A few days ago I received a mail that can make you really uncomfortable if you are not aware that it is just a reasonably well-made scam attempt. To make it clear: I have nothing to do with the things I am accused of in this e-mail, and I understand that this is a serious topic. I decided to research this mail (or rather these mails) and to publish the result, because the allegations are serious, nobody wants to be associated with something like this, and thousands of mails like it were sent in the past few days.
The mail I received on Thursday, 15.08.2019 at 09:55 GMT+2 reads as follows:
Yeah. I know you are a pedophile. Actually I know way more about you than you think. I am a computer scientist (internet security specialist) with affiliation with the Anonymous group. Few months ago you downloaded an application. That application had a special code implanted purposely. Since the moment you installed it, your device started to act like a Remote Desktop I was able to access anytime. The program allowed me to access your desktop, your camera(s), your files, passwords and contact lists. I also know where you live and where you work.. I was observing you for quite some time and what I have collected here is overwhelming. I know about your sexual preferences and your interest in young bodies. I have secured 4 video files clearly showing how you mɑsturbate (captured from your camera) to young teenagers (captured from your internet browser). Glued together is a pretty overwhelming evidence that you are a pedophile. The timestamps on the video files indicate the exact time you have been mɑsturbating to teenagers: [my_mail_address_replaced_special_characters_with_underline]_1561913887.mp4 (44.4 MB) [my_mail_address_replaced_special_characters_with_underline]_1561173365.mp4 (33.7 MB) [my_mail_address_replaced_special_characters_with_underline]_1562330147.mp4 (22.8 MB) [my_mail_address_replaced_special_characters_with_underline]_1563680903.mp4 (84.2 MB) I am not here to judge the morality of your sexual preferences, I am here to make money. Because I know you are a wealthy person and that you do care about your reputation, I am willing to gίve you a chance to atone and I will leave you alone. You do know what Bitcoin is, right ? You must fund a special address with 5,000 ÙSD in Bitcoin, otherwise, I am going to seƞd those video files to your family members, friends and your work buddies. I know it may be time consuming to buy 5,000 ÙSD in bitcoin, so I will gίve you exɑctly one week. Search on google 'how to buy bitcoin' and seƞd it to me. Enough is enough. 
I have seen enough.. If you do not Ѕeƞd the bitcoins in one week, I will also Ѕeƞd those video recordings to your local police office. Your life will be ruined, trust me. Ƭrɑnsfer details are below.. Ѕeƞd exɑctly: 0.4915601 BTC to my bitcoin address: 3Jrk7P36JXWerCKKEGKuUjphmnNyF895jQ (copy and paste) 1 BTC is worth 10,185 ÙSD right now, so Ѕeƞd exɑctly: 0.4915601 BTC. Make sure the amounț and address is copied correctly - this way I will know the trɑnsfer is coming from you. As soon as you seƞd bitcoins, I will remove the videos from my drive and remove the software allowing me to access your device. If you do not cooperate, I will start seƞding out those videos to people you care about. Not excluded that after seƞding to one person, I will ask 10x more from you. I can make you suffer, trust me. Don't even think about going to police. If you try, I will immediately know it and I will Ѕeƞd them your mɑsturbation videos, pedo. 5,000 ÙSD is a fair price for my Ѕileƞce don't you think? You have only one week & better act fast. Ѕeƞd exɑctly: 0.4915601 BTC to my bitcoin address: 3Jrk7P36JXWerCKKEGKuUjphmnNyF895jQ (copy and paste) Do not reply to this email, it's an untraceable one time message. I will contact you. Remember, I am watching you. N1ghTm4r3
That's a serious allegation. To sum it up, the "internet security specialist" accuses me of having been recorded watching child porn, and the sender wants 5k USD to not publish the "recorded video files". Let's take a closer look at the mail.
The mail is written in fairly solid English that does not look machine-translated. If it were, the only translator I know of that produces English with this kind of grammar is DeepL, which would limit the original language to a handful of possible countries of origin for the author. However, the author may have a different nationality than the sender.
Outwit the spam filter
One of the things I realized first:
The mail contains unicode characters to pass spam filter dictionary tests.
For example, in the word Ѕeƞd the n is not an n but a special character that looks like a lower-case n. The same goes for the T and the a in Ƭrɑnsfer, and so on. All the spam-filter-critical words are mutated like that.
Let's take a look at the "time stamps" in the file names, which are Unix timestamps:
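To show how such lookalike characters can be spotted instead of slipping through, here is a small detector, added as an example and not part of the original post. The sample sentence is constructed from words of the mail, and the lookalike table only covers the substitutions seen in it.

```python
import unicodedata

# Constructed sample built from words of the scam mail: three of them carry
# lookalike characters, the rest is plain ASCII.
SAMPLE = "Please Ѕeƞd exɑctly 0.4915601 BTC. Ƭrɑnsfer details are below. Enough is enough."

# Lookalikes seen in the mail that have no Unicode decomposition to an ASCII
# letter (accented ones such as Ù decompose on their own via NFKD).
LOOKALIKES = {"Ѕ": "S", "ƞ": "n", "ɑ": "a", "Ƭ": "T", "ί": "i"}

def suspicious_words(text):
    """Return (word, [(char, unicode_name), ...]) for every word that mixes ASCII
    letters with non-ASCII letters. A word written entirely in a non-Latin
    script is not flagged, so ordinary non-English text passes; a filter that
    compares raw words against a dictionary is exactly what this mix defeats."""
    found = []
    for word in text.split():
        letters = [c for c in word if c.isalpha()]
        odd = [(c, unicodedata.name(c, "?")) for c in letters if ord(c) > 0x7F]
        if odd and len(odd) < len(letters):
            found.append((word, odd))
    return found

def ascii_fold(text):
    """Map the text back to plain ASCII so it can be matched against a word
    list: table lookup for the hard cases, NFKD to strip accents, then drop
    whatever is still outside ASCII."""
    out = []
    for c in text:
        c = LOOKALIKES.get(c, c)
        decomposed = unicodedata.normalize("NFKD", c)
        out.append("".join(ch for ch in decomposed if ord(ch) < 0x80))
    return "".join(out)

if __name__ == "__main__":
    for word, odd in suspicious_words(SAMPLE):
        print(word, "->", ascii_fold(word),
              [f"{c} U+{ord(c):04X} {name}" for c, name in odd])
```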
[my_mail_address]_1561913887.mp4 (44.4 MB) -> Sunday, 30.06.2019 - 18:58:07 GMT+2
[my_mail_address]_1561173365.mp4 (33.7 MB) -> Saturday, 22.06.2019 - 05:16:05 GMT+2
[my_mail_address]_1562330147.mp4 (22.8 MB) -> Friday, 05.07.2019 - 14:35:47 GMT+2
[my_mail_address]_1563680903.mp4 (84.2 MB) -> Sunday, 21.07.2019 - 05:48:23 GMT+2
Even ignoring the fact that I don't have a webcam that could record anything, I have logs that prove my computer was turned off on three of those dates. So this is just random fake data that a non-technical recipient would not even have been able to decode.
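As an added illustration (not from the original post), this script pulls the epoch values out of the file names, renders them in GMT+2 as above, and checks that every claimed recording predates the mail's own Date header. The file list is a constructed copy of the four names with the address replaced by a placeholder.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed input: the four file names from the mail, address replaced.
FILE_LIST = """
[my_mail_address]_1561913887.mp4 (44.4 MB)
[my_mail_address]_1561173365.mp4 (33.7 MB)
[my_mail_address]_1562330147.mp4 (22.8 MB)
[my_mail_address]_1563680903.mp4 (84.2 MB)
"""
# Date header of the mail converted to UTC (08:55:36 +0100)
MAIL_DATE_UTC = "2019-08-15T07:55:36+00:00"

# The 10-digit number in front of the extension is seconds since the Unix epoch
FILENAME_RE = re.compile(r"_(\d{10})\.mp4\s*\(([\d.]+) MB\)")

def decode_filenames(text, utc_offset_hours=2):
    """One dict per file name: raw epoch, size, and the local time in a fixed
    UTC offset (GMT+2 here, matching the post)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    rows = []
    for epoch, size_mb in FILENAME_RE.findall(text):
        ts = datetime.fromtimestamp(int(epoch), tz=tz)
        rows.append({
            "epoch": int(epoch),
            "size_mb": float(size_mb),
            "local": ts.strftime("%A, %d.%m.%Y - %H:%M:%S"),
        })
    return rows

def all_before(rows, sent_iso):
    """Sanity check: every claimed recording must predate the mail itself."""
    sent = datetime.fromisoformat(sent_iso)
    return all(datetime.fromtimestamp(r["epoch"], tz=timezone.utc) < sent
               for r in rows)

if __name__ == "__main__":
    rows = decode_filenames(FILE_LIST)
    for r in rows:
        print(f'{r["epoch"]} -> {r["local"]} GMT+2 ({r["size_mb"]} MB)')
    print("all timestamps before the mail was sent:", all_before(rows, MAIL_DATE_UTC))
```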
Now let's inspect the Bitcoin address. Bitcoin is a technology where transactions can be sent anonymously, but if you know an address you can track which transactions that address has received and sent. From the sum of these activities you know the balance of each Bitcoin wallet.
Using an online service to inspect this wallet, we can see that the wallet I am supposed to send ~0.5 BTC to has not done any transactions yet: https://live.blockcypher.com/btc/address/3Jrk7P36JXWerCKKEGKuUjphmnNyF895jQ/
Which information does the scammer have?
Inspecting the mail's contents again: which information does the scammer have about me?
- My email address
The scammer doesn't even know my name. It's in my mail address, but if you send this kind of e-mail automatically you can't be sure that this is always the case. So far, so good. Can we get more information from the mail?
We haven't inspected the mail header yet, so let's take a look at it. For privacy reasons I will post only the excerpts that matter.
Return-Path: <firstname.lastname@example.org>
Received: from mx.leucocrate.palustrian.top (mx.leucocrate.palustrian.top [220.127.116.11])
Received: from mx.leucocrate.palustrian.top (mx.leucocrate.palustrian.top [127.0.0.1])
    by mx.leucocrate.palustrian.top (Postfix) with ESMTP id 468KMF57s7z27p3
Authentication-Results: mx.leucocrate.palustrian.top (amavisd-new);
    dkim=pass (1024-bit key) reason="pass (just generated, assumed good)"
    header.d=leucocrate.palustrian.top
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=leucocrate.palustrian.top;
    h=content-transfer-encoding:content-type:content-type:mime-version:message-id:x-mailer:user-agent:reply-to:list-unsubscribe:subject:subject:to:from:from:date:date;
    s=dkim; t=1565857657; x=1568449658;
    bh=2xpEjllf
    hbKTU0obzbp9dQxqRBt0jC9vuWsRhMmb/4E=; b=bsbN1tdM2Iq6fb2S0aMts4AG
    PC+CFDjMB5FJ5TId5PsUBzqyc0Y8VZHB5PBBt4lBsHUFloGE7X9c70jfge8Mv3I3
    FrYc4UWHCvh1NZ+IQbZdQmL+84nGqA5GNCrPsTbP4OH8xC12tp4SMMI7hQ5/vaRH
    n+i1w4vRoTP4C9eePL0=
X-Virus-Scanned: Debian amavisd-new at mx.leucocrate.palustrian.top
Received: from mx.leucocrate.palustrian.top ([127.0.0.1])
    by mx.leucocrate.palustrian.top (mx.leucocrate.palustrian.top [127.0.0.1]) (amavisd-new, port 10024)
    Thu, 15 Aug 2019 08:27:37 +0000 (UTC)
Received: from [127.0.0.1] (mx.leucocrate.palustrian.top [127.0.0.1])
    by mx.leucocrate.palustrian.top (Postfix)
Date: Thu, 15 Aug 2019 08:55:36 +0100
From: "N1ghTm4r3" <email@example.com>
Subject: =?UTF-8?Q?I=20know=20you=20are=20a=20pedophile..?=
List-Unsubscribe: <http://leucocrate.palustrian.top/unsubscribe/[some_customized_hash]>
Reply-To: <firstname.lastname@example.org>
User-Agent: CodeIgniter
X-Sender: email@example.com
X-Mailer: CodeIgniter
X-Priority: 3 (Normal)
Message-ID: <firstname.lastname@example.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Flag: NO
Doing a whois lookup for the domain name palustrian.top, we get the following result:
Domain Name: palustrian.top
Registry Domain ID: D20190815G10001G_16521725-top
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com
Updated Date: 2019-08-15T06:30:08Z
Creation Date: 2019-08-15T06:15:21Z
Registry Expiry Date: 2020-08-15T06:15:21Z
Registrar: NameSilo
Registrar IANA ID: 1479
Registrar Abuse Contact Email: email@example.com
Registrar Abuse Contact Phone: +1.4805240066
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
As expected, the registrant's name does not appear, since NameSilo, the registrar of this domain, seems to offer anonymous domain registration. The creation date of the registration is 2019-08-15T06:15:21Z. Comparing that to the mail header and adjusting for time zones, I received the mail at 2019-08-15T07:55:36Z. So the domain was created less than two hours before I received the mail.
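The header and whois checks above can be automated; the following script is added here as an example and is not the author's own tooling. It parses a constructed header excerpt carrying the same values as the one quoted above, decodes the RFC 2047 subject, finds the first non-loopback Received address, and computes how old the sending domain was when the mail was sent, using the whois Creation Date.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parsedate_to_datetime

# Constructed header excerpt, cut down from the one quoted above (same values).
RAW = """\
Received: from mx.leucocrate.palustrian.top (mx.leucocrate.palustrian.top [220.127.116.11])
Received: from mx.leucocrate.palustrian.top (mx.leucocrate.palustrian.top [127.0.0.1])
    by mx.leucocrate.palustrian.top (Postfix) with ESMTP id 468KMF57s7z27p3
Authentication-Results: mx.leucocrate.palustrian.top (amavisd-new);
    dkim=pass (1024-bit key) reason="pass (just generated, assumed good)"
    header.d=leucocrate.palustrian.top
Date: Thu, 15 Aug 2019 08:55:36 +0100
From: "N1ghTm4r3" <email@example.com>
Subject: =?UTF-8?Q?I=20know=20you=20are=20a=20pedophile..?=
X-Mailer: CodeIgniter

(body omitted)
"""
# "Creation Date" from the whois output above
WHOIS_CREATED = "2019-08-15T06:15:21Z"

def triage(raw, whois_created):
    """Pull the header facts worth looking at and relate the Date header to
    the sending domain's registration time."""
    msg = message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    created = datetime.strptime(whois_created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Received headers are prepended per hop, so the bottom one is the earliest.
    # Walk upwards and take the first non-loopback address: the relay that
    # handed the mail to our MX (here the scammer's own server).
    ips = []
    for hop in reversed(msg.get_all("Received", [])):
        ips += re.findall(r"\[(\d+\.\d+\.\d+\.\d+)\]", hop)
    origin = next((ip for ip in ips if not ip.startswith("127.")), None)
    auth = msg.get("Authentication-Results", "")
    return {
        "sent_utc": sent.isoformat(),
        "domain_age_minutes": (sent - created).total_seconds() / 60,
        "origin_ip": origin,
        "subject": str(make_header(decode_header(msg["Subject"]))),
        "mailer": msg.get("X-Mailer"),
        "dkim_pass": "dkim=pass" in auth,
        # DKIM only proves the signer controls this brand-new domain; amavisd
        # even notes the key was "just generated".
        "dkim_key_just_generated": "just generated" in auth,
    }

if __name__ == "__main__":
    for key, value in triage(RAW, WHOIS_CREATED).items():
        print(f"{key:24} {value}")
```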
Theodoor Harmsen, probably Theodor Harmsen, is not a common name. I found a website of an artist from the Netherlands and some entries on a heritage research page. Nothing special about that choice for a fake mail address, I guess.
The mail was sent from 18.104.22.168, which belongs to an Indian company named Idea Cellular Limited. It seems the domain no longer resolves to that IP.
The DKIM signature used to authenticate the sender's domain is valid, as the Authentication-Results section shows. Note that this only proves the mail really came from the freshly registered domain that signed it, not that the sender is who they claim to be.
X-Mailer: CodeIgniter, User-Agent: CodeIgniter
This tells us that the "internet security specialist" probably uses the CodeIgniter PHP framework's e-mail library (documentation) to authenticate against the mail server and send the mails. Either this is carelessness, because this information could have been removed from the header or overwritten with a single line of code, or it's a feint, which I don't assume.
Probably the scammer pastes in some e-mail address dumps and runs a PHP script that generates and sends the mail for each of the pasted addresses.
As explained above, the mail is optimised against spam detection and was therefore not classified as spam.
We can deduce that the "internet security specialist" is probably a script kiddie who just sends auto-generated mails to e-mail address lists. The unsubscribe link seems to be customised, so the scammer would know if I clicked it. The BTC wallet also seems to be customised for each mail, which I found out while doing some web search. I don't think our internet security expert has anything to do with Anonymous, as they would not send this kind of blackmail to random people and, of course, operate at a much higher level of professionalism. Nonetheless this is a nasty scam that could make people pay a lot of money even if the mail's content does not apply to them at all.
My modest investigation stops here, as I'm not a security expert. If you can provide additional information, please let me know.