December 13, 2018

A new email extortion scam is making the rounds, threatening that someone has planted bombs within the recipient’s building that will be detonated unless a hefty bitcoin ransom is paid by the end of the business day.

Sources at multiple U.S. based financial institutions reported receiving the threats, which included the subject line, “I advise you not to call the police.”

The email reads:

My man carried a bomb (Hexogen) into the building where your company is located. It is constructed under my direction. It can be hidden anywhere because of its small size, it is not able to damage the supporting building structure, but in the case of its detonation you will get many victims.

My mercenary keeps the building under the control. If he notices any unusual behavior or emergency he will blow up the bomb.

I can withdraw my mercenary if you pay. You pay me 20.000 $ in Bitcoin and the bomb will not explode, but don’t try to cheat -I warrant you that I will withdraw my mercenary only after 3 confirmations in blockchain network.

Here is my Bitcoin address : 1GHKDgQX7hqTM7mMmiiUvgihGMHtvNJqTv

You have to solve problems with the transfer by the end of the workday. If you are late with the money explosive will explode.

This is just a business, if you don’t send me the money and the explosive device detonates, other commercial enterprises will transfer me more money, because this isnt a one-time action.

I wont visit this email. I check my Bitcoin wallet every 35 min and after seeing the money I will order my recruited person to get away.

If the explosive device explodes and the authorities notice this letter:
We are not terrorists and dont assume any responsibility for explosions in other buildings.

The bitcoin address included in the email was different in each message forwarded to KrebsOnSecurity. In that respect, this scam is reminiscent of the various email sextortion campaigns that went viral earlier this year, which led with a password the recipient used at some point in the past and threatened to release embarrassing videos of the recipient unless a bitcoin ransom was paid.

I could see this spam campaign being extremely disruptive in the short run. There is little doubt that some businesses receiving this extortion email will treat it as a credible threat. This is exactly what happened today at one of the banks that forwarded me their copy of this email. Also, KrebsOnSecurity has received reports that numerous school districts across the country have closed schools early today in response to this hoax email threat.

“There are several serious legal problems with this — people will be calling the police, and they cannot ignore even a known hoax,” said Jason McNew, CEO and founder of Stronghold Cyber Security, a consultancy based in Gettysburg, Pa.

This is a developing story, and may be updated throughout the day.

Update: 4:46 p.m. ET: Added bit about school closings.


91 thoughts on “Spammed Bomb Threat Hoax Demands Bitcoin

  1. Criz

    I think best is just pay the bill.
    World are grazy.. People are grazy bettee to pay you can always earn more money!
    Just pay if the money is not too much!!
    If its few hubdred.. Who cares just pay its not big money

    1. Soy Tenley

      We will interpret your post to mean you are one of the criminals involved in this extortion attempt.

      1. Dan Nungesser

        I’m sure law enforcement isn’t exactly pleased with your post. You probably spooked him.

      2. worth_a_bit

        bill? or did you mean billS? you know, the one now and the 100,000,000 bills in the near future at escalating prices – or at least until the bill payers are bankrupt…

    2. asdsfd

      Which part of $20,000 did you not understand? That’s not a few hundred!

      Also businesses and schools especially cannot take a chance on this and pay it. The school and law enforcement will have far more than $20,000 in costs to check over buildings.
      For instance, would you want to take a chance with your kids? Even if that chance is only 1%?

      This was a terrible choice by criminals as a target demographic, almost no one will pay, and they will draw tons of law enforcement attention.

      As compared to ransomeware encrypting some files where many people pay. And few contact law enforcement, and most don’t bother investigating.

    3. jimmy

      To trust someone who is making bomb threats is a fallacy in logic. If it were real, there’s no reason this terrorist couldn’t collect money and use the bomb.

  2. Bryce

    The nature of the threats, broad range of institutions targeted in the US, and near instantaneous timing of the threats made it extremely likely that local, state, and federal law enforcement would be involved and would quickly determine these threats were all related and were NOT credible, disseminate this information and thereby make payouts by the targeted organizations extremely unlikely.

