Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Sextortion - Follow the Money - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Sextortion - Follow the Money

With the latest Sextortion campaign still in the wild, a couple of us at the ISC decided to try to follow the money. Starting very early in the campaign, we started collecting  Bitcoin addresses from the sextortion emails and, using the blockchain.com API  Didier used in his diary, all it took was a simple script to be able to monitor payments coming into the BTC addresses associated with this campaign. Initially I was just interested in how long after the campaign began would the bad guys move the money out of these addresses, but it soon became obvious there was much more to be gleaned from this data.

Within a couple of days, we were able to cobble together nearly 20 BTC addresses to monitor. We were happy with that. Then contacts far and near bought into the project and it took on a life of its own to the point where are now monitoring 334 BTC Addresses that we are reasonably confident are part of this campaign.

What sort of things has the monitoring revealed?

~17% - percentage of the BTC addresses with payments. (56 out of 334)

123 – number of payments received on the 56 BTC addresses with payments.

~$235,000 USD - Total value of all the payments stored in the 56 BTC Addresses. The 334 addresses we are tracking are thought to be an insignificant subset of those involved in the campaign, so the overall value of this campaign will be many times higher.

9 – Most number of payments on one BTC address. While most BTC addresses have zero or one payment, there is definitely BTC address reuse in the campaign.

~$1900 USD – average payment.

~$700 USD – lowest payment. (I did see one campaign email requesting $600 USD)

~$4900 – highest payment

$0 – amount of money the bad guys have moved out of these addresses. (although there appears to be a double payment and a refund on one address)

This campaign started a little over two weeks ago (July 10th), and the bad guys still haven’t collected the money. Campaign emails, and payments appear to have slowed substantially, so maybe soon. With the amount of press this sextortion campaign has gotten I believe the bad guys will soon reach the point of diminishing returns.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Rick

286 Posts
ISC Handler
Is there anyway we can get a list of the bitcoin wallets? Could be a useful way to monitor and block these or other malicious emails.
Anonymous
Sure thing. I intentionally did not track the attribution. I would be willing to share the addresses I have with anyone who can make a legitimate case for use. Please email me at rwanner(at)isc.sans.edu.
Rick

286 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!