Security Alert

Users around the world have been receiving¬†bitcoin¬†extortion emails for a long time, one of the most notorious being a ‚Äúsextortion‚ÄĚ threat to show a computer-eye view of you watching adult videos to the world. The latest threat is more alarming: the sender claims to have a bomb planted at the recipient‚Äôs business. Financial institutions in New York¬†began receiving¬†bomb¬†threat emails demanding payment of $20,000 in Bitcoin in early December.

New York City Police warned via Twitter that they were monitoring multiple bomb threats on December 13 and reports soon came in of threats emailed to Philadelphia, Las Vegas, Huntsville, Alabama, and Columbus, Ohio.

The subject line of most of these¬†bitcoin¬†scam emails is: ‚ÄúI advise you not to call the police.‚ÄĚ Some emails received in Canada came with a subject line of ‚ÄúThink Twice.‚ÄĚ

One copy of the email, which has been sent to multiple recipients, reads:

‚ÄúMy man carried a bomb (Hexogen) into the building where your company¬†is located. ‚Ķ. I can withdraw my mercenary if you pay. You pay me 20.000 $¬†in Bitcoin and the bomb will not explode, but don‚Äôt¬†try to¬†cheat¬†‚ÄstI warrant you¬†that¬†I will withdraw my mercenary only after 3 confirmations in¬†blockchain¬†network.‚ÄĚ

KrebsOnSecurity describes the emails as extremely disruptive spam. The emails have been received by thousands of governmental organizations, businesses, educational, and health care institutions around the world.

Hexogen is a chemical term for RDX, the explosive component in the military plastic explosive C-4.

What To Do If You Receive A Bitcoin Bomb Threat Email?

The National Cybersecurity and Communications Integration Center (NCCIC) released a bulletin about the emails on December 13. NCCIC recommends that if you receive the email:

  • Do not respond or try to contact the sender.
  • Do not pay the ransom.
  • Report the email to the FBI Internet Crime Complaint Center or the local FBI Field Office.

What Are The Risks With Bitcoin Bomb Threat Emails?

Bitcoin bomb threat emails are an obvious extortion scam. No bombs have gone off in any location where the threats have been received.

The scammers aren‚Äôt¬†completely¬†unsophisticated,¬†although the threats are¬†poorly-worded¬†and¬†no hacking is involved. Each email security experts have examined uses a different Bitcoin address to send the demanded payment. This is not¬†quite¬†as convincing as the ‚Äúsextortion‚ÄĚ emails, which included a real password that targets had used¬†at some point¬†in the past.

Paul Bischoff, a privacy advocate with¬†Comparitech.com, said: ‚Äúeven though bomb threats are scary, this is amateur scamming.‚ÄĚ

After multiple evacuations, the FBI and local police have¬†failed to find any¬†explosive devices. Most law enforcement officials termed the threats ‚Äúnot credible.‚ÄĚ

The likelihood of a bomb being present in any building receiving the threat is low.

What Are The Real Costs Of The Bitcoin Bomb Threat Emails?

Scams like the ‚Äúsextortion‚ÄĚ emails and the rash of Bitcoin bomb threats threaten to dull awareness to concrete security threats. They also demand attention and safety precautions even though they are nearly 100% certain to be fake.

Multiple threats received in Toronto brought police out around the city and shut down the King subway station. Schools and colleges in New York and several other U.S. cities shut down early after receiving the threats.

The Bitcoin bomb threat extortion likely yielded no cryptocurrency for the scammers. Costs in law enforcement investigative time, lost instructional time at closed schools, and lost business at commercial locations which were forced to shut down add up to far more than what the scammers could hope to obtain from recipients who don’t follow NCCIC’s instructions.

Unlike the ‚Äúsextortion‚ÄĚ scams which were alarming but personal, Bitcoin bomb threat emails to organizations have to¬†be taken¬†seriously¬†enough to confirm that employees and customers¬†‚ÄĒ¬†or students, faculty and hospital staff and patients¬†‚ÄĒ¬†are safe from harm.

The identical, amateurish emails are sent to thousands of targets, so in one sense, there’s safety in numbers. It’s highly unlikely any email scammer could plant C-4 explosives in thousands of locations around the world.

Bitcoin email bomb threats are very unlikely to be serious, real bomb threats, yet no organization can afford to take a bomb threat lightly. As long as they continue, they will remain a costly and aggravating nuisance.