Security Alert
Jonathan Crowe
Oct 2018

Sextortion Email Scam Nets Criminals $4 Million, Continues to Evolve


Photo by Mohamed Mazouz

One of the most successful email scams in years has added new tricks and shows no sign of stopping.

Key Details

  • What's happening:

    Criminals are continuing to successfully trick people into thinking their computers have been infected with malware that recorded videos of them watching porn. The criminals threaten to share the videos with all the victim's contacts unless they receive payment in Bitcoin. 

  • New tricks:

    To make their claim more believable, criminals have been revealing they know a real password the victim has used. On top of that, new versions of the scam are spoofing victims’ email addresses, making it appear the messages are being sent from the victim’s own “hijacked” account.

  • All a big bluff:

    The criminals aren't actually infecting victims with malware. They've simply gained access to email addresses and passwords previously leaked in large data breaches (ex: the 2012 LinkedIn breach).  People who receive these emails should NOT pay.

  • $4 million and counting:

    Unfortunately, the scam has been remarkably effective. Criminals have netted over $4 million in Bitcoin payments over the span of just three months.

  • empty
  • empty
  • empty
  • empty

Not all attacks need cutting-edge malware or zero-day exploits to be successful. Often, a dead simple scam can be just as effective. 

Take, for example, the latest variation of the classic "I know what you've been doing" sextortion scam that has been attempting to convince millions of would-be victims they've been infected with malware and recorded watching pornography. We first covered the scam in mid-July, roughly two weeks after it appeared. At that point, it had already generated criminals at least $250,000 in extorted Bitcoin. 

Sextortion scams are nothing new, but as others including Brian Krebs pointed out, what initially set this latest version apart is criminals have been referencing passwords that the would-be victims have actually used (though often years in the past). It's a new twist designed to make recipients think their computers really may have been hacked, but it's just a ruse. 

How do the criminals know recipients' passwords?

These criminals have NOT infected recipients' systems with malware. Instead, what they've done is simply gained access to email and password combinations gathered from large data breaches.

Many recipients of these emails have pointed out the password the criminals cite is an old one they hadn't used in years. That fact, combined with the massive scope of these campaigns, has lead some experts to suspect at least a portion of the stolen info is coming from the 2012 LinkedIn data breach, which resulted in a hacker selling 117 million email and password combinations on a dark web marketplace.  

Unfortunately, massive data breaches have been anything but a rarity, so the LinkedIn breach is just one of many hauls of stolen data the criminals may be utilizing. Whatever the source, the result of citing real passwords as "proof" the recipient's computer has been compromised has been incredibly effective. 

But the criminals haven't stopped there. 

Criminals now spoofing recipients' email addresses, too 

As commenters on our previous blog post informed us, it appears that criminals are now using another old trick to make the scam even more convincing. They are spoofing would-be victims' email addresses to make it look like the messages are coming from the recipient's own account:  


I'm a member of an international hacker group.

As you could probably have guessed, your account [redacted email address] was hacked, because I sent message you from it.

Now I have access to you accounts!
For example, your password for [redacted email address] is [redacted password]

Within a period from July 7, 2018 to September 23, 2018, you were infected by the virus we've created, through an adult website you've visited.
So far, we have access to your messages, social media accounts, and messengers.
Moreover, we've gotten full dumps of these data.

We are aware of your little and big secrets...yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know..

But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched!
I think you are not interested show this video to your friends, relatives, and your intimate one...

Transfer $700 to our Bitcoin wallet: 1Lughwk11SAsz54wZJ3bpGbNqGfVanMWzk
If you don't know about Bitcoin please input in Google "buy BTC". It's really easy.

I guarantee that after that, we'll erase all your "data" :D

A timer will start once you read this message. You have 48 hours to pay the above-mentioned amount.

Your data will be erased once the money are transferred.
If they are not, all your messages and videos recorded will be automatically sent to all your contacts found on your devices at the moment of infection.

You should always think about your security. We hope this case will teach you to keep secrets.
Take care of yourself.

Here's another example:


Hi, dear user of [redacted email domain]
We have installed one RAT software into you device.
For this moment your email account is hacked (see on <from address>, I messaged you from your account).
Your password for [redacted email domain]: [redacted password]

I have downloaded all confidential information from your system and I got some more evidence.
The most interesting moment that I have discovered are videos records where you masturbating.

I posted my virus on porn site, and then you installed it on your operation system.
When you clicked the button Play on porn video, at that moment my trojan was downloaded to your device.
After installation, your front camera shoots video every time you masturbate, in addition, the software is synchronized with the video you choose.

For the moment, the software has collected all your contact information from social networks and email addresses.
If you need to erase all of your collected data, send me $800 in BTC (crypto currency).
This is my Bitcoin wallet: 1PuYAe7BLxNE6F6zE2PeVthfXCeYH88PmQ
You have 48 hours after reading this letter.

After your transaction I will erase all your data.
Otherwise, I will send video with your pranks to all your colleagues and friends!!!

And henceforth be more careful!
Please visit only secure sites!

Spoofing the recipient's email address is simply another trick designed to convince the recipient that their account was compromised. That isn't the case, but it's easy to see how this trick, combined with the criminal referencing a real password, is successfully fooling large numbers of victims. 

A $4 million-dollar scam

New estimates indicate criminals received at least $3.5 million from the scam in September alone. According to Bitcoin Who's Who, the scam has reached victims in 42 countries, with almost a third of reports coming from the United States. 


The sextortion scam has been sent to targets in 42 countries. Source: Bitcoin Who's Who Blog

Tracking more than 600 Bitcoin addresses used in the campaigns, Bitcoin Who's Who found that the bulk of transactions (417) are tied to one address in particular, 1JsACYBoRCYkz7DSgyKurMyibbmHwcHbPd. At the end of September, that address had 540.28 BTC, or roughly $3,357,835. At the time of this publication on October 12, the amount received had increased to 648.65 BTC, or $4,031,353.

To give that some perspective, last year's massive WannaCry ransomware outbreak is estimated to have generated just shy of $150,000. 

With the scam clearly working and massively profitable, there's no reason to expect it will be going away any time soon. $4 million is more than enough incentive for criminals to continue launching and making adjustments to campaigns to make them even more effective. 

What to do if you receive one of these emails 

Rest assured if you receive one of these emails, it is no indication your computer has actually been infected. This is a scam. Do not fall for it and do not make any payments. 

Receiving this scam isn’t a sign that your computer has been infected, rather, it’s a sign that your email address and a password associated with it have been exposed in a previous data breach.

The only thing to do now is to ensure you're not using the password cited in the email for any of your online accounts, and that you're abiding by good password hygiene, in general. Even better, use a password manager. 

If you're curious and want to check to see what breaches your email address has been exposed in, you can visit researcher Troy Hunt's site

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


Don't be the last to know about new attacks

Join a group of 10,000 IT and security pros who get clear, actionable takes on malware and infosec news.



Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.