Sextortion Campaigns Net Cybercriminals Nearly $500K in Five Months

Tracking the cryptocurrency paid by victims finds that, even with a low rate of payout, the scheme netted a cool half million for the various groups involved.

4 Min Read
Dark Reading logo in a gray background | Dark Reading

A simple fraud scheme that spams out extortion demands threatening to reveal the online porn habits of victims can be very profitable when usernames and passwords are included in the messages, according to an analysis published by cybersecurity firm Sophos on April 22. 

The company analyzed so-called "sextortion" spam caught in its email filters over five months, capturing the Bitcoin wallet address sent to victims for payments, and found that the campaigns cumulatively raked in $473,000, about $3,100 a day. Email messages used in the sextortion fraud scheme accounted for 4.23% of all observed spam traffic over the five months, and only 0.5% of the Bitcoin wallets used in the campaigns received a payment, Sophos stated in its advisory.

"It was a microscopic response rate, but it was still enough for them to make a profit," says Sean Gallagher, senior threat researcher with Sophos.

The research shows that a simple fraud scheme can have big payoffs for the groups behind the cybercrimes. 

Sextortion scams usually center on a simple fraud: threatening to reveal the private porn habits of would-be victims using usernames and passwords leaked from previous data breaches to add credence to the threats. Those compromised credentials usually come from massive breaches and have nothing to do with people's surreptitious activities online, but the inclusion of a once-valid username and password can frighten the recipient, Gallagher says.

"People still reuse passwords, and people still react in fear when they see something come in from someone that shows a valid username and password," he says. "So people who are doing risky behavior online — such as going to porn sites — they feel seen, they feel exposed, they immediately panic and respond."

Typically, groups will just send a single email to the victims using information from a compromised account. The scam can be profitable, because like other spam campaigns, only a small fraction of recipients need to respond to make the scam pay for itself.

The attackers used 10 to 20 campaigns, usually occurring on the weekends and, a handful of times, exceeding 20% of the spam volume detected by Sophos, according to the researchers' analysis

The researchers analyzed spam activity connected to the sextortion scams between September 1, 2019, and January 31, 2020, finding transactions totaling nearly 51 Bitcoins, which at the average daily price of the cryptocurrency, tallied up to about $473,000.

Embracing the well-worn adage of "follow the money," the researchers teamed up with CipherTrace to track the nearly 50,000 Bitcoin wallets to see whether victims paid the extortion demands and how much. Each wallet address was only included in the extortion email messages for an average of 2.6 days. Only 261 of the wallets received payment, which averaged out to 0.20 Bitcoins per address, according to the researchers.

Sophos and CipherTrace tracked the Bitcoin wallets for three transactions, or "hops," and found that they tended to cluster into seven different groups, suggesting that there may be seven cybercriminal groups involved in the spam campaigns that the companies tracked.

"It is really hard to tell once you put [Bitcoin] into an exchange or a mixer, where the connections begin and end," Gallagher says. "We can't really say when stuff goes into an exchange where they go, because exchanges tend to mix things together making it hard to say how connected these groups are beyond that."

The spam campaigns used some interesting techniques to work around email filtering technology and obfuscate their purpose. 

Some messages, for example, had invisible random strings or white "garbage text" to break up the message and prevent spam filters from matching specific strings. Other messages had non-ASCII characters that look similar to the regular English alphabet or concealed the message in the HTML style tags to, the attacker hoped, escape classification by a spam filter. 

While the companies had difficulty tracking the ultimate destination of the money used in the scam, at least some of the money was used to buy stolen credit card data, according to Gallagher.

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Ways to Prove Security's Worth in the Age of COVID-19."

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights