‘This account has been hacked!’ email scam blackmails you for Bitcoin

This account has been hacked email scam

A sextortion email scam sends you an email from your own account, claims that your operating system was hacked, and tries to blackmail you for Bitcoin.


Sextortion email scams are becoming very common. Just about every week a new campaign appears out of the blue. The latest sextortion email that might appear in your inbox appears to be sent to you from your own email address and says that your operating system was hacked and a hacker has full access to your account.
This account has been hacked

The email message claims that there was a vulnerability in the software of the router that you were connected to and that they first hacked the router and placed malicious code on it. The email then says that a trojan was installed on the operating system of your device when you got onto the internet.

Furthermore, the email claims that the hacker used the camera on your device to take screenshots and pictures of you while you were visiting adult websites.

This is why this type of scam is referred to as a sextortion scam. The scammer tries to instill fear into your mind by claiming to have images of you while you visit adult or intimate websites.

To add to this, the scammer then claims that they will send the images of you to your contacts including your relatives, friends, and colleagues if you do not pay them.

The scammer insists that you pay them in Bitcoin. They say that once the payment is made they will not disturb you again as if it is some “hacker code of honor.”

Transcript from email message:

Subject: [your email address] – this account has been hacked! Change all your passwords!
From: [your email address]
To: [your email address]

Hello!

I have bad news for you.
19/07/2018 – on this day I hacked your operating system and got full access to your account [your email address]

It is useless to change the password, my malware intercepts it every time.

How it was:
In the software of the router to which you were connected that day, there was a vulnerability.
I first hacked this router and placed my malicious code on it.
When you entered in the Internet, my trojan was installed on the operating system of your device.

After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

A month ago, I wanted to lock your device and ask for a small amount of money to unlock.
But I looked at the sites that you regularly visit, and came to the big delight of your favorite resources.
I’m talking about sites for adults.

I want to say – you are a big, big pervert. You have unbridled fantasy!!!

After that, an idea came to my mind.
I made a screenshot of the intimate website where you have fun (you know what it is about, right?).
After that, I made a screenshot of your joys (using the camera of your device) and joined all together.
It turned out beautifully, do not doubt.

I am strongly belive that you would not like to show these pictures to your relatives, friends or colleagues.
I think $753 is a very small amount for my silence.
Besides, I spent a lot of time on you!

I accept money only in Bitcoins.
My BTC wallet: 1H9bS7Zb6LEANLkM8yiF8EsoGEtMEeLFvC

You do not know how to replenish a Bitcoin wallet?
In any search engine write “how to send money to btc wallet”.
It’s easier than send money to a credit card!

For payment you have a little more than two days (exactly 50 hours).
Do not worry, the timer will start at the moment when you open this letter. Yes, yes .. it has already started!

After payment, my virus and dirty photos with you self-destruct automatically.
Narrative, if I do not receive the specified amount from you, then your device will be blocked, and all your contacts will receive a photos with your “joys”.

I want you to be prudent.
– Do not try to find and destroy my virus! (All your data is already uploaded to a remote server)
– Do not try to contact me (this is not feasible, I sent you an email from your account)
– Various security services will not help you; formatting a disk or destroying a device will not help either, since your data is already on a remote server.

P.S. I guarantee you that I will not disturb you again after payment, as you are not my single victim.
This is a hacker code of honor.

From now on, I advise you to use good antiviruses and update them regularly (several times a day)!

Don’t be mad at me, everyone has their own work.
Farewell.

Although this might sound frightening and seem real, it is just a scam. Your account was not hacked and no one took pictures of you. The same exact message has been sent to many people and there have been many campaigns like it in the past. For example, a previous email claims that a spyware software developer hacked your account and shows you the past or current password to your email account. If you have never visited an adult website, you will still receive the same message. If your device does not have a camera, they will still claim to have taken pictures of you through your camera.

Email message campaigns like this are getting a lot of steam following breaches that occurred on websites in the past like LinkedIn and Adobe. They use information leaked about you (such as your email address, email account password, and telephone number) against you in order to attempt to blackmail you. To see where your email information may have been leaked from check out https://haveibeenpwned.com/. You can input your email address to locate where your information was leaked.

Since this is a scam and you are not in danger please DO NOT PAY THE SCAMMER. They have not accessed your email account and they have not taken photos or videos of you. The only thing that you need to do is change the password to your email address and other accounts you have to ensure your safety.

The email message does not mean that your computer is infected with malware if you received this email message or one like it; However, if you would like to scan your computer for malware and other potentially malicious files to make sure that your computer is clean we recommended to use Malwarebytes.

Here are some instructions to scan your computer for malware and remove malware if found:

1. Download Malwarebytes Anti-Malware software to scan your computer and remove malicious files and potentially unwanted programs.

