Dark web

Most cyberattacks in the crypto space involve hackers finding a way around the security of crypto exchange platforms and gaining access to users’ funds. Last year saw the entry of a new breed of cyber extortionists that seems to be gaining ground, so much so that they were able to steal over $300,000 in bitcoin (BTC) tokens in 2018.

According to a report by research and risk assessment firm Digital Shadows, this scam was committed through a wide array of “sextortion” blackmail strategies, which included the weaponization of emails.

The report, which was titled “A Tale of Epic Extortions: How Cybercriminals Monetize Our Online Exposure,” revealed that the scam started back in 2017. However, it only gained mainstream notoriety in the middle of 2018, after its list of victims continued to grow.

Digital Shadows was able to track over 792,000 targeted emails, where it discovered the loss of about $300,000 worth of bitcoin, which was stolen from over 3,000 bitcoin wallet addresses.

How They Operate

The goal of the cybercriminals is to convince the victim that their system had been hacked, allowing them to obtain valuable information that could expose their intimate activities.

To look convincing, the extortionists provide the victim with a known password, also known as “proof” of compromise — this is meant to offer evidence of the hack. Then they claim to have footage of the victim watching porn online, urging them to pay a ransom in bitcoin or risk exposure.

As with most email scams, the composition of the emails is often a problem. Per the report from Digital Shadows, the construction of the email could make the difference between one that gets past a spam filter and the one that doesn’t. Some sophisticated criminals go to great lengths to distribute emails at scale by using freshly minted outlook.com addresses.

“Across the emails we collected, there was a variation in the capabilities displayed by the attackers. Certain spammers showed little understanding of how to craft and distribute emails on scale, sending malformed emails that would never make it past a mail server or spam filter,” the report reads.

Based on the examination of their IP addresses, the firm noted that the scam wasn’t localized to a single region. Scammers operated across a wide array of locations, with the highest percentage of the emails being sent from a position in Vietnam (amounting to 8.5 percent of the total emails sent); 5.3 percent of the emails were sent from somewhere in Brazil and India came third with 4.7 percent of the total email count.

Targeting Married and “High Net Worth” Individuals

The cybercriminals targeted individuals with high net worth, as they believe these groups could easily pay the ransom without “dragging the process for too long.”

The scammers also targeted married individuals. The criminals often use marriage as extra leverage over the victims, providing an additional incentive to convince the victim to make the payment.

Online Crowdfunding Campaigns

The Dark Overlord (TDO), a prominent extortionist group which, after a brief break, returned in 2018 with a new modus operandi, was featured in the report.

The criminal group changed its model from extorting victims directly to selling “stolen data in batches to other users on criminal forums, and adopted an altogether more unusual tactic: online crowdfunding campaigns.” Using online crowdfunding campaigns, extortionist groups like TDO can raise the ransom the victim would have paid from members of the public desperate to unlock the troves of data in their possession.

The extortionist group reportedly started its career selling data on TheRealDeal, a forum on the dark web. When the forum folded, they went on a spree of extortions, including directly contacting their victims and threatening to expose their private information if their demands weren’t met.

TDO kept providing regular updates of their operations via their Twitter page. The group went back to the dark web in September 2018, recruiting extra accomplices and selling their acquired data on KickAss, another criminal forum. They set up The Dark Overlord Sales, a subsection of KickAss, to sell their data to other parties on the platform.

The cybercriminals victims included insurance provider Hiscox, which lost over 10GB of sensitive data related to the 9/11 bombings to the group. Their operation pattern shows the effectiveness of using crowdfunding platforms to gain more publicity online, while also generating sustainable revenue.