Does Blackmailing Pay? Signs on the Bitcoin blockchain of responses to Ashley Madison extortion emails

It was bound to happen: someone decided to blackmail members of online affairs website Ashley Madison, whose entire database was leaked earlier this week by a group calling themselves the “Impact Team”.  Shortly thereafter, an unknown group or individual has been sending extortion emails demanding Bitcoin for silence:
screenshot
Of those who had accounts on the cheating website, we asked ourselves: how many are actually paying the blackmailers? Does such a campaign work at all?

To begin our investigation, we noted that the addresses in our samples were all different and freshly generated, meaning it had no previous activity on the Bitcoin blockchain we could trace.  (Bitcoin addresses are merely an encoded version of randomly generated cryptographic keys, and thus generating new addresses is free and easy.  In fact, most modern Bitcoin wallet software generates a new addresses for every incoming transaction, effectively making them ephemeral in use).

However, we realized that all the emails consistently demanded “exactly 1.05” Bitcoins from their victims, suggesting that we could search the blockchain for transactions paying that amount to infer if such extortions were being paid.

Specifically, we found 67 suspicious transactions totalling 70.35 BTC or approximately 15814 USD within the extortion time frame of approximately 4 days paying 1.05 BTC to addresses, with no previous activity, and with 2 or fewer transaction outputs.  All suspicious address we found are attached below. (We conservatively restricted ourselves to ordinary transactions with 2 or less outputs, thus excluding those which were less likely to be simple one-to-one payments.)

To put this in perspective, in the three months prior to 8/22/2015 when we first started seeing the extortion emails, we saw transactions matching the above pattern at a rate of approximately 5.3 per 100,000 transactions, versus 8.9 during the extortion period.

We can strongly reject the null hypothesis that the incidence of matching transactions during the extortion period followed a Poisson distribution at the historical rate, thus allowing us to infer that perhaps the 40% of the 67 transactions totaling approximately 6400 USD may be attributable to victims paying the blackmail.

So, although we cannot say anything conclusively, we have found out that:

1.  For a spammer with pre-existing infrastructure and tools, this extortion campaign could have yielded a worthwhile sum for very little effort.  All the blackmailer had to do was download the Ashley Madison data, extract the email addresses, generate a Bitcoin address for each victim and send out the emails.

2.  Since this search would not have been possible without the consistent extortion amount, we suspect that future attempts at Bitcoin-based blackmail will randomize the amount they demand.

In order to go deeper into this analysis, the next step would be to follow the trail of Bitcoins leading to each suspicious address to see if they are connected on the blockchain to each other or any other known suspicious addresses. Such analysis could potentially help law enforcement to deanonymize and pursue the perpetrators.

