Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Sextortion Bitcoin on the Move

Published: 2019-01-18
Last Updated: 2019-01-18 23:05:32 UTC
by John Bambenek (Version: 1)
0 comment(s)

We've gotten a few reports of the latest round of sextortion emails demanding bitcoin in exchange for deleting incriminating videos. These emails and wallets have piled up for some time. Usually the criminal doesn't move the bitcoin immediately, so checking the bitcoin wallet isn't helpful. But a week or so after such emails are sent, it becomes possible to see what miscreants are doing with their ill-gotten gains. So for this, I took an e-mail I received on Jan 8th, "Your account is being used by another person" that listed bitcoin wallet 1GjZSJnpU4AfTS8vmre6rx7eQgeMUq8VYr as the place to send money to protect "my little secret".

The first thing to realize about bitcoin is that you have good enough anonymity... as long as you stay in the blockchain. Bitcoin is very decentralized. What isn't at all decentralized is the places where you can turn your fake anarchist digital money into real money. So they key in these kind of investigations is to find what they do with their cryptocurrency to get investigative leads. Sometimes those leads involve finding wallets that are discussed publicly or on forums (i.e. how I track neonazi cryptocurrency online), sometimes it could be just finding where to send the subpoena.

With the wallet above, it has earned about $12,000 for spamming planet earth with these extortion threats. The wallet itself is part of a cluster of 5 addresses, all linked to similar scams (17YKd1iJBxu616JEVo15PsXvk1mnQyEFVt, 18Pt4B7Rz7Wf491FGQHPsfDeKRqnkyrMo6, 1G1qFoadiDxa7zTvppSMJhJi63tNUL3cy7, 1PH5CYMeD4ZLTZ2ZYnGLFmQRjnptyLNqcf) which you can research at Bitcoin abuse which is making tracking this much easier.

There are lots of tentacles of where these coins end up. Some end up cashed out at but the intrigued transaction happened yesterday with an approximately $12,000 transaction into a Binance wallet (transaction here).

The inputs to these criminals are commodity bitcoin exchanges as well, and it might be helpful if those reputable exchanges simply prohibit any transaction with these wallets. That said, knowing where the money is coming out provides leads to investigations looking to bring these actors to justice.  I've been estimating these scams are making about $100,000 a week or so, but much more work needs to be done to aggregate all the abusive wallets and then attribute them to specific actors or groups.

If you see these scams, please report them to to allow researchers and investigators to have that data for more correlation.

John Bambenek
bambenek \at\ gmail /dot/ com

Keywords: bitcoin sextortion
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Emotet infections and follow-up malware
Jan 16th 2019
4 days ago by Brad (2 comments)

Microsoft Publishes Patches for Skype for Business and Team Foundation Server
Jan 15th 2019
4 days ago by John (0 comments)

Microsoft LAPS - Blue Team / Red Team
Jan 14th 2019
5 days ago by Rob VandenBrink (3 comments)

Still Running Windows 7? Time to think about that upgrade project!
Jan 14th 2019
5 days ago by Rob VandenBrink (0 comments)

View All Diaries →

Latest Discussions

sextortion Mail
created Jan 10th 2019
1 week ago by Anonymous (0 replies)

Internet security needed!
created Jan 3rd 2019
2 weeks ago by Anonymous (0 replies)

Security industry and Root Cause Analysis
created Dec 28th 2018
3 weeks ago by Anonymous (0 replies)

Disposable e-mail address service status?
created Dec 26th 2018
3 weeks ago by Anonymous (0 replies)

PDF vs. DOCX in phishing mails
created Dec 14th 2018
1 month ago by sciurium (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
1 year ago by Johannes (13 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
1 year ago by Russ McRee (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
1 year ago by Renato (0 comments)

Maldoc with auto-updated link
Aug 17th 2017
1 year ago by Xme (2 comments)