by sgeisler 1912 days ago
Well, the problem with that strategy is that there are many such explorers and returning wrong data isn't in their best interest. Remember that the recipient address doesn't need to be owned by the attacker; it could be one of a big exchange, which is of interest. Also, the whole process of getting things blocked at a fine enough granularity to be viable may slow down blocking enough to be very profitable.

Well, generally blocking bot C&C accounts isn’t in anyone’s “best interest”. The amount of traffic those bots generate is negligible, and there is a non-zero overhead to read an email from a cybersecurity company, decide if it is legit, and enact the block in question. Still, most companies cooperate. (Thinking about it, I am not quite sure why... Is it a desire to be a good internet citizen? Or fear of being blocked by corporate firewalls?)

Who owns the recipient address is completely immaterial. So is the existence of other explorers. No one says they have to mess with the blockchain or the site’s database - all they need is one API endpoint. How many non-malware accesses are there that use the v1 API, query that specific address, use a curl user agent, and send a ?limit=2 query? I bet none. That script is not flexible at all; it has a single hardcoded URL.

Finally, regarding slow blocking: it is a valid concern, but it exists whether or not there is a blockchain. Remember that story about bots using invisible characters in the comments below someone’s Instagram account? I wonder how long it took researchers to explain that those innocuous-looking comments from fresh accounts were actually malware related. Or imagine using some sort of foreign-language web forum as C&C: the admins there might not want to cooperate with US-based cybersecurity researchers at all.
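The comment above argues that the explorer operator only needs to match one very specific request signature (v1 API, one hardcoded address, a curl user agent, a `?limit=2` query) to find and block the C&C lookups. The following added example, written for this thread and not code from any commenter or from the malware discussed, shows what that detection looks like when run over web-server access logs. It assumes combined log format and uses constructed sample lines; `ADDRESS_PLACEHOLDER` stands in for the hardcoded recipient address, which is not given on the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
# ADDRESS_PLACEHOLDER stands in for the hardcoded address the C&C script queries.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/v1/address/ADDRESS_PLACEHOLDER?limit=2 HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /api/v1/address/ADDRESS_PLACEHOLDER?limit=50 HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /api/v2/address/ADDRESS_PLACEHOLDER?limit=2 HTTP/1.1" 200 512 "-" "curl/8.1.2"
192.0.2.44 - - [10/Oct/2023:13:56:15 +0000] "GET /api/v1/address/ADDRESS_PLACEHOLDER?limit=2 HTTP/1.1" 200 512 "-" "curl/7.81.0"
192.0.2.45 - - [10/Oct/2023:13:56:20 +0000] "GET /api/v1/address/OTHER_ADDRESS?limit=2 HTTP/1.1" 200 512 "-" "curl/7.81.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def matches_signature(rec, address, api_version="v1", limit="2"):
    """True when a parsed request has every trait the comment lists:
    the given API version in the path, the hardcoded address as a path
    segment, exactly ?limit=<limit>, and a curl user agent."""
    parts = urlsplit(rec["target"])
    path_segments = parts.path.split("/")
    query = parse_qs(parts.query)
    return (
        api_version in path_segments
        and address in path_segments
        and query.get("limit") == [limit]
        and rec["ua"].startswith("curl/")
    )


def flag_requests(log_text, address):
    """Return the client IPs, in log order, whose requests match the C&C signature."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and matches_signature(rec, address):
            flagged.append(rec["ip"])
    return flagged


if __name__ == "__main__":
    for ip in flag_requests(SAMPLE_LOG, "ADDRESS_PLACEHOLDER"):
        print("C&C-style lookup from", ip)
```

Of the five constructed lines only the first and fourth match all four traits; the browser request with a different limit, the v2 request, and the lookup of another address are left alone, which is the point of the comment: the signature is narrow enough that blocking it touches almost no legitimate users. A real deployment would key the block on the same combination rather than on any single trait, since a curl user agent or a `limit=2` query on its own is common.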