1DriJgHZrYYmY4jRiVQaKHzcJpUjCpGeUQ
15Z8ouMiGi8mkzramRS8w2r5rTc6vmKmtJ
1FS273GrqQeDgHiFUQhmcVcdDsRxP8bH37
141bvr3GG4L5vaMEB1jNRQRxUVs8SL2Ues
1KktFva2VvC7ccJiLcRphziFejqLsAm19L
13qcYDvm3KJgQs8oLNDDmCRSUVNdFk1U7u
1NFA7wdpAnd98WNXSy14XFpWJvPFDMqWdB
13mTQa1Lu7PY7YQ9i1kHfJ2LAQPSHzipPC
13UhYXexu4gMZV7wuF6nMvcoskpZTzndFc
1LsAnYbqx1M3aVAxAx4HQ2s4mVmtTpbENH
18rAWeapsa8eYSPzLW7LLt5RPjaG99RyLU
1A1tD6Eh575B65FBnCU3nFyiE6F8XSTnGn
1PXmkZY5Dfdd21HnTsswYqA5ofBGA4uKCe
13bSLj3Meieo9c88hzUZZ7JCUDjyPFoPJW
1BcrFesya4yMMNt38SCkBWUS7cfeXWNfaZ
163xg99azNdRPysSSiKppbzsAeY8CZfNB4
137oYdzJkZ34Ragqv4mXr9b2GtmyTCKFdn
129DGouYdepTaoyPCoPno6XPBUdVqYLJzc
14ckjPngaCQ6TPXSJdajj2JbNKb1Mdb4wY
1C9w3DrL4Y4aJbf56adEPrbGYSzqrQshao
1LfbeLAcafgi4Dsgi6kZYutp8zco2Uhbty
1KBKxi9npjjaAFBb8D7VoFk65PVFJTfNFE
1ErwF3T6QCdZ75PBXZdyxXJPN2k7bBV9fd
1Nr2y7XD8c27tMQF5XrQJdfUWjCZ3zY5uy
3HjnsddWrsJGzCixWebUbWPvhQBnqmNKuS
1CHgfsytZX5sxYWmoTW9CLtRenALa438ZB
1P5Jz8MkEHrLvkst4nE3obENFk49h1naks
17N2PbooaR4F3C6DWkq2KwLubWGvZRgL7X
12nqFiUh78NnUWWWPDYoi77Wxu2jjzYqZu
1NTq99ERynPeW4tD66dU11rzg1srmLDS4z
1G52wBtL51GwkUdyJNYvMpiXtqaGkTLrMv
18euqRRpC2Zp9i9dwrT7Qp3M8jfbu9TUn6
1Q3AvrmZ8cykHGQ7kCkSZaopnWiHPzc1Qw
1y6W32cJfsRW5c16SUEXSyexWpvMbsBxn
1BkUNiTfJRTTG1iycaWGZavmLnLVHorUUo
1JjEY8H6QmwKYXuusksqCta2WhVQQG5e59
1CD3BoUwRC5uPxZSVeHhNGKcrv7iwddVbY
1MaqCVfiidjLitysy3vbWrJ12rU1xvEdyD
1B5NT9jV7BXoSPdEcbcCUAcPrpF7WeBLCc
17TmBnHmnkoQboVCmrcJGT2WzkBY8KRw6F
1JFf9QN9iNJA9QFhncEM5FGxqbr1JUmPP8
16w9fAaX8HEh4CMYAqdi9YvP93CSthV1jz
1LnxsZDPNkU96mrYoS1CQwxPmrhJyrgujM
1HZErPx5XPrp8mH98rKRjyazQLYN7j34Lk
14YeaK34GE68S6YASdtHR1iThj8c8hBQ1C
1PUt7bm1ZU6BRT85yDJxd651Fgneveuzs3
17CcixA4fyEmscXPsZRshecXzJ52eoKNNY
14gkHySfCnoV4Fy4nCxoLUgavMP3DMXKsS
1Gscvx3ugexW4xKjBFogQtQRsHR9Eh8v4n
1ETmDWjyto3gGegqch41PCeYJiVx9pmsuv
1EuRpZCEoyRKWcEpv6jD42N2CxJWrrETcD
1MAwvr21q95UBu6y4WhRM47K5RBijQ164G
1Kbj3tzAbtHgJHt6h6G5PuvWYRZkWXAfhH
1KFc1tekeQtZg48pKbCEU2j7J14N2XFTNW
1Hmjw6JcNDxCQuVo7pkUmRmJzRJe4yLze9
13Mj4nmV127symEJ6GTTb4kdTWyQ884QoN
12bbs3MZAsd9mseXKTA93PtHVd2nSkvjDy
137ENC6fNM97tawPMAGgyn9BKLEmkTx7Xd
1JBygewRQuHuh4qJnpQtb1qCfwNJ2zNrg5
1KbhhzTu14XPSMbBPCxEX4o3kTL9QS2UhZ
1Fb4zhTg4a7zmdRWJAJ1cg9A5pZSMdGGeA
19UMZViRQShqJz49cDDEiz3P1Steitze8A
1DUscKj5QoBoYAXq8cLa8bF8f4x9fNxSPx
1DG19BHaTWbLvaSXjGCmc8HmmptSoZSjVH
1HbUkTKH46RY9UBByUrW1qKNAXeCAqJi8E
1PCY5o15oeugfF9NcF3XiL776Bg4sSC9KL
12NXrKmp68vL59oh5Q1aMqNs35CBC97M1q


39 thoughts on “Does Blackmailing Pay? Signs on the Bitcoin blockchain of responses to Ashley Madison extortion emails”

  1. I have now received 3 requests for bitcoins to be paid in order to keep my information out of the hands of spouse, friends, co-workers, etc. the 1st request was for 2 bitcoins to be sent to : 1DJhHim2unsND9jvPoK1xALG1jfoWFZe4r
    the second one for 1 bitcoin to : 1AEJiZFnELwRZVjmVSvDSwUaXNZy4X9bQN
    the third for 5 bitcoins to : 1AEJiZFnELwRZVjmVSvDSwUaXNZy4X9bQN

    I have no intention to pay but do I report to authorities? Ignore? Run scared and hide?

