Updated Jan 23rd 2019 to include latest variations on this scam.
You may have arrived at this post because you received an email from a purported hacker who is demanding payment or else they will send compromising information—such as pictures sexual in nature—to all your friends and family. You’re searching for what to do in this frightening situation.
Don’t panic. Contrary to the claims in your email, you haven't been hacked (or at least, that's not what prompted that email). This is merely a new variation on an old scam which is popularly being called "sextortion." This is a type of online phishing that is targeting people around the world and preying off digital-age fears.
We’ll talk about a few steps to take to protect yourself, but the first and foremost piece of advice we have: do not pay the ransom.
We have pasted a few examples of these emails at the bottom of this post. The general gist is that a hacker claims to have compromised your computer and says they will release embarrassing information—such as images of you captured through your web camera or your pornographic browsing history—to your friends, family, and co-workers. The hacker promises to go away if you send them thousands of dollars, usually with bitcoin.
What makes the email especially alarming is that, to prove their authenticity, they begin the emails showing you a password you once used or currently use.
Again, this still doesn't mean you've been hacked. The scammers in this case likely matched up a database of emails and stolen passwords and sent this scam out to potentially millions of people, hoping that enough of them would be worried enough and pay out that the scam would become profitable.
EFF researched some of the bitcoin wallets being used by the scammers. Of the five wallets we looked at only one had received any bitcoin, in total about 0.5 bitcoin or $4,000 at the time of this writing. It’s hard to say how much the scammers have received in total at this point since they appear to be using different bitcoin addresses for each attack, but it’s clear that at least some people are already falling for this scam.
Here are some quick answers to the questions many people ask after receiving these emails.
They have my password! How did they get my password?
Unfortunately, in the modern age, data breaches are common and massive sets of passwords make their way to the criminal corners of the Internet. Scammers likely obtained such a list for the express purpose of including a kernel of truth in an otherwise boilerplate mass email.
If the password emailed to you is one that you still use, in any context whatsoever, STOP USING IT and change it NOW! And regardless of whether or not you still use that password it's always a good idea to use a password manager.
And of course, you should always change your password when you’re alerted that your information has been leaked in a breach. You can also use a service like Have I Been Pwned to check whether you have been part of one of the more well-known password dumps.
Should I respond to the email?
Absolutely not. With this type of scam, the perpetrator relies on the likelihood that a small number of people will respond out of a batch of potentially millions. Fundamentally this isn't that much different from the old Nigerian prince scam, just with a different hook. By default they expect most people will not even open the email, let alone read it. But once they get a response—and a conversation is initiated—they will likely move into a more advanced stage of the scam. It’s better to not respond at all.
So, I shouldn’t pay the ransom?
You should not pay the ransom. If you pay the ransom, you’re not only losing money but you’re encouraging the scammers to continue phishing other people. If you do pay, then the scammers may also use that as a pressure point to continue to blackmail you, knowing that you’re are susceptible.
What should I do instead?
As we said before, for sure stop using the password that the scammer used in the phishing email, and consider employing a password manager to keep your passwords strong and unique. Moving forward, you should make sure to enable two-factor authentication whenever that is an option on your online accounts. You can also check out our Surveillance Self-Defense guide for more tips on how to protect your security and privacy online.
One other thing to do to protect yourself is apply a cover over your computer’s camera. We offer some through our store, but a small strip of electrical tape will do.
We know this experience isn't fun, but it's also not the end of the world. Just ignore the scammers' empty threats and practice good password hygiene going forward!
I am aware one of your passphrase: password. Lets get directly to point. Not a single person has compensated me to investigate about you. You do not know me and you are probably wondering why you're getting this e mail?
actually, I actually installed a software on the adult vids (sex sites) site and you know what, you visited this web site to have fun (you know what I mean). When you were viewing videos, your internet browser initiated working as a Remote control Desktop that has a key logger which provided me access to your display screen and also web cam. Right after that, my software program collected your complete contacts from your Messenger, FB, and email . After that I created a double-screen video. 1st part shows the video you were viewing (you've got a good taste haha . . .), and 2nd part shows the view of your webcam, and its u.
You do have only 2 alternatives. We are going to understand these types of choices in aspects:
1st solution is to disregard this message. In this case, I am going to send your actual video clip to just about all of your contacts and thus you can easily imagine about the disgrace you feel. Not to mention should you be in a relationship, just how it will eventually affect?
