Does blackmailing pay? We investigated users response to Ashley Madison extortion emails

It was bound to happen: someone decided to blackmail members of online affairs website Ashley Madison, whose entire database was leaked last week by a group calling themselves the “Impact Team”.

Shortly thereafter, an unknown group or individual has been sending extortion emails demanding Bitcoin for silence:

Ashley Madison blackmail

Of those who had accounts on the cheating website, we asked ourselves: how many are actually paying the blackmailers? Does such a campaign work at all?

To begin our investigation, we noted that the addresses in our samples were all different and freshly generated, meaning it had no previous activity on the Bitcoin blockchain we could trace (Bitcoin addresses are merely encoded versions of randomly generated cryptographic keys, and thus generating new addresses is free and easy. In fact, most modern Bitcoin wallet software generates a new addresses for every incoming transaction, effectively making them ephemeral in use).

However, we realised that all the emails consistently demanded “exactly 1.05” BTC from their victims, suggesting that we could search the blockchain for transactions paying that amount to infer if such extortions were being paid.

Specifically, we found 67 suspicious transactions totaling 70.35 BTC or approximately $15,814 within the extortion time frame of approximately 4 days paying 1.05 BTC to addresses, with no previous activity, and with 2 or less transaction outputs (We conservatively restricted ourselves to ordinary transactions with 2 or less outputs, thus excluding those which were less likely to be simple one-to-one payments).

To put this in perspective, in the three months prior to 22/08/2015 when we first started seeing the extortion emails, we saw transactions matching the above pattern at a rate of approximately 5.3 per 100,000 transactions, versus 8.9 during the extortion period.

We can strongly reject the null hypothesis that the incidence of matching transactions during the extortion period followed a Poisson distribution at the historical rate, thus allowing us to infer that perhaps the 40 per cent of the 67 transactions totaling approximately $6,400 may be attributable to victims paying the blackmail.

So, although we cannot say anything conclusively, we have found out that:

  1. For a spammer with pre-existing infrastructure and tools, this extortion campaign could have yielded a worthwhile sum for very little effort. All the blackmailer had to do was download the Ashley Madison data, extract the email addresses, generate a Bitcoin address for each victim and send out the emails.
  2. Since this search would not have been possible without the consistent extortion amount, we suspect that future attempts at Bitcoin-based blackmail will randomise the amount they demand.

The next logical step in this analysis would be to follow the trail of Bitcoins leading to each suspicious address to see if they are connected on the blockchain to each other or any other known suspicious addresses.

Such analysis could potentially help law enforcement to deanonymise and pursue the perpetrators.

Toshiro Nishimura, research analyst at Cloudmark

Image source: Shutterstock/GlebStock