Threat Level: green Handler on Duty: Lorna Hutcheson

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Bombstortion?? Boomstortion??

Published: 2018-12-14
Last Updated: 2018-12-14 13:58:52 UTC
by Rick Wanner (Version: 3)
2 comment(s)

First sextortion, now bombstortion?

Today we have received a couple of reports of a new email based extortion message being delivered to email boxes.  In clumsy English, the message threatens that a bomb has been planted in your building, and if you don't pay $20000 in bitcoin, by the end of the day the bomb will be exploded.  This threat has caused a great deal of excitement, leading to lockdowns and evacuations in numerous cities in North America.

Sample email looks like:

Subject: Think twice

  There is the bomb (tronitrotoluene) in the building where your business is located. My recruited person constructed an explosive device under my direction. It has small dimensions and it is hidden very well, it is impossible to damage the supporting building structure by my bomb, but there will be many wounded people if it detonates.
My man is controlling the situation around the building. If any unnatural behavior, panic or emergency is noticed he will power the device.
I want to suggest you a deal. You send me $20'000 in Bitcoin and the bomb will not detonate, but do not try to fool me -I warrant you that I have to call off my man solely after 3 confirmations in blockchain network. 

My payment details (Bitcoin address)- 149oyt2DL52Jgykhg5vh7Jm1QpdpfuyVqd

You must pay me by the end of the workday. If the working day is over and people start leaving the building explosive will explode.
This is just a business, if I do not see the money and the bomb detonates, next time other commercial enterprises will send me a lot more, because this is not a single incident.
I wont enter this email. I check my Bitcoin wallet every 40 min and after seeing the payment I will order my mercenary to leave your district.

If an explosion occurred and the authorities see this letter:
We arent a terrorist society and do not assume responsibility for explosions in other places.


Other versions have shown the explosive as "Hexogen".

If anyone is willing to share email headers and/or BTC addresses from these messages I would appreciate it.  Please send to rwanner(at)  If you could also include your location country, that could be interesting information.  

So far the bitcoin addresses I have seen show no payments.

This campaign is receiving a lot of interest from mainstream press as well. 

CNN (1) (2)

Brian Krebs has also posted.

US-CERT/NCCIC - has provided guidance on what you should do if you receive one of the bomb extortion emails.


Note: Sorry, I misread the original message and stated the ransom was 20000 BTC, when in fact it is $20000 in BTC. 

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - - Twitter:namedeplume (Protected)

Keywords: extortion
2 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Phishing Attack Through Non-Delivery Notification
Dec 13th 2018
2 days ago by Xme (0 comments)

Yet Another DOSfuscation Sample
Dec 12th 2018
2 days ago by DidierStevens (0 comments)

Microsoft December 2018 Patch Tuesday
Dec 11th 2018
3 days ago by Richard (0 comments)

Arrest of Huawei CFO Inspires Advance Fee Scam
Dec 10th 2018
5 days ago by Johannes (0 comments)

Quickie: String Analysis is Still Useful
Dec 9th 2018
5 days ago by DidierStevens (0 comments)

Reader Malware Submission: MHT File Inside a ZIP File
Dec 8th 2018
6 days ago by DidierStevens (1 comment)

View All Diaries →

Latest Discussions

Securing AV/IoT best practice question
created Dec 10th 2018
4 days ago by Anonymous (0 replies)

Dedicated development team
created Dec 5th 2018
1 week ago by Anonymous (0 replies)

virtual server design
created Nov 28th 2018
2 weeks ago by Anonymous (0 replies)

Intern needs help
created Nov 23rd 2018
3 weeks ago by Anonymous (0 replies)

CVE Links Are Broken
created Nov 17th 2018
3 weeks ago by George (1 reply)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
1 year ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
11 months ago by Russ McRee (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
1 year ago by Renato (0 comments)

Maldoc with auto-updated link
Aug 17th 2017
1 year ago by Xme (2 comments)