At the moment, we’re seeing all kinds of sextortion emails. The scam is cheap to run, easy to automate, and apparently profitable enough that cybercriminals keep using it. Some criminals put more effort into their messages than others.
Sextortion emails are messages claiming that scammers recorded you through your webcam while you watched pornography and now demand payment. They have been around for years and keep evolving with small changes in wording and fake technical detail.
What hasn’t changed is the basic truth: there is no malware, no recording, and no credible evidence behind the threat. Despite seeing countless versions of these emails over the years, I’ve yet to encounter one that was backed up by the evidence the sender claimed to have.
Below, we’ll walk through the email line by line, interrupting the scammer’s story with commentary that explains where the claims come from and why they don’t stand up to scrutiny.
“Hi there!
I regret to inform you about some sad news for you. Approximately a month or two ago I have succeeded to gain a total access to all your devices utilized for browsing internet. Moving forward, I have started observing your internet activities on continuous basis.”
The opening sets the tone. “Total access to all your devices” is an immediate red flag because it’s extremely unlikely and technically vague. Real attackers tend to be more specific about what they accessed (which device, which OS, which app), whereas scammers deliberately keep it broad so anyone can think it applies to them.
“Go ahead and take a look at the sequence of events provided below for your reference: Initially I bought an exclusive access from hackers to a long list of email accounts (in today’s world, that is really a common thing, which can arranged via internet). Evidently, it wasn’t hard for me to proceed with logging in your email account (<REDACTED_EMAIL>). “
Here the scammer claims to have bought access to a “long list of email accounts.” That’s a warped reference to real initial access brokers (IABs) and credential markets, where criminals trade stolen passwords or session tokens. In this email, however, no password, login time, or IP address is provided—just an email address they already knew. So, there’s no actual evidence of account takeover or compromise.
“Within the same week, I moved on with installing a Trojan virus in Operating Systems for all devices that you use to login to email. Frankly speaking, it wasn’t a challenging task for me at all (since you were kind enough to click some of the links in your inbox emails before). Yeah, geniuses are among us.”
The “Trojan virus” claim echoes what we’ve seen in other sextortion campaigns that name‑drop random malware families or exploits to sound believable. Again, there is no specific malware name, file path, or exploit described—just a generic story designed to scare anyone who’s ever clicked on a link.
“Because of this Trojan I am able to gain access to entire set of controllers in devices (e.g., your video camera, keyboard, microphone and others). As result, I effortlessly downloaded all data, as well as photos, web browsing history and other types of data to my servers. Moreover, I have access to all social networks accounts that you regularly use, including emails, including chat history, messengers, contacts list etc. My unique virus is incessantly refreshing its signatures (due to control by a driver), and hence remains undetected by any type of antiviruses.”
This section tries to sound technical by mentioning things like “controllers,” “drivers,” “refreshing signatures.” But none of this is how security products or malware actually work. Modern Trojans and spyware may use drivers, persistence mechanisms, or encryption, but claims like “any type of antiviruses” and “incessantly refreshing its signatures” are pure bluff aimed at non‑technical readers.
“Hence, I guess by now you can already see the reason why I always remained undetected until this very letter… “
This line tries to explain away a major inconsistency. If the attacker truly had full control and had been monitoring the victim for “a month or two,” why is the only evidence an email with no logs, screenshots, or sample video? If someone genuinely has compromising material, they will provide at least some proof, because that’s what forces victims to take it seriously.
“During the process of compilation of all the materials associated with you, I also noticed that you are a huge supporter and regular user of websites hosting nasty adult content. Turns out to be, you really love visiting porn websites, as well as watching exciting videos and enduring unforgettable pleasures. As a matter of fact, I was not able to withstand the temptation, but to record certain nasty solo action with you in main role, and later produced a few videos exposing your masturbation and cumming scenes.”
Here comes the classic sextortion hook: “I recorded you while you watched porn.” We’ve seen variations of this wording since at least 2018, often reused word-for-word across huge spam campaigns. The scam relies on shame and fear rather than technical credibility. The goal is to make victims panic into paying.
“If until now you don’t believe me, all I need is one-two mouse clicks to make all those videos with everyone you know, including your friends, colleagues, relatives and others. Moreover, I am able to upload all that video content online for everyone to see.”
Again, note the lack of proof. There’s no preview image, no sample video, no mention of a specific social media account—just a threat to send it to “everyone you know.” It’s deliberately vague. The same message needs to work for millions of recipients with completely different social circles.
