Spam and scam emails are a constant plague on our inboxes, but more recently, sextortion campaigns have appeared on the radar.

This particular brand of fraud tries to capitalize on how some of us view adult content: as a personal and private matter, and one we would not necessarily want friends, family or colleagues to know about.

These emails often claim that someone has been watching you through your webcam while you were watching pornography or live cams, and that they not only know what you watched and when, but have also obtained the contact details of your family and colleagues.

The emails may also include a password from an online account, stolen in a data breach and posted online in data dumps, to appear more authentic.

The cybercriminals then demand that victims pay in cryptocurrencies such as Bitcoin (BTC) or Ethereum (ETH) to stop the supposed recordings of the victim watching pornography from being leaked.

Given the adult nature of these threats, some recipients of sextortion emails will fall for the tactic and pay. But where does the cryptocurrency go?

SophosLabs researchers, along with analysts at CipherTrace, decided to find out.

On Wednesday, the companies released a research report on a large sextortion campaign that was active from September 2019 to February 2020.

During this time, millions of sextortion spam emails were sent. Victims were asked to pay up to $800 in BTC to the fraudsters' wallet addresses, which accumulated approximately $500,000 (50.98 BTC) for the cybercriminals over the life of the scam.

The scheme used botnets of compromised computers worldwide to send the spam. Most of the emails were sent in English, but some were also sent in Italian, German, French, and Chinese.

The sextortion campaign was a cut above most: the scammers used obfuscation techniques to bypass spam filters, including blocks of junk text in white font, random strings, and words with Cyrillic characters inserted to confuse scanners.
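As an added illustration (not code from the report or this article), the following Python snippet shows how a mail filter can flag the Cyrillic-in-Latin-words trick described above: it finds words that mix Latin and Cyrillic letters and maps common look-alikes back to Latin so keyword rules see the real text. The sample messages are constructed.

```python
import re
import unicodedata

# Constructed sample messages modelled on the obfuscation the article describes.
# The second copy has Cyrillic look-alike letters (U+0430 "a", U+043E "o") dropped
# into otherwise Latin words, which breaks naive keyword matching.
SAMPLE_MESSAGES = [
    "I have recorded you through your webcam. Pay 800 USD in BTC.",
    "I h\u0430ve rec\u043erded y\u043eu thr\u043eugh y\u043eur webc\u0430m. "
    "P\u0430y 800 USD in BTC.",
]

# Runs of letters only (no digits or underscores), any script.
WORD_RE = re.compile(r"[^\W\d_]+")

# Cyrillic letters that render like Latin ones, and their Latin equivalents.
# Source string: а е о р с у х А В Е К М Н О Р С Т Х (Cyrillic code points).
HOMOGLYPHS = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445"
    "\u0410\u0412\u0415\u041a\u041c\u041d\u041e\u0420\u0421\u0422\u0425",
    "aeopcyxABEKMHOPCTX",
)


def script_of(ch):
    """Classify a character as LATIN, CYRILLIC or OTHER from its Unicode name."""
    name = unicodedata.name(ch, "")
    if name.startswith("LATIN "):
        return "LATIN"
    if name.startswith("CYRILLIC "):
        return "CYRILLIC"
    return "OTHER"


def mixed_script_words(text):
    """Return the words that contain both Latin and Cyrillic letters."""
    hits = []
    for word in WORD_RE.findall(text):
        scripts = {script_of(c) for c in word}
        if "LATIN" in scripts and "CYRILLIC" in scripts:
            hits.append(word)
    return hits


def normalise_homoglyphs(text):
    """Map Cyrillic look-alikes to Latin so downstream keyword rules still fire."""
    return text.translate(HOMOGLYPHS)


def score_message(text):
    """Summarise how much of a message is homoglyph-stuffed, plus the cleaned text."""
    words = WORD_RE.findall(text)
    mixed = mixed_script_words(text)
    ratio = len(mixed) / len(words) if words else 0.0
    return {"mixed_words": len(mixed), "ratio": round(ratio, 3),
            "normalised": normalise_homoglyphs(text)}
```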

The following is an example of a sextortion message:

The research teams analyzed the wallet addresses associated with the campaign, which generated an estimated $3,000 a day in revenue. The wallets that received the deposits were recycled roughly every 15 days.

In total, 328 addresses were tracked, 12 of which were connected to online cryptocurrency exchanges and online wallet services, many of which are already considered "high risk" because they do not impose Know Your Customer (KYC) requirements, making them useful for money laundering.

Cryptocurrency exchanges including Binance, LocalBitcoins and Coinpayments were also "unwitting participants" in cryptocurrency laundering, moving funds along routes intended to clean dirty money, according to the researchers.

Other transactions were connected to private, non-hosted wallets. In total, 316 transactions were made up to three "hops" from an original transaction address, ending up at sites such as the Dark Web Hydra Market and the FeShop credit card sales market. Funds were also sent to other corners of the criminal underground economy, including mixers, and for conversion to other cryptocurrencies, cash and services.

One wallet used in the sextortion scheme was also linked to a BTC transaction tied to the 2019 Binance hack.

"There were 13 addresses out of the 328 that went to CipherTrace which had no outgoing traceable transactions," the report states. "But for the rest, those behind the wallets did not let their cryptocurrency spoils sit for long. Based on the date of the first entry (when the first extortion payment transaction took place) and the last exit (when the last value transaction occurred and the bitcoin in the wallet was cleared), there was a 'shelf life' of about 32.28 days."

Tracking real-world sextortion campaign funds is a difficult prospect, not only because of wallet anonymization but also because of the use of IP masking and VPNs.

Of the 328 addresses, CipherTrace was able to trace IP data for 20, but each of them was connected to a VPN or a Tor exit node. Most deposits ended up at global cryptocurrency exchanges, and the use of these services can bypass geographic constraints, leaving investigators with little to go on when trying to determine the true locations of the threat actors.

"Given that some of the transfers were used to obtain stolen credit card information or other criminal services, likely including more botnet services for spamming, payments for sextortion campaigns fund another round of fraud and scams," the researchers said.

Earlier this month, cybercriminals stole more than $25 million in cryptocurrency from Lendf.me. It is believed that a combination of security flaws and blockchain features was exploited in an attack that allowed the threat actors to make repeated withdrawals.

Three days after the assault, the attackers returned all of the funds after an IP address was leaked during the attack and they negotiated directly with the cryptocurrency exchange.

