I received a blackmail letter

Posted October 24, 2016

Got something very interesting in the mail a few days ago – a blackmail letter! Claiming that someone discovered that I have been unfaithful to my wife (which I haven’t been, I assure you). Obviously a phishing scam, but while these kinds of things may be common in email spamboxes, when USPS is used, it’s a felony. I did some research and it looks very much like a copycat of the Ashley Madison blackmail letters that went out last December, except the version I received only requires a name and an address. My name was only mentioned twice, and no other names were named. I’m attaching redacted copies.

Compare the letter I received (below) to the Ashley Madison one linked above.

  • The line spacing within-paragraph is the same,
  • the font face is the same,
  • the spacing between paragraphs is the same (which is noteworthy since it’s rather large spacing),
  • the requested amount ($2k) is exactly the same except that my version includes a comma in the number figure,
  • the language and font styling describing the “Receiving Bitcoin Address” is exactly the same, as is the wording from that point onward about things like “payment must be received by…”
  • the “THIS DOCUMENT IS TWO-SIDED” language on the bottom is also identical, although mine is right-aligned. Etcetera.

It’s such a close match that it’s obviously related to AM, but who would have taken the time to start with a physical letter and then match the formatting exactly in their own word template? Doesn’t make sense, unless there’s just one guy doing all this, which I doubt. I suspect that the digital file template that was used in the original AM blackmails is being shared on the darkwebs, although I haven’t ventured out to confirm. Sharing of source material is common, especially when the originator is feeling the heat and needs plausible deniability. Happened with the Mirai IoT Botnet source code.

The envelope used a physical stamp, and was sent from “Pittsburgh 150.” Impossible to say exactly where that is, but 150 is the first three in the 5-digit zip for the wide Pittsburgh region. I sent my original copy to the Pittsburgh US Postal Inspector, and I also filed a report with my local borough police in case these guys are shot-gunning letters to everyone in the neighborhood. It kind of unnerves me to imagine someone as nearby as downtown taking the time to stuff the envelope and drop it in the mailbox with my name on it, though. The day I received it, I found myself on edge when cars slowed down in front of our house. I suspect they got my address from the same place that junk mailers got it from. We’ll see what the inspector general finds, if anything. I doubt they’ll get much from the letter I sent them since I handled it so much, but maybe they’ll find something somewhere else.

On the cost issue from the perspective of the attacker: I’d be curious to know the response rates to postal letters versus spam emails, if the exact same message were sent out. I’d naturally predict that postal response rates would be much higher. But how much higher do they need to be, economically speaking? I’m having trouble finding an exact number (I know it’s in Brian Krebs’s Spam Nation, amazing book by the way), but an old estimate I found is that spam costs $0.00001 per email. So the response rate to a physical letter has to be at least 44,000 times higher than for a single spam email in order for it to make financial sense. I wouldn’t be surprised if it were. At 50 cents each and at 2k payout you’d only need a response rate of 1/4000 in order to break even.

Other considerations are that, for the letter I received, the attacker had to know that I am currently married, to a woman. They did not need to know my gender. My next curiosity is to see what’s available in the way of address list specificity. Maybe there is a specific list of “addresses of people married to a woman.” That’d be interesting. I’d also be interested to see what the street value is of each bit of information, e.g. the price of an address, birthday, home ownership status, credit cards owned, web searching behavior, etc. But I need to prepare a bit more before I delve into the darkwebs. VPN, Tor, etc.

What should you do if you also got a letter?

You should contact the U.S. Postal Inspection Service (USPIS). The agent handling the case is Kyle Parker ([email protected]). Shoot him an email, and cc me if you wouldn’t mind. You may also file a formal complaint on the agency website. The Postal Inspection Service is the lead agency and is working with the FBI and other federal and local agencies regarding this scheme. Due to the time sensitivity of this fraud, Inspector Parker requests that you scan a copy of the letter and envelope and send it to him directly as soon as possible.

This is still current as of 8/11/2018. Kyle is still leading the investigation.

There is a somewhat-copycat blackmail email floating around (First reported July 2018-ish)

It is an email that reports that the blackmailer has compromised your computer camera and recorded you doing embarrassing things. To “prove” the claim, the attacker shows you one of your legitimate passwords. Don’t worry, this is also a ruse. Your passwords have been compromised and leaked by a plethora of sites over the last decade or so, over and over again. Your personal information has likely also been available for sale on the black market for years, too. Best advice, do not reuse passwords across sites. Easy way to get pwned. Say you use the same password on LinkedIn as you do for your online banking portal. Bad move, LinkedIn got breached in 2012. Sites get breached every day. Equifax was not a new thing. It was just bigger, and no one really understands why they (data brokers) have our information in the first place, so the audacity was off the chart and therefore it got a lot of media attention. Check https://haveibeenpwned.com/ to see which mega-breaches your email account(s) may have been involved in. It’s a legit service run by Troy Hunt, security researcher. Sponsored by 1Password password manager, which I also use and recommend.

See here for more.


Update 11/9/2016: I made a first foray into the darkweb using Tor running on Tails in a VM (on a USB stick soon), but I didn’t find anything yet.

Update 10/27/2017: I got three emails today from other victims. I have only received one other email in the 12-ish months that this post has been up. Seems like another wave has gone out.

Update 10/28/2017: I have now received 8 emails from victims since yesterday. There’s definitely been another wave. At least five were postmarked “Nashville, Tennessee 370.” Several didn’t have the stamp cancelled out. Recipients are all over the US:

  • Portland, Oregon
  • Alabama
  • California (Unknown + Southern + San Francisco)
  • Fort Myers, Florida
  • Houston, Texas
  • Austin, Texas
  • Chandler, Arizona
  • Cincinnati, Ohio
  • Annandale, Virginia
  • Wilmington, Delaware
  • Seattle, Washington
  • Nashville, Tennessee (!)
  • York, Maine (a detective from the York police department reached out to me for that one)

All postmarked October 24, 2017.

Bitcoin addresses are unique.

By the way, nothing ever came from me ignoring the original letter I received.

A later version of the letter had these revisions:

  • First sentence is “I know about the secret you are keeping from your wife” instead of “I know you cheated on your wife.”
  • There’s a reference to “I stumbled across your misadventures while working a job around [location close to victim’s address]”, whereas before the location was not specified.

I know my name (all our names) are on a lot of lists for sale out there (the same lists that junk mailers use), but I still wonder, which list did the scammer use for this? Knowing that would answer the question – “why me?”. Probably just a mundane “people who are married” list of some kind, with random selection from the list. It’s not even a “people who are married and who probably have $2,000 to spare” list, because I got targeted when I was a doctoral student ¯\_(ツ)_/¯.

The other thing is that before, I got a letter postmarked from my local city (which was unnerving). So did another victim who contacted me last year. I wonder how the attacker pulled that off. Are there such things as local letter-sending mules? But this time, it’s all from Nashville?

Update 11/2/2017: By now, over two dozen people have contacted me. Thought it would be interesting to share the Google Analytics traffic to this blog post. I typically get ~3-5 visits a day, but since Oct 25th I’ve had an explosion. I’ve had 1,300 visits to the page in the past week, 960 of those being unique visits. If that’s any indication of the number of victims, that’s huge.


Update 11/22/2017: Another wave has been released! I’ve had another dozen people contact me so far. Dates for this wave are Nov 17th and 18th. A disproportionate number of people who have contacted me have been lawyers – seems the targeting is getting more sophisticated. One person reported that multiple people in their neighborhood received copies of the letter. Letter contents are exactly the same, except that the extortion amount has increased to either $2,500 or $3,500 (interesting, isn’t it?).

Again, victims are all over the U.S.

Update 12/14/2017: Two more waves have come out. One on December 1st, postmarked from Chattanooga TN 374, asking $2500. Another on December 2nd, again from Nashville, TN 370. Unsure about the dates of several sent in, but overall fewer people contacted me this time. Another received on December 11th, postmarked Birmingham AL 350. I wonder if the attacker is getting nervous about only using Nashville, so he’s using nearby post offices.

Update 1/8/2018: Birmingham from December 11th was a huge wave. Another wave started on Jan 2nd, 2018, this time out of Evansville, Indiana (IN). Evansville is noteworthy because it’s within two-ish hours from Nashville. Birmingham was also close to Nashville. Extortion amount for the Evansville wave is $3,500 (with a few interesting cases at $3,450 and $3,600 – I don’t know what to make of the small variance in pricing). The Birmingham wave demand got as high as $8,000!

(An earlier version of this update incorrectly stated that the new wave was out of Evanston Illinois. I got mixed up because someone in Evanston IL got a letter from Evansville IN.)

Update 1/26/2018: Another few weeks pass, another wave has begun. Postmarks 23 January, Chattanooga TN again. If you get a letter from this wave, please tell me the first sentence of your letter. The attacker has started saying “My name is ____”, but he uses a different name each time. I can’t decide if the attacker is just messing with me because he’s realized I’m collecting letters and is giving me a wild goose chase or a “fun” thing to collect, or if the attacker is just trying to throw off the google-ability of blog articles like mine. Either way, I’ll post some of the names I’ve seen the attacker use so far (below).

There’s a few other different things that stand out to me about this letter, from what I’ve seen from readers sending theirs in. Biggest change besides some new line breaks is that it includes the wife’s name peppered throughout. See lower for a transcribed excerpt from this letter.

Something else I noticed is that not everyone is getting the same kind of window mailer envelope. Some have the address on the top-right of the letter, and some on the top-left. Don’t know what to make of that.

A reader suggested that demand amount may be correlated with home value / property tax. Interesting idea. Doing so would be a “smart” way to extract the maximum amount from victims without being more than victims can pay.

Update 2/17/2018: Like clockwork, another wave, all postmark dates Feb 12 2018. What a nice letter to receive on Valentine’s Day… asking price seems to be north of $8k for all I’ve seen. Blackmailer is still using ridiculous handles. Shocker this time is that multiple post offices were used: so far, I’ve seen Wichita KS, Richmond VA, Raleigh NC, and Denver CO. Which begs the question, who else has the blackmailer recruited to help, and who is sending what where? Well…

Update July 19, 2018 – There has been something like one wave every three weeks consistently since the last wave I noted for February 12, 2018. Only notable difference is that the asking price has jumped to around $15k. Most coming from Nashville, some from Little Rock.

Update 31 August 2018: A twisted development has come to light. As of two weeks ago, the attacker has started to include a return address on the letters. The return addresses are for previous blackmail victims! Here’s USPIS inspector Kyle’s observation:

The return addresses started about two weeks ago. The return addresses are secondary victims who are being recycled from earlier letters. At this point, they are mostly attorneys and for the most part consistently being used from the same state as the postmark. Demand amounts exceeding $15k.

This sickens me (the new method, not Kyle ;-) ). Please don’t start a witch hunt going after the people listed on your return addresses.


Waves so far (precise dates are postmark dates)

  • October 2016 – I posted this article and only heard from one other person. If the letter had been posted back in time, I probably would have gotten more emails. Mine was postmarked Pittsburgh.
  • October 24, 2017 – Wave of letters, postmarked Nashville, Tennessee 370
  • Nov 17th and Nov 18th, 2017 – Nashville, TN again. Asking price $2,500 or $3,500
  • December 1st, 2017 – Chattanooga TN 374
  • December 2nd, 2017 – Nashville, TN 370
  • December 11th, 2017 – Birmingham AL 350 – asking price as high as $8,000
  • January 2nd, 2018 – Evansville, IN – asking price $3,450 to $3,600
  • January 23rd and 24th, 2018 – Chattanooga TN – asking price either ~$3,800, or low-to-high $8,000’s. Nothing in between.
  • February 12th, 2018 – Wichita KS, Denver CO, Richmond VA, Raleigh NC – asking price north of $8k.
  • Mid-August, 2018 – Attacker starts to include return addresses of previous victims.

Locations

Literally no rhyme or reason as far as I can tell. All over the United States. High variance within waves. Generally middle- or high-income neighborhoods though.

Google analytics

Interesting because you can clearly see the waves of letters in my traffic spikes. The flat line before October 2017 was my traffic to that page for the entire year before that.

Posted: 1/26/2018


Original Letter I received in October 2016

My scans of the letter I got in October 2016 (nothing received at the bitcoin address yet, I already checked. Probably unique anyway.):


Text excerpt of letters beginning October 2017

A friend recommended I post some of the text of the letter for SEO purposes (to help victims find this post), so here goes with the first two paragraphs:

I’m going to cut to the chase. I know about the secret you are keeping from your wife. More importantly, I have evidence of what you have been hiding. I won’t go into the specifics here in case your wife intercepts this, but you know what I am talking about.

You don’t know me personally and nobody hired me to look into you. Nor did I go out looking to burn you. It is just your bad luck that I stumbled across your misadventures while working a job around [redacted]. I then put in more time than I probably should have looking into your life. Frankly, I am ready to forget all about you and let you get on with your life. And I am going to give you two options that will accomplish that very thing. Those two options are either to ignore this letter, or simply pay me $2,000. Let’s examine those two options in more details.

And so on.

And here’s a PDF scan of one of the October 24, 2017 letters that a reader sent in. Removed because of the double-sided photoshop address recovery threat.

Text excerpt of letters beginning January 23 2018-ish that include wife name, with commentary.

I haven’t looked too closely at other letters that have been sent in to me to note more differences.

My name is SwiftDog~[redacted] and I know about the secret you are keeping from your wife and from everyone else. More importantly, I have evidence of what you have been hiding. I won’t go into the specifics here in case your wife intercepts this, but you know what I am talking about.

You don’t know me personally and nobody hired me to look into you. Nor did I go out looking to burn you. It is just your bad luck that I stumbled across your misadventures while working a job around [nearby place]. I then put in more time than I probably should have [note: “looking into your life” has been removed.]. Frankly, I am ready to forget all about you and [wife name!] and let you get on with your life. So I am going to give you two options that will accomplish that very thing. Those two options are either [note: “to” has been dropped here] ignore this letter, or simply pay me $3,800 [or whatever other varying amount.]

[new line break here] Let’s examine those two options in more detail.

Option 1 is to ignore this letter. Let me tell you what will happen if you choose this path. I will take this evidence and send it to everyone in your life, [this part is new:] especially [wife name]. And as insurance against you intercepting it before she gets it, I will also send copies to her friends, family, associates, and all your neighbors on and around [street name of address letter sent to]. So even if you decide to come clean with your wife, it won’t protect her from the humiliation she will feel when everyone she knows finds out your sordid details from me.

Option 2 is to pay me [amount]. We’ll call this my “confidentiality fee”. Now let me tell you what happens if you choose this path. Your secret remains your secret. You go on with your life as though none of this ever happened. Though you may want to do a better job at keeping your misdeeds [used to say indiscretion] secret in the future.

At this point you may be thinking, “[Used to say “This is blackmail!”] I’ll just go to the cops.” [Used to say: “Yes, this is blackmail. And yes, blackmail is illegal and I would likely do some jail time if caught.”] Which is why I have taken steps to ensure this letter cannot be traced back to me. So that won’t help, and it won’t stop the evidence from ruining your life. [Used to say: “So going to the cops won’t stop the evidence from being sent out and would destroy your life the same as Option 1.”] I’m not looking to break your bank. I just want to be compensated for the time I put into investigating you. [Used to say here: “[amount] will close the books on that”]

[snipped…]

payment must be received within 9 days of this letter’s post marked date. [Used to be “within 10 days”!] [Used to say: “There will be no further communication between us.”] If I don’t receive the bitcoin by the deadline, I will go ahead[…] the least you could do is tell [wife] so she can come up with an excuse to prepare her friends and family before they find out. The clock is ticking.


10 days is too long I guess, had to make it 9? I notice that in Brian Krebs’s transcription of the letter his reader sent him, the deadline was 12 days.

Wife’s name peppered throughout? Supposedly as an indicator that he actually knows something, I guess.
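To make the version-to-version comparison above repeatable as readers send in new variants, here is an added example (not part of the original post) that masks the fields that vary per recipient and then reports only the edits to the underlying template. The two excerpts are sentences from the October 2017 and January 2018 versions quoted on this page with the inline notes removed; the function names and the `<AMOUNT>`/`<HANDLE>` placeholders are assumptions of this example.

```python
import difflib
import re

# Selected sentences from the two letter versions quoted on this page,
# reconstructed for this example with the "[note: ...]" annotations removed.
OCT_2017 = (
    "I’m going to cut to the chase. I know about the secret you are keeping "
    "from your wife. More importantly, I have evidence of what you have been "
    "hiding. Those two options are either to ignore this letter, or simply "
    "pay me $2,000."
)
JAN_2018 = (
    "My name is SwiftDog~[redacted] and I know about the secret you are "
    "keeping from your wife and from everyone else. More importantly, I have "
    "evidence of what you have been hiding. Those two options are either "
    "ignore this letter, or simply pay me $3,800."
)


def normalize(text):
    """Mask per-recipient fields so that only template edits remain."""
    text = re.sub(r"\$\d[\d,]*\d", "<AMOUNT>", text)         # demand amount
    text = re.sub(r"(My name is )\S+", r"\1<HANDLE>", text)  # per-letter handle
    return text.split()


def template_changes(old, new):
    """Return (op, old_words, new_words) for each span that differs."""
    a, b = normalize(old), normalize(new)
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    return [(op, " ".join(a[i1:i2]), " ".join(b[j1:j2]))
            for op, i1, i2, j1, j2 in matcher.get_opcodes() if op != "equal"]


def similarity(old, new):
    """Word-level similarity after masking (1.0 means identical template)."""
    matcher = difflib.SequenceMatcher(None, normalize(old), normalize(new),
                                      autojunk=False)
    return matcher.ratio()


if __name__ == "__main__":
    for change in template_changes(OCT_2017, JAN_2018):
        print(change)
    print(round(similarity(OCT_2017, JAN_2018), 2))
```

Because the demand amount and handle are masked first, the differing amounts do not show up as a change; what remains is the new opening, the added “and from everyone else”, and the dropped “to”.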

Sample of ridiculous usernames I’ve seen the attacker use so far

In the 23 January 2018 wave, the attacker started beginning his letters with “My name is _______”. No two letters sent in to me have used the same name here so far. Here’s some I’ve seen, with numbers redacted.

  • GreenWolf
  • BlueWolf
  • BadOwl
  • SwiftOwl
  • WhiteBat
  • NightBat
  • BigShark
  • GreyBear
  • SwiftDog
  • BlackDog
  • BadStag
  • RedBear

Miscellaneous

Tags: security

Dave Eargle is a Senior Consultant in Cybersecurity Assessment at Carve Systems.
