Modus Operandi of CRYPTO-EXTORTION — A Detailed Case Study

Rakesh Krishnan
Mar 1, 2020 · 7 min read

We have seen many forms of crypto-extortion: ransomware, blackmail emails, sextortion emails and so on. All of these methods give criminals a very high success rate, which is why so many of them adopt extortion as a livelihood.

All they need to do is sit back, send a well-crafted email to a large list of addresses (which can easily be gathered from Pastebin, Scribd and many other sources) and wait for the money to hit their crypto-wallets.


The most shocking fact to note here is that victims pay the ransom without ever establishing whether the criminals actually possess any of their data. Hence attackers get on this gravy train and often become millionaires.

Let’s discuss a real-world scenario in which many victims fell for a blackmail email demanding Bitcoin, received in their inbox.

CASE STUDY

SPAM Email received on Personal Accounts

This elaborate email (padded with technical-sounding detail) from the spammer makes victims fall prey easily, ultimately losing their digital currency.

Let’s dive into the technicalities.

PART 1 — SINGLE PUBLIC BITCOIN ADDRESS FOR MASS SPAMMING

The Bitcoin address used by the spammer is: 18Jro9LNFqBQarcc63WYGf3w7PdDAiwXpk

A simple search shows that a whopping $12,400+ had hit this single wallet address at the time of writing (ATTOW).

Seriously???

Total Amount received by the Attacker for this address

Since this email got a lot of traction, with many victims reporting it on social media platforms and complaint forums, the Bitcoin address has also been blacklisted in the Bitcoin Abuse database (which helps newcomers check whether an address has already been flagged as a scam).

While checking the existence of this Bitcoin address, the following was found:

Type of Bitcoin Address: P2PKH

(Pay-to-PubKey-Hash is the original address format used in Bitcoin. These addresses always start with “1” and they are not SegWit compatible.)

Each Transaction Amount with Timeline

Looking at the transaction history, it is evident that this Bitcoin address first appears on 24th February, 2020.

BTC Address Timeline

As we can see, although there are 16 incoming transactions (paid by victims so far), the spammer had only transferred $3,867 on to another wallet address.

Wait, to which address?

A batch of Workers transfers Victim funds to Master Address

It turns out that all of these addresses transferred the victims’ funds to 3NbeS1bAV9Kh3arFNBtVfmKgE5zZSaHHXX on 26th February, 2020, and 18Jro9LNFqBQarcc63WYGf3w7PdDAiwXpk was one of this batch of 14.

Wait! A batch of 14 workers?

1BcpAGfamAy81enJtHahKedaWx1yATTXT7 (Scam Alert: 14)
1CK7GVufSxzVbsc8HgxgeAZRKuvmAFAKTZ (Scam Alert: 4)
1LM5VLTv7p57zwwABoveAw4hPSVMcL97YX (Scam Alert: 4)
1EMQ94wN7SDJDaws85V75VqWKzqDsvVCkR (Scam Alert: 16)
1K8DQbAupiGg95FdU9YVPoM3ANSHZ9EGgT (Scam Alert: 10)
13EB15QkdBpvakv1MZdG1cLdDhy7sP5heJ (Scam Alert: 7)
1BzPiae7dMLej6Svyb18dXejY5pP17cAxj (Scam Alert: 7)
1Fnjx9acfxzh9jaL21nsxbx2rrMHydtpLd (Scam Alert: 5)
1PvKmMQA5JoWJAye57P6gw4PwzLDxtcBsQ (Scam Alert: 0) — 51.68.36.57
1EMQ94wN7SDJDaws85V75VqWKzqDsvVCkR (Scam Alert: 16) — 51.68.36.57
1GZ35FmEHDD1dvrHAnUUwEv5G4X3WFBi5r (Scam Alert: 1) — 51.68.36.57
18Jro9LNFqBQarcc63WYGf3w7PdDAiwXpk (Scam Alert: 26)
1GXDt3MAyT5D7Sjwa9MShLCDdPKx9mpDNZ (Scam Alert: 11)
1GgPWdeYxnrCRzs4LgHrr2TdN2qgRWNqFw (Scam Alert: 0) — 51.68.36.57

At this point it became clear that this is a sustained, coordinated extortion campaign run by a group of people (mostly targeting Europe).


It is notable that each of the addresses listed above made a single transaction to their master (3NbeS1bAV9Kh3arFNBtVfmKgE5zZSaHHXX). Moreover, each of these Bitcoin addresses targets a different country, such as the Netherlands, Sweden, Russia, Romania or Croatia, as the language of the extortion mail changes with each listed Bitcoin address.

The IP address 51.68.36.57 is the last node recorded as relaying an outgoing transaction from these addresses. Hence it may be the spammer’s IP, a relay on the path, or a C2 server hosted by the spammer (the relaying IP shown by a block explorer is only the first peer from which that explorer saw the transaction, so on its own it is weak evidence). Several more IP addresses appear below; they fall into the same category of relay nodes.

PART 2 — WHO DOES THE MASTER CONTACT?

Bitcoin Address: 3NbeS1bAV9Kh3arFNBtVfmKgE5zZSaHHXX
Type of Bitcoin Address: P2SH
Total Received Amount: $65,169.76
IP: 192.99.13.87 (Montreal, Canada)
Scam Alert: None

(P2SH stands for Pay-to-Script-Hash: the address commits to a redeem script rather than a single public key, which is how multisignature wallets are built. In a multisignature wallet more than 1 key is required to authorize a transaction (M-of-N), for example 2 of 4 authorized signatures, meaning at least 2 signatures must be verified to complete the transaction. All P2SH addresses start with “3”.)
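The “starts with 1 means P2PKH, starts with 3 means P2SH” rule from Part 1 and this section follows from the version byte inside the address. The following script is an added example, not code from the original article: it Base58Check-decodes a legacy address, verifies the 4-byte double-SHA-256 checksum (which also catches a mistyped or altered address before you waste time on an explorer lookup) and names the script type from the version byte. The `b58check_encode` helper exists only to build a known-good address for checking the decoder; the addresses in the `__main__` block are the worker and master addresses quoted in the article.

```python
# Added example (not from the original article): Base58Check-decode a legacy
# Bitcoin address and read its script type off the version byte. Version 0x00
# (P2PKH) always encodes with a leading "1" and version 0x05 (P2SH) with a
# leading "3", which is the rule the article relies on.
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
VERSION_NAMES = {0x00: "P2PKH", 0x05: "P2SH"}


def _hash256(data: bytes) -> bytes:
    """Double SHA-256; its first 4 bytes are the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(version: int, hash160: bytes) -> str:
    """Build an address from a version byte and a 20-byte hash (used here to
    produce a known-good test vector; not needed to analyse real addresses)."""
    raw = bytes([version]) + hash160
    raw += _hash256(raw)[:4]
    n = int.from_bytes(raw, "big")
    digits = ""
    while n > 0:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    # Every leading zero byte becomes a leading "1" (the zero digit of base58).
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def classify_address(addr: str) -> dict:
    """Return {"type", "checksum_ok", "hash160"} for a legacy address.
    Bad characters or a wrong decoded length give type "invalid"."""
    invalid = {"type": "invalid", "checksum_ok": False, "hash160": None}
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:          # "0", "O", "I" and "l" are not base58 characters
            return invalid
        n = n * 58 + idx
    leading_ones = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * leading_ones + body
    if len(raw) != 25:       # 1 version byte + 20-byte hash160 + 4-byte checksum
        return invalid
    version, hash160, checksum = raw[0], raw[1:21], raw[21:]
    return {
        "type": VERSION_NAMES.get(version, "unknown(0x%02x)" % version),
        "checksum_ok": _hash256(raw[:21])[:4] == checksum,
        "hash160": hash160,
    }


if __name__ == "__main__":
    # The worker and master addresses quoted in the article.
    for a in ("18Jro9LNFqBQarcc63WYGf3w7PdDAiwXpk",
              "3NbeS1bAV9Kh3arFNBtVfmKgE5zZSaHHXX"):
        r = classify_address(a)
        print(a, r["type"], "checksum ok" if r["checksum_ok"] else "CHECKSUM FAILED")
```

Note that the type comes from the version byte alone; a P2SH address says nothing about what the redeem script is (multisig, a wrapped SegWit output or something else), which is why the multisignature wallet suggested in this section is an inference rather than something the address proves.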

Yeah, Criminals are working in harmony.

Transaction History of “Master”

As the master is using a multisignature-enabled Bitcoin address, there is a high probability that s(he) is using a wallet with multisignature support, such as Armory or Electrum.

Multisig is a way to share control of the bitcoins among multiple people. In simple terms, it’s a joint account.

On analyzing the master’s Bitcoin address, it is notable that its first-seen and last-seen dates fall on the same day — 26th February, 2020.

Timeline of 3NbeS1bAV9Kh3arFNBtVfmKgE5zZSaHHXX

Upon receiving the victims’ funds from the batch of 14 workers, the master moved the entire amount on to 2 other addresses within 3 hours on the same day.

PART 3 — FOLLOW THE RABBIT

The master transferred the entire funds (6.96987089 BTC) to the following addresses:

39tMpWZW8HeabT94TDfNwPFWnBEJw7xhV9 (sent 5.14083616 BTC)
3DUPNK4wUGGtJbziGWWSpAsodz7QwRiEEE (sent 1.82899734 BTC)

Master Transferred to 2 BTC Addresses

On Analyzing 39tMpWZW8HeabT94TDfNwPFWnBEJw7xhV9

Bitcoin Address: 39tMpWZW8HeabT94TDfNwPFWnBEJw7xhV9
Type of Bitcoin Address: P2SH
Total Received Amount: $ 48,067.90
IP: 5.8.18.29 (Tighina, Moldova)
Scam Alert: None

Just like the master, this address also first appeared on 26th February, and its last-appeared date is the same.

39tMpWZW8HeabT94TDfNwPFWnBEJw7xhV9 in turn distributed to 2 other addresses, namely:

3GNdPUcq3ajhzKDmKxKaQdd2oMQwcU77R4 (2.94279613 BTC) — Unspent
3FBk7oW9MhjHErfsWAh6rx233P8RmZ7A1q (2.19799924 BTC)

As the funds on 3GNdPUcq3ajhzKDmKxKaQdd2oMQwcU77R4 are unspent, we do not follow that branch further, to avoid complexity.

Moving on with 3FBk7oW9MhjHErfsWAh6rx233P8RmZ7A1q, it again distributes funds to the following 2 addresses:

3BS7qMLMwenBEQqMM2QXRPShy24jMLkPgT (0.00956110 BTC) — Unspent
3DmD6ucjoPHpXBcMhfSGLUyqxaHg1JyuEB (0.40751826 BTC) — Unspent

All of these addresses appeared on the same day, 26th February, 2020, which underlines the fact that the mass spam campaign was active on this day, even though the spamming started on 24th February, 2020.

“Here ends the iteration for 39tMpWZW8HeabT94TDfNwPFWnBEJw7xhV9”

On Analyzing 3DUPNK4wUGGtJbziGWWSpAsodz7QwRiEEE

Bitcoin Address: 3DUPNK4wUGGtJbziGWWSpAsodz7QwRiEEE
Type of Bitcoin Address: P2SH
Total Received Amount: $ 34,312.8
IP: Undetected
Scam Alert: None

This wallet address is no different: the spammer used it to receive the funds and emptied it within 3 hours.

3DUPNK4wUGGtJbziGWWSpAsodz7QwRiEEE further distributed to 3 other addresses, namely:

38kohsbAPk6jAoFJ6qgiYTJ9nV3MhNrbav (0.00955499 BTC) — Unspent
3QbnTzzGgqCf2Zx1Q3E4a2kbETo1Gs7CxE (0.09384104 BTC)

Transfer History of 3DUPNK4wUGGtJbziGWWSpAsodz7QwRiEEE

Moving on with 3QbnTzzGgqCf2Zx1Q3E4a2kbETo1Gs7CxE, it first appeared on the same day but, unlike the other wallets, it was last seen on 27th February, 2020.

Timeline Chart for 3QbnTzzGgqCf2Zx1Q3E4a2kbETo1Gs7CxE

To empty that wallet address, it again distributes funds to the following 2 addresses:

3LqJ5o1tdo1J6MJHRehf1Gxo5C5djjF4N3 (0.00066194 BTC) — Unspent
3CwFWq3YfLUUt1QPrkrcBXdc51J6LRUbi5 (0.02443172 BTC) — Unspent

“Here ends the iteration for 3DUPNK4wUGGtJbziGWWSpAsodz7QwRiEEE”

In Short:-

Master transferred to these 2 addresses
Follow the rabbit for “7xhV9”
Follow the rabbit for “RiEEE”

[It should also be noted that, as this is an ongoing operation, the criminals have not yet moved all of the funds. Hence more P2SH addresses may spring up and the same pattern may continue until some meaningful balance is left sitting in a wallet.]

During the investigation, very few transactions were observed coming from online exchanges such as Bitstamp.

From this, it is evident that the modus operandi of the criminals/spammers is:

>>A plain Bitcoin wallet address is circulated over the internet via email. These wallet addresses are P2PKH (starting with “1”).
>>Once victims pay, the funds are promptly transferred to the real owner’s wallet. These are P2SH addresses (starting with “3”).
>>The receiver (middle node) keeps distributing to others in the group until everyone gets their share.
>>Any balance left sitting in a wallet for a long time can be assumed to be the real wallet address of the spammer/criminal.
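The tracing in Parts 1 to 3 and the pattern summarised above can be expressed as a small graph problem: many worker addresses feed one consolidation address, funds then fan out through short-lived intermediaries, and whatever is still unspent at the leaves is what the article treats as the operators’ real wallets. The script below is an added example (my code, not the article’s) that builds that graph from the addresses and amounts quoted in the article and extracts those three roles. It uses only the outputs the article names, so fees and any outputs it omits are not reconstructed; the article lists 1EMQ94wN7SDJDaws85V75VqWKzqDsvVCkR twice, so 13 distinct workers appear, and the worker-to-master edges carry no amount because the article gives only the 6.96987089 BTC total.

```python
# Added example (not from the original article): the fund flow the article
# traces, modelled as a directed graph so the roles it describes can be pulled
# out programmatically: collector ("worker") addresses, the consolidation point
# ("master"), and terminal addresses whose funds are still unspent.
from collections import defaultdict, deque
from decimal import Decimal

MASTER = "3NbeS1bAV9Kh3arFNBtVfmKgE5zZSaHHXX"

# The 13 distinct worker addresses from the article's list (it names
# 1EMQ94... twice).  The article gives no per-worker amount, only the
# 6.96987089 BTC total, so these edges carry None as the amount.
WORKERS = [
    "1BcpAGfamAy81enJtHahKedaWx1yATTXT7", "1CK7GVufSxzVbsc8HgxgeAZRKuvmAFAKTZ",
    "1LM5VLTv7p57zwwABoveAw4hPSVMcL97YX", "1EMQ94wN7SDJDaws85V75VqWKzqDsvVCkR",
    "1K8DQbAupiGg95FdU9YVPoM3ANSHZ9EGgT", "13EB15QkdBpvakv1MZdG1cLdDhy7sP5heJ",
    "1BzPiae7dMLej6Svyb18dXejY5pP17cAxj", "1Fnjx9acfxzh9jaL21nsxbx2rrMHydtpLd",
    "1PvKmMQA5JoWJAye57P6gw4PwzLDxtcBsQ", "1GZ35FmEHDD1dvrHAnUUwEv5G4X3WFBi5r",
    "18Jro9LNFqBQarcc63WYGf3w7PdDAiwXpk", "1GXDt3MAyT5D7Sjwa9MShLCDdPKx9mpDNZ",
    "1GgPWdeYxnrCRzs4LgHrr2TdN2qgRWNqFw",
]

# (sender, receiver, BTC amount) for the downstream hops the article lists.
# Only the outputs the article names are included; fees and any outputs it
# omits are not reconstructed, so sums will not balance hop by hop.
EDGES = [(w, MASTER, None) for w in WORKERS] + [
    (MASTER, "39tMpWZW8HeabT94TDfNwPFWnBEJw7xhV9", Decimal("5.14083616")),
    (MASTER, "3DUPNK4wUGGtJbziGWWSpAsodz7QwRiEEE", Decimal("1.82899734")),
    ("39tMpWZW8HeabT94TDfNwPFWnBEJw7xhV9", "3GNdPUcq3ajhzKDmKxKaQdd2oMQwcU77R4", Decimal("2.94279613")),
    ("39tMpWZW8HeabT94TDfNwPFWnBEJw7xhV9", "3FBk7oW9MhjHErfsWAh6rx233P8RmZ7A1q", Decimal("2.19799924")),
    ("3FBk7oW9MhjHErfsWAh6rx233P8RmZ7A1q", "3BS7qMLMwenBEQqMM2QXRPShy24jMLkPgT", Decimal("0.00956110")),
    ("3FBk7oW9MhjHErfsWAh6rx233P8RmZ7A1q", "3DmD6ucjoPHpXBcMhfSGLUyqxaHg1JyuEB", Decimal("0.40751826")),
    ("3DUPNK4wUGGtJbziGWWSpAsodz7QwRiEEE", "38kohsbAPk6jAoFJ6qgiYTJ9nV3MhNrbav", Decimal("0.00955499")),
    ("3DUPNK4wUGGtJbziGWWSpAsodz7QwRiEEE", "3QbnTzzGgqCf2Zx1Q3E4a2kbETo1Gs7CxE", Decimal("0.09384104")),
    ("3QbnTzzGgqCf2Zx1Q3E4a2kbETo1Gs7CxE", "3LqJ5o1tdo1J6MJHRehf1Gxo5C5djjF4N3", Decimal("0.00066194")),
    ("3QbnTzzGgqCf2Zx1Q3E4a2kbETo1Gs7CxE", "3CwFWq3YfLUUt1QPrkrcBXdc51J6LRUbi5", Decimal("0.02443172")),
]


def build_graph(edges):
    """Adjacency lists: outgoing[addr] -> [(receiver, amount)], senders[addr] -> {sender}."""
    outgoing, senders = defaultdict(list), defaultdict(set)
    for src, dst, amt in edges:
        outgoing[src].append((dst, amt))
        senders[dst].add(src)
    return outgoing, senders


def trace(edges, start):
    """Breadth-first walk downstream from `start`; returns {address: hops from start}."""
    outgoing, _ = build_graph(edges)
    hops, queue = {start: 0}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt, _ in outgoing.get(cur, ()):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def consolidation_points(edges, min_senders):
    """Addresses funded by at least `min_senders` distinct senders: the
    many-to-one pattern that marks the article's master address."""
    _, senders = build_graph(edges)
    return {addr for addr, srcs in senders.items() if len(srcs) >= min_senders}


def terminal_outputs(edges, start):
    """Addresses reachable from `start` with no outgoing transfer in the data,
    mapped to the BTC they received.  The article treats balances parked like
    this as the likely real wallets of the operators."""
    outgoing, _ = build_graph(edges)
    received = defaultdict(Decimal)
    for src, dst, amt in edges:
        if amt is not None:
            received[dst] += amt
    return {addr: received[addr] for addr in trace(edges, start) if not outgoing.get(addr)}


if __name__ == "__main__":
    print("consolidation points:", consolidation_points(EDGES, 10))
    for addr, btc in sorted(terminal_outputs(EDGES, MASTER).items()):
        print(f"parked: {addr} {btc} BTC")
```

On the article’s data the master is the only address with ten or more distinct senders, every downstream address is at most four hops from a worker, and the six unspent leaves hold 3.39452414 BTC of the 6.96987089 BTC the master received. The same functions work on an edge list pulled from a block explorer, with the caveat that an address with no outgoing transfer today may simply not have been spent yet, as the bracketed note above points out.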

As the crypto industry grows ever faster, more and more crypto-villains appear, targeting individuals and corporates alike.

Key Takeaways

>>Never ever pay a ransom to any criminal.
>>Upon receiving a threatening mail with a Bitcoin address, check the legitimacy of the address on sites like Bitcoin Abuse DB, or do a simple address lookup on Bitcoin Who’s Who.
>>Spammers often reuse the same Bitcoin address, so check its real-time balance on Bitref or Blockchain.

Note: This article is purely individual research and is not to be used or published anywhere without the author’s consent.

Care to Donate for Research Purpose?
1E4v8eXjieNhKDWc5Rww84D2TXrqxcjVKZ (only BTC Accepted)


Rakesh Krishnan

Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.