Users around the world have been receiving bitcoin extortion emails for a long time, one of the most notorious being a “sextortion” threat to show a computer-eye view of you watching adult videos to the world. The latest threat is more alarming: the sender claims to have a bomb planted at the recipient’s business. Financial institutions in New York began receiving bomb threat emails demanding payment of $20,000 in Bitcoin in early December.
New York City Police warned via Twitter that they were monitoring multiple bomb threats on December 13 and reports soon came in of threats emailed to Philadelphia, Las Vegas, Huntsville, Alabama, and Columbus, Ohio.
The subject line of most of these bitcoin scam emails is: “I advise you not to call the police.” Some emails received in Canada came with a subject line of “Think Twice.”
One copy of the email, which has been sent to multiple recipients, reads:
“My man carried a bomb (Hexogen) into the building where your company is located. …. I can withdraw my mercenary if you pay. You pay me 20.000 $ in Bitcoin and the bomb will not explode, but don’t try to cheat – I warrant you that I will withdraw my mercenary only after 3 confirmations in blockchain network.”
KrebsOnSecurity describes the emails as extremely disruptive spam. The emails have been received by thousands of governmental organizations, businesses, educational, and health care institutions around the world.
Hexogen is a chemical term for RDX, the explosive component in the military plastic explosive C-4.
The National Cybersecurity and Communications Integration Center (NCCIC) released a bulletin about the emails on December 13. NCCIC recommends that if you receive the email:
Bitcoin bomb threat emails are an obvious extortion scam. No bombs have gone off in any location where the threats have been received.
The scammers aren’t completely unsophisticated, although the threats are poorly-worded and no hacking is involved. Each email security experts have examined uses a different Bitcoin address to send the demanded payment. This is not quite as convincing as the “sextortion” emails, which included a real password that targets had used at some point in the past.
Paul Bischoff, a privacy advocate with Comparitech.com, said: “even though bomb threats are scary, this is amateur scamming.”
After multiple evacuations, the FBI and local police have failed to find any explosive devices. Most law enforcement officials termed the threats “not credible.”
The likelihood of a bomb being present in any building receiving the threat is low.
Scams like the “sextortion” emails and the rash of Bitcoin bomb threats threaten to dull awareness to concrete security threats. They also demand attention and safety precautions even though they are nearly 100% certain to be fake.
Multiple threats received in Toronto brought police out around the city and shut down the King subway station. Schools and colleges in New York and several other U.S. cities shut down early after receiving the threats.
The Bitcoin bomb threat extortion likely yielded no cryptocurrency for the scammers. Costs in law enforcement investigative time, lost instructional time at closed schools, and lost business at commercial locations which were forced to shut down add up to far more than what the scammers could hope to obtain from recipients who don’t follow NCCIC’s instructions.
Unlike the “sextortion” scams which were alarming but personal, Bitcoin bomb threat emails to organizations have to be taken seriously enough to confirm that employees and customers — or students, faculty and hospital staff and patients — are safe from harm.
The identical, amateurish emails are sent to thousands of targets, so in one sense, there’s safety in numbers. It’s highly unlikely any email scammer could plant C-4 explosives in thousands of locations around the world.
Bitcoin email bomb threats are very unlikely to be serious, real bomb threats, yet no organization can afford to take a bomb threat lightly. As long as they continue, they will remain a costly and aggravating nuisance.