WEBVTT

00:00.060 --> 00:02.700
In this video, we're taking a look at a real scam.

00:03.810 --> 00:06.510
This involves Bitcoin and sextortion.

00:07.260 --> 00:13.680
So I'm making this video because these kinds of emails have been making the rounds quite

00:13.680 --> 00:14.370
a bit lately.

00:14.370 --> 00:20.190
And this is actually one that hit a user at the place I am working at right now.

00:20.880 --> 00:24.270
So I took in some of the critical information, like the actual email address and that.

00:24.270 --> 00:26.460
But let's take a look at this email.

00:27.650 --> 00:28.700
So, with this email.

00:31.060 --> 00:33.220
The "To" address was spoofed.

00:33.370 --> 00:38.200
So it's actually spoofing one of the email addresses that that user actually had.

00:39.040 --> 00:42.760
So if you continue on this email, it says, "Hello, my name is Talk."

00:43.060 --> 00:47.350
My nickname in Darknet is Zachary 31.

00:48.220 --> 00:49.330
That tends to change.

00:49.810 --> 00:55.390
Even if it's the same person running this scam, they tend to change whatever their supposed dark name

00:55.390 --> 00:57.790
is or Darknet name is.

00:59.050 --> 01:01.450
I checked your mailbox more than six months ago.

01:03.130 --> 01:08.650
Through it, I infected your operating system with a virus Trojan created by me and have been monitoring

01:08.650 --> 01:09.970
you for a long time.

01:10.450 --> 01:18.070
So "your password is" or "password from", and then they give the user's email address, then they give the

01:18.850 --> 01:22.720
supposed password for that particular email.

01:24.160 --> 01:30.370
Now, the way that works is typically the person will go grab my information from a data dump.

01:30.940 --> 01:38.780
So I could buy a data dump for around $10, $20 or so, grab a bunch of usernames and passwords.

01:38.800 --> 01:44.890
And that's what these people are typically doing, or searching around and finding a data dump that

01:44.890 --> 01:46.150
was published for free.

01:47.460 --> 01:52.740
Now in here, they'll pick out, or look for, people with email addresses and passwords, thinking at least

01:53.220 --> 01:56.520
these may still be valid or they may be changed.

01:56.520 --> 02:03.330
They really don't know and generally don't care because once they send these emails out, when a person

02:03.330 --> 02:09.360
generally sees, "Oh, this is my email and this is really the password that's associated with it," they

02:09.360 --> 02:12.900
begin to panic whether they actually did anything wrong or not.

02:13.410 --> 02:15.210
And that's how these scams work.

02:16.110 --> 02:17.460
Now, let's continue with the email.

02:18.030 --> 02:20.600
Even if you change your password after that, it doesn't matter.

02:20.610 --> 02:27.480
My virus intercepted all of your caching data from your computer and automatically saved access for

02:27.480 --> 02:27.720
me.

02:28.260 --> 02:32.250
I have access to all your accounts, social networks, email, browsing history.

02:32.250 --> 02:37.530
Accordingly, I have the data of all your contact files from your computers, photos, videos.

02:38.810 --> 02:43.880
I was most struck by the intimate content sites that you occasionally visit.

02:43.930 --> 02:47.390
You have a very weird or very wild imagination, I tell you.

02:48.110 --> 02:52.640
During your pastime entertainment here, I took screenshots through your camera of your device, synchronizing

02:52.640 --> 02:54.470
with what you're watching.

02:54.500 --> 02:55.250
Oh, my God.

02:55.550 --> 02:56.960
You're so funny and excited.

02:58.210 --> 03:01.630
I think you don't want all of your contacts to

03:01.630 --> 03:02.650
get these files, right?

03:03.370 --> 03:10.300
If you are of the same opinion, then I think that $837 is quite fair price to destroy the dirt I created.

03:11.350 --> 03:19.450
So there's the extortion part, and generally for people, whether they actually did anything wrong or not,

03:20.200 --> 03:27.070
they generally worry that, hey, my critical data is out there that he's going to dump, or maybe

03:27.070 --> 03:29.260
he's just going to dump a bunch of bogus information.

03:29.260 --> 03:32.680
"I have been going to all these crazy sites," when I haven't, to my contacts.

03:33.850 --> 03:36.490
So this plays on fear for people.

03:39.870 --> 03:42.120
Send the above amount to my bitcoin wallet.

03:42.420 --> 03:47.310
And he gives the Bitcoin address, which I'm going to copy right now and I'm going to show you why in

03:47.310 --> 03:47.880
a moment.

03:49.980 --> 03:52.980
As soon as the above amount is received, I guarantee the data will be deleted.

03:53.790 --> 03:55.170
I do not need it otherwise.

03:55.170 --> 03:59.880
These files and history of your visits will get to all your contacts from your devices.

03:59.880 --> 04:01.740
I'll send everyone your contact.

