The Sextortion Bitcoin Email Scam

Brian Krebs in July:

Here’s a clever new twist on an old email scam that could serve to make the con far more believable. The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom. The new twist? The email now references a real password previously tied to the recipient’s email address.

Adam Engst, TidBITS:

But not this message. The believability of this blackmail hinges on the fact that — in theory — only you know your password. If the blackmailer can know your password, you think, perhaps their other claims are true too. They’re not, but even people whose browsing habits are always G-rated often report a moment of panic. I presume those who still use ancient insecure passwords experience more than a moment of panic, and well they should.

The problem is that old stolen passwords are just the tip of the iceberg when it comes to information about us that’s readily available online. This blackmail spam combines only two bits of information — your email address and password. What happens when similar attacks expand the amount of information they use?

I’ve noticed a steady flow of these emails falling into my junk mail folder. They’re hilarious, but also deeply convincing. It’s trivial to find evidence that they seem to work, too, because you can look up someone’s Bitcoin wallet address in a blockchain explorer. While some of the Bitcoin addresses report an empty balance with no transactions, at least one of the ones I received had amassed over four Bitcoin from nearly forty deposits. That’s tens of thousands of dollars in just one wallet. Even if the wallet receives deposits from other sources, there is still a lot of money being made from this scam.
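A defender-side check for the scam described above, added here as an example and not code from the original post or the quoted articles: it validates candidate Bitcoin addresses with a base58check checksum (so a random string is not mistaken for a wallet) and only flags a message when a real address is paired with the scam's claims or a quoted breached password. The phrase list, the sample message and the wallet address are constructed for this example.

```python
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (P2PKH/P2SH) address candidates: 26-35 base58 characters starting with 1 or 3.
ADDR_RE = re.compile(r"\b[13][" + ALPHABET + r"]{25,34}\b")
# Phrases typical of the scam described above (hypothetical list for this example).
SCAM_PHRASES = ("your password", "webcam", "porn", "bitcoin", "contacts")

def base58check_encode(payload: bytes) -> str:
    """Append a 4-byte double-SHA256 checksum and base58-encode (leading 0x00 -> '1')."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def is_valid_btc_address(addr: str) -> bool:
    """True only if addr decodes to 25 bytes whose checksum matches (base58check)."""
    n = 0
    for ch in addr:
        if ch not in ALPHABET:
            return False
        n = n * 58 + ALPHABET.index(ch)
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]

def score_sextortion(body: str, leaked_passwords=()) -> dict:
    """Flag a message that pairs a valid payment address with the scam's claims."""
    text = body.lower()
    addrs = [a for a in ADDR_RE.findall(body) if is_valid_btc_address(a)]
    phrases = [p for p in SCAM_PHRASES if p in text]
    pwd_hit = any(p in body for p in leaked_passwords)
    # Require a real address plus either two scam phrases or a quoted breached password.
    flagged = bool(addrs) and (len(phrases) >= 2 or pwd_hit)
    return {"addresses": addrs, "phrases": phrases, "password_quoted": pwd_hit, "flagged": flagged}

# Constructed sample: a wallet built from a made-up hash (not a real scammer's address).
SAMPLE_ADDR = base58check_encode(b"\x00" + hashlib.sha256(b"constructed example").digest()[:20])
SAMPLE_MAIL = (
    "I know your password is hunter2. I installed malware and used your webcam "
    "while you were watching porn. Pay $800 in Bitcoin to " + SAMPLE_ADDR +
    " within 24 hours or the video goes to all your contacts."
)

if __name__ == "__main__":
    print(score_sextortion(SAMPLE_MAIL, leaked_passwords=["hunter2"]))
```

The leaked-password list would in practice come from the organisation's own breach-monitoring feed; the checksum step is what lets a filter look up only addresses that can actually receive funds.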