We built a five-year census of 65,907 exposed databases on the public internet. 30,515 of them (46.3%) carry a ransom or wipe marker. We then validated every bitcoin address inside those notes, ending with 514 distinct attacker wallets. When we priced the 512 we could resolve on-chain, 318 had received zero bitcoin. The 9.78 BTC (around $753,000) that did move concentrated into a handful of operators. Mass database extortion is industrial, automated, mostly unpaid, and still doing enormous damage.
Ransomnews Research Team. Census window: May 2021 to 13 May 2026. Wallet enrichment via mempool.space, priced at BTC = $76,992 on the lookup date.
Key takeaways
- Scale of the corpus. 65,907 exposed databases observed, 30,515 (46.3%) ransomed or wiped, an estimated more than 215 billion records destroyed across ransomed instances.
- Exposure equals compromise. Of every MongoDB, MySQL, Elasticsearch and Kibana instance we found exposed directly to the internet, between 98% and 100% already carried a ransom note when we observed it.
- The damage is real even when the ransom fails. Of 512 wallets traced on-chain, 318 (62%) received zero BTC. The data was still destroyed, exfiltrated, or held for ransom on every one of those instances.
- The money that moves is brutally concentrated. The top 1 wallet captured 9.1% of all bitcoin received, the top 10 captured 43%, and the top 50 captured 82.8%. A handful of operators run the entire profitable end of the business.
- Today’s operators want payment, not destruction. The
read_me_to_recoverfamily alone covers 17,908 instances; the 2020meowwiper that defined the early era of the genre now matches only 53 notes in the corpus. - One wallet, 49 countries, one demand. A single address appears in 1,283 notes across 1,234 victim IPs in 49 countries, every one demanding exactly 0.01 BTC. The clearest single proof of automation in the dataset.

How big is the database ransom epidemic?
Database extortion is the most consistently overlooked corner of the ransomware economy because it does not have a brand. There is no leak-site countdown, no encrypted-files spectacle, no PR-friendly group name. There is only a small text file dropped into the database itself, demanding a few thousandths of a bitcoin to restore the data the attacker has already taken or deleted.
To size it, we built a corpus of every exposed database we could observe between May 2021 and 13 May 2026: 65,907 distinct instances across MongoDB, MySQL, Elasticsearch, Kibana, and a long tail of HTTP-fronted admin panels. 30,515 of them (46.3%) already carried a ransom or wipe note by the time we saw them. Summing the pre-attack row counts on those instances, the corpus represents more than 215 billion individual records destroyed, exfiltrated, or held for ransom. That is an order-of-magnitude figure rather than an audit, but the order is correct.

The shape of the curve matters. The first hits in 2021 were rare, single-operator experiments. By 2023 the volume had jumped sixteen-fold, and the rough plateau across 2024 and 2025 reflects how much of the internet’s exposed-database surface is already saturated. The 2026 figure is partial and already higher than the 2025 total. New databases are exposed faster than old ones are taken down.
Wreckage without revenue
It is tempting to read the 62%-earn-nothing finding as good news. It is not. The wallets receiving zero bitcoin are not campaigns that failed to fire. They are campaigns that did fire. The database was already accessed, the existing tables were already dropped or copied out, the ransom note was already pasted in. The only thing that did not happen is payment. The damage is identical whether the victim pays or not.

Stack the two columns side by side. On the damage side: 30,515 production databases with a ransom or wipe marker, an estimated more than 215 billion records on those instances, 14,935 notes pasted into live systems, and a near-deterministic 100% compromise rate on exposed Mongo and MySQL. On the revenue side: 9.78 BTC, around $753,000, across five years, with 62% of the wallets sitting on zero. Spread the revenue across the 30,515 hit instances and operators are earning roughly $25 per ransom-marked database. The economic surplus they extract per victim is trivial; the operational harm they cause is not.
That is the central narrative of the genre. The campaigns are cheap to run, the unit economics are bad, and the operators do not particularly care because the script does not stop. A scanner finds an open port, a templated note is dropped, the data is dropped or copied out, and the campaign moves on. If anyone pays, that is a bonus. If nobody pays, the wreckage is unchanged. That is what “industrial” looks like at the bottom of the ransomware funnel.
Why exposure equals compromise