    Combined that extremely low likelihood of payout with the timing of the attack shortly after the Maria Butina plea deal as well as threat email header IP addresses resolving back to Russia, and it sounds more like this “hoax” was form of a cyber attack against the US.

  3. Newbie

    As someone new to the cyber security field, I find it incredible how the professionals in this field collaborate and work hard to track and mitigate these attacks. Very Cool! Happy hunting.

  4. Ken M

    Also seeing some new ones relating to threats of acid in the face. One to my work address, one to my gmail thus far. Haven’t seen anything on the web showing one in this vein, but it does sound like a modification of the recent bomb one.

    Hi

    I have a forum in the deep web, I perform all sorts of services – in the main it is destruction to property and harm. above all, all but the shooting. Often this happens because of rejected love or competition at workplace. This week she talked me and gave me the order of pour out acid in your face. Default task – fast, hurts, for life. Without too much fuss. I get receive only after doing the task. Therefore, now I propose you send money to me to be inactive, I offer this to almost all the victims. If I do not get money from you, then my person will fulfill the order. If you give me money, in addition to my inactivity, I will give you the information that I have about the customer. After finishing the mission, I often lose the performer, so I have a choice, to get $1500 from you for information about the customer and my inaction, or to get $ 4000 from the customer, but with a high probability of waisting the performer.

    I’m getting payments in BTC, here’s my Bitcoin address – 1HC8WeVMMazR9hVjTDJha17EU9Sj1czcGw

    The summary I indicated above.

    Two days to decide and pay.

    1. Esteban

      I received the same email today with a different bitcoin #.

      1. Jira M

        I run a forum in the darkweb, I perform all sorts of services –
        in general it is damage to bussiness and injury. In general, all but the killings.
        Often main reasons are rejected love or competition at bussiness.
        This week she contacted me and set me the mission of splashing acid in your visage.
        Standard order – fast, painfully, forever. Without too much fuss.
        I get money only after doing the order. Thus, now I suggest you send money to me to be inactive,
        I offer this to nearly all the victims. If I do not see money from you, then my person will fulfill the task. If you transfer me money, in addition to my inactivity, I will provide you the info that I have about the customer. After completing the task, I often spend the performer, so I have an option, to get $1500 from you for info about the customer and my inaction, or to get $ 4000 from the customer,
        but with a big probability of waisting the performer.

        1. Jira M

          that’s the email i received well happy hunting for them 🙂

    2. Timothy

      Noticed a similar one below sent today.

      “Hello

      I host a site in the deep web, I produce all sorts of services – basically it is damage to property and harm. Basically, all but the homicide. Often this happens because of unrequited love or competition at bussiness. This month she contacted me and set me the task of splashing acid in your visage. Default practice – fast, hurts, for life. Without too much fuss. I get receive only after doing the task. So, now I suggest you send money to me to be inactive, I suggest this to nearly all the victims. If I do not see money from you, then my performer will fulfill the task. If you give me money, in addition to my inaction, I will give you the info that I have about the client. After completing the order, I often lose the performer, so I have a choice, to get $1500 from you for information about the customer and my inaction, or to receive $ 4000 from the customer, but with a high probability of losing the performer.

      I’m getting transfers in bitcoins, its my Bitcoin address – 1FnTQHffH42iS15FMYNZxmNdbXtmb8WChF
      The amount I told above.
      Two days to transfer. “

    3. Adrian

      >>> a high probability of waisting the performer.

      OMG – he is going to put a girdle on someone. Anything but that, suggest you pay!

    4. sberner

      Confirming the “acid in your face” threat reached Australia. Extremely poor English, sent from an Argentinian webhost. Bitcoin address 1HhyNsEx2YJ3zhz7wHm6CTdSqCeCssfkdE. Wants $1900.

      Apparently, some unrequited love or my business competition. Gotta laugh, since it is obvious the sender is absolutely clueless.

  5. Jack

    Our organization received this as well (US), different BTC address and the time that they check their wallet was 20 minutes vs. 35. 20K? who do they think they have, Chelsea Clinton?

    My mercenary has carried the bomb (Hexogen) into the building where your business is conducted. It is assembled according to my instructions. It is compact and it is hidden very carefully, it can not destroy the supporting building structure, but you will get many wounded people if it explodes.