“I sincerely think, you certainly would not wish such incidents to take place, in view of the lustful things demonstrated in your commonly watched videos, (you absolutely know what I mean by that) it will cause a huge adversity for you. There is still a solution to this matter, and here is what you need to do: You make a transaction of $1490 USD to my account (an equivalent in bitcoins, which recorded depending on the exchange rate at the date of funds transfer), hence upon receiving the transfer, I will immediately get rid of all those lustful videos without delay. After that we can make it look like there was nothing happening beforehand. Additionally, I can confirm that all the Trojan software is going to be disabled and erased from all devices that you use. You have nothing to worry about, because I keep my word at all times.”
The price point and payment method—just under $1,500, paid in Bitcoin—are typical for this kind of scam. Cryptocurrency is popular with scammers because payments are difficult to reverse and can be moved quickly. Despite its reputation, Bitcoin is not anonymous, and law enforcement has successfully traced many criminal transactions.
“That is indeed a beneficial bargain that comes with a relatively reduced price, taking into consideration that your profile and traffic were under close monitoring during a long time frame. If you are still unclear regarding how to buy and perform transactions with bitcoins – everything is available online. Below is my bitcoin wallet for your further reference: <REDACTED_ACCOUNT> All you have is 48 hours and the countdown begins once this email is opened (in other words 2 days).”
Short deadlines and countdown language are psychological pressure tactics, not technical realities. Scammers want you panicking, not thinking, because a calm reader is more likely to spot the holes in the story.
“The following list includes things you should remember and avoid doing:
> There’s no point to try replying my email (since this email and return address were created inside your inbox).
> There’s no point in calling police or any other types of security services either. Furthermore, don’t you dare sharing this info with any of your friends. If I discover that (taking into consideration my skills, it will be really simple, because I control all your systems and continuously monitor them) – your nasty clip will be shared with public straight away.
> There’s no point in looking for me too – it won’t result in any success. Transactions with cryptocurrency are completely anonymous and untraceable.
> There’s no point in reinstalling your OS on devices or trying to throw them away. That won’t solve the issue, since all clips with you as main character are already uploaded on remote servers.”
This section is essentially objection handling. The scammer anticipates common reactions—talking to someone, calling the police, reinstall your system—and tries to shut them down. The claim that the email address was “created inside your inbox” is particularly revealing. It’s an attempt to make a generic sender address look like evidence of compromise.
“Things that may be concerning you:
> That funds transfer won’t be delivered to me. Breathe out, I can track down everything right away, so once funds transfer is finished, I will know for sure, since I interminably track down all activities done by you (my Trojan virus controls all processes remotely, just as TeamViewer).”
Referencing TeamViewer, a legitimate remote‑access tool, is another tactic we’ve seen in recent sextortion emails.. It helps the scammer anchor their story to something users may have heard of or used at work. But there is still no evidence of remote access, and the claim that the malware “controls all processes” ignores how real operating systems and security controls work.
“> That your videos will be distributed, even though you have completed money transfer to my wallet. Trust me, it is worthless for me to still bother you after money transfer is successful. Moreover, if that was ever part of my plan, I would do make it happen way earlier! We are going to approach and deal with it in a clear manner! In conclusion, I’d like to recommend one more thing… after this you need to make certain you don’t get involved in similar kind of unpleasant events anymore! My recommendation – ensure all your passwords are replaced with new ones on a regular basis.”
Ending with security advice is a manipulative touch. By offering helpful recommendations, the scammer tries to appear credible and trustworthy rather than criminal. It doesn’t change the fact that the email contains no evidence that any of the claims are true.
How to react to sextortion emails
This example is unusually badly written, but many sextortion emails are far more polished and convincing. Regardless of how professional they look, they should be treated the same way: as unsubstantiated threats designed to scare victims into paying.
- First and foremost, never reply to emails of this kind. Responding confirms that someone is actively reading messages sent to that address and may encourage further scam attempts.
- Don’t let yourself get rushed into action or decisions. Scammers rely on the fact that you will not take the time to think this through and subsequently make mistakes. Ask for advice if you’re not sure.
- An attachment is not proof. Most sextortion emails contain no evidence at all, and cybercriminals often use attachments to spread malware or make their threats appear more convincing.
- If the email includes a password you have used before, change it immediately anywhere it’s still in use. Then enable two-factor authentication wherever possible. If you are having trouble organizing your passwords, consider using a password manager.
- Delete the message, report it as spam, and move on.
While these sextortion emails are almost always bluffs, if you’re concerned about webcam spying, Malwarebytes Webcam Monitoring can alert you when applications attempt to access your camera.