  2. Hi Thanks for the article

    Very useful article a concerned friend of mine recieved this email below, I have choosen to hide his name and last 4 digits of account details and amount paid for his privacy. I have pasted the following email hope it may help your investigation or analysis . Please let me know if you need any further details.

    Regards
    Razor

    ————————————————————————

    Email recieved from
    ammail-int@public-files.de

    Hi Name,

    we are the Impact Team. Just google “Ashley Madison Hack”.

    As you probably already know, Avid Life Media (ALM) runs unethical portals like Established Men (EM) and Ashley Madison (AM). In relation to your money transfer of Amount.00 by Visa with last digits XXXX for your Ashley Madison subscription, we are sure you will be pleased to read this.

    What do you want?

    1st alternative:

    We will match your name XYZ and your address Actual Address %Staat% COUNTRY with your profile records, your secret fantasies, your conversations and pictures on our new portal.

    Family, friends and colleague will get an information about you. Social media, thank you very much. Email account contacts are a worthwhile information. You should better change the login data but now it is to late.

    2nd option:

    You are sending 0.35 Bitcoins to the Bitcoin address ———————–jwyorgw within 5 days. Then we will not inform your contacts and we will delete your complete data.

    Bitcoins: 0.35

    Bitcoin address: ——————Yjwyorgw

    Time limit: 120 hours

    You can buy Bitcoins at a market like Anycoindirect.com, Happycoins.com, Litebit.eu, Localbitcoins.com or an ATM BTC machine Coinatmradar.com.

    The exchanger can send the BTC directly to our Bitcoin address. You do not need to have a Bitcoin wallet. 1 BTC = 228 USD (market price).

    Critical:

    Relevant:

    – We will not answer to your reply.

    – You will never hear from us again if you pay the Bitcoins. Our guaranty.

    – Non-payment and we will destroy your life. Everyone will see your complete data and we will inform your family and many people.

    You have to make a payment within 5 days of receipt or you know what will happen. After the deadline we can not do anything more for you. Our website is launching soon.

    We promise you: We do what we say!

    Our new portal is coming soon. Everyone will see your complete data and we will inform your family and many people. This is your last chance.

    Best wishes

    The Impact Team

  3. Here’s a list of blackmailers that came in spam folder just last few days –
    track and destroy 🙂

    alejandrobadash1@yahoo.com
    1BXgGTQdNfPp9LtUr895VFqu8WVTtkmNvh

    “Anthony Williams”
    1NP2uxg348YTE3Mb8eaR1urqs4WvgcmEET

    “James Smith”
    1NP2uxg348YTE3Mb8eaR1urqs4WvgcmEET

    “Laura Davis”
    1Hg9bcYL6J6624i5UJFLs958H9AHWAzDJu

    “Barbara Johnson”
    1Hg9bcYL6J6624i5UJFLs958H9AHWAzDJu

    “Anthony Smith”
    1Hg9bcYL6J6624i5UJFLs958H9AHWAzDJu

    “Kevin Brown”
    1Hg9bcYL6J6624i5UJFLs958H9AHWAzDJu

    “Michelle Smith”
    1Hg9bcYL6J6624i5UJFLs958H9AHWAzDJu

    “Barbara Davis”
    1Hg9bcYL6J6624i5UJFLs958H9AHWAzDJu

    “Thomas Williams”
    1Hg9bcYL6J6624i5UJFLs958H9AHWAzDJu

    “Helen Johnson”
    1Hg9bcYL6J6624i5UJFLs958H9AHWAzDJu

    “Richard Miller”
    1Hg9bcYL6J6624i5UJFLs958H9AHWAzDJu

    dosilamki3@yahoo.com
    1BXgGTQdNfPp9LtUr895VFqu8WVTtkmNvh

    allen_neal@hilton.com
    1MZBtduhBBz8Ha5ri1brqwTtCQeSmLGdeM
    wanted 5 bitcoins