    My recruited person is watching the situation around the building. If any strange behavioror emergency is noticed the device will be blown up.

    I can call off my mercenary if you make a transfer. 20.000 dollars is the value for your safety and business. Tansfer it to me in BTC and I guarantee that I have to call off my mercenary and the bomb will not explode. But do not try to fool me- my warranty will become actual only after 3 confirms in blockchain network.

    It is my btc address : 149oyt2DL52Jgykhg5vh7Jm1QpdpfuyVqd

    You must solve problems with the transaction by the end of the workday, if the workday is over and people start leaving the building the bomb will explode.

    This is just a business, if you don’t send me the bitcoins and the explosive device detonates, next time other companies will send me more bitcoins, because this isnt a one-time action.

    To stay anonimous I will not enter this email account. I check my Bitcoin address every 20 minutes and if I receive the transaction I will give the command to my person to get away.

    If an explosive device detonates and the authorities notice this message:

    We are not terrorists and dont assume responsibility for explosions in other buildings.

  6. mark

    Saw a number that claimed the bomb was lead azide… which, according to wikipedia, a) is used as a secondary detonator, not the explosive itself; b) is worked underwater, and c) will explode if dropped 6″

  7. bweber93

    We’ve seen these with variations in the bomb type and the bitcoin address posted by Sys Admins at Spiceworks.com, As well as the Acid one now being posted today, all with IP’s pointing to Russia as well as ACID attacks in general seem to be more common in eastern Europe and Asia.

    A single person being listed as controlling a building seems laughable and very obvious, plus the sheer generaliness of the email makes it very obviously a scam, but I don’t think it will be very successful, similarly to the Assassin’s emails that used to get sent out.

  8. MJG

    Has the time come to hunt the perps down and give them a horrible and filmed punishment.

    1. Mahhn

      Yes!
      if my expenses are covered, I’ll help for the satisfaction.

  9. Readership1

    People need to stop responding to these anonymous threats. They’re no more credible than spam and telemarketers calling about free medical devices and credit card offers.

    Outside the US, modern bomb threats have been either identifiable and true (e.g. the IRA and some Middle East groups), or anonymous and false.

    The most recent, anonymous — and true — bomb threat in the US occurred at the University of Wisconsin. The bomb was in the math building, during the Vietnam War.

    Since 1970, there hasn’t been a single, credible anonymous bomb threat in the US. [1]

    It’s time for government to stop endangering us with their overreactions and disruptions. Police guns and speeding police vehicles kill more Americans each year than terrorists. [2, 3, and 4]

    Spend less effort worrying about the false threats of anonymous jerks. Instead, wake up to the fact that it’s government’s enforcers that put the “safety of others at risk.” [4]

    [1] https://m.inlander.com/Bloglander/archives/2015/04/10/idle-threats-expert-says-bomb-threats-are-pretty-much-always-duds

    [2] https://www.usatoday.com/story/news/2015/07/30/police-pursuits-fatal-injuries/30187827/

    [3] https://krebsonsecurity.com/2017/12/kansas-man-killed-in-swatting-attack/

    [4] https://www.vox.com/identities/2016/8/13/17938170/us-police-shootings-gun-violence-homicides

  10. Criz

    Guys swich off your computers… Live real life!!
    For me is real.. My good health, the money in my pocket!
    And my family and good friends!!
    Other things are just illusion.
    Bomb… Threat…. Cmon… Use your head!!

  11. Criz

    Let me tell you guys something… I been using internet and computer a lot.
    And i never been victim of cybercrime!!!
    I think its your own mistakes… Use your head and brain school education not help you if you cant analyse life and use ur head more often.
    … Would you guys think its normal if you pay for some nonsense cyber thief???
    If its me i will send e mail back!!
    Like… Go f yourself!!
    Be men the society is full of snow flakes.
    Thats it.
    Swich off ur pc and go take walk or go to gym… Get out from your own created prison matrix.

    You see i have no education but i have knowldge and brain.
    My point is use your head more!!

