“Professional hacker” blackmail with Bitcoin ransom

  • Post
    • April 9, 2026 at 4:41 pm
    Corinthian
    Keymaster
    We received an email from an a spoofed email address, containing an image of this letter.

    The email was sent from a spoofed email address (recipient address = sender address) – which can happen if your email provider doesn’t have strong security settings.

    The message claims that the sender is a “professional hacker” who has infected the recipient’s devices with a spyware that cannot be detected by antivirus and they secretly recorded private and embarrassing videos. chats, and images of the victim. In exchange for deleting “forever” these embarrassing materials, they want a payment of 3300USD to a Bitcoin wallet within 48 hours, or else they will send this material to all of the victim’s contacts and make it public.

     

    About the email

    • Sender: same address as the recipient
    • Subject: YOU PERVERT, I RECORDED YOU!
    • Wallet address: bc1qm4km3h7udttp52nvu5cwdtn2c0jp9t2tvy5w9f and looks like an inactive wallet.
    • Nothing revealing that the “hacker” has any personal details of the recipient
    • Excessive explanation of how the “spyware” is supposed to work and why it cannot be detected.

     

    What the email really says

    From a quick analysis of the email headers (the email “metadata”), it appears that the real sender is tied to the following IP addresses:

    • 130.78.81.212
    • 138.201.212.93

     

    There are also suspicious domains that have been reported for security violations:

    • 86675.com
    • 28463.com
    • 09529.com

     

    Numeric domains are commonly used in spam infrastructure. These are likely disposable and part of a rotating email campaign.  This is mass-produced sextortion scam, not a targeted attack. It likely originates from a bot at scale.

    Sending money in a sextortion case like this is almost always the worst option, even if the message feels convincing.

    Why you should not pay:

    • There is no proof the attacker actually has anything, these campaigns are mass-sent using fear tactics.
    • Paying does not stop them, it often leads to more demands because you are now a confirmed target.
    • Most of these emails rely on spoofing and bluffing, not real access to your device.

    What to do instead:

    • Do not reply or engage with the sender.
    • Secure your accounts, change passwords, enable MFA.
    • Run a security scan on your devices using trusted tools.
    • Report the email to your provider or local cybercrime authority.

    If there were real compromise indicators, you would typically see account takeovers or suspicious activity, not just a generic threatening email.

     

    • This topic was modified 1 month, 3 weeks ago by Corinthian.

Tagged: ,

  • You must be logged in to reply to this topic.