Blackmail based scare tactics using email that are designed to frighten recipients into sending cryptocurrency to fraudsters, typically in Bitcoin, have reached even higher levels of attack sophistication. This article is designed to raise awareness of an increasingly popular extortion/sextortion scam that effectively elevates the typical level of fear in an unwitting victim by using the appearance of a highly personalized and dedicated effort.
Sextortion, extortion and blackmail based "phishing" scams through email are not new. The recipient of a message is informed that the scammer is in possession of some type of private and highly sensitive information about the target, often referring broadly to some type of media or evidence relating to a sexual, illegal or otherwise embarrassing act, event or circumstance. Unless an expeditious payment is made to the scammer, a damaging and public disclosure will take place. The scammer will attempt to bolster credibility of the threat by including information that the victim believes is private or not easy to obtain and that the effort is significant and targeted. However, the chances are high that the fraudster is engaging in an automated mass email using tools to compile information that is actually readily available online.
The ominous sounding email included below using one of my primary email addresses and was personalized using my first and name. It includes my telephone number and residential address (others may include a business address and location), an attempt that the fraudster hopes will be intimidating to the recipient. To emphasize the menacing effect and question of whether the fraudster has engaged in surveillance of my home, a photo of the front of my apartment building is included at the bottom. A bitcoin wallet address is included for me to remit payment. It seems as if there is a concerted effort being made to target me personally.
A more likely explanation is that this effort is just one example of a mass email campaign which uses a stolen information database that may have been released online or on the dark web, such as the National Public Data breach which exposed over 2 billion rows of private information of members of the public and over 85% of the members of U.S. House and Senate. A computer program creates a mass mailing list that inserts each person's name, address, and telephone number from this database, or even from commercially available directories which might compile such information from public records. The inclusion of photo of the recipient's home or business address can be accomplished relatively easily using an automated script that performs an address lookup at popular real estate and mapping websites (such as Zillow or Google Maps) and scraping the respective photo for inclusion at the end of the email. After understanding how this fraud magic happens, the effort that seemed substantial and personally directed no longer seems to be a specific targeted campaign.
<Your Name>
I know that calling (212) 000-0000 or visiting 00-00 Fifth Ave would be a better way to reach you if you don't act. Don't try to hide from this. You have no idea what I'm capable of in New York. I suggest you read this message carefully. Take a minute to relax, breathe, and really dig into it. We're talking about something serious here, and I ain't playing games. You do not know anything about me whereas I know you and you must be wondering how, right?
Well, you've been treading on thin ice with your browsing habits, scrolling through those videos and clicking on links, stumbling upon some not-so-safe sites. I placed a Malware on a porn website and you accessed it to watch (know what I mean?). And while you were busy enjoying those videos, your smartphone initiated functioning as a RDP (Remote Protocol) which provided me total control over your device. I can peep at everything on your screen, switch on your cam and mic, and you wouldn't even suspect a thing. Oh, and I have got access to all your emails, contacts, and social media accounts too.
Been keeping tabs on your pathetic life for a while now. It's just your misfortune that I stumbled across your misdemeanor. I invested in more days than I should have digging into your data. Extracted quite a bit of juicy info from your system. and I've seen it all. Yeah, Yeah, I've got footage of you doing embarrassing things in your room(nice setup, by the way). I then developed videos and screenshots where on one side of the screen, there's the videos you had been enjoying, and on the other half, its you jerking off. With just a click, I can send this video to every single of your contacts.
I see you are getting anxious, but let's get real. Genuinely, I'm ready to wipe the slate clean, and allow you to continue with your daily life and forget you ever existed. I will offer you two alternatives. Option One is to turn a deaf ear this mail. Let us see what is going to happen if you choose this path. Your video will get sent to your contacts. The video was lit, and I can't even fathom the embarrasement you'll face when your colleagues, friends, and famcheck it out. But hey, that's life, ain't it? Don't be playing the victim
here.
