Staying Safe Online – Recognizing a Bitcoin Scam Email

What does this have to do with insurance… not a lot, unless you’re a business worried about Cyber Liability Coverage or you’re one of our clients that we really hope to educate on keeping you safe. With that said, what I bring to you today is a spear phishing scam that I first encountered about a year ago, but we’re seeing more of this scheme in the last few weeks. I’m writing this as a guide to our internal staff, our clients and partners and finally, you, the random internet reader that might have found this in a google search or shared on social media.

So, here’s the email (redacted information is contained in asterisks):

Subject: **my old username & password**

Btw, I ca‌me‌ to‌ kno‌w the‌ sne‌a‌ky se‌cre‌ts. I wi‌ll no‌t re‌ve‌a‌l yo‌u‌ ju‌st wha‌t e‌xa‌ctly I ca‌me‌ to‌ kno‌w, I’ve‌ go‌t a‌ll the‌ i‌nfo‌ wi‌th me‌. To‌ sho‌w my po‌i‌nt, si‌mply le‌t myse‌lf te‌ll yo‌u‌ tha‌t o‌ne‌ o‌f yo‌u‌r se‌cu‌ri‌ty pa‌sswo‌rds i‌s **old password**. Pa‌y me‌ $‌1000 vi‌a‌ *Bi‌tco‌i‌n* to‌ the‌ a‌ddre‌ss 1Q7qYw8n1hMhDzv7PDP4KgCGh8Lg7esSXz i‌n the‌ ne‌xt 44 ho‌u‌rs. Le‌t me‌ ma‌ke‌ o‌ne‌ thi‌ng cle‌a‌r, tha‌t I wi‌ll wre‌ck yo‌u‌r li‌fe‌ e‌nti‌re‌ly i‌f I do‌ no‌t ge‌t the‌ pa‌yme‌nt. As lo‌ng a‌s I do‌ ge‌t the‌ pa‌yme‌nt, I’m go‌i‌ng to‌ re‌mo‌ve‌ e‌a‌ch de‌ta‌i‌ls I ha‌ve‌ wi‌th me‌, a‌nd i‌’ll go‌ a‌wa‌y a‌nd yo‌u‌ wi‌ll ne‌ve‌r he‌a‌r a‌nythi‌ng fro‌m me‌. Thi‌s i‌s a‌ctu‌a‌lly the‌ fi‌rst a‌nd a‌lso‌ la‌st e‌-ma‌i‌l fro‌m me‌ a‌s we‌ll a‌s the‌ o‌ffe‌r ca‌n no‌t be‌ ne‌go‌ti‌a‌te‌d, the‌re‌fo‌re‌ do‌ no‌t a‌nswe‌r to‌ thi‌s e‌-ma‌i‌l.

To review, here’s what a spear phishing email actually is:

  • Email containing loosely or highly targeted information that some readers may find relevant to their life or family. Other readers who find the email baseless will discard without any thought. An example of this would be a notice from Bank of America. Had I been a client of Bank of America, this might look real, but if I bank at Chase, I would immediately know that this Bank of America email is a scam.
  • A nefarious call to action to benefit an unknown or compromised third party. This may be a hidden call to action, such as click here to login into your itunes or bank account, not realizing that the entire website is a facade to harvest usernames and passwords to real websites.

What our friend here is doing:

  • They assume I have secrets I don’t want out, little do they know, I air everything out on social media anyway. Other than that, I’m an open book but you could see how this could scare someone that is doing something that they might want hidden from the public. Also, notice how vague it is. This could be targeted to someone that took some paperclips home last week from the office supply room to someone that did something REALLY bad and has been hiding it for years. I’ve even seen emails stating that they turned on a webcam on a laptop or mobile device and “saw the websites you visit.” The motive across all of these emails is to incite fear and credibility.
  • The call to action in this email is to pay the sender in bitcoin, something that is difficult, albeit not impossible, to trace. Chances are, this email is originating overseas anyway so it’s not like our laws are going to apply to them anyway. In fact we can check this by tracing the IP address of the email in the email properties. This particular email came from a US-based server ( but the user could be located anywhere in the world. The account may even be a real account to a real US-based user but their account may have been compromised by a third-party who is using it for criminal reasons.
  • Asks for no future contact or replies. In fact, their email has been disabled by the email provider.

To me, this email in question is equipped with something that no other email phishing attempt has. My username and password, albeit a password I haven’t used in 10 years, in the subject of the email. This checks a box in my mind that “Hey, they’ve got something here that I recognize” and it IMMEDIATELY leads me to believe that this email could be credible. Had I not practiced good password hygiene and this was still my current password, I would be pretty paranoid right now.

So how did they get my information?

The dark web.

When websites are hacked, the typical purpose of the hack is to harvest hundreds of thousands of emails, usernames, passwords, personally identifiable information, payment information, and anything that they can get their hands on that may be worth something on the dark web. In some cases, this sensitive data is encrypted or passwords could be salted, meaning they’re not clearly readable in plain text. Every once in a while, a hacker will uncover something with a treasure-trove of user information in plain text. That information is sold on the dark web through a website that looks much like an untraceable eBay and paid for with an untraceable cryptocurrency like Ripple. There’s even a technical support number to call with a helpdesk if you have problems buying your bundle of hacked user data.

I know for a fact my information has been sold on the dark web. My university was hacked years after I graduated, thanks, I appreciate that. Target was hacked. LinkedIn was hacked. What’s interesting here is the password referenced in the email was one that I specifically used for LinkedIn. I know this because years ago I made it a standard practice to put the initials of the website the password was for in the password and this password contains the characters “LI” indicating this was a password I made for the social media website. This leads me to believe that someone sold my information on the dark web and our author friend here decided to do something cleaver to try to extort money from me and probably thousands of other users.

Going a bit further…

Since bitcoin is built on blockchain, bitcoin wallets are publicly searchable for transactions and balances. Think of it as a way of seeing everyone’s bank balance and register but not knowing who owns which account or who they paid or received money from. This user could be dynamically creating bitcoin wallet addresses, that’s the way I would have done it, with each email sent or they could be using the same wallet address for each attempt. I can tell you so far, no one has paid the extortion amount to this bitcoin wallet as of this writing.

Other emails I’ve seen were much more successful. The email I previously mentioned that stated they had seen what “naughty websites” the recipient had visited, activated the device’s webcam with a threat to publish their viewing habits and webcam all over social media had over 14,000 USD in bitcoin on that bitcoin wallet address in 24 hours. It turns out, crime does pay.

So, what should we be doing to combat this and other online threats? Good password hygiene.

  • Routinely change your password, at minimum, every 60 days
  • Never use the same password twice or the exact same password for multiple systems
  • Use the trick above about putting the name of the site in your password so you can recognized the source of any compromised passwords: FB****** (facebook), LI****** (linkedin), WK****** (for work), GM****** (gmail)
  • Do not keep your passwords in an excel sheet that is not encrypted or protected or stored in a location that is not encrypted or protected
  • Do not physically print out a list of passwords
  • Do use password apps such as Lastpass or Keepass
  • Be suspicious of any email sent from someone you don’t know and be even more suspicious of email from people you do know encouraging you to click a link
  • Hover over any outbound links to recognize the website URL you would visit if you did click the link
  • Enable two-factor authentication on any device, website, or service that allows it

If you found this helpful, do me a favor and throw us some love with a like on our Facebook Page. We are THIS (holds up fingers really close together) to 500 likes. That shows me that people are seeing this information and are finding it useful. Until then, stay safe out there!

Related Posts