
SANS ISC: Sextortion: Follow the Money Part 3 - The cashout begins! - Internet Security | DShield SANS ISC InfoSec Forums


Sextortion: Follow the Money Part 3 - The cashout begins!

There hasn't been much to update in the several months since the Sextortion: Follow the Money updates in Diary 1 and Diary 2. For those of you who didn't read those diaries: when the Sextortion email campaign began in July, I asked for ISC reader submissions of the BTC addresses from that campaign so we could attempt to follow the Bitcoins created by the payments from this campaign. By the last update in September the copycats were plentiful, but the payments from the original campaign were still sitting in their original BTC addresses.

Since the September update there have not been any new payments against the known BTC addresses from the original campaign. I am now tracking 434 BTC addresses. There have been 143 payments on 56 BTC addresses, for a total of about $105,000 USD. The Bitcoin value was nearly 3 times that when the tracking started in July, leading to speculation that the bad guys were waiting for some of that value to return before cashing out. Well, it looks like they finally got impatient.

Over the last couple of weeks the money has started to move. We always believed that the 400+ BTC addresses we were tracking from the original campaign were a small fraction of the addresses used in the campaign. The consolidation of the BTC totals, presumably with the intention of cashing out, has given a glimpse further into the scope of this campaign.

Of the tracked BTC addresses, 6 have had their balances zeroed through movement of the value to other BTC addresses. If you look at the chart below you can see those six addresses and how the payment value has moved, and consolidated, through intermediary addresses to end up in two BTC addresses.

I know that is an eye chart, but what it shows is that the BTC addresses have been consolidated, through intermediary addresses, into two BTC addresses: 1AdDewXEgRFdsXh73CxQp59S4j4efGsqQb, which contained about $21.5 Million USD, and 3JRQWBg5TnMHUzzhUhMPCJNCMNW6cZWWP5, which contained about $18.5 Million USD. Definitely a lucrative criminal enterprise. Keep in mind that the value that has been transferred out of those 6 BTC addresses is only about 14% of the payments, or about $15,000 USD of the $108,000 USD that I am tracking, so presumably this is just the beginning of a much bigger operation to consolidate and cash out. This also suggests that the nearly $40 Million USD that has been consolidated so far is only a small portion of the total haul from this campaign.

Here is the really interesting part. The Bitcoin totals in those two consolidated addresses have also been moving out, as expected, but as part of that movement the totals have been fragmented into smaller amounts again. The best guess is that they are being fragmented so they can be mixed, effectively breaking the connection between where the Bitcoins originated and where they are converted to cash by mixing, or tumbling, them with other Bitcoins. Effectively, money laundering for cryptocurrencies. I was able to find a couple of services that provide that capability: bestmixer.io and mix.io. For as little as 0.25% they will mix your cryptocoins with others and then spit clean ones out the other end.
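As an added illustration (not part of the original diary), here is a small Python sketch of the tracing described above, run over a constructed set of transactions: it follows tracked addresses forward through intermediaries, flags the addresses where value from several tracked addresses converged, and computes how much of the tracked payment value has been emptied so far. The address labels, amounts and the input-to-output linkage heuristic are assumptions, not chain data from the campaign.

```python
from collections import defaultdict, deque
# Constructed sample transactions (not real chain data), amounts in satoshi:
# each tx spends the listed input addresses and pays the listed outputs.
TXS = [
    {"inputs": {"tracked1": 10_000_000}, "outputs": {"hop1": 10_000_000}},
    {"inputs": {"tracked2": 5_000_000, "tracked3": 7_000_000},
     "outputs": {"hop1": 12_000_000}},
    {"inputs": {"hop1": 22_000_000}, "outputs": {"sinkA": 22_000_000}},
    {"inputs": {"tracked4": 3_000_000}, "outputs": {"sinkB": 3_000_000}},
    # consolidated value being split up again, as described in the diary
    {"inputs": {"sinkA": 22_000_000},
     "outputs": {"frag1": 11_000_000, "frag2": 11_000_000}},
]
# Constructed victim payments seen on the tracked addresses (satoshi).
PAYMENTS = {"tracked1": 10_000_000, "tracked2": 5_000_000,
            "tracked3": 7_000_000, "tracked4": 3_000_000, "tracked5": 9_000_000}

def spend_edges(txs):
    """Address -> addresses it paid, assuming the simple heuristic that every
    input of a transaction is linked to every output of that transaction."""
    edges = defaultdict(set)
    for tx in txs:
        for src in tx["inputs"]:
            edges[src].update(tx["outputs"])
    return edges

def follow_the_money(payments, txs):
    """Walk forward from each tracked address. Returns {address: set of tracked
    origins whose funds passed through it} for every address reached."""
    edges = spend_edges(txs)
    reached = defaultdict(set)
    for origin in payments:
        seen, queue = {origin}, deque([origin])
        while queue:
            for nxt in edges.get(queue.popleft(), ()):
                if nxt not in seen:  # 'seen' also stops loops in the graph
                    seen.add(nxt)
                    reached[nxt].add(origin)
                    queue.append(nxt)
    return dict(reached)

def consolidation_points(payments, txs):
    """Addresses where funds from two or more tracked addresses converged."""
    return {a: s for a, s in follow_the_money(payments, txs).items() if len(s) >= 2}

def cashout_progress(payments, txs):
    """(value moved out of tracked addresses, share of all tracked payments)."""
    spent = {a for tx in txs for a in tx["inputs"]}
    moved = sum(v for a, v in payments.items() if a in spent)
    return moved, round(moved / sum(payments.values()), 3)
```

On real data the input-to-output linkage over-approximates (a transaction's change output is linked too), so convergence points are leads to confirm by hand, not proof.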

From bestmixer.io:

Yet another essential service to the cyber-criminal enterprise.


-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
