New Bitcoin Racket Threatens to Use Hitmen on Victims

An old type of extortion tactic gets a new lease on life as victims are threatened with assassination if they do not send Bitcoin.

Threatening people with assassination in a place that offers as much anonymity as the internet does is nothing new, but this time, the extortionist is demanding Bitcoin.

Newemailsfirst spotted by BleepingComputer contain a message telling victims to pony up $4,000 in the cryptocurrency. In broken English, the extortionist explains that he runs a website on the dark web that offers services that include assassination, and that the victim was a target for one of his clients.

He then explains that he wants to “offer” the victim the opportunity to end this deal if he receives a $4,000 payment in Bitcoin.

Cryptovest looked at the extortionist’s wallet address and found exactly zero BTC have been paid so far. It’s been more than 24 hours since the email in the screenshot was sent.

There is a threat of violent action. The sum demanded is a specific amount of dollars in Bitcoin, not a specific amount of BTC. There is a promise to halt the violent action upon receiving payment. The author of the email uses an alias that differs from the name in the email. The bomber used the name Clair James, but the email address before the “@” symbol read “Frank.” This extortionist uses the name Justine Dibenedetto, but the email address begins with “John.” Both of the names used in the email addresses themselves are typical anglophonic names. Both emails provide a precise time limit upon which funds must be sent to the would-be attacker. The bomber gave victims 24 hours. The extortionist, 38. Both authors use a similar style of broken English. The subjects are vague.

  • There is a threat of violent action: The message contains an explicit threat to use violence.
  • The sum demanded: A specific amount of dollars in Bitcoin is requested, not a fixed amount of BTC.
  • Promise upon payment: The extortionist promises to halt the violent action if the payment is received.
  • Alias discrepancy: The email uses an alias different from the name in the email address. For instance, the bomber used "Clair James" while the email address read "Frank," and this extortionist uses "Justine Dibenedetto" with an email beginning with "John." Both names are typical anglophonic names.
  • Precise time limit: Both emails provide an exact deadline for the payment. The bomber gave victims 24 hours, while the extortionist’s timeframe was 38 hours.
  • Broken English: Both authors exhibit a similar style of broken English.
  • Vague subjects: The subject lines in the emails are ambiguous.

The only clear differences between the two are the destination wallet address used and the fact that the bomber separated paragraphs more consistently than the extortionist.

Cryptovest looked at the bomber’s wallet address and found one transaction of 0.000007 BTC, which is worth two cents today. This may have been the result of a transaction fee.

The similarity between these two incidents indicates that this new attack may have been inspired by the bomb threat.