The Nightmare Before Christmas: Bomb Threats and Bitcoin

The Nightmare Before Christmas: Bomb Threats and Bitcoin

“You are responsible to people.”

It was just one of the dozen or so subject areas that made their way into inboxes around the globe last week. They also brought with them a disturbing threat of violence via bomb threat.

Forcepoint Security Labs has been watching a steady stream of hoaxe emails that attempt to blackmail and extort recipients for the past year. This email is well-known and can’t be dismissed as anything other than an empty threat.

Violence as a motivator

One of the last week’s campaigns was a major change. Instead of sending out wild and sometimes lurid threats of embarrassment to victims, the perpetrators threatened them with bombs and acid attacks.

These hoaxes are intended to gain credibility by mentioning explosive chemical name (e.g. hexogen, lead azide, trinitrotoluene, tetryl). These messages also included a $20,000 higher demand than ever recorded – possibly because the perpetrators are now targeting organisations with more money than the people targeted in previous campaigns.

The email does not contain any information about the victim. However, a look at the entire campaign reveals that it is a template email sent to multiple companies around the globe.

The emails contain vague phrases like ‘the building where you company is located’ or ‘you must pay money by the end the working day’. This would indicate a general lack of knowledge and could be interpreted as an indication of a bomb threat.

Figure 1 – A sample bomb hoax extortion email

The email ends with a disclaimer that the perpetrators attempt to deny any involvement in any real terrorist threats that may have happened on the same day.

Another template was used to accompany the bomb threats. It revolved around acid attacks and employed colorful (and unlikely) phrases like “splashing sulfur in your face”.

The email sender is a criminal who has been paid to harm the victim. However, they are willing to share their client’s information in exchange for $1600 in bitcoin.

Figure 2 – A sample acid attack hoax extortion email

Scale plausibility

Forcepoint has seen too many messages from this campaign, and others like it, to give any legitimacy to the threats being made.

We have blocked more than 335,000 email of this type in the last week, with a peak of more than 100,000 on December 13th.

Figure 3 – Total blocked samples for hoax campaigns including those targeting .com, .uk, and .au TLDs)

It is also clear that the campaign’s targets have been distributed across many countries and regions. With over 200,000 recipients possessing a TLD of, the US and Australia are the most important targets.

It is clear that the,.uk were not included in this analysis. The primary focus was on New Zealand and mainland Europe.

Figure 4 – Breakdown of targeted TLDs excluding .com, .uk, and .au TLDs

Untold stories

The idea of sending benign emails to extort money has been around for a while. Last summer, we saw emails using a bitcoin address to request a few dollars from someone who was down on their luck.

Hi, my name’s Arseny Golorich. I am from Belarus, Minsk. We are quite poor. The BTC-E Crypto-Currency Exchange was closed on July 26th, and I cannot get my money back. The FBI closed it and illegally took all our funds. My last two Bitcoins, which I had earned and traded on the stock market, were there. Now, I have no means of survival and I’m starving. I need your help. I came across the emails of wealthy Americans on the Internet and decided to send them a message. Although a few dollars is not worth much, they will allow me to get back to earning money through the exchange. We are so grateful for your time!

My Bitcoin Wallet – 1MY1Fso8SW9XTPCca7oLEBUWFJRZWNK9Qs

You can always rely on absolutely safe resources for help:

This was quickly discovered by the criminals who changed from appealing to goodwill to threatening people with embarrassment. These scam emails have been well-reported in recent years. In fact, we published a blog in August 2017 that highlighted the main targets and magnitude of the scam email campaign.

Over the past year, we have witnessed many minor changes and variations in these emails. We also saw the addition of passwords that were previously leaked to increase credibility of the threats. Additionally, we experimented with ransom money amounts to determine what amount is most likely to be paid to victims. Generally, the amounts range between $300 and $6000.

Figure 5 – A sample ‘sextortion’ email


Sextortion campaigns were always about the person: they targeted shame and embarrassment and hoped to protect one’s reputation enough to make it worthwhile for people to pay the fee. It was in many cases.

Our technology services : Magento posshopify posbigcommerce poswoocommerce pos

Perhaps the most unlikely or least wise decision was to target businesses. Bomb threats should not be taken lightly. Universities, schools, businesses, and the police are naturally called upon.

The model for the bitcoin extortion operation had changed with the threat of communal violence. This led to a shift in the media attention and police response. Presumably due to this attention, and possibly a poor “return” on the campaign, the afternoon’s campaign shifted back to individuals. However it still posed the threat of violence.

Although it is important to exercise caution when responding to threats of violence, there are bulk campaigns that are designed to extort money. Although the exact nature of the threats might change, they will likely remain an integral part of the email marketing landscape for some time.