In offices and universities all across the country Thursday, the same threat appeared in email inboxes: Pay $20,000 worth of bitcoin, or a bomb will detonate in your building. Police departments sent out alerts. Workers from Los Angeles to Raleigh, North Carolina, evacuated their cubicles in the middle of the day. All over Twitter, people posted screenshots of the emails, many different versions of which appear to have been blasted out. As of Thursday afternoon, no bombs had been found, and cybersecurity experts largely dismissed the threats as an elaborate hoax.
Not all police departments have confirmed it as a scam. But it certainly appears to be a steep escalation of a bitcoin blackmail tactic that took off this summer. In that scheme, victims received an email claiming that a hacker commandeered their webcam while they were watching pornography and would release the resulting photos publicly if the target didn't pay a small amount in bitcoin. It was an obvious lie but one that nevertheless earned its perpetrators half a million dollars. In an apparent attempt to increase the urgency, this wave of attacks swaps out sextortion in favor of fake bombs.
The New York Police Department said in its initial warning on Twitter that the threats did not appear to be credible and told WIRED that though they were investigating reports, they had found no bombs. Police in Park City, Utah, quickly called at least one threat a hoax. Police will investigate every email, given that it involves potential physical harm, but the likelihood that someone planted actual bombs in hundreds or thousands of buildings all across America is next to zero.
“This is not a credible threat. It’s clearly a hoax,” says security researcher Troy Mursch, who has been tracking the sextortion scams. Like those, today’s threats were sent out in mass, automated batches to email addresses that the miscreants could have bought or found online. Those emails could have been scraped from public websites, accessed in data breaches, or compiled from shady email marketers.
Many of the recipients suspected a scam immediately. “My first thought was that it looked like a hoax. I didn’t even give it a second thought,” says social media researcher Kelli Burns, who received a threat to her University of South Florida email address this morning.
Burns says that the language gave it away, as often happens with phishing emails and other scams. “My subject line was ‘You are responsible for people,’ which didn’t sound like the person was a native English speaker,” Burns says. Other people in her department received slightly different wording, but all shared the same strange diction. Her director immediately emailed everyone to say that it was some kind of scam and that the university police were looking into it.
To Mursch, the bomb-threat scam is both familiar and totally new. “This new bitcoin extortion scam is something else. We’ve been tracking the sextortion bitcoin scam, but this is the first time we’ve seen bomb threats being sent out in the same vein as the sextortion one,” he says. “It’s a terrible strategy.”
That's not just because of the disruption it sows, but also because it seems poorly thought out on the part of the criminals. A violent threat, coupled with a request for a very high sum, will likely generate more intense law enforcement scrutiny than actual payouts.
The sextortion scam works in part by being remotely believable and asking only for small amounts of money. For some people, it may be worth paying just to put the whole nightmare behind them. A figure of $20,000 is much harder for a random email recipient to get their hands on in a short amount of time and seemed suspicious to those who received it.
By Mursch's count, at least 15 different Bitcoin wallets tied to the mass threats have circulated Thursday. As of 5:30 pm EST, only two deposits had been made into any of them, with funds totaling less than a single US dollar.
But money may not have been the point here. From Idaho to California to Texas and New York, and even Ottawa and Toronto, the bomb threats disrupted the workday and caused panic. Newspapers, universities, gaming software companies, municipal buildings all were briefly evacuated. If the main objective was general chaos, it worked.
“I went on Twitter and I was shocked that all these different places of business were closing and evacuating. I don’t know if that's just a sign of the times that we’re all so on edge, worried about mass shootings and terrorism,” USF's Burns says.
In another sign of the times, Mursch points out that even though these threats are most likely a hoax, there’s always the danger that someone with actually violent intentions could piggyback off this moment and plant a real bomb. The emailers themselves seem to have considered this, apparently trying to give themselves an out. Each email ended with the note: “If an explosion occurred and the authorities notice this letter: we arent the terrorist organization and dont assume any liability for explosions in other buildings.”
A representative for the FBI told WIRED the agency is working with law enforcement around the country but didn’t elaborate further.
The failure of whoever is behind these threats to actually get any money may make law enforcement's job harder; the easiest way to find the perpetrators would be to follow the money placed in the public bitcoin blockchain ledger.
“If nobody does pay the ransom it’s going to be hard to track from the ‘follow the money’ angle,” Mursch says. Absent that, law enforcement will try to track the servers that sent the emails. Indeed, Twitter sleuths were already doing so on Thursday afternoon. Many people reported that they traced the email to a server that appeared to be based in Russia.
However, it’s tricky to pinpoint where spam like this actually originates. That so-called Russian server could be a proxy, for one thing. Botnets and Tor networks can also be employed to hide the origins of spam emails like this.
Tricky, but not impossible. “I suspect that these extortionists will get caught soon, and I would caution anyone who might think of using cryptocurrencies for crime that they are likely to get tracked and caught,” says Cornell computer scientist Emin Gün Sirer. “Law enforcement is quite savvy about both email and Bitcoin tracking.”