It was bound to happen: someone decided to blackmail members of online affairs website Ashley Madison, whose entire database was leaked earlier this week by a group calling themselves the “Impact Team”. Shortly thereafter, an unknown group or individual began sending extortion emails demanding Bitcoin for silence:
Of those who had accounts on the cheating website, we asked ourselves: how many are actually paying the blackmailers? Does such a campaign work at all?
To begin our investigation, we noted that the addresses in our samples were all different and freshly generated, meaning they had no previous activity on the Bitcoin blockchain that we could trace. (Bitcoin addresses are merely an encoded version of randomly generated cryptographic keys, so generating new addresses is free and easy. In fact, most modern Bitcoin wallet software generates a new address for every incoming transaction, effectively making addresses ephemeral.)
However, we realized that all the emails consistently demanded “exactly 1.05” Bitcoins from their victims, suggesting that we could search the blockchain for transactions paying that amount to infer if such extortions were being paid.
Specifically, we found 67 suspicious transactions totalling 70.35 BTC, or approximately 15814 USD, within the extortion time frame of approximately 4 days: each paid 1.05 BTC to an address with no previous activity, in a transaction with 2 or fewer outputs. All suspicious addresses we found are attached below. (We conservatively restricted ourselves to ordinary transactions with 2 or fewer outputs, thus excluding those which were less likely to be simple one-to-one payments.)
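The matching heuristic described above, as an added example rather than the post's own tooling: it walks a list of simplified transactions in block order, flags outputs paying exactly 1.05 BTC (compared in integer satoshis, so float rounding cannot miss or invent a match) to an address that has not appeared before, and skips transactions with more than two outputs. The transactions, addresses and txids are constructed for the example; "previous activity" is approximated as any earlier appearance as an output, which is what a blockchain index of outputs gives you cheaply.

```python
# Added example, not the post's own analysis code: the "exactly 1.05 BTC to a
# fresh address, at most 2 outputs" filter applied to constructed transactions.
SATOSHI = 100_000_000
DEMANDED = 105_000_000  # 1.05 BTC in satoshis; integer comparison avoids float rounding

# Constructed sample, in chronological (block) order. Each transaction lists its
# outputs as (address, amount_in_satoshis). Addresses and txids are made up.
SAMPLE_TXS = [
    {"txid": "tx1", "outputs": [("addrA", DEMANDED), ("change1", 30_000_000)]},            # fresh, 2 outputs: match
    {"txid": "tx2", "outputs": [("addrB", DEMANDED), ("x", 10_000_000), ("y", 20_000_000)]},  # 3 outputs: excluded
    {"txid": "tx3", "outputs": [("addrC", DEMANDED)]},                                     # fresh, 1 output: match
    {"txid": "tx4", "outputs": [("addrA", DEMANDED)]},                                     # addrA seen in tx1: excluded
    {"txid": "tx5", "outputs": [("addrD", 2 * SATOSHI)]},                                  # wrong amount: excluded
    {"txid": "tx6", "outputs": [("addrE", DEMANDED + 1)]},                                 # off by one satoshi: excluded
]


def find_suspicious(txs, amount=DEMANDED, max_outputs=2):
    """Return (txid, address) pairs that pay `amount` to a never-before-seen
    address inside a transaction with at most `max_outputs` outputs.

    `txs` must be in block order, because freshness is judged against every
    output address that appeared in an earlier transaction. A fuller check
    would also consult transaction inputs (an address spending coins has
    obviously been used before); outputs alone are enough for this example.
    """
    seen = set()
    hits = []
    for tx in txs:
        outputs = tx["outputs"]
        if len(outputs) <= max_outputs:
            for addr, value in outputs:
                if value == amount and addr not in seen:
                    hits.append((tx["txid"], addr))
        # Record every output address, matching or not, so later reuse is caught.
        seen.update(addr for addr, _ in outputs)
    return hits


def rate_per_100k(matches, total_txs):
    """Matching transactions per 100,000 transactions, the unit the post uses."""
    return 100_000 * matches / total_txs


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_TXS)
    print(found)
    print(f"{rate_per_100k(len(found), len(SAMPLE_TXS)):.1f} matches per 100k transactions")
```

Relaxing `max_outputs` shows why the post calls its restriction conservative: allowing three outputs admits the multi-output transaction as well, at the cost of including payments that are less likely to be a single victim paying a single demand.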
To put this in perspective, in the three months prior to 8/22/2015 when we first started seeing the extortion emails, we saw transactions matching the above pattern at a rate of approximately 5.3 per 100,000 transactions, versus 8.9 during the extortion period.
We can strongly reject the null hypothesis that the incidence of matching transactions during the extortion period followed a Poisson distribution at the historical rate. This allows us to infer that perhaps 40% of the 67 transactions (the excess of the observed rate of 8.9 over the historical 5.3 per 100,000), totaling approximately 6400 USD, may be attributable to victims paying the blackmail.
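The test behind the previous paragraph, as an added example and not the post's own analysis code. It takes the figures the post gives (5.3 and 8.9 matches per 100,000 transactions, 67 observed matches, 70.35 BTC worth 15814 USD) and computes the Poisson tail probability of seeing at least 67 matches if the historical rate still held, plus the excess fraction that yields the 40% estimate. The post does not state how many transactions fell in the 4 day window, so the example assumes the number implied by 67 matches at 8.9 per 100,000; that assumption is marked in the code.

```python
import math

# Figures stated in the post.
HIST_RATE = 5.3 / 100_000      # matching txs per transaction, three months before 8/22/2015
EXTORT_RATE = 8.9 / 100_000    # same pattern during the ~4 day extortion window
OBSERVED = 67                  # matching transactions found in the window
BTC_PER_PAYMENT = 1.05
USD_TOTAL = 15814.0            # the post's USD value of the 67 * 1.05 = 70.35 BTC


def poisson_tail(k, lam, terms=5000):
    """P(X >= k) for X ~ Poisson(lam).

    The upper tail is summed directly in log space instead of computing
    1 - CDF, so a very small p-value is not lost to floating-point
    cancellation. Terms past k + `terms` underflow to 0.0 for the magnitudes
    used here, so truncating the sum costs nothing measurable.
    """
    total = 0.0
    for i in range(k, k + terms):
        total += math.exp(i * math.log(lam) - lam - math.lgamma(i + 1))
    return total


def analyse_window(observed=OBSERVED, hist_rate=HIST_RATE, extort_rate=EXTORT_RATE):
    """Null hypothesis: matches in the window are Poisson at the historical rate."""
    # Assumption (not stated in the post): the window holds as many transactions
    # as the observed count and rate imply, i.e. 67 / (8.9 per 100k).
    window_txs = observed / extort_rate
    expected = window_txs * hist_rate            # matches expected at the historical rate
    p_value = poisson_tail(observed, expected)   # P(>= observed matches | null)
    excess_fraction = 1 - hist_rate / extort_rate  # share of matches above the baseline
    excess = excess_fraction * observed
    return {
        "window_txs": window_txs,
        "expected_matches": expected,
        "p_value": p_value,
        "excess_fraction": excess_fraction,
        "excess_matches": excess,
        "excess_btc": excess * BTC_PER_PAYMENT,
        "excess_usd": excess_fraction * USD_TOTAL,
    }


if __name__ == "__main__":
    for name, value in analyse_window().items():
        print(f"{name}: {value:.4g}")
```

The excess fraction is 1 - 5.3/8.9, just over 40%, and applied to the 15814 USD total it reproduces the post's figure of roughly 6400 USD. The p-value comes out on the order of 1e-5, which is what "strongly reject" means in the text; the estimate is only as good as the assumption that the baseline rate measured over the previous three months would have continued unchanged through the window.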
So, although we cannot say anything conclusively, we have found out that:
1. For a spammer with pre-existing infrastructure and tools, this extortion campaign could have yielded a worthwhile sum for very little effort. All the blackmailer had to do was download the Ashley Madison data, extract the email addresses, generate a Bitcoin address for each victim and send out the emails.
2. Since this search would not have been possible without the consistent extortion amount, we suspect that future attempts at Bitcoin-based blackmail will randomize the amount they demand.
In order to go deeper into this analysis, the next step would be to follow the trail of Bitcoins leading to each suspicious address to see if they are connected on the blockchain to each other or any other known suspicious addresses. Such analysis could potentially help law enforcement to deanonymize and pursue the perpetrators.