13
Dec 18

Spammed Bomb Threat Hoax Demands Bitcoin

A new email extortion scam is making the rounds, threatening that someone has planted bombs within the recipient’s building that will be detonated unless a hefty bitcoin ransom is paid by the end of the business day.

Sources at multiple U.S. based financial institutions reported receiving the threats, which included the subject line, “I advise you not to call the police.”

The email reads:

My man carried a bomb (Hexogen) into the building where your company is located. It is constructed under my direction. It can be hidden anywhere because of its small size, it is not able to damage the supporting building structure, but in the case of its detonation you will get many victims.

My mercenary keeps the building under the control. If he notices any unusual behavior or emergency he will blow up the bomb.

I can withdraw my mercenary if you pay. You pay me 20.000 $ in Bitcoin and the bomb will not explode, but don’t try to cheat -I warrant you that I will withdraw my mercenary only after 3 confirmations in blockchain network.

Here is my Bitcoin address : 1GHKDgQX7hqTM7mMmiiUvgihGMHtvNJqTv

You have to solve problems with the transfer by the end of the workday. If you are late with the money explosive will explode.

This is just a business, if you don’t send me the money and the explosive device detonates, other commercial enterprises will transfer me more money, because this isnt a one-time action.

I wont visit this email. I check my Bitcoin wallet every 35 min and after seeing the money I will order my recruited person to get away.

If the explosive device explodes and the authorities notice this letter:
We are not terrorists and dont assume any responsibility for explosions in other buildings.

The bitcoin address included in the email was different in each message forwarded to KrebsOnSecurity. In that respect, this scam is reminiscent of the various email sextortion campaigns that went viral earlier this year, which led with a password the recipient used at some point in the past and threatened to release embarrassing videos of the recipient unless a bitcoin ransom was paid.

I could see this spam campaign being extremely disruptive in the short run. There is little doubt that some businesses receiving this extortion email will treat it as a credible threat. This is exactly what happened today at one of the banks that forwarded me their copy of this email. Also, KrebsOnSecurity has received reports that numerous school districts across the country have closed schools early today in response to this hoax email threat.

“There are several serious legal problems with this — people will be calling the police, and they cannot ignore even a known hoax,” said Jason McNew, CEO and founder of Stronghold Cyber Security, a consultancy based in Gettysburg, Pa.

This is a developing story, and may be updated throughout the day.

Update: 4:46 p.m. ET: Added bit about school closings.

Tags: , , ,

91 comments

  1. two so far (different explosive)(still spam)

    Hello. My man hid an explosive device (Tetryl) ….

    wallet addresses –

    19nShJMkTbP6VCVaoAjzzTQuXLPzXH1Qb7
    1BHasGex1jhRZeY7KyUGGKUNRtVgKedRY8

  2. Robert Nahouraii

    just got this exact email 3 hours ago

  3. I’m curious. What does the attacker get if the bitcoin wallet addresses are all fake or spoofed? Or are they actually creating that many wallet addresses? I’d like to know.

    • Probably copycat hackers who just copy/paste the scam email but include a Bitcoin address they control.

    • There are 2^160 possible bitcoin wallets.

      A fast computer could generate thousands of wallets every second. There is no downside to using unique a bitcoin wallet for every email sent by this scam.

      Ok, one downside: the scammer has to check each bitcoin wallet to see if anyone paid. But again, a fast computer would not take long to check all the wallets.

    • It is very easy to create unlimited nr. of addresses. Even if the attacker will use one mere Bitcoin wallet, he still can generate almost unlimited nr.of functional addresses. By one click and copying it down … followed by another click and copy past the other down etc.

      If he has set of addresses he controls… it gives him the advantages of easily recognizing which of his victims was it, who did sent him the extortion. Or on the contrary who did not.

      It is as if having specific symbol in bank account wiring order.