Number two choice will be to pay me $3000. We will think of it as a donation. As a consequence, I most certainly will without delay eliminate your videotape. You will keep going on your daily life like this never happened and you will not hear back again from me.
You'll make the payment through Bitcoin (if you do not know this, search for "how to buy bitcoin" in Google).
I write yоu becаusе I put а mаlware оn the wеb раge with porn whiсh yоu hаve visitеd.
My virus grаbbed all your рersonal infо аnd turnеd on yоur сamеrа which сaрtured the рroсеss оf your onаnism. Just aftеr that the soft savеd yоur соntaсt list.
I will dеlеte thе сompromising video and infо if you pаy me 999 USD in bitcoin. This is address fоr рaymеnt : 1K2jNTLdbHEwaALQWKMeGoKLWD67Cb6q8B
I give yоu 30 hоurs aftеr you ореn my mеssаge for making the trаnsactiоn.
As sоon аs yоu reаd the mеssаgе I'll see it right awаy.
It is nоt necessary tо tell mе thаt you hаve sеnt money to me. This address is соnneсtеd tо yоu, my systеm will dеlete еverything automаtically aftеr trаnsfer соnfirmаtiоn.
If yоu nееd 48 h just reрly оn this letter with +.
Yоu сan visit thе pоlicе stаtion but nobоdy cаn hеlp yоu.
If you try to dеceive mе , I'll sеe it right аway !
I dont live in yоur соuntry. So they саn nоt track my lосаtiоn evеn for 9 months.
Goodbyе. Dоnt fоrget аbоut thе shame and tо ignore, Yоur life can be ruined.
If you were more vigilant while playing with yourself, I wouldn't worry you. I don't think that playing with yourself is very bad, but when all colleagues, relatives and friends get video record of it- it is obviously for u.
I adjusted virus on a porn web-site which you have visited. When the victim press on a play button, device begins recording the screen and all cameras on your device starts working.
мoreover, my program makes a dedicated desktop supplied with key logger function from your device , so I could get all contacts from ya e-mail, messengers and other social networks. I've chosen this e-mail cuz It's your working address, so u should read it.
Ì think that 730 usd is pretty enough for this little false. I made a split screen vid(records from screen (u have interesting tastes ) and camera ooooooh... its awful ᾷF)
Ŝo its your choice, if u want me to erase this сompromising evidence use my ƅitсȯin wᾷllеt aďdrеss- 1JEjgJzaWAYYXsyVvU2kTTgvR9ENCAGJ35
Ƴou have one day after opening my message, I put the special tracking pixel in it, so when you will open it I will know.If ya want me to share proofs with ya, reply on this message and I will send my creation to five contacts that I've got from ur contacts.
P.S... You can try to complain to cops, but I don't think that they can solve ur problem, the investigation will last for several months- I'm from Estonia - so I dgf LOL
I know, password, is your pass word. You may not know me and you're most likely wondering why you are getting this e mail, correct?
In fact, I placed a malware on the adult vids (porn material) web-site and you know what, you visited this website to have fun (you know what I mean). While you were watching video clips, your internet browser initiated operating as a RDP (Remote Desktop) that has a keylogger which provided me access to your screen and also webcam. Immediately after that, my software program gathered your entire contacts from your Messenger, social networks, as well as email.
What did I do?
I made a double-screen video. 1st part shows the video you were watching (you have a good taste lmao), and 2nd part shows the recording of your webcam.
exactly what should you do?
Well, I believe, $2900 is a fair price for our little secret. You'll make the payment by Bitcoin (if you don't know this, search "how to buy bitcoin" in Google).
BTC Address: 1MQNUSnquwPM9eQgs7KtjDcQZBfaW7iVge
(It is cAsE sensitive, so copy and paste it)
You have one day in order to make the payment. (I have a specific pixel in this email message, and at this moment I know that you have read through this email message). If I do not get the BitCoins, I will definitely send out your video recording to all of your contacts including family members, coworkers, etc. However, if I do get paid, I'll destroy the video immidiately. If you want to have evidence, reply with "Yes!" and I will certainly send out your video to your 14 contacts. This is the non-negotiable offer, so please don't waste my personal time and yours by responding to this email message.
