How do Bitcoin wallet threats get distributed?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Bitcoin extortion emails (sometimes called "sextortion scams") follow a surprisingly consistent playbook. Understanding it makes them much easier to dismiss.

The distribution mechanism is bulk email: attackers send these messages to millions of addresses at once, usually from lists obtained in data breaches. The economics work because even if 0.01% of recipients pay, the cost of sending is effectively zero. Each email claims to have compromising information (surveillance footage, embarrassing browser history, webcam recordings) and demands payment to a Bitcoin address to keep it private.

To add credibility, attackers often include a real password associated with the recipient's email address, sourced from breach databases like those aggregated by Have I Been Pwned. Seeing a real former password makes the threat feel much more credible than it actually is. In almost all cases, there is no actual compromising material. The attackers don't know anything specific about the recipient.

Bitcoin is specified for payment because it's pseudonymous and the transactions are irreversible. Once you've sent Bitcoin to a wallet address, there's no chargebacks, no disputes, no takebacks. The payment is also difficult to trace to a specific individual without significant resources.

What makes these effective at scale: the threat targets something people already feel shame or anxiety about, the password makes it feel targeted rather than mass-sent, and the irreversibility of Bitcoin payment creates urgency. These three elements together generate enough responses to be profitable even with extremely low response rates.

If you receive one: don't pay. Change the mentioned password if you haven't already. Report it as spam. There's no evidence attackers actually have what they claim in the overwhelming majority of cases. If you're an organization seeing these target your employees, security awareness training that specifically covers sextortion emails reduces the number of people who panic and pay.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Assess this extortion email threat

I or someone in my organization received a Bitcoin extortion email and I want to assess the risk. Here's the situation: - Whether the email included a real password: yes / no - The specific threat made: describe briefly - Whether the recipient has actually clicked unusual links recently: yes / no / not sure - Whether this is personal or work email: personal / work Help me assess whether this is a real threat or a mass-sent scam, what we should do right now, and whether we need to take any technical steps.

Edit the yellow boxes, then send to the AI of your choice.