The single most useful number for a defender is the per-engine ransom rate. Of 3,532 MongoDB instances we found exposed on a default port, 3,525 were carrying a ransom note. The same is true of MySQL (2,930 of 2,931), Elasticsearch (6,055 of 6,185), and Kibana (3,739 of 3,821). For these engines, exposure is not a probability of compromise. It is compromise.
HTTP-fronted database admin panels behave differently (around 26% ransom-marked) because most of them sit behind authentication, even if it is weak. The interesting class is everything else, the engine port left open with no auth at all. That class is fully owned, and scanners find it within hours of exposure.
What the ransom notes actually say
The 30,515 ransom-marked instances are not 30,515 distinct campaigns. They are a small number of note templates pasted in at industrial scale. We ran a multi-label classifier across the corpus and most instances match more than one family, which is itself a signal: operators copy templates from each other constantly.

- read_me_to_recover (17,908 instances). The default template across the genre. “Your data is gone, read THIS file to recover it.” Almost always pairs with one of the other families.
- btc_ransom_note (14,714). Contains a structured BTC address and a numeric demand. This is the family that gives us the 514 wallets and the entire on-chain analysis.
- read_me_generic (14,709). Plain-text variant without a structured payment template. Often pasted in alongside the BTC family as a fallback.
- email_contact (5,667). Routes the victim to a privacy-mail address. The recurring addresses (Tutanota, OnionMail, Keemail, Cock.li, Proton) pair tightly with the top wallets.
- restore_decrypt (250). Promises decryption against payment. Rare in this corpus because most attacks here are exfiltrate-and-delete, not encryption.
- gdpr_threat (151). Threatens to report the victim to the EU regulator for the data exposure if the ransom is not paid. A signal that operators read the news; not yet at scale.
- meow / wiper (53). The signature of the 2020 Meow campaign that destroyed databases without demanding anything. Now a rounding error.
The takeaway is editorial. Today’s mass-extortion operators want payment, not destruction. The pure-destructive Meow strategy died because it generated no revenue. Even the campaigns earning zero per-victim today (the 62% above) have the option to collect from the small minority who pay. Destruction without that option does not survive.
Who is actually getting paid?
Of the 514 distinct valid bitcoin wallets we extracted from ransom notes, 512 resolved on-chain. We then asked the simplest possible question: how much bitcoin has each of them ever received?

318 of the 512 wallets received nothing. No deposit, no transaction, no ransom paid. 62% of the attacker wallets in this census are revenue-zero campaigns. That number is the lower bound on the inefficiency of mass database extortion, and it is much higher than the popular image of ransomware as a uniformly lucrative racket.
Of the 194 wallets that did receive bitcoin, the concentration is brutal. The total receipts across the entire dataset come to 9.78 BTC, around $753,000 at the lookup price. The top 1 wallet alone captured 9.1% of that total. The top 10 captured 43%. The top 50 captured 82.8%. The other 144 paid wallets, by definition, share what is left.
The single biggest earner, 1Di1cM1QgTxZuwsxp9nRBc6UXUAhbMN7YX, received 0.89 BTC (about $68,000) from just 13 notes demanding between 0.1 and 0.13 BTC each. That is a different operator profile from the median: a small number of victims paying a relatively high demand, rather than thousands of victims being asked for crumbs.
The figure is also a confirmed minimum, not a ceiling. We counted only addresses we could validate and price. Some notes contained truncated or malformed addresses our extractor could not recover, and Monero is excluded by design because the chain is private. So $753K is the floor for what these 512 wallets pulled in. The actual total is higher, but probably not by a factor that changes the conclusion.
One wallet, 49 countries: the automation signature

