This is the most depressing thing I’ve written. I hope I am proven wrong
on all counts.
In the beginning
It started out fairly slow. A couple thousand people received the
same poorly-worded email, coming from email@example.com:
Hello. Your name is Bob Jones. You live in Cityville, ST. On these dates you accessed porn from these sites:
January 24: pornhub.com [list with titles, headline screenshots, exact times accessed]
January 25: pornhub.com [list with titles, headline screenshots, exact times accessed]
[continued over a period of a few weeks]
In exactly 14 days we will send this list to following people:
Jane Jones, your wife, email jjones@...
Martha Jones, your mother, email mjones@...
Bill Jones, your father, email bjones@...
Melinda Smith, your coworker, email msmith@...
[the list continued with coworkers, friends, family members]
To stop us from doing this, you must send us following Bitcoin payments.
0.012383 BTC to [wallet hash 1]
0.018344 BTC to [wallet hash 2]
0.018113 BTC to [wallet hash 3]
IT IS IMPORTANT THAT YOU SEND EXACT AMOUNTS LISTED TO ALL THREE WALLETS OR YOUR PAYMENT WILL NOT BE PROCESSED CORRECTLY.
Failure to do so will result in incriminating email going out.
There is no way to contact us. Any email sent back will not be read.
When reached, Google confirmed that firstname.lastname@example.org was only
accessed once from an IP address belonging to a webcam pointing at a
vacant construction lot in Romania, and then never logged into again.
All outgoing emails were purged from the “Sent Mail” folder, but the
company was forced to disable the account anyway and set up an
auto-responder stating that they were in no way associated with the
blackmailer (or blackmailers) and recommending that all affected parties
contact law enforcement in appropriate jurisdictions.
When the deadline came, the attacker delivered the threat as promised.
Messages came in from various throwaway email accounts:
Hello. Your name is Jane Jones. Your are wife of Bob Jones, who lives in Cityville, ST. On these days, Bob Jones accessed following porn sites: (same list with dates and times) This information is true and not fake. We have access to Bob Jones's router (D-Link AC750, serial number #####) and monitored web traffic. We email this to you because Bob Jones chose not to pay the small sum we asked in exchange for our silence.
The news was reported with a mix of horror and amusement. The FBI asked
all affected parties to contact them and were able to verify that
victims’ routers were indeed broken into, and a simple SSL-strip proxy
was installed to downgrade secure https traffic going out to popular
porn sites in order to get the exact videos accessed by victims. The
logs were sent to multiple IPs across the world, almost all belonging
to webcams and other “internet of things” devices that were since purged.
Pornhub got flack for disabling HSTS in their site headers and home
router manufacturers got well-deserved flack for their abysmal patching
and security practices. Tracing bitcoin transactions proved futile and
meaningless, as the attackers set up multiple wallets and even used some
accounts that appeared to belong to completely unrelated individuals
either as a way to create a false trail or because the whole setup was a
test of the larger things to come.
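The SSL-strip described above only works against a browser that has no HSTS policy cached for the site, which is why the disabled HSTS header mattered. This added example is mine, not code from the original post; hostnames and header values are constructed, and header names are assumed to be lowercased. It models the browser-side rule that decides whether a downgraded http:// link is upgraded back to https:// before it leaves the machine.

```python
import time

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains); None if invalid."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name.lower() == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class Browser:
    """Minimal model of a browser's HSTS cache and its http -> https upgrade rule."""
    def __init__(self, now=time.time):
        self.now = now    # injectable clock so expiry can be exercised
        self.cache = {}   # host -> (expiry time, includeSubDomains), learned over genuine HTTPS

    def receive_https_response(self, host, headers):
        """Learn a policy (or drop it, on max-age=0) from a genuine HTTPS response."""
        value = headers.get("strict-transport-security")    # header names assumed lowercased
        parsed = parse_hsts(value) if value else None
        if parsed is None:
            return    # header absent or invalid: nothing is remembered
        max_age, include_sub = parsed
        if max_age == 0:
            self.cache.pop(host, None)
        else:
            self.cache[host] = (self.now() + max_age, include_sub)

    def navigate(self, url):
        """Return the URL actually fetched: http:// is upgraded only when a cached policy covers the host."""
        scheme, _, rest = url.partition("://")
        host = rest.split("/", 1)[0]
        if scheme == "http" and self._covered(host):
            return "https://" + rest
        return url    # no policy: the stripped request goes out in the clear

    def _covered(self, host):
        labels = host.split(".")
        for i in range(len(labels)):    # exact host first, then each parent domain
            policy = self.cache.get(".".join(labels[i:]))
            if policy and policy[0] > self.now() and (i == 0 or policy[1]):
                return True
        return False
```

The model also shows the residual gap: a first visit made over plain http before any policy has been cached is not upgraded, which is what browser preload lists exist to close.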
The media loved it. Among the affected were several notable conservative
politicians and religious leaders, now gleefully paraded as hypocrites
despite their adamant denials.
Technology sites filled with content advising how to set up VPNs in
order to hide your “naughty traffic” and how to download and install the
Tor browser. Security professionals were quick to warn that, if not
done right, this can make the situation worse — and were right.
Services offering “free anonymous VPN” proliferated and the number of
domains with every possible way of writing “get-tor-browser.com” popped
up, all offering downloads of the popular privacy suite (with a few
The next attack came a few months later and was almost identical, word
for word. Victims were again asked to send 3 payments of bitcoins,
amounting to $100-$200 in total, or have their embarrassing
browsing habits sent to their family and coworkers. When not paid, the
attackers meticulously delivered the payload, but appeared to fulfil
their promise of keeping quiet when the blackmail request was accepted
and bitcoin payments sent.
In the payload emails they again disclosed how they got the data — in
order to add weight to their statements. There were still quite a few
routers there, but also a significant number of fake VPN services and
trojaned Tor browser downloads, which were now all collecting data for
the attackers while masquerading as privacy tools.
The quiet before the storm
The next few months were quiet — at least on the surface. Some
jurisdictions passed legislation that required ISPs to offer timely
security updates and free consultation for clients in order to improve
home networking security. Technology sites were now more cautious
mentioning “a VPN service” and were instead recommending several notable
leading providers, strongly advising against “free VPN.” Search engines
started offering “Assured site” markup for anyone searching for “Tor
browser” with heavy filtering of all other results. Porn sites started
providing “privacy bundles” that set up Tor browser when downloaded, and
the sites themselves displayed a warning when you browsed from a non-Tor
connection (with limited success, because with the increase of Tor
traffic without the increase in Tor exit nodes, streaming videos became
However, the security field was abuzz, because someone was paying a lot
of money buying account passwords and all sorts of stolen database
dumps. They also put up bounties — tens of dollars for security camera
footage; hundreds of dollars for ISP client databases and social site
logins; thousands for medical records and DMV vehicle registrations. The
vaunted Russian face tracking database sold for a staggering 6-figure
number paid to what was almost certainly an insider from the FSB. All
paid with Bitcoin, all impossible to trace, embargo, or seize.
Someone was receiving all this data, meticulously correlating it… and
biding their time.
The big con
Suddenly, extortion notices were everywhere. Men with embarrassing STDs
were asked if $200 was worth their coworkers knowing exactly when and
after what trip they got their genital herpes. Teenagers were asked if
their parents and classmates should know that they have logins on gay
dating sites. Pastors were asked if their church members should know how
frequently their car ends up parked two blocks away from a Thai massage
place in the neighbouring city. Muscovites faced the dilemma of paying
up or having their wives know exactly how often they are seen in the
company of a certain female coworker.
Then it got downright horrifying. Women were asked if $100 is worth not
sending their photos, names, addresses, and exact routes they take to
get to work from being sent to known sex offenders living in their area.
Parents were asked what price was too large to keep private the bath
time videos they took of their kids. Women who had abortions were
blackmailed to pay up or have all their Facebook friends know exactly
when and at what stage of pregnancy they chose to terminate.
And there was always the same request. Three fairly small cryptocoin
payments to three different wallets. Or else. There, of course, was no
guarantee that you were off the hook once you paid — or that you
wouldn’t have to pay again in the future.
The big too late
People were terrified, and this time nobody smugly proclaimed that they
needn’t worry because they didn’t have anything to hide — because it
was obvious that everyone did. In the age of mass surveillance and data
collection almost every aspect of people’s lives was recorded somewhere
and could be sold, bought, correlated using massive computational powers
of modern cloud computing — and then used for extortion and blackmail.
Data protection legislation imposing huge fines on companies that
collect citizens’ personal data was passed, but proved too late and too
ineffective. It was too late because so much of it was already in
malicious hands, and it was ineffective because a lot of this data came
from law enforcement and anti-terrorist mass surveillance databases
themselves — and because the bounties offered by blackmailers continued
to increase, multiplying insider leaks. The irony that the tools that
were supposed to make the populace safer were now used to terrorize
it was not lost on anyone.
Attempts to ban bitcoin were futile — not only because it was not
technically possible, but because by then so many powerful interests
were invested in it, including most narco cartels. Since the
blackmailers were careful never to cash out the payments, finding them
proved impossible, and by then it was also obvious that the number of
copycats was multiplying daily. There were massive blackmail campaigns
in China, Russia and other parts of the world where mass surveillance
went hand in hand with meticulous record keeping by the state.
Nobody knew what measures to take in order for it all to stop. However,
one thing was clear: entire generations of people lost the war for their
private lives, and there was no way to put that genie back into the
The only way to stop was to start from scratch.
Source From: fedoraplanet.org.
Original article title: Konstantin Ryabitsev: The coming cryptocoin blackmail market.