediate address behavior. ADDR001 (exchange deposit address) is predicted to receive funds from ADDR099 (ransomware, Chainalysis confidence 0.97).

From data to predictions

See the full pipeline in action

Connect your tables, write a PQL query, and get predictions with built-in explainability — all in minutes, not months.

1. Your data

The relational tables Kumo learns from

Addresses

| address_id | first_seen | entity_type | chain |
|---|---|---|---|
| ADDR001 | 2024-03-10 | exchange | ETH |
| ADDR002 | 2024-08-22 | unknown | BTC |

On-Chain Transfers

| txn_hash | from_address | to_address | amount | timestamp |
|---|---|---|---|---|
| 0xc3... | ADDR099 | ADDR001 | 12.5 | 2025-01-10 |
| 0xd4... | ADDR099 | ADDR002 | 8.2 | 2025-01-12 |

Labels

| address_id | tag | source | confidence |
|---|---|---|---|
| ADDR099 | ransomware | Chainalysis | 0.97 |

2. Write your PQL query

Describe what to predict in 2-3 lines — Kumo handles the rest

PQL
PREDICT LIST_DISTINCT(ON_CHAIN_TRANSFERS.FROM_ADDRESS
    WHERE LABELS.TAG = "ransomware",
    0, 30, days)
FOR EACH ADDRESSES.ADDRESS_ID

3. Prediction output

Every entity gets a score, updated continuously

| ADDRESS_ID | CLASS | SCORE | TIMESTAMP |
|---|---|---|---|
| ADDR001 | ADDR099 | 0.88 | 2025-02-01 |
| ADDR002 | ADDR099 | 0.75 | 2025-02-01 |

4. Understand why

Every prediction includes feature attributions — no black boxes

Address ADDR001

Predicted: 88% probability of receiving funds from ADDR099 (ransomware)

Top contributing features

| Feature | Value | Attribution |
|---|---|---|
| Transfer amount from ADDR099 | 12.5 ETH | 37% |
| Label tag (source) | ransomware (Chainalysis) | 27% |
| Label confidence | 0.97 | 18% |
| Entity type | exchange | 11% |
| Address first_seen recency | 10 months | 7% |

Feature attributions are computed automatically for every prediction. No separate tooling required.

Bottom line: Flag addresses 1–2 hops downstream from ransomware wallets. Enable exchanges to freeze incoming deposits before tainted funds arrive.
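
A deterministic baseline for the 1–2 hop downstream exposure described above, added here as an example (it is not Kumo's code or model): a hop-limited, time-respecting walk over the On-Chain Transfers and Labels tables that reports which exchange addresses have already received funds traceable to a labeled ransomware wallet. ADDR003, ADDR004 and their transfers are constructed sample rows, and the function name and default thresholds are assumptions.

```python
from datetime import date

# Rows follow the page's table schemas. ADDR003, ADDR004 and the last two
# transfers are constructed for this example.
ADDRESSES = {"ADDR001": "exchange", "ADDR002": "unknown",
             "ADDR003": "exchange", "ADDR004": "exchange"}
LABELS = [("ADDR099", "ransomware", "Chainalysis", 0.97)]
TRANSFERS = [  # (from_address, to_address, amount, timestamp)
    ("ADDR099", "ADDR001", 12.5, date(2025, 1, 10)),
    ("ADDR099", "ADDR002", 8.2, date(2025, 1, 12)),
    ("ADDR002", "ADDR003", 8.0, date(2025, 1, 13)),  # sent after taint arrived
    ("ADDR002", "ADDR004", 1.0, date(2025, 1, 5)),   # sent before taint arrived
]

def downstream_exposure(transfers, labels, addresses,
                        max_hops=2, min_confidence=0.9):
    """Return {exchange_address: (hops, first_tainted_arrival)}.

    A transfer only carries taint if it happens on or after the day tainted
    funds first reached its sender, so earlier outflows are not flagged.
    """
    seeds = [addr for addr, tag, _source, conf in labels
             if tag == "ransomware" and conf >= min_confidence]
    arrival = {addr: date.min for addr in seeds}  # earliest tainted arrival
    hops = {addr: 0 for addr in seeds}            # fewest hops from a seed
    for hop in range(1, max_hops + 1):
        reached = dict(arrival)
        for src, dst, _amount, ts in transfers:
            # Senders are read from the previous round, so each round
            # extends the tainted set by exactly one hop.
            if src in arrival and arrival[src] <= ts < reached.get(dst, date.max):
                reached[dst] = ts
                hops.setdefault(dst, hop)
        arrival = reached
    return {addr: (hops[addr], arrival[addr]) for addr in arrival
            if hops[addr] > 0 and addresses.get(addr) == "exchange"}

if __name__ == "__main__":
    for addr, (n, when) in sorted(downstream_exposure(TRANSFERS, LABELS, ADDRESSES).items()):
        print(f"{addr}: {n} hop(s) downstream, first tainted deposit {when}")
```

Comparing this list against model predictions after the 30-day window closes is one way to check which flagged deposits actually materialized.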

Topics covered

ransomware detection, ransomware payment tracking, crypto fraud detection, blockchain analytics, graph neural network, cryptocurrency compliance, KumoRFM, predictive AI, fund flow analysis, real-time detection, fraud prevention

One Platform. One Model. Predict Instantly.

KumoRFM

Relational Foundation Model

Turn structured relational data into predictions in seconds. KumoRFM delivers zero-shot predictions that rival months of traditional data science. No training, feature engineering, or infrastructure required. Just connect your data and start predicting.

For critical use cases, fine-tune KumoRFM on your data using the Kumo platform and Data Science Agent for 30%+ higher accuracy than traditional models.