    1. Mahhn

      Criz – we iz the peeps dat helps the peeps that don’t knowz betterz. You-z telling uz whut 2 du meanz zilcho

  12. Norbert

    And an alternative, threating with an acid attack.
    My response was to laugh at the stupid email. We have it printed in a large font on a sheet of A2 paper on stuck to the wall of the IT dept here to educate!

    Received: from sarafun.net ([185.178.47.124]) by xxxmungedxxx with
    xxxmungedxxx; Fri, 14 Dec 2018 15:53:06 +0000
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=key1; d=sarafun.net;
    h=Date:From:Message-ID:To:Subject:MIME-Version:Content-Type:
    Content-Transfer-Encoding; i=noreply@sarafun.net;
    bh=zBfERusnSwLq+LhTWgA1uWXc8wMaZwHoTXU7eASrpew=;
    b=oojQB/ZY3aAV1qMM7NympjhjRwFoUxCqy3q/cgr93iZwKJkurAC0LiQ38YFo/XzXEPmEjxOusKY0
    HOMW7+9j7Mm6ldfJ0cAqPZQREXqXC0IGwP50f/ifGIQC3OVBFhTtxyVt1fAn046Tg4dlhKFkt3mg
    Tx+WxToVpiU/xTcKCnk=
    Date: Fri, 14 Dec 2018 15:30:52 +0000
    From: “=?utf-8?Q?Sparrow_Miceli?=”
    Organization: ddkca
    X-Priority: 3 (Normal)
    Message-ID:
    To: xxxmungedxxx@xxxmungedxxx
    Subject: =?utf-8?Q?_No_need_to_be_heroic__14=2F12=2F2018_05=3A30=3A46?=
    MIME-Version: 1.0
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: 8bit
    X-ME-CountryOrigin: UA
    X-ME-Bayesian: 0.003475
    Return-Path:

    Hi

    I have a site in the darkweb, I perform all kinds of services – in the main it is destruction to property and injury. In general, all but the homicide. Often main reasons are unrequited love or competition at bussiness. This month she talked me and gave me the mission of pour out acid in your visage. Default order – quickly, hurts, forever. Without too much fuss. I get money only after doing the task. Therefore, now I offer you pay me to be inactive, I propose this to nearly all the victims. If I do not see money from you, then my man will fulfill the mission. If you give me money, in addition to my inactivity, I will give you the info that I have about the client. After completing the task, I often spend the performer, so I have a selection, to get $1350 from you for info about the customer and my inaction, or to get $ 4000 from the customer, but with a big probability of spending the performer.

    I’m getting paid in Bitcoin, here’s my Bitcoin address – 1Ebf2rrLxVuMGKkwi2PeZtjBEEiidxrkkL
    The sum I told above.
    36 hours to decide and pay.

  13. Dave

    I was actually the first to respond to this article with a very supportive comment. But for some reason, I seem my comments don’t seem to get posted. I have no idea why. I run Firfox Nightly with NoScript and Ublock Origin. Ideas?

    1. Readership1

      Some comments are held back until manually reviewed. It’s got nothing to do with your browser or what you write. Just be patient.

      The fact that THIS comment appeared shows you aren’t being blocked.

      You can also contact the author directly by clicking “About the author,” at the top of the page. He actually reads his mail.

  14. Anthony

    Yeah, I just found one of the acid attack ones in my spam folder:

    Hi there.

    I run a website in the deep web,I sell all kinds of services – above all it is damage to property and harm.In general,all but the murder.Often this happens because of rejected love or competition at work.This month he talked me and gave me the order of splashing acid in your face.Standard task – fast,hurts,for life.Without too much fuss.I get receive only after completing the order.Therefore, now I offer you pay me to be inactive,I suggest this to nearly all the victims.If I do not receive money from you, then my man will fulfill the task.If you transfer me money,in addition to my inaction,I will give you the info that I have about the client.After completing the task, I often lose the performer,so I have an option,to get $1200 from you for info about the customer and my inaction,or to get $ 6000 from the customer,but with a high probability of spending the performer

    I’m getting money in BtC,here’s my bitcoin address – REDACTED
    The amount I indicated above

    36 hours to transfer, and remember that time clock is beating

Comments are closed.