2. To install the program, click the file you just downloaded. It can usually be located in the Download folder.

install malwarebytes

3. A window that says “Welcome to the Malwarebytes Setup Wizard” will appear. Click Agree and Install to begin the installation. Once complete, click Finish.

scan now

4. Now the Malwarebytes is installed, open the program and click the Scan Now button – or go to the Scan tab and click the Start Scan button.

quarantine selected

3. When the scan is complete click the Quarantine Selected button.

4. If Malwarebytes says “All selected items have been removed successfully. A log file has been saved to the logs folder. Your computer needs to be restarted to complete the removal process. Would you like to restart now?” click the Yes button to restart your computer.

Sean Doyle

Sean Doyle is a tech author and engineer with over 20 years of experience in cybersecurity, privacy, malware, Google Analytics, online marketing, and other topics. Sean's content has been featured in numerous publications.

27 Responses

  1. Matt says:

    It’s still going on I received one on the 8 th December and one on Monday 17th saying something similar that my account has been ha
    Hacked and I need to pay $738 or he’s going to leak my data to my contacts

  2. Anonymous says:

    It’s still going on I received one on the 8 th December and one on Monday 17th saying something similar that my account has been ha
    Hacked and I need to pay $738

  3. Chris says:

    This happened to my parents’ Verizon account recently. There were multiple emails, and the ‘hacker’ had written their previous passwords in the subject line, so that was concerning. Also, they changed the passwords on the router, wifi and email and the ‘hacker’ STILL got another one of these messages through. Ordinarily we wouldn’t be concerned, but they lost their pc to ransomware about two years ago.

  4. terry says:

    Im being bombarded by these mostly daily at least 6 at a time and they are now using a From : with various names made up from nonsence,the subject: line was always the e mail address i use followed by “has been hacked”,the new take on this is now to add the words security alert infront of the original subject line,when i looked at the headers they were saying i had sent them myself originally but now they seem to be just made up nonsence as to who sent them,its quite astonishing that the claimed password they say ive used is also complete rubbish its just nothing ive used and neither was the hotmail.com e mail address attached to it,so i believe my non hotmail e mail address has been leaked..

  5. Anonymous says:

    if you pull the header information IP traceroute you will see that the sender (in my case) is not your isp, even though it is spoofed. The password they gave me in the email is for the US retailer Target and a password I have not used in years. I keep all my passwords in classes, so that when someone says they are compromised that i know where this is from. I am honestly suprised it took this long for someone to try to use it.

  6. Allen says:

    I also received this email on the 22nd November. Been advised by technical support it is a scam.The above transcript is the same except for bitcoin number & amount to pay.

  7. Anonymous says:

    Spoof!

  8. Laura says:

    I did recieve this email. The same day that the hacker suggested, I could not get on to my phone. Is that the same for everyone else?

  9. Shay says:

    I recieved the same email and it honestly petrified me. Thank goodness I found this thread. I would advise everyone to change the passwords they stated in the email.
    I think it’s just a spam email using a spoof.

  10. Anonymous says:

    Still looking for info on how the sender could spoof the SMTP server that it was received from. If anyone is curious, I utilize InmotionHosting and the source definitely shows it passing through their smtp host. Maybe something is infected internally at inmotionhosting? I have already notified the originating IPs web host (in Columbia) but am still trying to find out from inmotion if i have access smtp logs or email account access logs. I also notice the x-mailer info, etc is a bit strange.

    Received: from [SENDER IP] (port=26143)
    by biz***.inmotionhosting.com with esmtp (Exim 4.91)
    (envelope-from )
    id private
    for myemail@mydomain.com;
    Message-ID:
    From:
    To:
    Subject: myemail@mydomain.com – this account has been hacked! Change all your passwords!
    Date:
    MIME-Version: 1.0
    Content-Type: text/plain;
    charset=”ibm852″
    Content-Transfer-Encoding: 8bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Windows Live Mail 15.4.3508.1109
    X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3508.1109

  11. Anonymous says:

    Still looking for info on how the sender could spoof the SMTP server that it was received from. If anyone is curious, I utilize InmotionHosting and the source definitely shows it passing through their smtp host. Maybe something is infected internally at inmotionhosting? I have already notified the originating IPs web host (in Columbia) but am still trying to find out from inmotion if i have access smtp logs or email account access logs. I also notice the x-mailer info, etc is a bit strange.

    Received: from [190.127.196.235] (port=26143)
    by biz***.inmotionhosting.com with esmtp (Exim 4.91)
    (envelope-from )
    id private
    for myemail@mydomain.com;
    Message-ID:
    From:
    To:
    Subject: myemail@mydomain.com – this account has been hacked! Change all your passwords!
    Date: 18 Nov 2018 14:32:12 -0600
    MIME-Version: 1.0
    Content-Type: text/plain;
    charset=”ibm852″
    Content-Transfer-Encoding: 8bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Windows Live Mail 15.4.3508.1109
    X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3508.1109

  12. Anonymous says:

    Yes, it was strange because I did look at the headers and they are somehow spoofing the headers to match my server even if it is not in my sent box? That part had me a bit confused. I did change my email pw just in case. But had additional concern that if they did actually get into my account they could have downloaded some of my notes to self and get across to other accounts from there even though they’re disguised. Definitely not too worried about it as I have no adult websites in there which was the first red flag… it is the possibly spoofed headers that have me scratching my head a bit and wondering what has or has not really happened here.