There is nothing hidden that is not shown – you`ll see what I mean in just a moment.
Recently you were browsing a website that has pornographic content and yes, I saw you masturbating.
It is not my duty to teach you what to do or how to do it
I want you to pay me to keep this thing private
You`ll have to take care of this finance-related issue
Before you question yourself how did that happened, I`ll tell you
How did I get it?
While you were browsing porn sites email@example.com accidentally installed the malware I used to hack the website
So consequently I`ve hacked your computer
I`ve got all your names and passwords, access to your email, messengers and other things
If you want to know my secret, I used keylogger
When I got ahold of your desktop I immediately installed keylogger on your system
There was one other program involved, I’m not gonna tell you which but it gave me access to your webcam so I recorded all the things you did in front of the computer
Guess what I filmed? You masturbating
I am sure your friends and family will be delighted to see you do your dirty business, a long time will pass before you can get clean of all this mess
Okay, here is what you should do (if you do exactly what I ask, I will delete that embarrassing video and let you be)
You must send 650 us dollars To my bitcoin wallet 1FXTXQEWFaPukDUWcMYnbgae1FpPtYNyA6
That`s it, it`s all you have to do
Don`t waste your time replying to this email I`m not gonna read it but the system will notify me when you make the payment. After you read this message, you have 24 hours to make the payment. You can reply to this email in case you need more time (48 hours max) to collect the money.
I hope you understand everything I`ve mentioned. Sorry for my English, it isn’t particularly popular in my country
P.S. I`am expecting to see the money on my account within 24 hours
ATTN: <email address>
THIS IS NOT A JOKE - I AM DEAD SERIOUS!
The last time you visited a p0rnographic website with teens,
you downloaded and installed software I developed.
My program has turned on your camera and recorded
the process of your masturbation.
My software has also downloaded all your email contact lists
and a list of your friends on Facebook.
I have both the '<name>.mp4' with your masturbation
as well as a file with all your contacts on my hard drive.
You are very perverted!
If you want me to delete both the files and keep the secret,
you must send me Bitcoin payment. I give you 72 hours for payment.
If you don't know how to send Bitcoins, visit Google.
Send 2.000 USD to this Bitcoin address immediately:
(copy and paste)
1 BTC = 3,580 USD right now, so send exactly 0.564369 BTC
to the address provided above.
Do not try to cheat me!
As soon as you open this Email I will know you opened it.
This Bitcoin address is linked to you only,
so I will know if you sent the correct amount.
When you pay in full, I will remove the files and deactivate my program.
If you don't send the payment, I will send your masturbation video
to ALL YOUR FRIENDS AND ASSOCIATES from your contact list I hacked.
Here are the payment details again:
Send 0.564369 BTC to this Bitcoin address:
You саn visit police but nobody will help you. I know what I am doing.
I don't live in your country and I know how to stay anonymous.
Don't try to deceive me - I will know it immediately - my spy ware is
recording all the websites you visit and all keys you press.
If you do - I will send this ugly recording to everyone you know,
including your family.
Don't cheat me! Don't forget the shame and if you ignore this message your
life will be ruined.
I am waiting for your Bitcoin payment.
If you need more time to buy and send 0.564369 BTC,
open your notepad and write '48h plz'.
I will consider giving you another 48 hours before I release the vid.
Example 7 - Variant: Someone Has Hired Me to Throw Acid In Your Face
I have a website in the darkweb, I perform all kinds of services - basically it is destruction to property and injury. Basically, all but the shooting. Often main reasons are rejected love or competition at workplace. This week she contacted me and set me the mission of splashing acid in your face. Default practice - quickly, painfully, for life. Without too much fuss. I get receive only after finishing the order. Thus, now I propose you pay me to be inactive, I propose this to nearly all the victims. If I do not receive money from you, then my person will fulfill the mission. If you give me money, besides to my inactivity, I will provide you the info that I have about the client. After finishing the mission, I always lose the performer, so I have a selection, to get $2000 from you for info about the customer and my inaction, or to receive $ 4000 from the customer, but with a big probability of spending the performer.
I’m getting paid in Bitcoin, here’s my bitcoin address - 14PV6Scc7G8NzZnAhAK7rQApqFQWgD7fVm
The amount I indicated above.
36 hours to decide and pay.
Support Online Rights and Privacy Education