Compromised Passwords Found on Servers Used for Sextortion Attacks

On March 2nd, 2020, Have I Been Pwned (HIBP) sent out breach notifications relating to credentials found on a server referenced by IP address, instead of Pastebin or other paste sites. Since this was an unusual breach notification, Binary Defense’s analysts began investigating the server and uncovered infrastructure used by a sextortion botnet. Sextortion is a fraud scheme that uses email messages that attempt to extort funds from victims using threats to release pictures that the criminals claim to have that show the victims in unflattering situations, typically related to sexual activities. This fraud scheme includes the victim’s password in the extortion email to make it appear that the attacker’s claim may be true, even if the attacker does not actually have any photos.

Using several methods of information collection, Binary Defense analysts were able to identify nearly four million credentials from the server, including many that were not previously located by HIBP, and shared information back to HIBP to help notify additional victims.  Additionally, Binary Defense analysts were able to create a tracker to track the sextortion botnet and identify additional servers.