New-and-improved sextortion scam emails are being used to target people in the US and Canada, employing a more personalized and invasive approach than ever seen before.
Many have received that email before: the one where the scammer claims to have footage of you in "compromising situations" and tells you to pay up to avoid being exposed. Not everyone, however, has received such an email with images of their actual home. Creepy, to say the least. These emails contain highly personalized information aimed at manipulating targets into believing that their privacy has been breached, which is good old social engineering. The attackers demand payment to avoid the release of "humiliating" videos, a tactic commonly referred to as sextortion.

How does this scam work?

Targets receive an email with a PDF document attached. The document contains automatically generated text that includes personal details such as the target's name, phone number, or home address. This information is most likely taken from publicly available dumps of personal data that circulate after large-scale data breaches. In a new twist, some PDFs include an image of the target's house taken from Google Maps Street View, to make the threat more credible and put undue pressure on the person being targeted.

The attacker's claims

In the document, the attacker asserts that they have gained access to the target's device using the notorious Pegasus spyware and a remote desktop protocol. However, Pegasus is typically deployed against a small number of high-profile targets by government intelligence agencies; its use in a mass-mailed scam is almost certainly fabricated, intended to frighten targets into compliance. All of these name-drops serve to bolster the attacker's claims and convince the target that the attacker has full control over their device. Often, they threaten to release compromising videos allegedly recorded while the target was watching NSFW content. This is purely a scare tactic: there is no evidence to support any of these claims, and the personal details in the PDF are the kind found in breach data, not proof of access to the device.

The ransom demand

The attacker demands a ransom payment in Bitcoin (BTC), with the wallet address and a QR code conveniently included in the PDF document to facilitate payment. Our experts are currently tracking more than 15,000 unique BTC wallets associated with this campaign. This is likely just the tip of the iceberg, as there could be millions of wallets involved in this extensive operation. So far, only two of the monitored wallets have recorded transactions: one received $1,532 and the other $2,142. Both payments were forwarded to a single attacker wallet, and both occurred on the same day, September 23, 2024. This primary attacker wallet consolidates 104 inputs, which suggests that many more payments have been made to different wallets, all ultimately converging here. The total value in this wallet is approximately $128,114 (2.02 BTC), which highlights the widespread nature of the scam. Given that less than $4,000 was observed across the 15,000 monitored wallets while this consolidation wallet has accumulated over $128,000, the true scale of the scam is much larger than what has been observed directly, and many other wallets and transactions are yet to be uncovered.

How to protect yourself

These emails are classic examples of phishing and extortion tactics. If you receive such a message:

Prevention is key

Sextortion scams often rely on personal information gathered from data breaches. To minimize the risk of being targeted:

Always question suspicious emails

This new sextortion campaign represents a disturbing evolution in social engineering tactics, leveraging publicly available data to create highly convincing and personalized threats. Awareness and vigilance are critical in combating these scams. Remember, no matter how intimidating these messages may seem, they are based on lies and deception. Stay informed, stay safe and protect your digital life.

Indicators of Compromise (IoC)
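The ransom address printed in the PDF is the most useful indicator the scam gives away, but a watchlist built from OCR or copy-and-paste of thousands of PDFs will contain typos and garbage. The script below is an added example, not code from the original post: it pulls candidate Bitcoin addresses out of already-extracted PDF text (assume something like pdftotext produced the string) and keeps only those whose checksum verifies, using Base58Check for legacy "1..."/"3..." addresses and the BIP173/BIP350 bech32 checksum for "bc1..." addresses. The sample text, the valid addresses (the Bitcoin genesis address and a BIP173 test vector) and the deliberately corrupted one are constructed for the example and are not indicators from the campaign.

```python
import hashlib
import re

# Constructed stand-in for text extracted from one of the scam PDFs (not a real sample).
# The first two addresses are publicly known test addresses; the third has its last
# character changed so its checksum fails, the fourth is a bech32 vector with one bad char.
SAMPLE_PDF_TEXT = """
I have been watching you through your device using Pegasus ...
Send 0.0242 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours.
Alternative wallet: bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4
(OCR noise) 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb
(OCR noise) bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5
"""

# Candidate patterns: Base58 body after a leading 1 or 3, or a bech32 string after bc1.
ADDRESS_RE = re.compile(
    r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|(?:bc1|BC1)[0-9A-Za-z]{6,87})\b"
)

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def base58check_valid(addr):
    """True if addr decodes to 25 bytes whose last 4 equal the double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    leading_zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def bech32_polymod(values):
    """BIP173 checksum polynomial over 5-bit values."""
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_valid(addr):
    """True if addr is a mainnet bech32 (witness v0) or bech32m (v1+) address with a good checksum."""
    if addr != addr.lower() and addr != addr.upper():  # mixed case is forbidden by BIP173
        return False
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return False
    hrp, data = addr[:pos], addr[pos + 1:]
    if hrp != "bc" or any(c not in BECH32_CHARSET for c in data):
        return False
    values = [BECH32_CHARSET.index(c) for c in data]
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    expected = 1 if values[0] == 0 else 0x2BC830A3  # bech32 for v0, bech32m for v1+
    return bech32_polymod(hrp_expanded + values) == expected


def extract_btc_iocs(text):
    """Return (valid_addresses, rejected_candidates) found in extracted PDF text."""
    valid, rejected = [], []
    for cand in ADDRESS_RE.findall(text):
        ok = bech32_valid(cand) if cand.lower().startswith("bc1") else base58check_valid(cand)
        (valid if ok else rejected).append(cand)
    return valid, rejected


if __name__ == "__main__":
    good, bad = extract_btc_iocs(SAMPLE_PDF_TEXT)
    print("watchlist:", good)
    print("rejected :", bad)
```

Only checksum-valid addresses go onto the watchlist; a candidate that fails is far more likely to be an extraction error than a real wallet, and feeding it to a block explorer just wastes API quota.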
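The ransom-demand section above rests on two on-chain observations: payments to the monitored wallets were swept into one consolidation wallet, and that wallet's 104 inputs imply many ransom addresses nobody is watching yet. The following is an added example (not the original post's tooling) of how to make both observations from transaction records: it counts the fan-in and total inflow of a consolidation wallet, follows spends out of the watchlist to find where they converge, and applies the common-input-ownership heuristic (addresses spent together in one transaction are treated as one owner) to surface unmonitored ransom addresses. The transaction list and every address in it are constructed placeholders, shaped like what a block-explorer API returns, not data from the campaign.

```python
from collections import defaultdict

# Constructed watchlist of ransom addresses, as pulled from the PDFs (placeholders).
MONITORED = {"ransom_addr_A", "ransom_addr_B", "ransom_addr_C"}

# Constructed transactions: each has inputs (spending addresses) and outputs (address, BTC).
TXS = [
    {"txid": "t1", "inputs": ["victim_1"], "outputs": [("ransom_addr_A", 0.0242)]},
    {"txid": "t2", "inputs": ["victim_2"], "outputs": [("ransom_addr_B", 0.0338)]},
    # The attacker sweeps A and B together with two addresses we were not watching.
    {"txid": "t3", "inputs": ["ransom_addr_A", "ransom_addr_B", "unseen_D", "unseen_E"],
     "outputs": [("consolidation_wallet", 0.1180)]},
    # A second sweep with no link to the watchlist other than its destination.
    {"txid": "t4", "inputs": ["unseen_F", "unseen_G"], "outputs": [("consolidation_wallet", 0.5000)]},
    # Unrelated traffic, to show that clusters never merge through outputs.
    {"txid": "t5", "inputs": ["someone_else"], "outputs": [("merchant", 0.0100)]},
]


def received(txs, addr):
    """Total BTC paid to addr and the number of inputs behind those payments (fan-in)."""
    total, fan_in = 0.0, 0
    for tx in txs:
        paid = sum(v for a, v in tx["outputs"] if a == addr)
        if paid:
            total += paid
            fan_in += len(tx["inputs"])
    return round(total, 8), fan_in


def find_consolidation_wallets(txs, monitored):
    """Map each address that receives a spend from a monitored address to the monitored sources."""
    dests = defaultdict(set)
    for tx in txs:
        sources = monitored.intersection(tx["inputs"])
        if sources:
            for addr, _ in tx["outputs"]:
                dests[addr] |= sources
    return dict(dests)


class UnionFind:
    """Minimal disjoint-set structure for address clustering."""

    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def common_input_clusters(txs):
    """Cluster addresses under the heuristic that co-spent inputs share an owner."""
    uf = UnionFind()
    for tx in txs:
        ins = tx["inputs"]
        uf.find(ins[0])
        for a in ins[1:]:
            uf.union(ins[0], a)
    clusters = defaultdict(set)
    for a in list(uf.parent):
        clusters[uf.find(a)].add(a)
    return [frozenset(c) for c in clusters.values()]


def expand_watchlist(txs, monitored):
    """Addresses not on the watchlist that were co-spent with a monitored address."""
    new = set()
    for cluster in common_input_clusters(txs):
        if cluster & monitored:
            new |= cluster - monitored
    return new


if __name__ == "__main__":
    print("consolidation wallets:", find_consolidation_wallets(TXS, MONITORED))
    print("inflow, fan-in        :", received(TXS, "consolidation_wallet"))
    print("newly attributed      :", sorted(expand_watchlist(TXS, MONITORED)))
```

With the constructed data the consolidation wallet shows six inputs and 0.618 BTC while the watchlist only ever saw 0.058 BTC, the same shape as the 104-input, $128,114 wallet versus under $4,000 across 15,000 monitored addresses. The heuristic attributes unseen_D and unseen_E to the attacker because they were swept together with two watched addresses; unseen_F and unseen_G only share a destination, which is not ownership evidence, so they stay unattributed until they are co-spent with a known address.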