Two recent sextortion scam campaigns seem to rely on the Necurs botnet infrastructure to distribute the messages, security researchers have discovered.

Sextortion scammers pick their targets from leaked databases with email addresses and cracked passwords. Armed with this information, the scammers pretend to be in possession of videos showing the potential victim watch explicit videos.

In exchange for not sharing the video with people close to the victim, the scammer demands a payment in cryptocurrency.

Blame it on Aaron Smith

Researchers at Cisco Talos investigated two such campaigns - one started on August 30, the other on October 5 - and named them the 'Aaron Smith' sextortion scams after the 'From: header' of the messages.

Cisco Talos technical leader Jaeson Schultz says that the Aaron Smith campaigns sent out at least 233,236 sextortion emails from 137,606 unique IP addresses.

The number of distinct email addresses was 15,826, each recipient receiving on average a 15 sextortion messages. With one user, however, the scammers made an exception and delivered 354 messages, Schultz details.

The Necurs botnet connection

During their investigation, Talos researchers found that about 1,000 sending IP addresses involved in the Aaron Smith operations were also used in an international sextortion campaign IBM X-Force experts discovered in September and associated with the Necurs botnet.

Talos made the connection with Necurs based on 20 cryptocurrency wallets identified by IBM X-Force.

The financial details

The two Aaron Smith campaigns ran for about 60 days and the operators ask between $1,000 and $7,000 which are not tailored for each victim but randomly generated.

Victims that fell for the scam and paid a total of 23.3653711 bitcoins, the equivalent of $146,380.31. The bitcoins were distributed across 58,611 unique bitcoin wallet addresses, but only 83 of them had active balances.

However, the researchers found that some of the wallets received payments smaller than $1,000. The explanation for this was that some of the bitcoin wallet addresses were used in other spam campaigns.

These details are in contrast with other sextortion campaigns that proved more profitable. For instance, some scammers make at least €40,000 from victims in Europe.

Related Articles:

New Sextortion Scam Pretends to Come from Your Hacked Email Account

Fake Elon Musk Twitter Bitcoin Scam Earned 180K in One Day

Compression File Formats of the past Come Haunting in Spam Campaigns

Bushido-Powered DDoS Service Whipped Up from Leaked Code

Sites Trick Users Into Subscribing to Browser Notification Spam