    fbassan@servirio.com
    19CPsAdtBoNwaTvuCBk689PRLS9H8sgAoK

    marcos101922@htmail.com
    16F6MZE6VDrAaAykMrpx9Rvh2XRdTRXwaV

    “David Williams”
    13q1PpnrvGFakzfvnE8Hi2NC7qnnDkudnX

    “Anthony Davis”
    13q1PpnrvGFakzfvnE8Hi2NC7qnnDkudnX

    “Anthony Smith”
    13q1PpnrvGFakzfvnE8Hi2NC7qnnDkudnX

    “Anthony Davis”
    13q1PpnrvGFakzfvnE8Hi2NC7qnnDkudnX

    “Thomas Davis”
    13q1PpnrvGFakzfvnE8Hi2NC7qnnDkudnX

    “Kimberly Smith”
    13q1PpnrvGFakzfvnE8Hi2NC7qnnDkudnX

    “Thomas Davis”
    13q1PpnrvGFakzfvnE8Hi2NC7qnnDkudnX

    “Mr. X”
    13q1PpnrvGFakzfvnE8Hi2NC7qnnDkudnX

  4. Whoops! previous comment had brackets around most of the email addresses so they didn’t post.
    Doesn’t really matter – emailed them all back telling them what a bunch of lameass turds they were and most all mailer-daemoned back.
    If they really had any real info on anyone, they would cough it up – besides lack of proof, no one would have any ability to keep a million other dbags do the exact same thing – basically only the gullible and scared will fall for this – and only the first one that emails them.

    Here’s a list of blackmailers that came in spam folder just last few days –
    track and destroy 🙂

    alejandrobadash1@yahoo.com
    1BXgGTQdNfPp9LtUr895VFqu8WVTtkmNvh

    “Anthony Williams” morganatul@obj.xyz
    1NP2uxg348YTE3Mb8eaR1urqs4WvgcmEET

    “James Smith” outlookyugle@passed.xyz
    1NP2uxg348YTE3Mb8eaR1urqs4WvgcmEET

    “Laura Davis” comeareqa@dealers.xyz
    1Hg9bcYL6J6624i5UJFLs958H9AHWAzDJu

    “Barbara Johnson” superiorblqy@teachers.xyz
    1Hg9bcYL6J6624i5UJFLs958H9AHWAzDJu

    “Anthony Smith” existinguygwy@flashers.xyz
    1Hg9bcYL6J6624i5UJFLs958H9AHWAzDJu

    “Kevin Brown” avitiu@bureau.xyz
    1Hg9bcYL6J6624i5UJFLs958H9AHWAzDJu

    “Michelle Smith” fle@gives.xyz
    1Hg9bcYL6J6624i5UJFLs958H9AHWAzDJu

    “Barbara Davis” immunologyuz@incoming.xyz
    1Hg9bcYL6J6624i5UJFLs958H9AHWAzDJu

    “Thomas Williams” indicatingxan@launched.xyz
    1Hg9bcYL6J6624i5UJFLs958H9AHWAzDJu

    “Helen Johnson” distinguishedvarb@enhancement.xyz
    1Hg9bcYL6J6624i5UJFLs958H9AHWAzDJu

    “Richard Miller” roundforu@scene.xyz
    1Hg9bcYL6J6624i5UJFLs958H9AHWAzDJu

    dosilamki3@yahoo.com
    1BXgGTQdNfPp9LtUr895VFqu8WVTtkmNvh

    allen_neal@hilton.com
    1MZBtduhBBz8Ha5ri1brqwTtCQeSmLGdeM
    wanted 5 bitcoins

    fbassan@servirio.com
    19CPsAdtBoNwaTvuCBk689PRLS9H8sgAoK

    marcos101922@htmail.com
    16F6MZE6VDrAaAykMrpx9Rvh2XRdTRXwaV

    “David Williams” republicanqujt@gmail.com
    13q1PpnrvGFakzfvnE8Hi2NC7qnnDkudnX

    “Anthony Davis” themselvesziqu@gmail.com
    13q1PpnrvGFakzfvnE8Hi2NC7qnnDkudnX

    “Anthony Smith” landscapebq@gmail.com
    13q1PpnrvGFakzfvnE8Hi2NC7qnnDkudnX

    “Anthony Davis” connectedgzedi@gmail.com
    13q1PpnrvGFakzfvnE8Hi2NC7qnnDkudnX

    “Thomas Davis” pastawiixd@gmail.com
    13q1PpnrvGFakzfvnE8Hi2NC7qnnDkudnX

    “Kimberly Smith” collectablest@gmail.com
    13q1PpnrvGFakzfvnE8Hi2NC7qnnDkudnX

    “Thomas Davis” pastawiixd@gmail.com
    13q1PpnrvGFakzfvnE8Hi2NC7qnnDkudnX

    “Mr. X” reseteik@gmail.com
    13q1PpnrvGFakzfvnE8Hi2NC7qnnDkudnX

Leave a Reply

Your email address will not be published. Required fields are marked

Learn More About Cloudmark
Our Products
News and Events
Site Map  •  Privacy Policy  •  ©2002–2017 Cloudmark, Inc.