December 18, 2018

The Nightmare Before Christmas - Bomb Threats and Bitcoin

‘You are responsible for people.’

It was one of a dozen or so subject lines that shouldered their way into people’s inboxes across the world last week, bringing with it a sobering threat of violence via bomb threat.

For the past year Forcepoint Security Labs have been monitoring a persistent strain of hoax emails attempting to blackmail or otherwise extort their recipients. This type of email has been widely reported, and the sheer scale indicates that it can’t be taken as anything but an empty threat.

Violence as a motivator

However, one of last week’s campaigns brought with it a significant change: instead of sending wild (and occasionally lurid) threats of embarrassment, the perpetrators were threatening victims with bomb and acid attacks.

These hoaxes attempt to gain some credibility by mentioning explosive chemical names (e.g. hexogen, lead azide, trinitrotoluene, tetryl). These messages further included a higher than previously recorded demand of $20,000 – presumably as the perpetrators now expected to be targeting organisations with more money at their disposal than the individuals targeted by previous campaigns.

However, the complete lack of specific information about the victim within the email is the first suggestion that all is not as it seems, and inspection of the campaign overall reveals a template email sent to many different companies across the world.

Non-specific phrases such as ‘the building where your company is located’ and ‘you must send money by the end of the working day’ highlight the catch-all nature of the emails and would imply a bizarre lack of knowledge on the part of the perpetrator in the case of a real bomb threat.

Figure 1 - A sample bomb hoax extortion email

Note the disclaimer at the end of the email in which the perpetrators apparently attempt to disavow foreknowledge or involvement in any real bomb threats which may, coincidentally, have occurred the same day.

The other template used in conjunction with the recent bomb threats revolve around the theme of acid attacks, employing colourful (and unlikely) phrases such as ‘splashing sourness in your visage’.

This campaign explains that the sender of the email has been hired to cause harm to the victim but they are willing to stand down and share information on their client in return for $1600 in bitcoin.

Figure 2 - A sample acid attack hoax extortion email

Plausibility of scale

Forcepoint have seen far too many messages in this campaign – and those like it – to lend any kind of legitimacy to the threats being made.

In just the past week we have blocked over 335,000 emails of this type, with a peak of over 100,000 on the 13th of December.

Figure 3 - Total blocked samples for hoax campaigns including those targeting .com, .uk, and .au TLDs)

We can also see that the targets of this campaign have been spread out through many countries and regions. The US, the UK, and Australia being the main targets with over 200,000 of the recipients having a TLD of .com .uk or .au.

If we exclude the .com, .uk, and .au TLDs it highlights that there was quite a spread of other countries targeted, with the primary focus on mainland Europe and New Zealand.

Figure 4 - Breakdown of targeted TLDs excluding .com, .uk, and .au TLDs

A chequered history

This theme of sending benign emails in an attempt to circumvent email analytics and extort money from people has been around for quite a while. For example, last summer we saw some email campaigns using a bitcoin address and a simple sob-story asking for a few dollars for someone down on their luck:

Hello, my name is Arseny Golorich, I live in the country Belarus, Minsk, we are a rather poor country. On July 26, the BTC-E Crypto-Currency Exchange closed, and I can not get my money back. It was closed by the FBI and illegally appropriated all of our funds. There were my last 2 Bitcoins on which I earned and traded on the stock exchange. Now I am without means for existence, I am starving, I ask to help, who can. On the Internet, I found the emails of the wealthy people of America and decided to write to you, for you a few $ are worthless, but they will help me a lot to start earning again on the exchange. Thank you so much for reading!

My Bitcoin Wallet - 1MY1Fso8SW9XTPCca7oLEBUWFJRZWNK9Qs

For the help you can use absolutely safe resources:



The criminals quickly realized this was not very fruitful and moved entirely from appealing to people’s goodwill to threatening them with embarrassment. These campaigns have been widely reported in recent years and, indeed, in August 2017 we published a blog highlighting the main targets and scale of this scam email campaign.

We have seen many small developments and variations in the content of these emails over the year, including the addition of previously-leaked passwords to add some credibility to the threats and experimenting with the amount of ransom money to determine the amount most likely to be paid by the victims, generally ranging between $300 and $6000.

Figure 5 - A sample 'sextortion' email


The so-called sextortion campaigns have always been about the individual: they preyed on shame and embarrassment, and hoped protecting one’s personal reputation was a big enough driver for someone to pay the fee. In many cases it was.

The switch to targeting businesses was, perhaps, an unlikely (or at least ill-advised) change of tack for this sort of campaign. Bomb threats are never taken lightly and universities, schools, and businesses naturally called the police.

With the communal threat the model of the bitcoin extortion campaign had shifted and with this shift came the communal response of police and media attention. Presumably as a result of this attention (and possibly a poor ‘return’ on the campaign) the afternoon’s campaign returned to targeting individuals, although it maintained the threat of violence.

While caution should be exercised when acting on information regarding threats of violence, ultimately, regardless of the specific content of these messages, these are bulk campaigns designed to extort money. The specifics of the threats may change, but they are, unfortunately, likely to remain a fixture of the email campaign landscape for some time to come.

Protection statement

Forcepoint customers are protected against these campaigns at the following stages of attack:

Stage 2 (Lure) - E-mails associated with this campaign are identified and blocked.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.