Sextortion
These are some observations and assumptions about the sextortion mails which are currently in circulation.
I recently got an email.
One of those which tell you that you’ve been hacked.
One of those which state that you’ve been watching porn.
One of those which try to threaten people into paying bitcoins.
One of those that I’ve been talking about in user awareness trainings.
One of the so-called sextortion mails or blackmails.
The email was sent to my old email address, which is not in use anymore. It was written in German (my native language) and the email’s subject told me “Access to your account has been compromised. Files on your device may be damaged or copied.”
This was the first sextortion email that I got on one of my own email addresses; I just knew that anyone could get them, because nobbs had already gotten a few of them. And even though I had done some research on those emails and taught people about them, this email made me think about this topic again.
Some thought-provoking impulses
I remembered that during the user awareness trainings the usual reactions when I was talking about sextortion emails were:
- “I never got anything like this”
- “This is super obvious fake”
- “How could anyone believe that this is true?”
About the first statement I would argue that this kind of email started to become big in 2018, and of course in English, because there are a lot of people you can address in English. There are not that many people you can address in German, but still a few, and as you can see in my email: the attackers are able to use a translator tool and they will use it. So, if you haven’t gotten any of those emails yet, they might come soon.
The second statement is easy to make when it’s not you who got the email and when you see the email for the first time while sitting in a user awareness training and someone tells you “there is a new trending blackmail circulating and it looks like this”. The most mentioned argument when I ask why they think it’s fake is “The mail is written so poorly.” This might be an indicator for a fake message, but it’s no proof. Let’s just take this to a real situation:
Imagine you are working at a bank and some armed bank robbers storm the bank and shout “Give us all your money and nobody gets hurt!”. You would totally give them all your money, because of obvious reasons.
Now imagine you are working at a bank and some armed bank robbers storm the bank and they shout “Give money and no people gets heart!”. Would you think that they have fake weapons just because they are not 100% capable of speaking English?
The third statement is a bit tricky. But before I dive into my thoughts and assumptions about this, I will explain what those emails are about.
Greetings, send me Bitcoin…
The rough structure of the emails is always the same. You get some greetings followed by the message that the sender has some bad news for you. Then you are told that you got hacked by the sender and that while he/she was doing that, he/she discovered that you are watching porn and having fun with yourself while doing so. So the sender recorded this and will send it to all your contacts (which of course he/she got because he/she hacked your machine). Then you’re told to pay a certain amount of money (I’ve seen anything between 300$ and 1900$) in Bitcoin. You also get a hint on how you can find out how to pay in Bitcoin. Then the sender tells you that you should not try to find him/her or his/her “virus” and that everything can be solved by just paying the money. In the end he/she promises that he/she will never contact you again when it’s done and asks for forgiveness for having this job.
Does it work?
Sometimes I’m asked in my user awareness trainings how I come to the opinion that people do react when they get a sextortion email. Well, that is easy to answer. You can check if people have paid money to the Bitcoin address (e.g. at blockchain.com).
There is no money paid to the Bitcoin address in my sextortion mail, but nobbs had an old email with a Bitcoin address which was more successful.
So I think it’s obvious that it works.
That there are no payments made to the Bitcoin address included in my email might be because everyone who got the mail was super clever and didn’t pay, or because this Bitcoin address was generated just and only for me.
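The check described above can be scripted for a whole mailbox of reported blackmail mails. The following is an added example, not code from the original post: it pulls Bitcoin addresses out of an email body, drops candidates whose Base58Check checksum does not verify (a typo in the address is a common reason a blackmail address receives nothing), and summarizes the explorer response to answer “did anyone pay?”. The email text and the explorer JSON are constructed sample data; the `fetch_address_json` helper assumes the public blockchain.info `/rawaddr/<address>` endpoint and is the only part that needs network access. The bc1 (bech32) format is only matched by pattern here, not checksum-validated.

```python
import hashlib
import json
import re
from urllib.request import urlopen

# Legacy P2PKH/P2SH addresses (start with 1 or 3) or bech32 addresses (bc1...).
# The base58 class deliberately excludes the ambiguous characters 0, O, I and l.
ADDRESS_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_valid(addr: str) -> bool:
    """True if addr is base58 and its trailing 4-byte double-SHA256 checksum matches."""
    n = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            return False
        n = n * 58 + B58_ALPHABET.index(ch)
    payload = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' in the text form encodes one leading zero byte.
    pad = len(addr) - len(addr.lstrip("1"))
    payload = b"\x00" * pad + payload
    if len(payload) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    body, checksum = payload[:-4], payload[-4:]
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] == checksum


def extract_addresses(text: str) -> list:
    """Return unique, plausibly valid Bitcoin addresses found in an email body."""
    found = []
    for match in ADDRESS_RE.finditer(text):
        addr = match.group(0)
        if (addr.startswith("bc1") or base58check_valid(addr)) and addr not in found:
            found.append(addr)
    return found


def fetch_address_json(addr: str) -> str:
    """Assumed endpoint: blockchain.info /rawaddr/<address> (needs network access)."""
    with urlopen(f"https://blockchain.info/rawaddr/{addr}", timeout=15) as resp:
        return resp.read().decode()


def summarize_address(raw_json: str) -> dict:
    """Reduce an explorer /rawaddr document to the question: did anybody pay?"""
    data = json.loads(raw_json)
    sats_received = int(data.get("total_received", 0))
    return {
        "address": data.get("address"),
        "tx_count": int(data.get("n_tx", 0)),
        "btc_received": sats_received / 1e8,
        "paid": sats_received > 0,
    }


# Constructed sample mail: the first address is the well-known genesis-block
# address (a valid checksum); the second differs in its last character and fails.
SAMPLE_MAIL = """Hello! I have bad news for you. I recorded you through your webcam.
Pay 900$ in Bitcoin to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours.
(backup wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb)
Do not try to find my virus. After payment I will delete everything."""

# Constructed sample of what the explorer would return for a paid address.
SAMPLE_EXPLORER_JSON = json.dumps({
    "address": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
    "n_tx": 3,
    "total_received": 1230000,  # satoshis, i.e. 0.0123 BTC
    "final_balance": 0,
})

if __name__ == "__main__":
    for addr in extract_addresses(SAMPLE_MAIL):
        # Replace SAMPLE_EXPLORER_JSON with fetch_address_json(addr) to query live.
        print(addr, summarize_address(SAMPLE_EXPLORER_JSON))
```

Run on a real report, `fetch_address_json` replaces the sample JSON; a `paid` of `True` with several transactions on an address taken from a bulk blackmail campaign is the evidence the post refers to, while an address with zero transactions is consistent with either a campaign that nobody paid or a per-recipient address.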
But why?
So we now know that threatening people into paying money because they were supposedly filmed while watching porn works, but why? And why is it a trending method to “gain” money / Bitcoin?
The obvious reason is that nobody wants his or her friends and acquaintances to see him- or herself while watching porn and doing explicit things.
In addition, people struggle to ask for help when it comes to anything related to the consumption of porn, so they don’t ask others, e.g. an expert, whether someone really hacked them and watched them watching porn, because this would be equal to admitting to watching porn.
But that people do not talk about watching porn doesn’t mean that they don’t do it, right? To prove this, I spent some time on Pornhub… and I’m very sure I exceeded the average visit duration of 10 min 13 sec because I was reading the Pornhub statistics “2018 Year in Review”, which is interesting and disconcerting at the same time.
In 2018 there were 4.79 million new videos uploaded to Pornhub which are equal to 1 million hours of porn which is equal to 115 years. But there are not just people who create and upload porn; there are also a lot of people who watch it. In 2018 Pornhub had 33.5 billion visits, that’s an average of 92 million visits per day.
What a great number of people to target! 92 million targets per day. Keep in mind these are just the visitors of one of the endless number of porn websites. The chance of sending a sextortion mail to someone who really watches porn seems to be very high.
But what makes people believe that the content of the email is true? Well, there do exist cases where people really were hacked, recorded and extorted, so the probability that something like this might happen may be small, but it’s not zero. If someone knows about those cases, watches porn and gets a sextortion email, he or she might come to the conclusion that the claims are valid.
The senders of the emails know that not every recipient will fall for the email, but even if only 1% does, it is more than worth it, since they send it to tens or hundreds of thousands of recipients at once.
How to be a little more safe
What literally everyone can do for his or her own security is:
DO UPDATES!
This makes it at least more complicated to hack you.
In addition, if you want to be sure if and when your computer, tablet, phone, etc. – or whoever may hack your devices – can see you, you should totally buy cam covers :)