The most-reused wallet in the corpus is bc1qaua9cwrp0g2nqg2txn86e7k376v0xm4m0yfcfq. It appears in 1,283 ransom notes across 1,234 distinct victim IPs in 49 countries. Every observed note demands exactly the same amount: 0.01 BTC. The first instance is October 2023; the last is May 2026. For two and a half years, one address has been pasted into thousands of compromised databases across most of the world, asking for the same trivial sum.
That is what an industrial campaign looks like under a microscope. It is not a group with a brand. It is a script that scans for an open MongoDB port, drops a templated note containing the same wallet, and moves on. The 0.01 BTC demand is set deliberately low (around $760 at today’s price) because the operator is betting on volume rather than per-victim leverage. Pay-and-forget pricing, optimised for the bottom of the funnel.
The top 10 wallets all show the same pattern at different volumes. Same demand across thousands of victims, same email addresses paired to the same wallet, same span of years. They are not 10 operators. They are likely two or three operations running multiple wallets in rotation.
How these operations actually run
The contact channels in the notes tell a complementary story. We extracted around 2,100 distinct contact addresses after cleaning. The recurring high-volume ones cluster on disposable privacy mail providers: Tutanota, OnionMail, Keemail, Proton, Cock.li, Airmail, Mailnesia. The four highest-volume contact addresses we found:
[email protected], appears in 1,374 notes[email protected], 1,045 notes[email protected], 528 notes[email protected], 306 notes
Those addresses pair tightly with the top wallets. The same email address turns up across thousands of ransom notes alongside the same wallet, scan after scan, year after year. The operator economy here is small, the tooling is reused, and very little of the activity is ad-hoc.
Telegram handles and onion contacts appear in single digits across the entire corpus. These are not human-curated negotiation operations. They are throwaway-email campaigns optimised for one-shot interactions: pay the wallet, send a receipt to the email, hope you get something back. The infrastructure cost is essentially zero.
Where the exposed databases sit
The top ten countries by raw ransom-marked database count are China (11,874), the United States (4,194), Germany (2,026), France (1,595), India (1,182), Singapore (987), South Korea (867), Russia (778), Hong Kong (604), and Canada (455). These are raw counts, not per-capita figures, and they track cloud-hosting density rather than national negligence. A cheap MongoDB on a Chinese cloud is no more or less likely to be misconfigured than the same instance on AWS US-East. There are just more of them in the first place.
What this means for defenders
The whole defensive lesson collapses into a single line. Never expose a database engine port directly to the internet. Bind to localhost or to a private VPC subnet, put the engine behind an authenticated gateway, and put network controls (security group, firewall, allowlist) on the perimeter. The MongoDB and Elasticsearch ransom rates in our census are not a probability distribution. They are a deterministic outcome: if it is open, it is gone.
For an organisation that finds itself looking at a ransom note in a production database, the next decision is whether to pay. The economics here argue strongly against it. 62% of the wallets in our dataset received nothing, which means the median ransom note has a payout rate of roughly zero, and even where operators do collect, the median receipt is small enough that there is no real economic recovery to be had. The damage to your data is already done; paying mainly funds the small group of operators who occupy the top of the chart. Restoring from offline backups, accepting the data loss, and closing the exposure is almost always the right call.
The deeper structural lesson is for the security community. Mass database extortion looks like a high-volume threat (and the 30,515 ransom-marked instances confirm that it is), but the criminal economy underneath is a small one. A handful of operators run it. They are reachable through their wallets, the email addresses they reuse, and the templates they paste. Defensive cooperation does not need to scale to thousands of adversaries; it needs to scale to roughly ten.
Frequently asked questions
How many exposed databases get ransomed?
In our 5-year census of 65,907 exposed instances, 30,515 (46.3%) carried a ransom or wipe marker. For engines exposed on a default port (MongoDB, MySQL, Elasticsearch, Kibana), the per-engine rate is between 98% and 100%. Exposure is effectively the same as compromise for those.
If most wallets received nothing, are the campaigns harmless?
