A new report published today traces a bitcoin haul “earned” from a global sextortion scam, delivered by botnet, for the first time.
Yet the investigation — by UK-based security firm Sophos, and partner CipherTrace — also casts a light on just how hard it is to trace funds through a hugely fluid ecosystem characterised by bitcoin wallets with short shelf lives, heavily obfuscated IP addresses and other techniques.
The scam was delivered via a botnet that launched millions of spam emails to recipients around the world in multiple languages.
(Sextortion is a form of cyber crime in which attackers accuse the recipient of their emails of visiting a pornographic website, then threaten to share video evidence with their friends and family unless the recipient pays. The request amount is often around £650 ($800) via a Bitcoin payment.)
SophosLabs investigation uncovered nearly 50,000 bitcoin wallet addresses attached to spam emails, out of this 328 were deemed to have successfully scammed someone and had money deposited in them.
The attackers “pulled in 50.98 BTC during a five month period. That amounts to roughly $473,000, based on the average daily price at the times the payments were made, and an average of $3,100 a day” it notes.
SophosLabs researchers worked with CipherTrace to track the flow of the money from these wallets. CipherTrace is a cryptocurrency intelligence company initially founded with backing from the US Department of Homeland Security Science and Technology and DARPA.
They found that the extorted funds were typically used to support a range of ongoing illicit activity, including buying stolen credit card data on the dark web. Other funds were quickly moved through a series of wallet addresses to be consolidated, and put through “mixers” to launder transactions.
Yet while providing some insight into the success and outcomes of a typical campaign like this, they ultimately hit a brick wall.
As the report notes: “Tracking where physically in the world the money went from these sextortion scams is a difficult endeavor. Out of the 328 addresses provided, CipherTrace determined that 20 of the addresses had IP data associated with them, but those addresses were connected to VPNs or Tor exit nodes—so they were not useful in geo-locating their owners.”
At this level, taking investigations further than that is, essentially, a nation state game, requiring Tor exit node monitoring and legal demands on VPN providers, among other techniques, experts say.
A majority of the Bitcoin transactions were traced to the following points:
Binance, a global BTC exchange (70 transactions).
LocalBitcoins, another BTC exchange (48 transactions).
Coinpayments, a BTC payment gateway (30 transactions).
Other wallets within the sextortion scheme, consolidating funds (45 transactions).
These are known exchanges and as the researchers note “unknowing participants in these deposits of funds,” as they are unable to block transactions due to the nature of the blockchain.
However, further tracing of transactions which made additional “hops” from the original address revealed seven ‘distinct groups’ that were tied together and could be traced back to addresses that were associated with criminal activity. Some were traced to WallStreetMarket, a black market for stolen credit card details: “Sextortion wallets were tied to wallet aggregating funds, including payments from the Russian-language darkweb market Hydra Market and the credit card dump marketplace FeShop,” the report states.
(The average life of one of these wallets was 2.6 days. However, the 328 ‘successful’ wallets tended to last up to 15 days on average.)
The researchers looked at the origin of millions of sextortion spam emails which launched since last September up to February of 2020.
Tamás Kocsír, the SophosLabs security researcher who led the investigation noted that: “Some of the scam emails featured innovative obfuscation techniques designed to bypass anti-spam filters.
“Examples of this include breaking up the words with invisible random strings, inserting blocks of white garbage text, or adding words in the Cyrillic alphabet to confuse machine scanning. These are not beginner techniques and they are a good reminder that spam attacks of any kind should be taken seriously.”
The sextortion scams that the firm traced used global botnets comprised of compromised systems across the world. The most common places that these compromised system were traced back to Vietnam, South America, South Korea, India and Poland. the majority of the messages (81 percent) were written in English, while ten percent were delivered in Italian. Others were written in Chinese and German.