Second wise option is to pay me, and be confidential about it. We will name it my "privacy charges". Now let me tell you what will happen if you select this path. Your filthy secret will remain private. I'll wipe everything clean once you send payment. You'll transfer the payment by Bitcoins only. I want you to know I'm aiming for
a win-win here. I will keep my end of the bargain.
Transfer Amount: $2000
BTC ADDRESS: 17Mpkmmmmmmmmmm
Once you pay up, you'll sleep like a baby. I keep my word.
And of course: You have one day in order to transfer the amount and I will only accept Bitcoin. I've a unique pixel in this email message, and now I've been notified that you've read this mail. This email and Bitcoin address are custom-made for you, untraceable. If you are unfamiliar with Bitcoin, google it. You can buy it online or through a Bitcoin ATM in your neighborhood. There's no point in replying to this email or negotiating, it's pointless my price is fixed. As soon as you send the complete payment, my system will inform
me and I will wipe out all the dirt I got on you. Remember if I notice that you've shared or discussed this message with anyone else, the video will instantly start getting sent to your contacts and I will post a physical tape to all of your neighborhood next week. And don't even think about turning off your phone or resetting it to factory settings. It's pointless. I don't make mistakes, <Your First Name>.
See you here? <Photo of the building at the above addressed location>
Extortion, sextortion, and blackmail are now an automated crypto phishing fraud
Sextortion, extortion and blackmail based "phishing" scams through email are not new. The recipient of a message is informed that the scammer is in possession of some type of private and highly sensitive information about the target, often referring broadly to some type of media or evidence relating to a sexual, illegal or otherwise embarrassing act, event or circumstance. Unless an expeditious payment is made to the scammer, a damaging and public disclosure will take place. The scammer will attempt to bolster credibility of the threat by including information that the victim believes is private or not easy to obtain and that the effort is significant and targeted. However, the chances are high that the fraudster is engaging in an automated mass email using tools to compile information that is actually readily available online.The ominous sounding email included below using one of my primary email addresses and was personalized using my first and name. It includes my telephone number and residential address (others may include a business address and location), an attempt that the fraudster hopes will be intimidating to the recipient. To emphasize the menacing effect and question of whether the fraudster has engaged in surveillance of my home, a photo of the front of my apartment building is included at the bottom. A bitcoin wallet address is included for me to remit payment. It seems as if there is a concerted effort being made to target me personally.
A more likely explanation is that this effort is just one example of a mass email campaign which uses a stolen information database that may have been released online or on the dark web, such as the National Public Data breach which exposed over 2 billion rows of private information of members of the public and over 85% of the members of U.S. House and Senate. A computer program creates a mass mailing list that inserts each person's name, address, and telephone number from this database, or even from commercially available directories which might compile such information from public records. The inclusion of photo of the recipient's home or business address can be accomplished relatively easily using an automated script that performs an address lookup at popular real estate and mapping websites (such as Zillow or Google Maps) and scraping the respective photo for inclusion at the end of the email. After understanding how this fraud magic happens, the effort that seemed substantial and personally directed no longer seems to be a specific targeted campaign.
