Ramblings of a Tampa engineer
Photo by Azamat E / Unsplash

So I got an interesting email and I thought it would be the perfect chance to blog about it.

Oct 18, 2020 - "On the day of hack..."

So this email goes as follows...

  1. Says one of my passwords.
  2. Claims I visited a porn site and was infected.
  3. Claims it recorded that porn site and my own camera in parallel.
  4. Claims I should pay a BTC address $1,052 dollars.
  5. Claims should I not - the video will be released.
  6. Claims any back n forth communication is useless due to non-negotiation.

So let's go through these claims and see what is happening.

(1) My password has been leaked!

Yes welcome to the Internet. We have a growing problem where accounts and data are hacked from the source and released to the web. Depending on the company - the passwords may be in plain text or easily reversed. So your password will be discovered and correlated with an email. If the password worked - they would probably take your email - not email it.

So use a different password per website or even a password manager.

https://haveibeenpwned.com - my history

(2) Claim I visited a porn site and was infected.

Well any real hacker would just tell you which site you were visiting. However, this is an obvious scam so the wannabe just has to say something vague like porn to pray on a negative reaction to the victim. Hoping they will panic and react quickly to whatever the demands are.

(3) Claim I was recorded alongside my screen remotely.

While this is theoretically possible - my camera has a little slider on it and it turns on with a little light when in use. So lets say I stumble upon a porn site and notice my camera light turn on - I would nope out there quickly.

(4) Claim I should pay a BTC address.

This is wanted from the hacker because it isn't exactly a paper trail like something like PayPal. Not to mention you can't really undo it. So the goal being that you send money down a trail you can't effectively trace or recover.

(5) Claim the video will be released if I don't comply.

Well this assume there is a video. A proper hacker would slip in a gif of the video into the email body for a few seconds to really instill fear, but the video isn't real. So obviously the hacked contacts to message isn't real either. Since they just picked popular social media sites like Facebook in hopes that you actually use it and will be nervous.

(6) Claims this is non-negotiable so don't respond

You can just read this from the email itself, but the sender explains:

if you are planning on going to the law, surely, this e-mail can not be traced back to me, because it's hacked too.

So the real meaning of not responding is because the email account is stolen and/or misconfigured and within minutes abused to fire out as many emails as possible. This is the pattern used because hackers hope the stolen email accounts have the credibility to send emails vs a brand new signed up domain which have trust issues when it comes to sending emails.

However, we can ask Google for the original details of the email and can look for the SPF records.

Received-SPF: fail (google.com: domain of metcalfe@silavit.com does not designate as permitted sender) client-ip=;

So this SMTP server does not allow the above IP to be a sender. Lets check that IP real quick.

So that IP that sent the "hacked" email came from Russia. The failure of the SPF rules is what led Google to put some big red warning over this email - as well as probably having a ton of machine learning behind the scenes.

So yeah at this point it is some mass script of a leaked database that someone/something in Russia executed against misconfigured or stolen servers.

I'll end this post with the raw text for Google searches to index in case someone else gets a similar message.

I know {password} is one of your password on day of hack..

Lets get directly to the point.

Not one person has paid me to check about you.
You do not know me and you're probably thinking why you are getting this email?

in fact, i actually placed a malware on the adult vids (adult porn) website and you know what, you visited this site to experience fun (you know what i mean).

When you were viewing videos, your browser started out operating as a RDP having a key logger which provided me with accessibility to your display and web cam.
immediately after that, my malware obtained every one of your contacts from your Messenger, FB, as well as email account.
after that i created a double-screen video. 1st part shows the video you were viewing (you have a nice taste omg), and 2nd part displays the recording of your cam, and its you.

Best solution would be to pay me $1052.
We are going to refer to it as a donation. in this situation, i most certainly will without delay remove your video.

My -BTC -address: {btc}
[case SeNSiTiVe, copy & paste it]

You could go on your life like this never happened and you will not ever hear back again from me.

You'll make the payment via Bitcoin (if you do not know this, search 'how to buy bitcoin' in Google).

if you are planning on going to the law, surely, this e-mail can not be traced back to me, because it's hacked too.

I have taken care of my actions. i am not looking to ask you for a lot, i simply want to be paid.

if i do not receive the bitcoin;, i definitely will send out your video recording to all of your contacts including friends and family, co-workers, and so on.
Nevertheless, if i do get paid, i will destroy the recording immediately.
If you need proof, reply with Yeah then i will send out your video recording to your 8 friends.

it's a nonnegotiable offer and thus please don't waste mine time & yours by replying to this message.
You’ve successfully subscribed to Connor Tumbleson
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Success! Your email is updated.
Your link has expired
Success! Check your email for magic link to sign-in.