This is what happens to cryptocurrency paid out in sextortion campaigns

Researchers have followed the trail of dirty coins generated through extorting sextortion spam victims.
Written by Charlie Osborne, Contributing Writer

Spam and phishing emails are a constant plague in our inboxes, but more recently, sextortion campaigns have also appeared on the radar. 

This particular brand of fraud attempts to capitalize on how some of us view adult content -- a personal and private matter, and one of which we would not necessarily want contacts such as friends or family to know about, or to become acquainted with our viewing preferences. 

Often, these emails will claim that someone has been watching you through your webcam at the same time you are watching pornography or live cams and they not only know what you have been watching and when, but have also obtained the contact information of friends, family, and co-workers. 

Emails may also include a password from an online account, stolen through a data breach and published online in data dumps, to appear more authentic. 

See also: France asks Apple to relax iPhone security for coronavirus tracking app development

Cybercriminals will then demand a payment from victims in cryptocurrency such as Bitcoin (BTC) or Ethereum (ETH) to stop footage of the victim apparently watching pornography from being leaked. 

Given the adult nature of these threats, some recipients of sextortion emails do fall for this tactic and pay up. But where does the cryptocurrency go? 

Researchers from SophosLabs, together with analysts from CipherTrace, decided to find out

On Wednesday, the companies published an investigative report on a large sextortion campaign that was active from September 2019 to February 2020. 

Millions of sextortion spam emails were sent during this timeframe. Victims were asked to pay up to $800 in BTC into wallet addresses owned by the fraudsters, amassing the cybercriminals roughly $500,000 -- 50.98 BTC -- during the scam's lifetime.  

The scheme employed botnets made up of compromised PCs worldwide to send out spam. The majority of the emails were sent in English, but some were also sent in Italian, German, French, and Chinese. 

The sextortion campaign appears to be a cut above most as the fraudsters used obfuscation techniques to bypass spam filters, including white garbage text blocks, random strings, and adding words in Cyrillic script to confuse scanners. 

An example of the sextortion message is below:


The research teams analyzed the wallet addresses associated with the campaign which pulled in an estimated $3,1000 a day in proceeds. Wallets that received deposits were cycled every 15 days or so.  

In total, 328 addresses were tracked, 12 of which were connected to online cryptocurrency exchanges and online wallet services -- many of which already considered "high-risk" as they do not impose Know Your Customer (KYC) requirements, making them useful in money laundering. 

Cryptocurrency exchanges including Binance, LocalBitcoins, and Coinpayments were also "unknowing participants" in cryptocurrency washes, in which funds are moved around to clean up dirty trails, according to the researchers. 

Other transactions were connected to private, non-hosted wallets. In total, 316 transactions made up to three 'hops' from one original transaction address, ending up in places including the Dark Web Hydra Market and credit card dump marketplace FeShop. Funds were also sent to other corners of the underground criminal economy including mixers for conversion to other cryptocurrencies, cash, and services.  

One wallet used in the sextortion scheme was also connected to a BTC transaction linked to the 2019 Binance hack

"There were 13 addresses among the 328 passed to CipherTrace that did not have traceable outbound transactions," the report says. "But for the remainder, whoever was behind the wallets did not let their cryptocurrency spoils sit for long. Based on the date of the first input (when the first extortion payment transaction occurred) and of the last output (when the last of the value of the wallet's Bitcoin was drained), [there is] an average "lifespan" of approximately 32.28 days."

Tracking the funds from the sextortion campaign in the real world is a difficult prospect, not only due to the anonymization factors of wallets but also due to the use of IP masking and VPNs. 

CNET: Senator asks Google and Apple CEOs to be personally liable for COVID-19 tracking project privacy

Out of all 328 addresses, CipherTrace was able to track the IP data of 20 addresses, but each of these was either connected to VPNs or Tor exit nodes. The majority of the deposits ended up in global cryptocurrency exchanges and the use of these solutions can bypass geographical restrictions, giving the teams little to work with when it comes to honing in on the true locations of threat actors. 

"Given that some of the transfers were used to obtain stolen credit card data or other criminal services -- probably including more botnet services for sending spam -- the payouts from the sextortion campaigns are funding yet another round of scams and fraud," the researchers said. 

TechRepublic: Security teams want new tools but lack the budget to experiment

Earlier this month, cybercriminals stole over $25 million in cryptocurrency belonging to Lendf.me. It is believed that a combination of security flaws and blockchain features were strung together in an attack that allowed the threat actors to repeatedly make withdrawals. 

Three days after the assault, the cyberattackers returned all of the funds following the leak of an IP address during the attack and direct negotiation with the cryptocurrency exchange.

Cybersecurity reads for every hacker's bookshelf

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards