The coming cryptocoin blackmail market

by Konstantin Ryabitsev

This is the most depressing thing I've written. I hope I am proven wrong on all counts.

In the beginning

It started out fairly slow. A couple thousand people received the same poorly-worded email, coming from pay4silence@gmail.com:

Hello.

Your name is Bob Jones. You live in Cityville, ST. On these dates you
accessed porn from these sites:

January 24: pornhub.com
    [list with titles, headline screenshots, exact times accessed]

January 25: pornhub.com
    [list with titles, headline screenshots, exact times accessed]

[continued over a period of a few weeks]

In exactly 14 days we will send this list to following people:

    Jane Jones, your wife, email jjones@...
    Martha Jones, your mother, email mjones@...
    Bill Jones, your father, email bjones@...
    Melinda Smith, your coworker, email msmith@...

    [the list continued with coworkers, friends, family members]

To stop us from doing this, you must send us following Bitcoin payments.

0.012383 BTC to [wallet hash 1]
0.018344 BTC to [wallet hash 2]
0.018113 BTC to [wallet hash 3]

IT IS IMPORTANT THAT YOU SEND EXACT AMOUNTS LISTED TO ALL THREE
WALLETS OR YOUR PAYMENT WILL NOT BE PROCESSED CORRECTLY.

Failure to to so will result in incriminating email going out.

There is no way to contact us. Any email sent back will not be read.

When reached, Google confirmed that pay4silence@gmail.com was only accessed once from an IP address belonging to a webcam pointing at a vacant construction lot in Romania, and then never logged into again. All outgoing emails were purged from the "Sent Mail" folder, but the company was forced to disable the account anyway and set up an auto-responder stating that they were in no way associated with the blackmailer (or blackmailers) and recommending that all affected parties contact law enforcement in appropriate jurisdictions.

When the deadline came, the attacker delivered the threat as promised. Messages came in from various throwaway email accounts:

Hello.

Your name is Jane Jones. Your are wife of Bob Jones, who lives in
Cityville, ST. On these days, Bob Jones accessed following porn sites:

(same list with dates and times)

This information is true and not fake. We have access to Bob Jones's
router (D-Link AC750, serial number #####) and monitored web traffic.

We email this to you because Bob Jones chose not to pay the small sum
we asked in exchange for our silence.

The news was reported with a mix of horror and amusement. The FBI asked all affected parties to contact them and were able to verify that victims' routers had indeed been broken into, and that a simple SSL-strip proxy had been installed to downgrade secure https traffic going out to popular porn sites in order to capture the exact videos accessed by victims. The logs were sent to multiple IPs across the world, almost all belonging to webcams and other "internet of things" devices that had since been purged clean.

Pornhub got flak for disabling HSTS in their site headers, and home router manufacturers got well-deserved flak for their abysmal patching and security practices. Tracing bitcoin transactions proved futile and meaningless, as the attackers set up multiple wallets and even used some accounts that appeared to belong to completely unrelated individuals, either as a way to create a false trail or because the whole setup was a test of the larger things to come.

Initial Reaction

The media loved it. Among the affected were several notable conservative politicians and religious leaders, now gleefully paraded as hypocrites despite their adamant denials.

Technology sites filled with content advising how to set up VPNs in order to hide your "naughty traffic" and how to download and install the Tor browser. Security professionals were quick to warn that, if not done right, this can make the situation worse -- and were right. Services offering "free anonymous VPN" proliferated, and domains with every possible way of spelling "get-tor-browser.com" popped up, all offering downloads of the popular privacy suite (with a few backdoors added).

The next attack came a few months later and was almost word-for-word identical. Victims were again asked to send 3 payments of bitcoins, amounting to $100-$200 in total, or have their embarrassing browsing habits sent to their family and coworkers. When not paid, the attackers meticulously delivered the payload, but appeared to fulfil their promise of keeping quiet when the blackmail request was accepted and bitcoin payments sent.