      That said bitcoin network is pseudonymous, it is not anonymous… so in case he gets something on the address… he will most probably get tracked down later.

  4. The Sunshine State

    My recent extortion bitcoin wallet addresses

    ” 1P55eXM8gxmwjSbqEpBWLBBvJQ7C1BmRH3″

  5. Isn’t Hexogen an explosive used by the Russian military? They were using it to blow up apartment buildings back in 1999 to elect pres. Putin. I don’t think it’s well known outside of Russia. So, here’s your attribution for this extortion scheme, Brian.

    • Good conclusion. Source IP in the header of the emails we received shows the same thing.

      • Wikipedia says Hexogen is RDX, invented in Germany in the 1890’s and used by everybody in WW2. Called hexogen particularly in Russian, French, German and German-influenced languages.

        Hardly a smoking gun.

  6. The type of explosive is different in some of the emails.

  7. We got 2 of these around 12:20 EST. Both have empty bitcoin wallets and both came from different email addresses.

  8. While the scammer claims “they” are not terrorists, (s)he is indeed making a “terroristic threat”.

    Ref: https://definitions.uslegal.com/t/terroristic-threat/
    and https://en.wikipedia.org/wiki/Terroristic_threat

  9. Our institution just got this email. The explosive device was listed as lead azide. All other wording was the same.

  10. Got mine @1:30EST. Dang, I’m only worth $20?!
    I received:
    bomb (Tetryl),
    1Dnw2qJxGFCZdE3PzCaVioBB9zERc7SzRB

  11. Well, yeah. The text definitely looks like it was written (or translated into English) by someone whose command of the English language is wanting and whose first language is Russian. Or by someone who knows how to look Russian

  12. Our workplace just received the same threat. It stated that the explosive is tronitrotoluene or as we know it, TNT.

    • KoSReader6000000

      JD, the spelling should be “explosive is trinitrotoluene” not “explosive is tronitrotoluene.” My spell checker flags tronitotoluene as wrong. If the extortionist uses the wrong spell is that clue that the email fake?

      • You have to keep in mind that just because you are reading Spinglish (Spam English) – that doesn’t mean it is Just a Hoax. You have to consider that regardless of the background of an Extortionist – it would be pointless them sending you as an English speaking person something in Russian or any other language – you would just junk it immediately.

        Their intentions are Extortion – which means whether there are really explosives or not – they want their Money, so they need to be sure that you can understand their intentions. Some bad Grammar here or there – yes we know this is Tick number one on the “This Must be Spam” when we get something from some arse claiming to be needing to give away 3 Million Pound Sterling, etc. However regardless of how “Spamish” it is – you should always act in the appropriate manner and seek to investigate further. i.e. check the wording, check with spam reporting sites, check IP sources of the email, etc. And regardless you should still enact the Emergency Procedures of your organisation.

  13. reported the bitcoin address for “Fraud”

  14. One of our tenants just received this same email this morning. Police confirmed at least 10-15 businesses from Orange County down to San Diego were reporting the same email.

  15. Wow, that is profoundly stupid. Rather than continue with the porn scam or something similar, which we know law enforcement will completely ignore, let’s threaten to blow up buildings to ensure the FBI’s full involvement!

    I have the feeling some of these guys are about to have their anonymity OPSEC seriously tested…

  16. Have anyone of you that received the threat email have a membership account with Marriot? Wondering if it is all connected.

  17. I got this email, too. Interestingly, it was sent to an email address that I only used on a forum impacted by the Verticalscope breach.

  18. address in my version of the email: 1Dnw2qJxGFCZdE3PzCaVioBB9zERc7SzRB , not a lot of profits so far.

  19. The writer’s first language is not English, and many of the details are mangled by a bad translation. But one thing universal is time. Why every 35 min? Did they mean to say every half an hour, but decided to give a bonus 5 minutes?

    • The 35 minute time is _not_ universal. One threat said: “my
      warranty will become valid only after 3 confirms in blockchain network”.

