About a year ago, I generated the Bitcoin addresses derived from single-word passphrases in the English language. I then came across a "top 1000 passwords" list from a large site hack, and added those as well.
Finally, I set up a script that watched Blockchain.info's WebSocket endpoint and checked every destination address against the list.
I quickly noticed that there were a large number of ~0.05 BTC transactions to these addresses, and a network analysis showed that many of them ended up in the same handful of addresses. Those addresses were tagged on Blockchain.info as being the destination for coins used to buy off the writer of the ransomware that was making the rounds at the time.
None of the money sat at those addresses for more than a couple of minutes. I'm fairly sure that the coins aren't being stolen from those addresses, but merely quickly run through in a feeble attempt to launder coins.
ETA: I suppose I should add that I didn't take any balances. I was merely satisfying my own curiosity.