July 12, 2018

Here’s a clever new twist on an old email scam that could serve to make the con far more believable. The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom. The new twist? The email now references a real password previously tied to the recipient’s email address.

The basic elements of this sextortion scam email have been around for some time, and usually the only thing that changes with this particular message is the Bitcoin address that frightened targets can use to pay the amount demanded. But this one begins with an unusual opening salvo:

“I’m aware that <substitute password formerly used by recipient here> is your password,” reads the salutation.

The rest is formulaic:

You don’t know me and you’re thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

KrebsOnSecurity heard from three different readers who received a similar email in the past 72 hours. In every case, the recipients said the password referenced in the email’s opening sentence was in fact a password they had previously used at an account online that was tied to their email address.

However, all three recipients said the password was close to ten years old, and that none of the passwords cited in the sextortion email they received had been used anytime on their current computers.

It is likely that this improved sextortion attempt is at least semi-automated: My guess is that the perpetrator has created some kind of script that draws directly from the usernames and passwords from a given data breach at a popular Web site that happened more than a decade ago, and that every victim who had their password compromised as part of that breach is getting this same email at the address used to sign up at that hacked Web site.

I suspect that as this scam gets refined even more, perpetrators will begin using more recent and relevant passwords — and perhaps other personal data that can be found online — to convince people that the hacking threat is real. That’s because there are a number of shady password lookup services online that index billions of usernames (i.e. email addresses) and passwords stolen in some of the biggest data breaches to date.

Alternatively, an industrious scammer could simply execute this scheme using a customer database from a freshly hacked Web site, emailing all users of that hacked site with a similar message and a current, working password. Tech support scammers also may begin latching onto this method as well.
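
Because the template described above varies little beyond the quoted password and the Bitcoin address, a mail filter can flag it on structure alone. The Python below is an added example, not code from the original article: the cue list, the three-cue threshold and both sample messages are constructed assumptions, and the sample uses the publicly known Bitcoin genesis-block address rather than an address from any report.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate legacy addresses (P2PKH starts with 1, P2SH with 3).
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# Phrases modelled on the scam template quoted in the article (assumed cue set).
CUES = [r"is your password", r"\bwebcam\b", r"\bbitcoin\b|\bBTC\b",
        r"\byour contacts\b", r"\b\d+ hours\b", r"case sensitive"]

def base58check_ok(addr: str) -> bool:
    """True if addr decodes to 25 bytes with a valid Base58Check checksum."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is one zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]

def score_message(body: str) -> dict:
    """Flag mail that pairs a real payment address with the template's cues."""
    addrs = [a for a in ADDR_RE.findall(body) if base58check_ok(a)]
    hits = sum(1 for cue in CUES if re.search(cue, body, re.I))
    return {"addresses": addrs, "cues": hits,
            "sextortion_template": bool(addrs) and hits >= 3}

# Constructed sample messages (not taken from any real report).
SAMPLE = """I'm aware that hunter2-old is your password.
I recorded your webcam. Pay $1400 via Bitcoin within 24 hours or I
send the video to all of your contacts.
BTC Address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
(It is cAsE sensitive, so copy and paste it)"""
BENIGN = "Invoice attached. Your password reset link expires in 24 hours."

if __name__ == "__main__":
    print(score_message(SAMPLE))
    print(score_message(BENIGN))
```

Checksum validation keeps random Base58-looking strings, such as tracking tokens, from counting as payment addresses, so the address and the wording must both be present before a message is flagged.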

Sextortion — even semi-automated scams like this one with no actual physical leverage to backstop the extortion demand — is a serious crime that can lead to devastating consequences for victims. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.

According to the FBI, here are some things you can do to avoid becoming a victim:

- Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
- Don’t open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know.
- Turn off [and/or cover] any web cameras when you are not using them.

The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).


1,076 thoughts on “Sextortion Scam Uses Recipient’s Hacked Passwords”

  1. Joseph Lochner

    Yes, got one of these too. It appears to be using email addresses and passwords from the old LinkedIn exploit, among others. Demands $3000 to a Bitcoin address, or they’ll send their video to my “13 contacts.” The plain text email also claims to have a “unique pixel” in it, somehow…

    1. LinkedIn User

      Mine also appears to be an old LinkedIn account pw as well. These clowns are clever, using Porn as a way to get into someone’s mind and scare the crap out of them. I can imagine if they are really doing these things and are not aware of these scams, they might just pay up without doing any homework first.

  2. Tonton

    Got one today from a fine gentleman named Fyodor Herschbach. Bitcoin wallet (empty for now): 1MfuD779dBunRBsjptPRVrJrdearb235pT

  3. Mevitt

    Same – just got mine from
    Deirdre Glass for $3k as well. Old password from 12 years ago as the article mentions

  4. WorriedOrNot

    Got the same email with my username and pass that aren’t usually used together and are old for few years.
    The guy named Ripley Perrin with an email ileanaodtyd@outlook.com is also looking for $3.000 on bitcoin acc 14vV5r269zMEEHZm3mBzy7tQ5cM7BTgbBk which was empty this morning but has one transaction so far with around $2.200.

  5. Benji

    Got mine too from Bêla Vines. And I’m French btw.

  6. JackieBee

    Got one today from Selena Lyndon
    Bitcoin:
    BTC Address: 1CgutBNnK6gkJVn85mRLur42kPN1uyvobR

    $3000

    Not applicable to me.

  7. Joel

    I got one for $3,000 from Lammond Hoshchild. Normally I ignore these but the old password was alarming.

  8. Buddy

    I got mine today..exact same wording as above but for $3000. It seemed like they were bluffing..I don’t go to porn sites or have a web cam and the password quoted was definitely very old but I did recognize it otherwise I would have immediately dismissed the email. I wish I could remember what site I used that password for. Thanks for researching this and calling out these scammers!

  9. Buddy

    I got mine today..exact same wording as above but for $3000. It seemed like they were bluffing..I don’t go to porn sites or have a web cam and the password quoted was definitely very old but I did recognize it otherwise I would have immediately dismissed the email. I wish I could remember what site I used that password for. Thanks for researching this and calling out these scammers! Oh yeah…mine was from “Garvy Hellman” lol!

  10. Mat

    I already got two of them. It seems my email (with an old password) was hacked 2012 from LinkedIn. Thanks for the article.

  11. Alex

    Got one from Isiah Vyse

    Amount to be paid: $ 3200
    Receiving Bitcoin Address: 1B9UNT4Msaw5f2fvuwKcazDuj9MMSPLa8x
    (It’s case sensitive, so you should copy and paste it).

    Reported to Microsoft.

  12. Terry

    Got the same message 12 hours ago from Wilburt Adourian. I am Japanese now based in Tokyo.

  13. Lauren

    I just called the FBI. They said to submit this on http://www.ic3.gov. There’s a spot for submitting internet fraud. Follow the prompts. They want the information.

  14. Bob

    Received same email today as noted above.
    Glad to see I’m one of many they’re trying
    Scam to no avail..That’s why we have “delete”
    And @trash” buttons on computers.
    This one is similar to an earlier one threatening
    To expose infidelity but only with a new twist

  15. Bob

    This one is similar to an earlier one
    Sent via the mails threatening to
    Expose infidelity but with a new twist.
    That one can via the mail.

  16. Santiago_M

    I received this same message in Spain. He has been reported to the police.

  17. Noor

    I received exactly same email message showing my 15 year old password.
    I have deleted it. Any other suggestions?

  18. Freek

    I received almost the same email message showing a 10 year old password too. I have deleted it. Any other suggestions?
    $ 3.000,-

  19. James

    Got a pretty same Email today. Password was for an old account that I had created 11 years ago! asked for $3000 🙂

  20. wasscared

    I’ve received the same email 3 times now and still freaked me out with an outdated password. Reported it already and have changed all my passwords just in case.

    Today Pasqual Band
    Amount to be paid: $3600
    Send To This Bitcoin Address: 1FBSyZix1mKsJDW6xSwnb8UoXu8DMC19fE

    Yesterday
    Tyrell Oda
    Required Amount: $ 1900
    Receiving Bitcoin Address: 1B8xgnKGBYaaXjjxYVADwcRLkF2gytanjQ

    and Saturday
    Kearney Stols
    Required Amount: $1900
    Bitcoin Address to Send to: 1Je5CbHkcdjnMfbna78y4FfomRHQX2xawU

  21. Natalie

    My mum, who is over 70 years old just received that email.
    Of course she got super worried how someone could know her password and forwarded it to me. Obviously I knew it was a scam because my mum doesn’t have any of the things he mentions (i.e. facebook) and I know for a fact that she doesn’t watch porn movies on the Internet. The part about recording with the webcam is also a lie, since I taped her webcam ages ago.
    But still, it makes me angry. Taking advantage of old people like that instead of just trying to work for money like the rest of us do. I would love to be able to track that person and go all Liam Neeson on him.

  22. Michele

    Same story in Italy. I received it on July 17th. The password was an old one (I believe I have not been using it since 2008). I have informed the Italian Police, they replied to ignore it and that hundreds of guys in Italy have received the same threat. Of course I have neither paid nor replied. I copy and paste the bitcoin address indicated in the email.

    Required Amount: $3200
    Send To This Bitcoin Address: 1AeMyWdsjHk4rAexuAz46R6yjPjvHTLyB9
    (It is CASE sensitive, so you should copy and paste it carefully)

    1. Massi

      I received it today too; obviously I didn’t pay anything.
      I imagine it’s a hoax, right??

  23. Joanna Benn

    have received this email 3 times now. from different addresses.

  24. Matilda

    I also got one. Almost exactly like the one in the blog post. I also deleted it.

  25. Artur

    Hi Everybody.
    I received that e-mail twice over last couple of days. The second one was sent from a different address and showed some strange a bit name of the sender and of course a higher amount to pay. I am in Poland by the way. The strange for me was that it had my real password but NEVER attributed to the e-mail address that the e-mail was sent to. First what came to my mind is to check my other e-mail addresses. In fact there were two absolutely not used for years which had such a password, but the e-mail was sent to a different one which I have been using in a daily life. Then it came to my mind that maybe a data leak was from one of the other suppliers eg. newspaper account and the like. I checked and what I found. In 2007 or 2006 I was a subscriber to the Economist and had exactly the credentials that were used: password and the current e-mail address. So maybe it is somehow a trace of a leak. I mean that maybe it is any different content supplier that was attacked and robbed off but not our e-mail address provider. Very often a login name is given an e-mail address and people tend to repeat the same password as assuming that the content is not relevant even if stolen. Nevertheless: I deleted those two old not used e-mail addresses that had the password used in the blackmail e-mail. I changed my password to the Economist content and informed the Economist itself. Maybe my message helped a bit. best regards

  26. 27heaven

    I have been receiving one of these daily in one variation or another for about a week. I know it’s a hack because the email address listed and the password were part of the Adobe breach that happened a few years back.

    What I find so interesting is the dollar amount requested is so very high, ranging from 2500 – 5000.

    1. Amelia

      My password was used on 55+ websites 🙁 Adobe included.

  27. Rufus Deuchler

    I got a very similar email today. I figured out it had an old password I used for last.fm 10 years ago.

  28. Larry

    I got this exact email yesterday with an old email password in the subject line along with my name except they up the payoff amount to $3K in bitcoin. I have already filed a report with the FBI iC3 Division.
