
SANS ISC: Sextortion: Follow the Money - The Final Chapter - Internet Security | DShield SANS ISC InfoSec Forums


Sextortion: Follow the Money - The Final Chapter

For the background on this diary please see the previous diaries on Sextortion: Follow the Money: Diary 1, Diary 2, Diary 3

Since the last update in the Sextortion series I have continued to track the bitcoin addresses reported to the ISC.  Altogether 563 BTC addresses have been reported.  90 of those addresses received 497 payments totalling over $785,000 USD. That is an average payment of nearly $1600 USD at current Bitcoin prices. Over $530,000 USD of that value has been moved out of the tracked addresses, leaving about $250,000 USD still sitting in the tracked addresses.

I still believe that the addresses we are tracking are a very small percentage of the overall addresses used in the various sextortion campaigns, but even these addresses received, and moved out, a not insignificant amount of value.

As shown in Diary 3, at that point it was possible to track over $40 Million USD of payments being sent into Bitcoin mixers to have the payments laundered for extraction, and that was only a small amount of the value that was in the consolidation addresses.   The rest had not moved out yet, leaving over $100 Million USD behind presumably to be moved out later.

Unfortunately, shortly after that diary was published, the bad guys got more creative with the way they moved value out of the BTC wallets, breaking the tools I was using to find the consolidation wallets. It appeared as if they were consolidating the value in new addresses, fragmenting the value again, reconsolidating, etc., in order to make it far more difficult to follow where the value was going.

---------

UPDATE 20190805:  Please ignore the numbers below this update.  I am being told that my methodology was faulty and that some of these BTC wallets are known valid.  This clearly needs more investigation.  Sorry!

Still I was, with some patience, able to track some of the BTC value to some consolidation wallets, and the dollar values are truly frightening.  Keep in mind that I cannot attribute all of the value in these consolidation BTC addresses to the Sexploitation campaigns; all I can be sure of is that the money from some of the sexploitation BTC addresses was moved into these addresses, so presumably it belongs to the same criminal enterprise that was running the Sexploitation campaigns. Also, the value is based on the current value of Bitcoin.  With the volatility of Bitcoin the actual value may have been more or less at the time the value was moved out. Some of these consolidation BTC addresses appear to still be in use.  The values in them were changing as I was writing this diary.

Here are the top 5 consolidation BTC addresses by value that I could find:

Consolidation Address                  Total BTC           Total USD
39id1GfYff4x5r7UEALUjPYVQPGuMj5L1g   61.93172327         $683,881.05
3QR7FADzk6U227eJ3Ud1vxzmh4HNWpnbgp   140.1842615       $1,547,984.71
1DX3MvGTanzcTgnHw8SnorhgpQNHspSWTX     655.84167       $7,242,131.68
179KLpQM8Mse6MmG5gk6JTSokQohiGGrbh      6,437.50      $71,086,105.01
1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s  6,229,301.73  $68,787,064,396.14
                                                  ------------------
                                                  $68,867,624,498.59

Like I said, a truly frightening number... almost $69 Billion USD! It is important to remember that these consolidation addresses are the ones I was able to find using only our very limited set of tracked Sexploitation BTC addresses; there are very likely many more consolidation addresses in use.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