    • Anonymous says:

      Still looking for info on how the sender could spoof the SMTP server that it was received from. If anyone is curious, I utilize InmotionHosting and the source definitely shows it passing through their smtp host. Maybe something is infected internally at inmotionhosting? I have already notified the originating IPs web host (in Columbia) but am still trying to find out from inmotion if i have access smtp logs or email account access logs. I also notice the x-mailer info, etc is a bit strange.

      Received: from [SENDER IP] (port=26143)
      by biz***.inmotionhosting.com with esmtp (Exim 4.91)
      (envelope-from )
      id private
      for myemail@mydomain.com;
      Message-ID:
      From:
      To:
      Subject: myemail@mydomain.com – this account has been hacked! Change all your passwords!
      Date:
      MIME-Version: 1.0
      Content-Type: text/plain;
      charset=”ibm852″
      Content-Transfer-Encoding: 8bit
      X-Priority: 3
      X-MSMail-Priority: Normal
      X-Mailer: Microsoft Windows Live Mail 15.4.3508.1109
      X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3508.1109

      • Sean Doyle says:

        They use a simple email spoofing service like anonymailer. There’s nothing to it.

        You are referring to “failed messages” in your comment. Those are sometimes generated by spam filters. They are generated when the spammer/scammer spoofs your email address and send a third-party recipient a message. An outbound filtering service will then essentially notify you that a message sent from your account (spoofed account) was flagged as spam. It can also be triggered when the IP used to send the message is blacklisted.

        • Anonymous says:

          No I don’t think it has anything to do with returned emails. The headers actually look like they genuinely sent through the same SMTP as my account would. On spoofed email, I’d expect the reply to, etc to all be spoofed but the actual server looks fairly legitimate. I opened up a ticket with my web host for the exim logs to see if they can find anything. All update if the host finds anything. Also, sorry for posting the same details three time up there. Something got jammed up and I didn’t think anything had posted.

          • Sean Doyle says:

            Hello,

            I can tell you with absolute certainty that your email was spoofed. No one was logged into your account. The type of messages you are referencing have been sent to most people and their ‘server’ information was also shown; even after they changed their passwords. This happens when you use a spoofing service like anonymailer. If you want to physically see this, send yourself an email using anonymailer with the same information in the email you received.

            Also please be aware that it is a high volume scam. They are throwing a needle into a haystack and hoping to make an impact somewhere. They will not take their time to individually log into everyone’s account. That takes much longer, is a risk, and is not worth it when you might be able to only trick 1 out of 10,000 people. Also note, many email services will block or question suspicious requests for access so it would be too big of an issue and risk for a scammer just to target someone that probably won’t believe what they’re reading or even open the message they receive.

            Hope this is able to clear some things up.

            • Gabi says:

              Hello Sean, does it mean that I do not need to change my password? Thank you!

              • Sean Doyle says:

                Hello,

                It means that your information (such as your email address) was leaked somewhere online following a breach. In previous versions of these scams they would provide you with your email accounts password in order to frighten you. You most definitely should change your password.

    • Anonymous says:

      my web host is in los angeles. I’m wondering if this was an infection on their network

  13. Anonymous says:

    It’s a spoof email. It will NOT be in your sent box. Just ignore it. Don’t even open it. Just delete it. IT’S ALL FAKE. JUST CHANGE YOUR PASSWORDS on all your accounts. Not just emails. Everything. Including your credit card sites, even supermarkets. EVERYTHING.

  14. Mark says:

    Its all baloney, my website-admins confirmed taht they did not really hack the account, they have means to make it look that way. Dont pay money, dont get nervous, nothing will happen. Ignore it.

  15. Anonymous says:

    I received the same email and my website-admins told me that even the supposedly hacking the email-account is not true, they have means to make it look like it. Dont pay the money, dont worry, its all baloney.

  16. Gabi says:

    Anonymous Nov 19, 9:36 am –> does it mean that I do not need to change my password? Thank you!

  17. Anonymous says:

    Anonymous: this is because they just send this mail from another server and spoof the origin. Just look at the headers and you’ll see it’s not sent from your server.

  18. Anonymous says:

    i did too… what i’m confused about is how did they send from my account and why isn’t the email they sent in my sent box. Did they really send from my account or did they just spoof like they did. Do I really need to change my password? It’s strange.

  19. Lionel says:

    I received this same email and am concerned. what do you advise??

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.