A nearly infinite number of Bitcoin wallet addresses can randomly generated
The Bitcoin wallet address included in the email is similar in form to a bank account number at a bank, without anyone being required to identify themselves as the owner. These account numbers or "wallet addresses" can be randomly generated - approximately 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976 unique Bitcoin addresses with a corresponding access credential called a "private key." Chainalysis reported that approximately 460 million such addresses existed in December 2018, which represents a minute fraction of the remaining possibilities. The point of this exercise is to illustrate how easy it is for an experienced fraudster to create unique wallet addresses to be used just once without worrying about depleting supply and risk tracing by law enforcement. Instead of worrying about this ostensibly menacing phishing message, time may be better served by classifying the email as spam (and phishing) and educating others who may not be aware of this scam, most especially seniors and those who have relatively low technology capacity and literacy.Once cryptocurrency or Bitcoin is sent, the transaction is generally irreversible
Unlike the traditional banking and monetary system, a payment that is transmitted using blockchain technology - such as on the Bitcoin blockchain - typically results in a relatively immediate and permanent transfer and settlement of funds. Since there is no bank, financial institution or trusted intermediary facilitating the transaction, there is no authority that can or will reverse the transaction. Accordingly, once the process is complete, the transaction may only be reversed by the recipient of the funds voluntarily sending the funds back to the sender - which is highly unlikely. However, in certain situations involving cryptocurrencies that make use of financial institutions and cryptoassets such as "stablecoins", there may be additional recourse to the victim of a crypto fraud. Regardless of the circumstances, in the event you find yourself the victim of a crypto or blockchain-based fraud, you should contact relevant authorities (typically federal, such as the U.S. Secret Service to address crimes related to digital assets), a knowledge professional or a lawyer who has a particular expertise and experience with blockchain technology, cryptocurrency and digital assets. Best to take caution and protect yourself to avoid needing help later, for which remedies may be limited.The Bitcoin Extortion/Sextortion Letter
<Your Name>
I know that calling (212) 000-0000 or visiting 00-00 Fifth Ave would be a better way to reach you if you don't act. Don't try to hide from this. You have no idea what I'm capable of in New York. I suggest you read this message carefully. Take a minute to relax, breathe, and really dig into it. We're talking about something serious here, and I ain't playing games. You do not know anything about me whereas I know you and you must be wondering how, right?
Well, you've been treading on thin ice with your browsing habits, scrolling through those videos and clicking on links, stumbling upon some not-so-safe sites. I placed a Malware on a porn website and you accessed it to watch (know what I mean?). And while you were busy enjoying those videos, your smartphone initiated functioning as a RDP (Remote Protocol) which provided me total control over your device. I can peep at everything on your screen, switch on your cam and mic, and you wouldn't even suspect a thing. Oh, and I have got access to all your emails, contacts, and social media accounts too.
Been keeping tabs on your pathetic life for a while now. It's just your misfortune that I stumbled across your misdemeanor. I invested in more days than I should have digging into your data. Extracted quite a bit of juicy info from your system. and I've seen it all. Yeah, Yeah, I've got footage of you doing embarrassing things in your room(nice setup, by the way). I then developed videos and screenshots where on one side of the screen, there's the videos you had been enjoying, and on the other half, its you jerking off. With just a click, I can send this video to every single of your contacts.
I see you are getting anxious, but let's get real. Genuinely, I'm ready to wipe the slate clean, and allow you to continue with your daily life and forget you ever existed. I will offer you two alternatives. Option One is to turn a deaf ear this mail. Let us see what is going to happen if you choose this path. Your video will get sent to your contacts. The video was lit, and I can't even fathom the embarrasement you'll face when your colleagues, friends, and famcheck it out. But hey, that's life, ain't it? Don't be playing the victim
here.
Second wise option is to pay me, and be confidential about it. We will name it my "privacy charges". Now let me tell you what will happen if you select this path. Your filthy secret will remain private. I'll wipe everything clean once you send payment. You'll transfer the payment by Bitcoins only. I want you to know I'm aiming for
a win-win here. I will keep my end of the bargain.
Transfer Amount: $2000
BTC ADDRESS: 17Mpkmmmmmmmmmm
Once you pay up, you'll sleep like a baby. I keep my word.
And of course: You have one day in order to transfer the amount and I will only accept Bitcoin. I've a unique pixel in this email message, and now I've been notified that you've read this mail. This email and Bitcoin address are custom-made for you, untraceable. If you are unfamiliar with Bitcoin, google it. You can buy it online or through a Bitcoin ATM in your neighborhood. There's no point in replying to this email or negotiating, it's pointless my price is fixed. As soon as you send the complete payment, my system will inform
me and I will wipe out all the dirt I got on you. Remember if I notice that you've shared or discussed this message with anyone else, the video will instantly start getting sent to your contacts and I will post a physical tape to all of your neighborhood next week. And don't even think about turning off your phone or resetting it to factory settings. It's pointless. I don't make mistakes, <Your First Name>.
See you here? <Photo of the building at the above addressed location>
- Legal Practice
- Computers - Computer Fraud
- Jurisdiction
- US Federal
- US State Law