No. The 62%-earn-nothing finding is about revenue, not damage. The data was destroyed, exfiltrated, or held for ransom on every one of those 30,515 instances regardless of whether the attacker collected. Operators run the campaigns anyway because the unit cost is essentially zero and the small fraction who pay covers the work.
Do victims who pay get their data back?
The dataset does not let us answer that directly because we cannot observe restoration. What we can observe is that the median ransom wallet received zero. 318 of 512 traced wallets (62%) never received a single payment. Paying a tiny demand mainly funds the small group of operators who do collect, with no guarantee of recovery.
How much do attackers actually make?
Across all 512 traced wallets, on-chain receipts total 9.78 BTC, around $753,000 at the lookup price. That is a confirmed minimum. The top 10 wallets captured 43% of it; the top 50 captured 82.8%. Spread across the 30,515 hit instances, revenue per ransom-marked database is roughly $25. The economy is much smaller than the volume of attacks suggests.
What are the most common ransom note types?
The biggest family is read_me_to_recover (17,908 instances), followed by btc_ransom_note (14,714, the one with a structured BTC demand) and read_me_generic (14,709). email_contact covers 5,667 instances; gdpr_threat (“pay or we report you to the regulator”) covers 151. The 2020 Meow wiper signature now matches only 53 instances.
Is the Meow wiper attack still active?
No, effectively. Only 53 notes in the entire 5-year corpus match the Meow signature, against 14,714 structured BTC-demand notes. Mass-extortion operators today want payment, not destruction.
How do I protect an exposed database?
Never expose the engine port to the public internet. Bind to localhost or a private VPC subnet, require authentication, and use network controls (security groups, firewalls, allowlists) on the perimeter. For the rare case where direct access is required, gate it behind a hardened bastion with strong auth. See our backup picks and business ransomware protection reviews for the layered controls that surround this.
How is this different from named ransomware groups like LockBit or Akira?
Database extortion sits in a different layer of the ecosystem. There is no leak site, no brand, no group name, no human negotiation. It is high-volume automation against open ports, asking for thousandths of a bitcoin. Our Ransomtracker covers the leak-site economy where named groups operate; this census covers the underlying mass-extortion layer that runs beneath them.
Sources and methodology
- Ransomnews exposed-database census, May 2021 to 13 May 2026 (65,907 instances).
- On-chain enrichment via mempool.space; BTC priced at $76,992 on the lookup date.
- Wallet validation: Base58Check and Bech32; 309 candidate strings were quarantined as invalid (regex false positives), leaving 514 distinct valid BTC addresses.
- Ransom-note family classifier is multi-label: an instance can match more than one family. Counts therefore do not sum to 30,515.
- Reuse counted by distinct victim IPs, not raw notes, because the underlying scan corpus rescans hosts. Demand statistics aggregated across all observed notes.
- Monero excluded by design: the chain is private and a single XMR candidate was negligible. ETH candidates were too few to price meaningfully.
Related Ransomnews coverage
- Ransomtracker, our live index of leak-site ransomware operations and their published victims.
- Stealercheck, free domain-level exposure check against the stealer-log economy.
- Initial access brokers 2026, the upstream market that feeds named ransomware affiliates.
- Ransomware ditched encryption in May 2026, on the shift to pure data extortion at the high-profile end of the spectrum.
- Best ransomware protection for business 2026, layered defences ranked.
- Best ransomware-resistant backup, the last line of defence when prevention fails.
- About the Ransomnews Research Team.
Keywords: database ransom census 2026, MongoDB ransom wallets, MySQL exposed database extortion, Elasticsearch ransom note, Kibana ransom note, BTC ransom wallet concentration, on-chain ransomware economics, ransom note families, read_me_to_recover, btc_ransom_note, gdpr_threat ransom, Meow wiper extinct, automated database extortion 2026, ransomware payment rates, 62% wallets unpaid, top BTC ransom wallets, wreckage without revenue, ransomware research 2026, Ransomnews Research Team.
This report is based on a 5-year exposed-database census and primary on-chain enrichment of every valid wallet found in the notes. Counts are conservative and reflect distinct instances and distinct victim IPs to avoid rescan inflation. Wallet receipts are a confirmed minimum, not a ceiling, because some addresses are unrecoverable from corrupted notes and Monero is unobservable by design. Ransomnews will update the article if methodology changes or new data is added to the corpus.
