The growth of ransomware attacks has tracked the growing use of crypto-currencies, and especially Bitcoin, as the payment medium of choice among cyber-criminals. Although Bitcoin’s transparency provides traceability, pseudonymity complicates the attribution of malicious activity. In this work, we present a robust machine learning framework for detecting ransomware in the Bitcoin blockchain, grounded in fundamental blockchain principles and utilizing the BitcoinHeist dataset. We integrate graph-based transactional features, engineered behavioral indicators, and a twostage classification pipeline to detect both ransomwarerelated addresses and their malware families. We overcome the challenges of class imbalance and sparse malicious samples using the SMOTETomek technique and verify improvements in separability using unsupervised clustering (K-Means and DBSCAN). For classification, we benchmark traditional and ensemble models including Random Forest, XGBoost, LightGBM, CatBoost, and a Stacking Ensemble for classification. The ensemble model delivers state-of-the-art performance with an F1-score of 98.07% while maintaining reasonable training time. Evaluation is also extended to include resource utilization metrics such as memory, CPU usage, and training time. Our results show the feasibility of integrating machine learning-based forensics at the transactional layer, supported by a foundation in blockchain’s core mechanisms, enabling proactive threat mitigation and transparent blockchain intelligence.

Keywords