Sextortion botnet targets more than 200 million compromised accounts

News by Mark Mayne

Researchers have revealed a dedicated "sextortion" scam botnet targeting more than 200 million compromised accounts

A huge sextortion scam has raked in more than £1.25 million in Bitcoin payments for the perpetrators in 2019 alone, according to a team of researchers. 

Security professionals at Cofense discovered a "for rent" botnet in June 2019 used primarily to send sextortion emails to a 200 million strong database of compromised accounts. The campaign uses targeted data from past data breaches, such as usernames and passwords, to imply credibility to the sextortion threats being made.

"This botnet is not infecting computers to acquire new data sets – it is a true "spray and pray" attack reusing credentials culled from past data breaches to fuel legitimacy and panic through sextortion scams," said Aaron Higbee, Cofense co-founder and CTO. "If your email address is found in a target list used by the botnet, it’s highly likely you will receive a sextortion email – if you haven’t already. We felt it was critical to get this information out. We hope that victims receiving a sextortion email will find our resource centre so they can avoid the anxiety and stress of trying to figure out whether to pay a bitcoin ransom."

You can search the database for your company domain, enterprise or personal email address here. Because the information behind the targeted emails is based on old data breaches, it is essential to maintain good data hygiene practices, including using a password manager to create strong and unique passwords, enable two-factor authentication whenever possible, and cover up all computer cameras when not in use.

Jake Moore, cybersecurity specialist at ESET said that the power of the sextortion campaigns was in the targeting: "Long gone are the days of seeing generic large scale phishing emails entering our inboxes as we have become accustomed to them and see the warning signs from a distance. Powers of persuasion can be extremely effective in a well-crafted email and flip slow thinkers into fast thinkers, making them act in ways they would usually not. Such quick decisions and entering credentials can have extremely damaging effects on people and companies.


"It would have been quite a feat to have not had at least one of your passwords stolen in a breach, so it is widely advised to have separate passwords for each account."

Brian Higgins, security specialist, agreed that the attack was not particularly sophisticated, telling SC Media UK that: "This type of sextortion attack is fairly unsophisticated and often relies on the perpetrators having one piece of personally identifiable information, maybe a password, gained through stolen data from a previous breach. That piece of information adds credibility to what is essentially a phishing campaign. Given the vast numbers of compromised email addresses available to cyber-criminals, this is simply an opportunistic ‘spray and pray’ method of making some easy money."

Cofense Labs believes that sextortion attacks are rocketing in popularity, with the company claiming to have analysed more than seven million email addresses impacted by sextortion in the first half of 2019 alone. 

That claim is backed up by a separate analysis by SANS ISC handler Rick Wanner, who tracked a series of known Bitcoin addresses used to collect sextortion revenue, ending up with an astonishing figure of potentially US$ 69 billion (£57 billion). The true figure could be even higher, as Wanner pointed out: "There are very likely many more consolidation addresses in use," he clarified in his Sextortion: Follow the Money - The Final Chapter report. 

In a previous installment of the Follow the Money report, Wanner detailed more than "US$ 40 million (£33 million) of payments being sent into Bitcoin mixers to have the payments laundered for extraction, and that was only a small amount of the value that was in the consolidation addresses."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews