In the past few weeks we have been able to observe yet another campaign of sextortion via email. As usual, the body of the messages contains the threat of disclosing rather "intimate" videos unless payment is made in bitcoin. However, these are idle threats, intended to scare less experienced users and extort their money. Leaving aside the technical aspects of the emails, let's look at a more hands-on approach to the investigation: follow the money. In particular, we will try to reconstruct the Bitcoin transactions and identify the exchanges they were sent to, to understand how the "bad guys" monetized the payments sent by some unfortunate individuals.

Let's analyze the phenomenon
When we talk about sextortion, we are generally referring to extortion attempts based on the threat of posting photos or videos online taken while viewing pornographic material (or worse), obtained by hacking the victim's PC and accounts.
As has happened on other occasions, the email's content also contains a potential password for the email address that received the message. Those in the know are well aware that there are dozens of collections of email addresses and passwords online, often resulting from compromised online services to which users signed up using their email address, rather than from an actual compromise of the email service. In any case, it's essential to avoid using the same password to sign up for multiple services.
To delve deeper into the phenomenon of sextortion, we recommend you read this item published on the ransomware.it blog. However, we remind you that:
- the same Bitcoin address is sent to many recipients, and the sender of the emails has no way of knowing who made the payment;
- it is easy to find collections of millions of email addresses combined with passwords online, even for free;
- based on several experiences collected, when the sender of the emails really has compromising material, he provides evidence to convince the victims to pay.
Follow the money!
There is a lot of information that could be explored in an investigation into sextortion emails, such as the analysis of the message headers or a study of the mail servers used. However, in this article we'll focus on analyzing the payments received by the scammers, to identify interactions with services that may hold useful information for identifying them.
First of all, let's note that, from the emails we received, we can obtain two Bitcoin addresses, useful for starting our analysis:
- 3K3vVqkxeDeD8Qbex4MzXe2WdAcfw2WXzF;
- 35a3xM83EeWGreXhSaoYs7nznukBtfSTmi.
First, we need to collect as many payments as possible to analyze. To do this, it's good practice not to limit ourselves to the addresses in the emails we received, but to search for others used in the same sextortion campaign. We can try searching for specific sentences from the email body to find reports that other recipients of the campaign may have published, such as this one.
Thanks to this research, we can add a third Bitcoin address to our two: 3KpYmUgtf8eS2NbcJhhv66g7fXg3AJndNd.
Transaction Analysis
Let's now begin analyzing the transactions involving the identified addresses. It's certainly best to focus on outgoing transactions: incoming transactions will most likely be payments sent by the recipients of the sextortion emails who fell into the trap.
It is very important to note whether outgoing transactions include more sender addresses than those we have already identified. In such cases we speak of "co-spending". Every time you send a transaction, you must sign it with the private key corresponding to the sender address, and whoever has the private key for an address can spend the bitcoins from that address. If a transaction involves multiple sender addresses, it almost certainly means that whoever initiated it had access to all the corresponding private keys. Therefore, it is reasonable to assume that these addresses are traceable to the same person and are part of a single cluster.
This approach makes it possible to trace many more transactions back to the same individual, increasing the likelihood of identifying interactions with exchanges or other services that could provide new information.
Now that we've gathered enough information, we can begin analyzing the activity of individual Bitcoin addresses.
Address activity 3K3vVqkxeDeD8Qbex4MzXe2WdAcfw2WXzF
The address 3K3vVqkxeDeD8Qbex4MzXe2WdAcfw2WXzF, present in one of the sextortion emails as the address to which the payment should be made, has been involved in six transactions, four incoming and two outgoing, and currently has a zero balance.

Looking closely at the two outgoing transactions, we immediately notice that there are multiple sender addresses. Returning to what we discussed earlier, we can immediately deduce that all the sender addresses belong to the same owner. These could be addresses from other sextortion emails or simply other bitcoin holdings held by the perpetrator.
In detail, the first transaction has ten sender addresses, while the second has thirteen. To perform a complete analysis, we should look at the origin of the bitcoins received by each address and, more importantly, whether they were involved in other outgoing transactions.
For simplicity, we'll focus only on the output of the two transactions involving the address we're examining, but a thorough analysis should never overlook any detail.
The first transaction sends bitcoins to the address 18jeeEFep3LUHadGeEt5ZGt5BsFpbWfN6o. From here the bitcoins go to two different addresses, 16Eigw7VYGgEq5XSknNaDHwyyg13VBHqEy and 1F6Uw3SVoC3vUNAk4vBfhbWDCrD6yMzb4u. The second transaction sends the bitcoins to the address 1LSnGgnHg4TZR3YfqrLdH6K5HT274rabG3. At this point, the addresses 16Eigw7VYGgEq5XSknNaDHwyyg13VBHqEy and 1LSnGgnHg4TZR3YfqrLdH6K5HT274rabG3, along with other addresses, spend their bitcoins in the same transaction, towards the addresses 17hDQH2ZqgogezyzwztW3N9pW6d8jRvQCj and 1BEjC9x1KJeAxvpV9zQcpkGze2sxdpCHR2.
The fact that bitcoins, even if they originated from different transactions, are now being spent together again indicates that we are most likely still observing movements made by the same user.
To better understand what happened, it can be very useful to report everything on a graph.
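As an added example (not code from the original article), the co-spend clustering heuristic described above and the forward trace of the two outgoing transactions, in Python, over a constructed transaction set built from the addresses quoted here. The transaction labels and the "other-*" inputs are placeholders for the extra sender addresses the article mentions but does not list, and the only tag is the one the article reports from oxt.me.

```python
from collections import defaultdict, deque
# Constructed sample transactions: (label, inputs, outputs). Real addresses are those
# quoted in the article; "other-*" stand in for the unlisted extra sender addresses.
TRANSACTIONS = [
    ("tx1", ["3K3vVqkxeDeD8Qbex4MzXe2WdAcfw2WXzF", "other-A", "other-B"],
            ["18jeeEFep3LUHadGeEt5ZGt5BsFpbWfN6o"]),
    ("tx2", ["3K3vVqkxeDeD8Qbex4MzXe2WdAcfw2WXzF", "other-C"],
            ["1LSnGgnHg4TZR3YfqrLdH6K5HT274rabG3"]),
    ("tx3", ["18jeeEFep3LUHadGeEt5ZGt5BsFpbWfN6o"],
            ["16Eigw7VYGgEq5XSknNaDHwyyg13VBHqEy", "1F6Uw3SVoC3vUNAk4vBfhbWDCrD6yMzb4u"]),
    ("tx4", ["16Eigw7VYGgEq5XSknNaDHwyyg13VBHqEy", "1LSnGgnHg4TZR3YfqrLdH6K5HT274rabG3", "other-D"],
            ["17hDQH2ZqgogezyzwztW3N9pW6d8jRvQCj", "1BEjC9x1KJeAxvpV9zQcpkGze2sxdpCHR2"]),
]
TAGS = {"17hDQH2ZqgogezyzwztW3N9pW6d8jRvQCj": "Huobi"}  # the only tag the article reports

def cospend_clusters(txs):
    """Common-input-ownership heuristic: all inputs of one tx share a key holder (fails under CoinJoin)."""
    parent = {}  # union-find forest over addresses seen as inputs
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            a = parent[a]
        return a
    for _, inputs, _ in txs:
        for addr in inputs:
            ra, rb = find(inputs[0]), find(addr)
            if ra != rb:
                parent[rb] = ra
    groups = defaultdict(set)
    for addr in list(parent):
        groups[find(addr)].add(addr)
    return list(groups.values())

def cluster_of(addr, txs):
    return next((c for c in cospend_clusters(txs) if addr in c), {addr})

def trace_to_tags(seed, txs, tags):
    """Follow coins forward from the seed's cluster; report hops onto tagged addresses."""
    seen, done, hits = set(cluster_of(seed, txs)), set(), []
    queue = deque(seen)
    while queue:
        addr = queue.popleft()
        for txid, inputs, outputs in txs:
            if addr in inputs and txid not in done:  # each spend is expanded once
                done.add(txid)
                for out in outputs:
                    if out in tags:
                        hits.append((txid, out, tags[out]))
                    if out not in seen:
                        seen.add(out); queue.append(out)
    return hits
```

On this sample the seed address clusters with the three placeholder co-spenders, and the forward trace reaches the Huobi-tagged address in the fourth transaction, mirroring the flow described above.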

Before we continue adding more addresses to our analysis, let's start by seeing if any of the destination addresses can be linked back to an exchange or to some other service that might provide useful information about the scammers' identities.
To do this, we look up the addresses on the service oxt.me. This is a block explorer that integrates an experimental tagging feature, which associates a subset of Bitcoin addresses with known entities such as exchanges, gambling sites, dark web markets, etc.
Thanks to this research, we can find out that the address 17hDQH2ZqgogezyzwztW3N9pW6d8jRvQCj is associated with the exchange Huobi.

At this point, entities such as police forces or judicial offices can contact the Huobi exchange regarding the transaction we have identified and obtain all the information related to the registration and activity of the accounts involved.
Address activity 35a3xM83EeWGreXhSaoYs7nznukBtfSTmi
The address 35a3xM83EeWGreXhSaoYs7nznukBtfSTmi, present in one of the sextortion emails as the address to which the payment should be made, is to date not present in any transaction. This means that none of the recipients of the sextortion emails listing this address fell for the scam. However, it may be appropriate to monitor the address for any future activity that could expose the owner's identity.

To do this, we can create a “watch-only” wallet with the Electrum client, by entering only the public addresses to be monitored during the wallet creation phase, or by using services such as Blockonomics, which we have already talked about in this article.
Address activity 3KpYmUgtf8eS2NbcJhhv66g7fXg3AJndNd
The address 3KpYmUgtf8eS2NbcJhhv66g7fXg3AJndNd, identified thanks to the research we conducted, received a single incoming transaction of 0.16 bitcoin and made a single outgoing transaction.

Again, in this case, the outgoing transaction has six sender addresses. A complete analysis would require us to examine each one individually, but for simplicity and educational purposes we'll focus on the destination of the bitcoins we're tracking.
The transaction has two destination addresses, 34PwR7a96ngpSiftHp6PAHsZx3KpRXxzx7 and 1LBj8834guiqVz64dRuWBiv42z66rFvMS4. The address 34PwR7a96ngpSiftHp6PAHsZx3KpRXxzx7 is in turn emptied, in a second transaction, to the same address 1LBj8834guiqVz64dRuWBiv42z66rFvMS4. From there, a further transaction sends the bitcoins to the addresses 1K2RFC5789Y1MxB53pYbKT2omnZ5bXGaN2 and 1GdmkqjDm8FYR5n4ad8MsQoA39gg9yfZFz.
To get a clearer picture of the movements we are following, let's report everything on a graph.

By looking up the addresses on oxt.me as in the previous case, we can observe that 1K2RFC5789Y1MxB53pYbKT2omnZ5bXGaN2 can be traced back to Binance, one of the main exchanges and trading platforms.

At this point, by contacting Binance, those entitled to request it will be able to access a lot of new information, such as the email addresses used for account registration, the documents used for KYC, IP addresses, payment methods, etc.
Conclusions
In this article, we've illustrated one of the various approaches you can take when investigating sextortion. Thanks to services like oxt.me, which tag Bitcoin addresses with the service they belong to (if known), we can determine where at least some of the fraudulently obtained bitcoins have ended up.
In particular, 10 bitcoins (about €85,000 to date) went to the address 17hDQH2ZqgogezyzwztW3N9pW6d8jRvQCj, attributable to the exchange Huobi, and 5.34 bitcoins (about €45,000 today) went to the address 1K2RFC5789Y1MxB53pYbKT2omnZ5bXGaN2, attributable to the exchange Binance.
To get a clear picture of how the scammers used bitcoins, we would need to reconstruct the entire cluster, starting from the other sender addresses present in the transactions we observed.
Of course, there are further investigations that could be conducted. We focused on the monetization of bitcoins obtained from victims, the ultimate goal of sextortion campaigns. We can safely assume that the accounts registered on exchanges do not contain the actual personal information of the perpetrators, but they will certainly be essential to further investigations.