The BitCoin Sex Trap Email Extortion Scam

Published by

Tony Redmond

July 29, 2018

An Odd and Very Demanding Message

Last Friday night, I received a note from “Hyman Cipolletta” using the Outlook.com account rriivoryorz@hotmail.com. The message header shows that the message originated in a North American server (Namprd12.prod.outlook.com) in the common Office 365 infrastructure shared by Exchange Online and Outlook.com.

My interest was tweaked by the subject, composed of an old password and my Gmail account name. The message (Figure 1) started off:

“I won’t beat around the bush. I am aware xxxx is your password. Moreover, I know about your secret and I’ve evidence of your secret. You do not know me personally and nobody hired me to investigate you.”

Porn bitcoin email scam — Figure 1: The message demanding a Bitcoin payment

The Scam

0.75 BTC is EUR5,276 or US$6,147 at today’s rate, so the sender of this note had serious intentions. They demonstrated that they knew something about me (my Gmail address and an old password) and laid out a rational explanation for what might had happened. The flaw in the argument was that I knew I hadn’t been near any adult video sites, so the description of a keylogger being installed on my PC couldn’t have happened. And without the keylogger, no contacts from Facebook, Messenger, and email could have been gathered.

But if you had been tempted to go near such sites, it’s possible that what was described might have happened, which is why scammers lay out a plausible story in the hope that some of the millions of people they send email to will panic and believe that their watching habits would soon become public.

Internet to the Rescue

You might blame the internet for making porn easy to access. When it comes to scam, the internet is pretty fast at reporting their techniques and letting people know what’s really happening. A quick search revealed many descriptions of similar emails. Here are two:

Brian Krebs broke the story on July 12 and it seems like since then scammers have been working their way through a store of stolen email addresses and passwords to try and convince as many as they can to send them various sums of money. I guess I should feel good that my demand was at the high end of the spectrum as others have been asked for far less.

Payments Flowing In

What’s distressing is that some people are paying the scammers. @SecGuru has been able to keep track on some payments (Figure 2) and it seems like the scam is profitable.

Bitcoin sex email scam results — Figure 2: Cash flows in for the scammers

How Did the Scammers Get My Data?

If you go to Troy Hunt’s Have I Been Pwned site, you can find a list of sites where attackers have stolen email addresses and passwords. Looking through the list, I find sites that I use, like LinkedIn, where over 164 million addresses were compromised, and Disqus, also with sites that I occasionally used, like Ancestry.com. A simple check revealed that my email address is on 4 breached sites, so the scammers have a choice of sources where they can find my address.

What to Do

In any case, the password cited in the email is an old one that I don’t use today. This means that the combination isn’t worth much to hackers, especially as I use multi-factor authentication (MFA) whenever possible to protect any important site that I use.

If you receive an email that contains a password you still use, you should obviously change that password on any site where it is still active. And if possible, take the choice to use multi-factor authentication to improve security. Services like Gmail, LinkedIn, and Office 365 support MFA.

Above all, don’t respond to the scam. Ignore the message, unless you feel that you should report it to the local police force (as recommended by some experts). Personally, I don’t think that most police forces can do much about this kind of scam. I reported the email to Microsoft (use Outlook’s Report Message add-in) so that they can improve their ability to block rubbish like this in their anti-malware tools.

Scams are a Pain

The popularity of email as the lingua franca for communication across the internet means that attackers like finding new ways of poking at human vulnerability to make money. This is just another example of a scam that’s popular right now. Do the right thing and secure your passwords and you’ll be fine. Stay safe!

Follow Tony on Twitter @12Knocksinna.

9 responses to “The BitCoin Sex Trap Email Extortion Scam”

Chris G.

July 30, 2018

Thanks for bringing some attention to this recent scam. As a corporate e-mail admin, I take responsibility for minimizing the impact these types of attacks have on my users. When I learned about 3 of my users receiving similar messages last Monday, I quickly gathered the messages and started analyzing the headers in order to determine if I could create a transport rule to quarantine any future messages. Since they are all coming from “legitimate” systems (every one was from a Microsoft hosted outlook.com or hotmail.com sender), that was a dead end. So I turned my attention to the content and found the text “BTC address” in each message. My rule quarantines and notifies when it finds that text in the message body. Hardly a perfect solution, but appropriate for my business which doesn’t do any BitCoin transactions. I’m calling it a marginal success, since it has caught several more messages.

However, since every reported instance I have seen is originating from a Microsoft hosted account, I’m curious what steps MS is taking to help mitigate this. Any insights you can share?

Reply
1. Tony Redmond (“Thoughts of an Idle Mind”)
  
  July 30, 2018
  
  I’ve asked Microsoft if they can do anything. I’ll report here if they can say anything in public.
  
  Reply
  1. albertwt
    
    November 19, 2018
    
    Yes please Tony,
    
    The below servers to name a few is the source of the phishing email that my users typically getting attacked from:
    
    Received: mail-eopbgr70051.outbound.protection.outlook.com [40.107.7.51]
    Received: mail-sn1nam01on0040.outbound.protection.outlook.com [104.47.32.40] Received: mail-pu1apc01on0105.outbound.protection.outlook.com [104.47.126.105] Received: mail-pu1apc01on0080.outbound.protection.outlook.com [104.47.126.80] Received: mail-eopbgr60067.outbound.protection.outlook.com [40.107.6.67]
    
    What would be the best way to mitigate the Spear Phishing coming from the Exchange Online Protection server?
Alex

February 19, 2019

I’ve had a couple of those too and I copied the BTC addresses into a BTC tracker to see fortunately no one had made any payments to the addresses I was told to send to…

Reply
terry

May 10, 2019

I got one i couldn’t help but reply , I told them I wasn’t to clever about bitcoin but if they forwarded an address id send a cheque or money order

Reply
1. Tony Redmond (“Thoughts of an Idle Mind”)
  
  May 10, 2019
  
  Terrific!
  
  Reply
Ryan Louis Cooper

September 19, 2019

ryanluke2032@gmail.com

Reply
Helen Guerrero

February 10, 2021

Trying to open my email to get a code that was sent to this email and can’t pull it up

Reply
Lucas Leo

September 28, 2024

I want to use this Medium to say big thanks to Recoveryhacker101. In 2021, I met someone online, and we started dating. He told me how he was making money in the crypto world and got me involved. At first, I was making money until I invested up to $210,000 in this investment scheme. When it came time to take my profit after the end of the contract, they asked for a commission, which I paid another $10,000. They kept asking for more until I talked to a friend about it. She promised to speak to her husband, who happened to know a company specializing in recovering assets lost through fake investment companies.
They gave me the contact for recoveryhacker101. After reaching out to them on WhatsApp, they asked for all the necessary details about the investment and got to work. They kept giving me follow-up updates, and I can’t describe my relief when they called me after two days to say that my investment and profit had been completely recovered.
I just had to post this on every page I can to let people know that they can still recover their lost investment. I highly recommend recoveryhacker101. or email them at recoveryhacker101@gmailcom

Reply