Text | Ratchet Light White

In recent months, a Japanese-language Bitcoin ransom email has been wreaking havoc in the country. The blackmailer claimed that he had obtained the target's email password, web browsing history and even "nude photos", and used them to force the target to pay "hush money" in Bitcoin.

The hackers' extortion methods are not sophisticated, but some people still fall for them.

This is not an isolated case. In the history of digital currency, there have been countless cases of extortion. Their anonymity and the difficulty of tracing them make digital currencies such as Bitcoin an excellent tool for hackers.

The methods used by blackmailers are varied. Some hackers have profited from blackmail, while others have become the laughing stock of the circle.

01 Ransom Email

During the Spring Festival this year, blockchain practitioner Xiao Ma found a strange email in Japanese when checking his mailbox. Out of curiosity, he opened it.

He didn't understand Japanese, but he quickly spotted the word "BTC" and a Bitcoin address in the email. His professional instincts told him that this email was "not a good one."

After using a translator to translate the email into Chinese, Xiao Ma discovered that it was indeed a Bitcoin ransom email.

"Hello! I have bad news," the hacker wrote in the ransom note. "On June 28, 2018, I attacked your operating system and accessed your account..."

What surprised Xiao Ma the most was the leverage the hacker used for blackmail.

"I saw the websites you frequently visit and was shocked. You actually visited adult websites," the hacker wrote in the ransom note in a joking manner. "You are such a pervert."

In the ransom note, the hacker claimed that he had taken control of Xiao Ma's device and obtained Xiao Ma's web browsing history. The hacker also claimed to have used the camera to record Xiao Ma's "happy scenes" when browsing adult websites.
The hacker asked Xiao Ma to pay US$560 (approximately RMB 3,700) in Bitcoin to a designated address; otherwise, the images would be made public to Xiao Ma's relatives, friends and colleagues.

In the ransom note, the hacker also helpfully instructed Xiao Ma on how to buy Bitcoin and complete the transfer. Finally, the hacker promised to destroy the "evidence" after receiving the transfer and advised Xiao Ma "not to be angry."

"This is so funny," Xiao Ma said. In his opinion, the leverage the hacker used for extortion is worthless. This "humorous" extortion letter left him not knowing whether to laugh or cry.

But even so, the hacker still received "hush money" from others.

Bitcoin blockchain data shows that the address left by the hacker has received 9 transfers, a total of 0.77 bitcoins, which is about RMB 19,500 at the current price.

Obviously, the hackers sent the emails in bulk, casting a wide net to catch more fish.

On social platforms such as Weibo, many netizens reported that they had also received similar ransom emails. The addresses left by the hacker in these ransom emails are different, which suggests that the hacker may have earned much more than 19,500 yuan.

02 The Man Behind the Scenes

Even with such a laughable pretext for blackmail, the hacker can still scam people out of Bitcoin. Xiao Ma believes that this is related to a detail the hacker included in the email.

In the ransom letter Xiao Ma received, the hacker said that he had obtained Xiao Ma's email account password through a Trojan virus, and stated the password outright: 19XXXXXXX. To catch the target's attention, the hacker even changed the recipient's name to this password.

Xiao Ma no longer uses this password, but he was still shocked that the information the hacker possessed was genuine.

How did the hacker get the email password of the blackmail target?
Information collected by a blockchain reporter shows that the victims who received the ransom email used essentially all the mainstream mailboxes of domestic users, including QQ mailbox, 163 mailbox, 126 mailbox, etc.

"The possibility of hackers breaking into Tencent and NetEase and obtaining users' plaintext passwords is extremely small," Zhang Hongwen, a network security engineer, told a blockchain reporter. "If, as the hacker said, he obtained the passwords through a Trojan horse, he should have used a virus to extort money directly, rather than using email, which has the lowest threshold."

Zhang Hongwen believes that the hackers most likely obtained the account passwords from the "data packages" that are common in the hacker circle.

"Historically, some platforms have leaked user account names and plaintext passwords for various reasons. Some hackers packaged them into 'data packages' and sold them publicly on the dark web," said Zhang Hongwen. "Most of these accounts are email addresses, so hackers can send mass emails to extort money."

Since most users are accustomed to using the same password on multiple platforms, hackers can often use leaked passwords to obtain more information about victims.

The victim Xiao Ma recalled that his account name and password were probably leaked from an IT community, CSDN. The password he had used on the CSDN platform was exactly the same as the password given by the hacker in the email.

At the end of 2011, CSDN suffered a password leak incident, and the information of 6 million users was leaked. Later, the password leak incident spread to websites such as Tianya Forum, and 40 million account passwords were leaked one after another.

These passwords were all leaked in plaintext, becoming an excellent tool for hackers to extort money.

"In the hacker circle, CSDN's 'data package' has become a resource that everyone has a copy of due to its age."
In Zhang Hongwen's opinion, the hacker who sent the ransom note is "a bit poor" and may not be able to afford the latest data package.

"Using mass emails to extort money is just the most common form of extortion," Ma Gang, co-founder of security company Huorong, told a blockchain reporter. "What's more dangerous is customized extortion targeting specific extortion targets."

In the security circle, this customized extortion method is called "sniper extortion."

The Japanese ransom emails have also seen similar upgrades.

A report in Henan Business Daily in December 2018 showed that Cheng Cheng (pseudonym), a male college student in Zhengzhou, had received a similar Japanese ransom email. But unlike Xiao Ma, the ransom email Cheng Cheng received came with a "nude photo".

Cheng Cheng told Henan Business Daily that this "nude photo" was very crude: "It was obviously photoshopped. The head is me, but the body is obviously not. It was in a room I don't know where, and in some of the photos, she was wearing clothes I have never seen before."

The blackmailer demanded that he transfer $551 to a Bitcoin account within 50 hours, otherwise he would destroy his computer and send the pictures to his contacts.

Who sent this series of ransom emails?

On Weibo, some netizens said they had received two ransom notes with the same content. The first one was in English, while the second one was the Japanese one mentioned above.

"The Japanese ransom letter is incoherent and obviously not written by a Japanese person," said Cong An, a Japanese language enthusiast, to a blockchain reporter. "For example, Japanese people rarely use the second-person pronoun 'you (あなた)', and this letter is more like the result of a machine translation."

In his opinion, it is very strange that the hacker used Japanese emails to blackmail Chinese people.

Perhaps the only way to describe this hacker is that his skills are not good enough.
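
The ransom notes described above share three traits: a Bitcoin address in the body, a payment demand with a deadline, and a recipient display name replaced by a leaked password. As an added example (not part of the original article), a mail-triage check for those signals; the sample message, its address and the `Passw0rd1999` display name are constructed, and the display-name rule is a heuristic assumption.

```python
import hashlib, re
from email import message_from_string
from email.utils import parseaddr

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

def checksum(payload):  # first 4 bytes of double SHA-256
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload):  # only used to build the constructed sample address
    data = payload + checksum(payload)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out

def b58check_valid(addr):  # decodes to 25 bytes with a matching checksum
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and checksum(raw[:-4]) == raw[-4:]

def triage(raw_email):
    msg = message_from_string(raw_email)
    name, mailbox = parseaddr(msg.get("To", ""))
    # Text of all leaf parts (no transfer decoding; enough for plain-text notes).
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    s = {
        # Checksum-valid legacy (Base58Check) payment address in the body.
        "btc_addresses": [a for a in ADDR_RE.findall(body) if b58check_valid(a)],
        # Heuristic (assumption): display name is one token containing a digit and
        # differs from the mailbox name, as when it is replaced by a leaked password.
        "password_like_name": bool(name) and " " not in name
            and any(c.isdigit() for c in name)
            and name.lower() != mailbox.split("@")[0].lower(),
        # Bitcoin payment demand with an hour deadline.
        "demand": bool(re.search(r"\b(BTC|bitcoin)\b", body, re.I)
                       and re.search(r"\b\d+\s*hours?\b", body, re.I)),
    }
    s["quarantine"] = bool(s["btc_addresses"]) and (s["password_like_name"] or s["demand"])
    return s

# Constructed sample: the address is built from a made-up 20-byte hash.
SAMPLE_ADDR = b58check_encode(b"\x00" + bytes(range(1, 21)))
SAMPLE = (f'To: "Passw0rd1999" <xiaoma@example.test>\nSubject: notice\n\n'
          f"I have bad news. Pay US$560 in BTC to {SAMPLE_ADDR} within 50 hours.\n")
```

Validating the address checksum keeps ordinary long alphanumeric strings (tracking codes, tokens) from counting as a payment address.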
03 Various Ways

In the history of digital currency, Bitcoin has been favored by hackers because it is anonymous and difficult to trace. Blackmail cases related to Bitcoin are common and varied.

According to statistics from the OpenLaw website, since 2014, there have been 327 domestic judicial documents related to Bitcoin, and the number has been increasing year by year.

Figure: Statistics of the time of judgment of Bitcoin-related cases (Note: Due to the time limit for public disclosure of judicial documents, the data for 2018 is incomplete)

In most of these criminal cases, criminals used Bitcoin only as a means of money laundering, while there were nine cases where Bitcoin was used for extortion.

Among them, the most well-known case is the one in which Du blackmailed Tianjin Hongri Pharmaceutical Co., Ltd.

In December 2014, Du sent a blackmail email to Hongri Pharmaceutical, threatening to expose an internal document of the company, demanding RMB 3 million and specifying that payment should be made in Bitcoin.

In May 2015, Hongri Pharmaceutical was forced to accept Du's demand and used 3 million yuan to purchase 2,099.7 bitcoins, which were transferred to the Bitcoin address provided by Du. Du thus cashed in more than 2 million yuan in stolen money.

In court, Du argued that "Bitcoin is not property protected by my country's criminal law," and that it therefore could not be proven that he had accepted 3 million yuan in property from Hongri Pharmaceutical.

However, the court held that Bitcoin was only the means by which Hongri Pharmaceutical paid property to Du, and whether Bitcoin had property attributes was not the focus of the case. In the end, Du was sentenced to 13 years in prison.

In fact, extortion cases related to digital currencies are not uncommon abroad, and the sources of many Bitcoin ransomware strains point to foreign countries.

In May 2017, the ransomware WannaCry broke out.
According to Europol statistics, more than 200,000 computers in more than 150 countries around the world were attacked. All the attacked computers were locked by the virus.

The virus displayed a message saying that the computer's files had been encrypted and locked and would be deleted after 7 days. The hacker said that there was only one way to avoid the destruction of the files: paying $300 worth of Bitcoin. If it was not paid within three days, the "ransom" would be doubled.

"WannaCry" has become one of the most influential viruses in computer history. FedEx, Germany's Federal Railways, and Russia's Ministry of Internal Affairs were all affected. China's education network became the worst-hit area, with many students' graduation theses "destroyed" by the virus.

"According to statistics, the global computer crashes caused by 'WannaCry' resulted in direct losses of approximately US$8 billion (approximately RMB 55 billion)," George, chief technology officer of Cyence, a Silicon Valley cyber risk modeling company, said in an interview with The Wall Street Journal.

However, the mastermind behind this cyber disaster was ridiculed by the outside world.

According to statistics from a US cybersecurity company, a week after the virus spread, the hacker had received about 75 bitcoins, which was worth only $116,000 at the price at that time.

Compared with "WannaCry", some teams engaged in "sniper extortion" have more "sophisticated" methods and make more profits.

Research results from US cybersecurity companies CrowdStrike and FireEye show that since August 2018, a mysterious organization has made nearly $4 million through Bitcoin extortion.

This organization has a clear goal. They first use the Trojan "Trickbot" to attack corporate networks in a scattershot manner. After locking onto a target, they release the ransomware "Ryuk" and demand a huge ransom.

As of January this year, the group had conducted 52 transactions, from which it obtained Bitcoin worth approximately $3.7 million.
However, not all Bitcoin extortionists are "skilled". Some, like the hackers behind the "Japanese Mail" attack, use rather naive methods.

According to The Seattle Times, some wealthy men in Maryland, USA, received Bitcoin blackmail emails in August last year.

The hacker claimed that he had learned the blackmail targets' secrets and demanded a Bitcoin "confidentiality fee" worth $15,750. If they did not comply, these secrets would be revealed to their wives.

Interestingly, some of these wealthy men are still unmarried, while others chose to confess to their wives to seek leniency. The hacker miscalculated.

The most extreme case of Bitcoin extortion occurred in December 2018.

Corporate offices and universities across the United States suddenly received Bitcoin ransom emails from anonymous senders. "Pay $20,000 worth of Bitcoin or I will blow up the building you are in," the attacker threatened.

The US police took this very seriously, but did not find any explosives. Most people thought the threat was just a prank.

"We have been investigating various Bitcoin extortion cases, but this is the first time we have encountered a threat of detonating a bomb," said an American security researcher. "Obviously, this method is too stupid."

The devil is one foot high, but the Tao is ten feet high.

At present, mainstream antivirus software can already comprehensively detect and remove various ransomware viruses. It is not difficult to solve the common security problems faced by individuals and enterprises.

In unknown dark corners, hackers who use Bitcoin for extortion still exist. But obviously, the opportunities left for them will become fewer and fewer.