Security Alert
Jonathan Crowe
Jul 2018

New Sextortion Scam Flaunts Real Passwords, Rakes in $250,000 in Two Weeks


Photo by Jay Wennington

New take on old email scam references recipients' actual passwords in attempt to make bogus claims more believable.

Key Details

  • What's happening? Criminals are sending out scam emails claiming they have recordings of the receivers watching porn.  
  • Why is this any different than similar scams? The criminals are referencing real passwords associated with the recipient's email account. UPDATE 10/15/18: Criminals are also now spoofing recipient email addresses, too. As a result, the emails appear as though they're being sent from the recipient's own account. 
  • Are these actually working? Unfortunately, yes. According to one security researcher tracking Bitcoin addresses tied to the campaigns, criminals have made over $250,000 in two weeks. UPDATE 10/15/18: New estimates show the amount received has exceeded $4 million
  • What should you do if you or a user gets one of these emails? Do not respond or pay the ransom. The criminals are simply using email address and password data pulled from older data breaches.
  • empty
  • empty
  • empty
  • empty

UPDATE: The scam is evolving. See our newer post for more details.
Get the details

In a new twist to an old scam, criminals are sending out emails claiming they've infected the recipients’ computers with malware and have used their webcam to record video of them watching porn. Unless the recipient pays the criminal in Bitcoin, the emails explain, the criminals will send copies of the video to the recipients’ contacts.

What’s different about this latest variation of the scam is that, in order to make it more believable, criminals are opening their emails by referencing a real password associated with the recipient’s email address.

When Brian Krebs broke this story he included an example of one of these emails, which reads as follows:

I am aware [PASSWORD REDACTED] is your password. You don’t know me and you’re thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)


You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

There have been other variations on this format that have been spotted. Another example can be found here. 


To be clear: These emails are scams. Do not fall for them and do not make any payments.

The inclusion of what may very well be a valid password is a trick designed to make these emails more frightening and convincing, but it doesn’t mean the claims are actually valid.

This scam isn’t a sign that your computer has been infected, rather, it’s a sign that your email address and a password associated with it have been exposed in a previous data breach. 

How criminals are able to reference a valid password

While the exact methods are unconfirmed, it’s very likely that criminals are referencing a database of passwords and email addresses collected from a large data breach that may have taken place years ago. Several of Krebs' readers who received variations of this email said the passwords the criminals referenced were ones they'd used close to ten years ago (even more reason to regularly update your password and avoid password reuse). 

There are unfortunately a growing number of "megabreaches" these email addresses and passwords could be associated with, but a number of recipients (including readers of this blog post) have pointed to the LinkedIn hack of 2012, which included the theft of 167 million account details, as a strong possible source. 

To check to see what breaches your email address has been exposed in, you can visit researcher Troy Hunt's site

Unfortunately, these scams appear to be working

What makes these new scam attempts interesting is they represent a clever new approach to monetizing the email addresses and passwords obtained via data breaches. What makes them especially disturbing is that they appear to be (at least to some extent) working.

The Bitcoin address referenced in Krebs' blog post has one deposit for roughly $2,140. A second address we found has one deposit for roughly $2,300. A third address has four deposits from this week alone, totaling roughly $3,189.

These may not be huge sums, but they serve as more than enough encouragement for criminals to continue investing in and widening the scope of these schemes. As a result, we can expect to see more of these emails and variations of them in the near future. 

UPDATE, 7/19/18: As reported at Bleeping Computer, researcher SecGuru has been tracking Bitcoin addresses used in these campaigns and discovered that at least 30 victims have paid a total of over $50,000 so far. 

UPDATE, 7/26/18: The latest count suggests the payment total is at least $250,000.

With this initial success, it's virtually a guarantee more scams like this will be popping up.  

UPDATE, 10/15/19: New variations of the scam are utilizing email spoofing, a tactic that makes it look like the emails are being sent from the recipient's own account. The goal is to provide recipients with another reason to believe their accounts may really have been hacked, even though that's not the case. To see screenshots of what the new variations look like, see our new blog post.  

Thank you to the commenters below for drawing our attention to the new variants!

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


Don't miss updates on the latest threats

Join a group of 7,000 IT and security pros who get clear, actionable takes on malware and infosec news.



Stay informed!

Get the latest security news, tips, and trends straight to your inbox.