Extortionists earning big bucks through Ashley Madison scam, researcher says

Ashley Madison users who had their personal data dumped online don’t have many options with regards to recourse, but a researcher says gullible account holders have nevertheless given extortionists thousands of dollars in recent weeks in hopes of having their hacked data removed from the Web.

Despite warnings from law enforcement, Ashley Madison members appear to have given extortionists at least $6,400 so far, wrote Toshiro Nishimura, of network security firm Cloudmark.

Soon after the records of some 37.5 million Ashley Madison account holders were leaked online last month, blackmailers began reaching out to affected users through emails in which they promised to keep their embarrassing data from being disclosed in exchange for a nominal fee.

Staff Superintendent Bryce Evans of Toronto Police Service told reporters at a subsequent press conference that investigators were aware of the scheme and warned members, “Nobody is going to be able to erase that information.”

Regardless, an analysis of all online transactions during the past few months indicates that dozens of users have fallen for the scam, Mr. Nishimura wrote on Tuesday.

Mr. Nishimura recalled that the emails all appeared to request “exactly 1.05” in Bitcoin, a digital crypto currency that can’t easily be traced. Because transactions between anonymous Bitcoin user are recorded in the “blockchain” that powers the technology, however, he was able to review past activity during the last few months and see a statistical jump with respect to payments in that specific amount.

According to the researcher, 67 suspicious transactions totaling the equivalent of $15,814 (USD) were conducted through the blockchain during the relevant time frame.

More specifically, he said that payments in the amount of 1.05 BTC made up 8.9 transactions per 100,000 during the relevant extortion period. When compared with the span of time three-months prior to the data dump, Mr. Nishimura said transactions in that amount were done at a rate of approximately 5.3 per 100,000 transactions.

Statistically, the researcher says it appears as if the scam is working to at least some degree.

The researcher said it can be mathematically inferred that “perhaps the 40 percent of the 67 transactions totaling approximately $6,400 USD may be attributable to victims paying the blackmail,” based off of his own blockchain analysis and statistical theorems.

While Mr. Nishimura cautioned that he couldn’t make any conclusive determinations, he said that his analysis suggests the extortion campaign “could have yielded a worthwhile sum for very little effort.”

“All the blackmailer had to do was download the Ashley Madison data, extract the email addresses, generate a Bitcoin address for each victim and send out the emails,” he added. Given the sheer size of the website’s user base, the scam could have netted more than $1 million if it work on just a fraction of a percentage of its members.

Unfortunately for the customers who fell for the scam, purging private data from the Web is easier said than done. Others affected by the breach have since sought a remedy in the form of several lawsuits filed in the last few weeks against Ashley Madison and its parent company, Avid Life Media.

Complaints entered in the U.S. and Canada accuse the firms of negligence and causing emotional distress, and attorneys for the members have asked for more than $1 billion in compensation between the suits.