Slides for the work presented at AFT 2019 (aft.acm.org) Research paper: arxiv.org/abs/1908.01051

1. Spams meet Cryptocurrencies
Sextortion in the Bitcoin Ecosystem
MASARAH PAQUET-CLOUSTON, MATTEO ROMITI,
BERNHARD HASLHOFER, TOMÁŠ CHARVÁT
1

2. Collaboration
Masarah Paquet-Clouston
Researcher at GoSecure & PhD Student in Criminology at SFU
Matteo Romiti
Researcher @ AIT’s / Digital Insight Lab
Bernhard Haslhofer
Senior Scientist @ AIT’s / Digital Insight Lab
Tomáš Charvát
VirusFree
2

3. What is Sextortion Spam?
I know *** one of your pass word.
I installed a trojan from the adult videos site
I will send your video recording to your contacts
solution should be to compensate me $1000
via Bitcoin (google "how to buy bitcoin" ).
BTC Address: 1GYfPNat1uQzrBBKTzftMtZ5TgzNdNmTL9
[...]
3
FAKE!!

4. Research Questions
1. How do sextortion spammers operate?
2. Is there a financial relationship among them?
3. Are they more profitable than traditional spam?
4. Where is the money going? Any known entities?
5

5. Data Pipeline
PRIVATE - PUBLIC - PARTIALLY PUBLIC
INTERNET
BTC SPAM
FILTER
EMAIL
BUCKETING
BUCKETS
MANUAL
CLASSIFICATION
DATA
EXTRACTION
ADDRESS
PASSWORD
AMOUNT
LANGUAGE
…
DATA
ANALYSIS
RESULTS
SEXTORTION
CAMPAIGNSBUCKETS
6
SPAM
NOT
SPAM
NOT
SEXTORTION

6. How to collect spam emails?
Emails blocked from October 2018 until February 2019 that:
• Included BTC or Bitcoin in singular or plural form
• Were classified as spam by our spam filter
• Originated from an IP address of a botnet
Personally Identifiable Information were masked.
These spam emails never reached end-users
4,360,575 emails
7

7. How to extract data?
• Not all spam emails are sextortions.
• Sextortion emails follow different structures and
languages.
• How to extract BTC address, language, date, password,
amount asked from each email?
Email bucketing
8

8. Email Bucketing
4M spam
emails
1,810
buckets
28,282
buckets
groupBy(last_line)
groupBy(similarity(last_line))
filter(sextortion)
96 buckets
(sextortion)
9
Similar
syntax

9. Can we improve the bucketing?
Manual investigation is needed
35 campaigns
I sent you an email from your account. This means
I have full access to your account. Your
account ([...@....com]) password: [...] I watched
you for months. The fact is that you have been
infected with malicious trojan software via the
porn website you have used.
Hello! You can see, I contact you from your email
and yes I control your account. I’ve been
watching you for a few days now. Indeed, your
computer is infected by a trojan through an adult
site that you visited.
10
Two emails in two different buckets but same campaign

10. What are these campaigns about?
Some examples:
A. Trojan that can't be detected
B. RDP with a keylogger
C. Sender is an international hacker
D. RAT software installed
E. Specific CVE is mentioned
F. Attacker is from China
11

11. What about Bitcoin Data?
12,533 BTC addresses from 4M sextortion emails
Only 245 addresses received payments
Multiple-input clustering to expand the dataset (485
sextortion addresses)
3 specific filters to select sextortion payments
13
Remember:
blocked emails!
Using
GraphSense

12. How to Select Sextortion Payments?
• Collector filter
Removes transactions with one sextortion address in the input and the output
• Range filter
Selects transactions where sextortion addresses receive payments within the
range found in spams
• Moving-money filter
Removes transactions with only one output–known as exact-amount payment
15

13. Results
16

14. What is the Pricing Strategy?
17
• Higher prices for:
1. English
2. Slovenian
3. Korean
• Lower prices for:
1. Spanish
2. Italian
3. Portuguese
NO HIGHER PRICES FOR SPAMS WITH
PASSWORDS

15. Are Passwords Coming From Leaks?
• Created list of cleartext passwords seen only once in the dataset
• Fetched 21 publicly available data breaches
• Randomly selected 25% of the passwords in the list above
• Investigated whether they were contained in one of these breaches
51% of passwords appear in data leaks
19

16. How are Bitcoin Addresses used?
A1
A2A1
A2
Bucket 1
Bucket 2
Bucket 3
20

17. Any Financial Connection?
Node = Bucket
Node Color = Campaign
Red Edge = Address in common
Black Edge = Cluster in common
The main component out of 4 sub-graphs
21

18. What are the Revenues?
1: Collector filter
2: Range filter
3: Money-moving filter
22
Emails Collection

19. Where is the Money Going?
24
Known exchanges found : Huobi.com, CoinPayments.net, Cubits.com and Luno.com

20. Discussion
25

21. Discussion
Spammers are somewhat sophisticated…
(+) Price discrimination based on language
(-) No higher prices with a password
(-) Do not track which campaign is more effective
26

22. Discussion
Lower-Bound Revenue of
$1,300,620 for an 11-month operation
$122,933 per month
In line with traditional spam (Kanich et al., 2011),
but much more cost-effective
27

23. What's next?
• Litecoin is now used for sextortion
• Update spam filters
• Many more emails to collect
• Many more tags about real-world entities
30

24. Want to help?
Paper: http://webee.technion.ac.il/people/ittay/aft19/aft19-final44.pdf
Sextortion addresses github.com/MatteoRomiti/Sextortion_Spam_Bitcoin
Tags github.com/graphsense/graphsense-tagpacks/
GraphSense graphsense.info
Masarah Paquet-Clouston mcpc@gosecure.ca, @masarahclouston
Matteo Romiti matteo.Romiti@ait.ac.at, @MattRomiti
Bernhard Haslhofer bernhard.haslhofer@ait.ac.at, @bhaslhofer
Tomáš Charvát tc@excello.cz
31