DDoS scammers collect $20,000 with Ashley Madison extortion

Since September, Salted Hash has followed the extortion attempts from a group of scammers overseas who are targeting the leaked Ashley Madison email list.

Most of the emails threaten exposure, but others threatened DDoS as well as offered help collecting government aid.

Following the money, the group has earned more than $20,000 off the scam, and their emails are still going out. Here’s a brief overview of the scams, and the other technical data for anyone wishing to research further.

On September 22, the first email from the group hit a catch-all address used by Salted Hash. However, it was one of the addresses used by this blog in 2014 to investigate extortion claims against Ashley Madison.

The message, quoted below with no edits, was quick and to the point:

“Unfortunately your data was leaked in the recent hacking of Ashley Madison and I know have your information. I have also used your user profile to find your Facebook page, using this I can now message all of your friends and family members.

“If you would like to prevent me from sharing this dirt info with all of your friends and family members (and perhaps even your employers too?) then you need to send 1 bitcoin to the following BTC address…

“You may be wondering why should you and what will prevent other people from doing the same, in short you now know to change your privacy settings in Facebook so no one can view your friends/family list. So go ahead and update that now (I have a copy if you dont pay) to stop any future emails like this.”

The message warned that the payment was to be made within three days; else the discovered information would be shared with friends or family. The address (wallet) where payment was to be sent collected 37 BTC before it was emptied, which is just over $10,000 USD.

One week later (October 4), the group sent a similar message, but altered the wording from a basic matter-of-fact tone, to one that threatened the recipient with life ruin. This message also included instructions on how to purchase Bitcoin (using LocalBitcoins.com), and increased the ransom form 1 BTC to 2 BTC.

“If you need to contact us feel free but you do not have to you only need to pay and we will disappear. But if you ignore us, and don’t pay within the time frames specified we will make good on are word.

“If you think about reporting us to authorities, feel free to try. But it will not help. We are not amateurs. The best thing that can happen, they will go publicly about it. We will, again, get some free publicity. But for you, you will be ruined the damage will be done. It’s a one-time payment. Pay and you will not hear from us ever again!”

The BTC wallet for this round of extortion collected 19 Bitcoins before it was emptied of all but 1 BTC, for an additional $5,000 USD. On October 6, two days later, the exact message was sent again; and on October 8 the message was repeated for a third time.

On October 9, another message, one mirroring the friendlier tone of the original was sent to the Ashley Madison list, demanding 1 BTC. The wallet where funds were to be delivered collected a total of 19 BTC, for an additional $4,900 USD.

On October 11 and 12, the group changed tactics, promising to deliver a DDoS attack reaching 400-500 Gbps unless 10 BTC was paid. But unlike the previous attempts, the wallet for this run didn’t collect a single Bitcoin. A day after the final DDoS was sent, on October 13, the group sent an email, requesting a phone call in order to discuss a government student aid program, oddly, the phone lines were only available between the hours of 8-9 pm EST.

On October 15, the group sent another Ashley Madison email, the request was for 1 BTC to avoid details being released, but if payment wasn’t made within 48-hours, the total went up to 5 BTC. The timeline was seven days. The group used the same wallet referenced in the October 4 email; if payment wasn’t made by then, all details would be “in the hands of the people you wanted to keep your cheating secret from.”

On October 15, the group sent another message, repeating the threats from the previous Ashley Madison emails, but the wallet referenced in the message had little traction, collecting a single Bitcoin a day after the message was sent.

Finally on October 19, the group sent the last message received by Salted Hash. This message demanded 2 BTC, and raised the price to 5 BTC if payment wasn’t made within 48-hours. The wallet referenced by the email has collected a single payment since it was created.

Since the Ashley Madison scammers started their run, a number of people have been discussing the scams online, including one blogger who publicly explained his connection to adult playground and reproduced one of the extortion emails.

The scam has also gotten the attention of law enforcement. The Guardia Civil in Spain is investigating dozens of complaints, and on Wednesday, the Spanish investigators from the country’s Central Operations Unit said they are working with the FBI and Canadian police forces to locate the blackmailers.

If you or your organization get one of the emails being delivered as part of this scam, ignore it. But more importantly, do not pay the ransom. Doing so only encourages these crooks to continue their schemes.

The email address sending these messages is: sharingservices [at] aol.com.

It’s a forged address, and the return-path leads to a dead mailbox.

The group has claimed to be DD4BC. If this claim is true, their history is one of extortion and DDoS attacks against a number of targets in the public sector, including banks, publishers, and financial firms. They first surfaced in July 2014, but they have been operational since that time. The group was last active in August.

The following are the BTC wallets used by the group:

• September 22: 1AEJiZFnELwRZVjmVSvDSwUaXNZy4X9bQN
• October 4: 1CNrUCKbuHc1RS9XtWxCVbLHMuvhqwkedH
• October 6: 1CNrUCKbuHc1RS9XtWxCVbLHMuvhqwkedH
• October 8: 1CNrUCKbuHc1RS9XtWxCVbLHMuvhqwkedH
• October 9: 1MZBtduhBBz8Ha5ri1brqwTtCQeSmLGdeM
• October 11: 1EqwTAMgw8RtdGpWSFnsW5AdeM7RGVaKrZ
• October 12: 1EqwTAMgw8RtdGpWSFnsW5AdeM7RGVaKrZ
• October 13: Student Aid scam message (888-554-9076)
• October 15: 1MZBtduhBBz8Ha5ri1brqwTtCQeSmLGdeM
• October 16: 1UQRGEBsxcx64tpxRgmGwJ5K8jtVKW1Xu
• October 19: 1b6o5NanAkdPyUzEXzrZQaNN5x1rXWgvT