04:01.740 --> 04:06.140
Access to your email, access logs and.

04:07.030 --> 04:08.110
Carefully saved it.

04:08.620 --> 04:13.600
Since reading this letter, you have 48 hours. After reading this message, I'll receive an automatic

04:13.600 --> 04:16.540
notification that you have seen the letter.

04:18.170 --> 04:19.100
And it goes on to.

04:21.130 --> 04:22.630
Essentially saying that.

04:24.520 --> 04:27.070
That they feel like they're doing you a service.

04:28.160 --> 04:30.770
So let's break this down a little bit.

04:30.800 --> 04:33.530
Supposedly someone has her email and password.

04:34.130 --> 04:40.550
So in general, again, that usually freaks people out because, let's be honest, people usually

04:40.550 --> 04:41.000
have.

04:43.140 --> 04:46.970
really bad passwords and they have a bad habit of recycling passwords.

04:46.980 --> 04:50.010
That's why you shouldn't recycle passwords, if at all possible.

04:52.290 --> 04:57.120
The legitimacy of this is that a lot of people say, yeah, that is my email, that's my password, or that

04:57.120 --> 05:00.120
used to be my password, you know.

05:00.120 --> 05:05.120
So they contextualize it by saying, even if you change your password, I still have access.

05:05.580 --> 05:09.360
So that also freaks people out.

05:10.620 --> 05:12.930
But again, this generally comes from data dumps.

05:14.040 --> 05:18.360
So you do want to keep that in mind that in that regard it's kind of worthless.

05:20.090 --> 05:22.830
But they are trying to scam you.

05:22.850 --> 05:24.230
They are trying to get money from you.

05:25.100 --> 05:30.670
And if you're doing OSINT, then this gets a little tricky.

05:30.680 --> 05:35.030
So Bitcoin is designed to be anonymous, so it's kind of hard to track.

05:35.180 --> 05:40.490
What you can do is there are certain tricks where if you send.

05:41.820 --> 05:45.540
A certain amount of Bitcoin to someone, you can kind of trace where it's going.

05:45.570 --> 05:51.930
I don't recommend actually spending money or giving any amount of money to anyone that's trying to scam

05:51.930 --> 05:53.010
you or extort you.

05:55.130 --> 06:02.570
But in order to help alleviate some fear from people, if you're doing an OSINT investigation for someone,

06:03.320 --> 06:05.780
again, they don't have to do anything wrong.

06:06.050 --> 06:09.710
People that don't do anything wrong still might freak out because, you know, they're still worried

06:09.710 --> 06:11.750
that this person is in my account.

06:11.750 --> 06:17.120
They have my, you know, critical information, they have email that's confidential, and they're

06:17.120 --> 06:18.320
going to send it out to everyone.

06:18.320 --> 06:26.510
Or they might spread a bunch of lies about me and embarrass me, especially people in higher positions

06:27.680 --> 06:32.470
such as CEOs, managers and whatnot.

06:32.480 --> 06:37.880
It's kind of hard for them to have their reputation tarnished, whether it's real or not.

06:39.420 --> 06:42.390
So a lot of people feel compelled to actually pay these ransoms.

06:43.440 --> 06:46.800
So what you could do is, there are a couple of things you could do.

06:46.830 --> 06:49.740
One is you could trace it; you could do a Bitcoin lookup.

06:49.980 --> 06:52.170
And if you go to Bitcoin Who's Who

06:52.560 --> 06:58.080
dot com, you could enter in the bitcoin wallet to kind of see a little bit of the transaction history

06:58.080 --> 06:58.440
of it.

06:59.250 --> 07:06.240
Now the other thing you could do is you can go to DeHashed and Have I Been Pwned and put that email

07:06.240 --> 07:09.420
address in that they said they got ahold of.

07:10.350 --> 07:12.990
And you also can go to Pwned Passwords.

07:14.310 --> 07:16.020
I generally like to use all these sites.

07:16.030 --> 07:17.970
You put the email address, you put the password in.

07:17.990 --> 07:24.750
That way, you could say, hey, your email has been part of, you know, a data breach; the breach dates

07:24.750 --> 07:27.690
back to this time, which kind of matches this information here.

07:28.800 --> 07:32.100
Your password also came up in a data breach.

07:32.280 --> 07:33.690
It's been part of these breaches.

07:33.690 --> 07:40.950
So this is where this is coming from, you know, so this is how they got your information.

07:40.950 --> 07:42.660
It's not that they actually hacked your account.

07:42.810 --> 07:44.400
This is your actual information.

07:45.200 --> 07:48.960
At that point, you tell the user: change your password.

07:48.960 --> 07:55.080
If you haven't changed it already, if you're using Gmail or similar services, make sure you sign

07:55.080 --> 08:00.080
out of all the accounts, review the security check, make sure that no one's been logging into your account.

