Extortionists Are After the Ashley Madison Users and They Want Bitcoin

By Adam Clark Estes on at

People are the worst. An unknown number of arseholes are threatening to expose Ashley Madison users, presumably ruining their marriages. The hacking victims must pay the extortionists “exactly 1.0000001 Bitcoins” or the spouse gets notified. Ugh.

This is an unnerving but not unpredictable turn of events. The data that the Ashley Madison hackers released early this week included millions of real email addresses, along with real home addresses, sexual proclivities and other very private information. Security blogger Brian Krebs talked to security firms who have evidence of extortion schemes linked to Ashley Madison data. Turns out spam filters are catching a number of emails being sent to victims from people who say they’ll make the information public unless they get paid!

Here’s one caught by an email provider in Milwaukee:

Hello,

Unfortunately, your data was leaked in the recent hacking of Ashley Madison and I now have your information.

If you would like to prevent me from finding and sharing this information with your significant other send exactly 1.0000001 Bitcoins (approx. value $225 USD) to the following address:

1B8eH7HR87vbVbMzX4gk9nYyus3KnXs4Ez

Sending the wrong amount means I won’t know it’s you who paid.

You have 7 days from receipt of this email to send the BTC [bitcoins]. If you need help locating a place to purchase BTC, you can start here…..

The above email was forwarded to Brian Krebs who points out that no bitcoins have been added that wallet yet. (Looks like the Milwaukee-based victim did not pay up.)

One security expert explained to Krebs that this type of extortion could be dangerous. “There is going to be a dramatic crime wave of these types of virtual shakedowns, and they’ll evolve into spear-phishing campaigns that leverage crypto malware,” said Tom Kellerman of Trend Micro.

That sounds a little dramatic, but bear in mind just how many people were involved. Even if you assume some of the accounts were fake, there are potentially millions who’ve had their private information posted on the dark web for anybody to see and abuse. Some of these people are in the US military, too, where they’d face possible penalties for adultery. If some goons think they can squeeze a bitcoin out of each of them, there are potentially tens of millions of dollars to be made.

The word “potentially” is important because some of these extortion emails are obviously getting stuck in spam filters, and some of the extortionists could easily just be bluffing. Either way, everybody loses when companies fail to secure their users’ data. Everybody except the criminals.

[Krebs on Security]