Valéry Rieß-Marchive explains how LeMagIT staff tracked Conti and Avaddon in 2021 using available tools and Blockchain activity and how developments since then have made tracking easier in some respects. He writes, in part (machine translation):
A major development has occurred in the past two years, besides the Conti Leaks : awareness of bitcoin ransom payment addresses has improved significantly.
The Ransomwhe.re initiative of Jack Cable, now Senior Technical Advisor to the US Cybersecurity and Infrastructure Security Agency (CISA), has collected and made available, in open source, more than 7 500 addresses that were used for ransom payments. The CISA itself has made some public, for example for the Karakurt group in June 2022.
Read more at LeMagIT.