      Never use absolutes. Never ever.

    • >The writer’s first language is not English

      How would you know that? This is obviously spintax.

    • As these criminals have several Bitcoin wallets to scan to see when a transfer arrives, the 35 minutes is probably how long it takes for them to check all the wallets, then start over. “Several” could be hundreds.

      It is rather dumb of them to expect people will see the email as soon as it arrives. Also dumb of them to think people in America do not talk to each other, or to law enforcement. But if these criminals themselves are trying to evade attention from their own local law enforcement, that might explain their ignorance.

  20. We got one of these at my work email today – we’re a small nonprofit for heaven’s sake. They were asking for $20,000 USD in BTC. As if. I reported it to the local FBI field office; by the time I finished reading and she finished reading back text from other similar emails, we were both laughing. I also reported it to ic3.gov.

    Honestly. I don’t know many nonprofits of our type that deal in BTC!

  21. So, Smashing Security just did a podcast on George Duke-Cohen this morning, and then these hoaxes start going out today. I wonder if there is a connection.
    https://www.theregister.co.uk/2018/12/07/george_duke_cohan_sentenced_3_years/

    • I thought the exact same thing when I started hearing about the threats. The fact that he was just sentenced, and the similarity in the tactics has to be more than a weird coincidence.

  22. I think the only way to fix this is to regulate crypto all over the world. Forbidding it won’t work, but there is a need to force all exchanges to do real KYC on their users.

  23. If you received a bomb threat email, please let me know the BTC address in the message and I’ll add it to the spreadsheet: https://docs.google.com/spreadsheets/d/1Xk8M9P0oK3JR3kx9KqkMRzktuUdeNQJQc5AeEv9giig/edit?usp=sharing

  24. Hi,

    Can anybody post IPs from headers that are transmitting these e-mails? BitCoin addresses are one angle but I wonder who’s doing the delivery. Seeking more information to correlate two domains that were provided to me by a large MSP on the East Coast.

    https://blog.infostruction.com/2018/12/13/bomb-theat-e-mails/

    -Matthew

    • I’ve correlated a total of 4 domains now that are all in the 194.58.x.x and belong to REG.RU a Russian Host.

      • Please tweet headers of the e-mails to @briankrebs or @infostruction we want to see the various hosts and IPs delivering if possible.

  25. Folks, this is a headline push.

    Go to cnn.com, and look at the other top headlines.
    1. Trump at illegal meeting
    2. Inaugural committee under criminal investigation
    3. Cohen wasn’t directed…

    What’s missing? the Maria Butina guilty plea for conspiracy with NRA, (it’s small and too the right).

    This is too loud of a campaign to be an effective moneymaking scam, and it would require significant infrastructure to effectively reach soo many institutions in such a short period of time.

    This is an influence effort to shape news coverage, not a financial scam.

    • I was thinking the same thing considering the Clinton Foundation is back in the news again. None of my contacts here in Australia have reported receiving said email, doesn’t mean others haven’t tho. Local news hasn’t had any reports of buildings evacuated here due to the threat.

      Seems odd for an opportunity scammer to target one county tho, unless as you said, it’s to manipulate the news.

    • Doubtful.

      1. The story about Maria Butina is still on the CNN home page at 0600 CST on Friday, Dec 14, 2018. It is further down the page under politics.

      2. Several years ago, long before Bitcoin, some criminal blasted out emails threatening to kill the recipients if money was not paid. I got one.

      Death threat emails still continue. This bomb threat is just a variant.

      See : https://www.newsweek.com/email-scams-now-coming-death-threats-fbi-nigerian-prince-773651

  26. I got one this morning:

    Sender:
    From: “Penelope Patterson”
    Received: from blackened.com (blackened.com [194.58.39.215])

    BC Address: 15qH84uLC49CmC6jRE958Qjcf9WRZ2rMuM