08:00.090 --> 08:02.550
Chances are, no, they haven't logged into your account.

08:02.550 --> 08:05.340
But it's always good to run that check.

08:06.390 --> 08:08.950
Now let's go back to the Bitcoin address

08:08.960 --> 08:09.400
lookup.

08:10.870 --> 08:14.880
So I'm going to paste it in here, and there we have the bitcoin address.

08:15.040 --> 08:18.250
I'm just going to click a little magnifying glass and start to search.

08:22.340 --> 08:23.670
Give this a sec.

08:23.690 --> 08:25.550
And here we go.

08:27.920 --> 08:30.350
Okay, so this is pretty cool.

08:30.350 --> 08:32.570
So we can actually see quite a bit of history on this.

08:33.080 --> 08:35.900
So we can see this Bitcoin address appeared on four websites.

08:35.900 --> 08:38.040
I can click to see what websites they've been on.

08:39.270 --> 08:40.520
There's the wallet name.

08:42.090 --> 08:45.570
The current balance is almost one bitcoin, and...

08:47.710 --> 08:53.460
Well, you can see there are eight transactions, which, when I looked this up yesterday, it only had two.

08:53.470 --> 08:57.370
So apparently they've got a few more people now.

08:58.280 --> 09:00.050
You can look at the first transaction.

09:01.010 --> 09:05.840
If we click on Scam Alert, we can see all these people that reported this as a scam.

09:05.840 --> 09:11.630
And again, this can add legitimacy to your report when you're reporting back to someone, saying,

09:11.630 --> 09:13.520
hey, this is a scam, don't pay it.

09:14.540 --> 09:18.110
Here's a bunch of scam alerts for that particular email.

09:18.740 --> 09:24.170
And you can see all these are sextortion, hack, blackmail and whatnot.

09:24.170 --> 09:26.240
And if I click on any of these things here.

09:28.050 --> 09:30.060
You can see it's a similar format.

09:30.510 --> 09:35.420
"My nickname in Darknet is," and the name has changed, "Kelby 27."

09:35.430 --> 09:37.350
"I hacked your mailbox six months ago."

09:37.350 --> 09:41.360
"Infected your operating system with a Trojan, password is," point blank.

09:42.450 --> 09:44.670
So essentially it's the same email address again.

09:45.630 --> 09:51.570
And the other thing I like about running the Bitcoin wallet through here is, in some of these other ones

09:51.570 --> 09:51.810
here,

09:51.810 --> 09:58.020
people did get additional information, including the IP address.

09:58.350 --> 10:00.180
And again, you can take that IP address.

10:00.180 --> 10:01.920
You can run it through an IP tracer.

10:02.580 --> 10:07.170
And if you do that, you'll find out this person's from South America, which kind of

10:08.670 --> 10:12.420
lends credibility to why the English is a little broken.

10:13.830 --> 10:15.160
It's not a native American,

10:15.720 --> 10:17.610
United States individual.

10:18.180 --> 10:18.660
So.

10:20.690 --> 10:22.160
That's all great information.

10:22.610 --> 10:28.850
And again, this will really go a long way for you when you put it in a report that's saying,

10:28.850 --> 10:29.900
hey, don't pay this.

10:30.260 --> 10:33.230
You can see all these people reporting all these different scams.

10:33.770 --> 10:40.130
And if I click on here, I can see the different websites, and it's come up on scamsurvivors.com.

10:41.150 --> 10:43.700
This Twitter post is talking about it.

10:44.120 --> 10:48.020
Another Twitter post talking about it. We can take a look at the transaction history.

10:49.630 --> 10:56.590
So we can see this Bitcoin wallet paid that address, and how much they got, and the

10:56.770 --> 10:57.610
time and date.

10:58.870 --> 11:03.250
So that's additional interesting information just to have.

11:03.820 --> 11:09.550
Again, it's going to be pretty hard to trace back to the actual individual, but it is interesting

11:09.550 --> 11:12.070
to take a look at what the pattern of this is.

11:12.970 --> 11:20.620
And also, you can run this through Maltego if you want to verify this information, which I did yesterday

11:22.030 --> 11:23.590
when it had two transactions.

11:23.590 --> 11:28.690
The transactions also appear in Maltego, same amount, same wallets and whatnot.

11:28.720 --> 11:37.150
So again, if you really need to prove that to your client, that, hey, this is a scam, these are all

11:37.190 --> 11:39.280
the odd things going on with it.

11:40.630 --> 11:44.110
The way you can kind of verify the information is DeHashed,

11:44.200 --> 11:53.260
Have I Been Pwned, Pwned Passwords, a bitcoin address lookup, which is bitcoinwhoswho.com, and then run a

11:53.260 --> 11:54.310
Maltego scan.

11:55.120 --> 11:59.620
So this is all about bitcoin scams and sextortion scams.

12:00.190 --> 12:01.450
Thank you for watching the video.
