How the Dirty Coins from Sextortion Campaigns are laundered

Sextortion scams along with ransomware attacks have been popular ways cybercriminals attempt to flip a quick a profit. Profit is made in both scenarios the cybercriminal will request payment to decrypt files, or in the case of a sextortion scam extort the victim by threatening to release embarrassing content via social media related to the victim’s sexual preferences they may or may not have. In both cases, the preferred method of payment is in one cryptocurrency coin or the other. For the hacker and the scammer, the next phase of their plan would be to turn the cryptocurrency into fiat currency that can be used on a more day to day basis.

In 2017 security researchers set out to follow the money trail to find exactly how hackers, in particular those behind ransomware attack, managed to cash out. Now security researchers have once again set a task to shine a light on how those behind sextortion campaigns carry out the task we often forget about. For the most part, the effort is placed on the analysis of how the scam is spread and conducted with little emphasis placed on how the cybercriminal actually profits.

Security researchers from both SophosLabs and CipherTrace worked together to find out where the extorted coins went after payment. In the subsequent report details of how the scams actually manage to cash out were illuminated upon. Hopefully, in future this information can be used by law enforcement officials to better trace scammers, shut down operations, and make arrests. One of the obstacles faced by law enforcement in these cases is that due to the adult nature of the embarrassing content which might be leaked, in many instances the scammer had no way of gaining access to the content been used to extort the victim, the victim will in many cases not report the incident. Determining the money trail of criminals is one of the methods that law enforcement relies on to uncover and shut down financially operated criminal organizations.

How the Dirty Coins from Sextortion Campaigns are laundered

The investigation began with the analysis of a particularly large campaign that was active from September 2019 to February 2020. During this time frame, millions of spam emails were sent with victims been asked to pay 800 USD worth of Bitcoin into the scammer's cryptocurrency wallets. Researchers estimated that the scam netted approximately 500,000 USD, at the time of writing this is nearly 51 Bitcoin, for the scammers.

In order to send out the massive number of spam email botnets, devices infected with malware in order to carry out specific instructions s be that mass email sending of denial of service attacks. The majority of the emails were sent in English, however, samples were discovered written in Chinese, French, German, and Italian.

Money Trail

The analysis of the cryptocurrency flow was performed by CipherTrace. It was noted by researchers that,

“We shared wallet data extracted from these spam campaigns with CipherTrace, Inc., to get more insight into the flow of digital currency connected to them. The wallet addresses used by the scammers to extract payments from victims were found to have made transactions with dark web marketplaces, stolen credit card data hawkers, and other elements of the cybercriminal economy. Other funds were quickly moved through a series of wallet addresses to be consolidated, put through “mixers” [Platforms used to turn cryptocurrency into fiat currency] in an attempt to launder the transactions, and converted to cash, goods, and services through other channels…While the sextortion scams themselves were hardly innovative, the cryptocurrency flow wasn’t the only thing that suggested a certain sophistication behind some of the attackers. Many of the messages relied on a number of technically interesting obfuscation methods to try to slip by spam filters. And while the vast majority of recipients either never saw the messages or didn’t pay, enough saw and fell for the ploy that wallets associated with the messages pulled in 50.98 BTC during the five-month period…an average of $3,100 a day.”

Researchers traced payments to 328 cryptocurrency wallet addresses with wallets been cycled in and out of use every 15 days or so to make tracing payments more difficult. Of that original number, 12 addresses were linked cryptocurrency exchanges that do not impose Know Your Customer (KYC) rules which are designed to prevent fraud and money laundering. This makes those platforms relatively high risk for investors but favored among those looking to clean stolen money. Other transactions were connected to private, non-hosted wallets. In total, 316 transactions made up to three “hops”, transactions done to muddy the trail, from one original transaction address to the desired endpoint.

Transactions often ended up in places including the Dark Web Hydra Market and credit card dump marketplace FeShop. Funds were also sent to other corners of the underground criminal economy including mixers for conversion to other cryptocurrencies, cash, and services. It was also revealed that the scammers were determined to move coins quickly, the report states,

“There were 13 addresses among the 328 passed to CipherTrace that did not have traceable outbound transactions. But for the remainder, whoever was behind the wallets did not let their cryptocurrency spoils sit for long. Based on the date of the first input (when the first extortion payment transaction occurred) and of the last output (when the last of the value of the wallet's Bitcoin was drained), an average "lifespan" of approximately 32.28 days.”

While data of how the funds were moved could be accessed, determining the geographical location of the scammers proved to be far more difficult. The scammers relied on VPNs and Tor exit nodes to mask location data as well as using global cryptocurrency exchanges to further hide real-world locations. While geographical location will be essential in attributing the scams and helping law enforcement take discernible action, knowing how the money is laundered can help investigations. Further, they illuminate how criminal networks operate.

Yet another Sextortion Scam

As data on how criminals launder their ill-gotten gains, another scam has been seen making the rounds. The scammers are demanding 2,000 USD to be paid in Bitcoin within 24 hours. If this is done then the scammers “promise” to leave the victim alone and guilt-free. The email itself states,

“. . . I know pretty much everything about you. Your entire Facebook contact list, phone contacts along with all the virtual activity on your computer from the past 178 days.
. . . Well the last time you went to see the porn material webpages, my spyware was activated inside your personal computer which ended up logging a lovely video footage of your masturbation play simply by activating your cam.
(you got seriously unusual taste btw lmfao)"

This is fairly standard for sextortion campaigns who rely on social engineering tactics to scare the victim into paying. As to whether the scammer indeed has the material they say they have, it is highly unlikely. Most scammers rely on email dumps associated with major breaches. In this case, it is believed that the emails were harvested from a known dump associated with the Ashley Madison hack which occurred in 2017. Ashley Madison is advertised as a dating site, however, the service became synonymous with married men seeking extramarital affairs. The site was hacked resulting in a massive data breach and subsequent dump of user info. Again users had to pay a sum in order to stop the hackers from publically releasing data which may indicate that the user was involved in affairs.

Much of the data was indeed dumped on the Dark Web and has been used by other scammers to carry out similar sextortion campaigns to the one detailed above. In fighting back against these scams a strict policy of not paying should be followed. When millions of spam emails are sent those behind the scam are reliant on only a small percentage of receivers paying up to prevent further embarrassment. As was mentioned above the likelihood of the scammers actually having material suitable for blackmail is slim.

If even smaller percentages pay it will not be worth the scammer’s effort to carry out the scam in the future. As many of the scammers operate on the Dark Web, they do have relative immunity from prosecution, often law enforcement targets the operations laundering the money. If fewer people pay and money launderers are shut down these scams will slowly disappear until the next trend influences the criminal underworld. However, until a day like that even arrives sextortion scams will be populating inboxes for the foreseeable future.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal