Crypto Extortion on the Rise, Says Academic Study

Crypto-based extortion – basically the process of using spam-flinging botnet armies to "ransom" dirty pictures and compromising information in exchange for bitcoin – has turned virtual crime into child's play.

Speaking this week at the Advances in Financial Technology conference in Zurich, an international team comprised of researchers from the Austrian Technology Institute and security provider GoSecure sampled a population of email spam and found that the extortion process was quick, easy, and very lucrative.

Using public data hack info, the researchers found that a single instance of the popular Necurs botnet launched over 80 campaigns and in the 4.3 million emails surveyed by the team. In almost all cases the criminals had no incriminating information on the victims.

The team said that the botnet was surprisingly lucrative. By renting a botnet for $10,000 per month, the extortionists have been making at least $130,000. Compared to most extortion schemes, the spam campaign is incredibly simple, largely due to its employment of cryptocurrencies, said GoSecure's Masarah Paquet-Clouston.

As such, the researchers expect crypto-backed email extortions to increase.

"If you look at traditional [product] spam, it's much more complicated ... [crypto] extortion spam is much simpler," Paquet-Clouston said.

Examples provided in the paper describe an email informing the victim that the hacker will release compromising personal information if bitcoin isn’t provided in a timely manner. For example, one email claimed the hackers were performing surveillance via malware:

"Hello! As you may have noticed, I sent you an email from your account. This means that I have full access to your account. I’ve been watching you for a few months now. The fact is that you were infected with malware through an adult site that you visited."

Tracking the bitcoin addresses used and languages employed in emails allowed the researchers to further understand how botnets operate. For instance, whoever was behind the botnet charged certain nationalities higher prices than others, with English speakers topping out around $745 per recipient compared to Spaniards on the lowest end at $249.

The botnet reused bitcoin addresses, backing up similar research which saw one address used 3 million times. The researchers speculate address re-use is employed to increase the tactics overall simplicity.

Only 0.135 percent of bitcoin extorted could be traced to publicly verifiable wallets on exchanges, signifying the use of CoinJoins and other measures to mask transactions before off-ramping funds into fiat currency.

Knowledge about bitcoin and methods to track payments have lead botnet campaigns to other cryptos, the team said, particularly litecoin. Counterintuitively, privacy coins like monero and zcash are not being heavily used.

Hacker image via Shutterstock

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.