In the payload emails they again disclosed how they got the data -- in order to add weight to their statements. Compromised routers still accounted for quite a few of the cases, but so did a significant number of fake VPN services and trojaned Tor browser downloads, which were now all collecting data for the attackers while masquerading as privacy tools.

The quiet before the storm

The next few months were quiet -- at least on the surface. Some jurisdictions passed legislation that required ISPs to offer timely security updates and free consultation for clients in order to improve home networking security. Technology sites were now more cautious about mentioning "a VPN service" and instead recommended several notable leading providers, strongly advising against "free VPN." Search engines started offering "Assured site" markup for anyone searching for "Tor browser," with heavy filtering of all other results. Porn sites started providing "privacy bundles" that set up the Tor browser when downloaded, and the sites themselves displayed a warning when you browsed from a non-Tor connection (with limited success, because with the increase in Tor traffic without a matching increase in Tor exit nodes, streaming videos became almost impossible).

However, the security field was abuzz, because someone was paying a lot of money buying account passwords and all sorts of stolen database dumps. They also put up bounties -- tens of dollars for security camera footage; hundreds of dollars for ISP client databases and social site logins; thousands for medical records and DMV vehicle registrations. The vaunted Russian face tracking database sold for a staggering 6-figure number paid to what was almost certainly an insider from the FSB. All paid with Bitcoin, all impossible to trace, embargo, or seize.

Someone was receiving all this data, meticulously correlating it... and biding their time.

The big con

Suddenly, extortion notices were everywhere. Men with embarrassing STDs were asked if $200 was worth their coworkers knowing exactly when and after what trip they got their genital herpes. Teenagers were asked if their parents and classmates should know that they have logins on gay dating sites. Pastors were asked if their church members should know how frequently their car ends up parked two blocks away from a Thai massage place in the neighbouring city. Muscovites faced the dilemma of paying up or having their wives know exactly how often they are seen in the company of a certain female coworker.

Then it got downright horrifying. Women were asked if $100 was worth keeping their photos, names, addresses, and the exact routes they take to get to work from being sent to known sex offenders living in their area. Parents were asked what price was too high to keep private the bath time videos they took of their kids. Women who had abortions were blackmailed to pay up or have all their Facebook friends know exactly when and at what stage of pregnancy they chose to terminate.

And there was always the same request. Three fairly small cryptocoin payments to three different wallets. Or else. There, of course, was no guarantee that you were off the hook once you paid -- or that you wouldn't have to pay again in the future.

The big too late

People were terrified, and this time nobody smugly proclaimed that they needn't worry because they didn't have anything to hide -- because it was obvious that everyone did. In the age of mass surveillance and data collection, almost every aspect of people's lives was recorded somewhere and could be sold, bought, and correlated using the massive computational power of modern cloud computing -- and then used for extortion and blackmail.

Data protection legislation imposing huge fines on companies that collect citizens' personal data was passed, but proved too late and too ineffective. It was too late because so much of the data was already in malicious hands, and it was ineffective because a lot of this data came from law enforcement and anti-terrorist mass surveillance databases themselves -- and because the bounties offered by blackmailers continued to increase, multiplying insider leaks. The irony that the tools that were supposed to make the populace safer were now used to terrorize it was not lost on anyone.

Attempts to ban bitcoin were futile -- not only because it was not technically possible, but because by then so many powerful interests were invested in it, including most narco cartels. Since the blackmailers were careful never to cash out the payments, finding them proved impossible, and by then it was also obvious that the number of copycats was multiplying daily. There were massive blackmail campaigns in China, Russia and other parts of the world where mass surveillance went hand in hand with meticulous record keeping by the state.

Nobody knew what measures to take in order for it all to stop. However, one thing was clear: entire generations of people lost the war for their private lives, and there was no way to put that genie back into the bottle.

The only way to stop it was to start from scratch.