“Hello! My nickname in darknet is des53” – dissecting the extortion

By Will Wisser
Posted on November 2, 2018

Online scammers have recently launched an extortion campaign through “Hello! My nickname in darknet is des53” emails – here’s what you need to know about it.

Darknet, dark web, deep web – all of these concepts have come to designate the enigmatic and elusive cybercriminal underground. The aura of secrecy, fueled by numerous science fiction movie plots, instills fear when people encounter one of these terms in real life. The crooks out there couldn’t possibly pass up this apprehension, so they coin and fire off email scams that revolve around the hacker theme and thus pressure users into following their demands. The latest large-scale fraud wave from this category involves email messages that start with the spooky phrase “Hello! My nickname in darknet is des53”. The subject of such a spoof email will state that the recipient’s account is hacked, just to scare the person further.

[Image: “Hello! My nickname in darknet is des53” email scam – the message body]

The most unsettling part about the whole scheme is that the sender appears to know the victim’s real email password, a currently used one or – more likely – valid old credentials that have already been changed. This stems from the fact that the “From” field in the message header matches the receiving address. In some variations of this scam, the message body will actually include the victim’s password. One way or another, the fact of someone knowing your sensitive credentials is an element of persuasiveness, and the felons try to take advantage of it to the fullest.

Below is the full text of this hoax – note that the wording may vary slightly in different sub-campaigns, but the core idea is basically the same.

Hello! My nickname in darknet is des53. I hacked this mailbox more than six months ago.
Through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time. Even if you changed the password after that – it does not matter, my virus intercepted all the caching data on your computer and automatically saved access for me. I have access to all your accounts, social networks, email, browsing history. Accordingly, I have the data of all your contacts, files from your computer, photos and videos.

I was most struck by the adult sites that you occasionally visit. You have a very wild imagination, I tell you! During your pastime and entertainment there, I took screenshot through the camera of your device, synchronizing with what you are watching. Oh my god! You were so funny and excited!

I think that you do not want all your contacts to get these files, right? If you are of the same opinion, then I think that $880 is quite a fair price to destroy the dirt I created. Send the above amount to my Bitcoin wallet: [Redacted]

As soon as the above amount is received, I guarantee that the data will be deleted, I do not need it. Otherwise, these files and history of visiting sites will get all your contacts from your device. Also, I’ll send to everyone your contact access to your email and access logs, which I have carefully saved.

Since reading this letter you have 48 hours! After your reading this message, I’ll receive an automatic notification that you have seen the letter. I hope I taught you a good lesson. Visit safe websites only, and don’t enter your passwords anywhere! Good luck!

Let’s now dissect the tactic of blackmail proper. The self-proclaimed “hacker” says he has dropped a virus (trojan) onto the target computer, and it has allegedly intercepted all caching data and saved the user’s contacts, personal files, photos and videos.
Furthermore, the malicious code has presumably taken a picture of the user as they were watching adult content online, and the attacker claims to have synchronized this image with the screenshot of what exactly they were watching. Then, the swindler threatens to send these “incriminating” materials to all of the user’s contacts. In order to avoid the embarrassment, the recipient is coerced into paying a ransom in Bitcoin. Its size is $800-$900 worth of cryptocurrency, which des53 – whoever he may be – thinks is a “fair price to destroy the dirt” he has compiled.

By the way, there are other nicknames that can also be mentioned in these deceptive emails. The frequently reported ones include: artie71, josephus63, brion40, hort17, saunderson53, nickola53, demetre97, hansiain16, bartlet56, fransisco73, fitzgerald59, alexandr88, gray24, fred26, rockwell79, zacherie99, rafaelle76, weston87, and gordie49.

[Image: A slightly different variant of the “Hello! My nickname in darknet is des53” scam]

To top it off, the malefactor sets a deadline for payment. Unless the victim coughs up the money in 48 hours, the sensitive stuff will supposedly go to their family, friends and colleagues. All in all, this form of hoax is commonly referred to as sextortion (sex + extortion), but in this particular scenario the term is only partially relevant because the crook doesn’t actually have any ignominious information at their disposal. This is nothing but bluff – keep it in mind. The fraud in question bears a close resemblance to other recent blackmail waves, including the “Hacker who cracked your email” and “I’m a programmer who cracked your email” scams currently in rotation.

Now, at this point, it makes sense to dot the i’s and cross the t’s. The allegation about the wannabe hacker having your password is debatable. He may have actually obtained it from one of the past compromises of major Internet services. In this case, the credentials are probably old and have already been changed.
Sometimes, though, the culprits employ a technique called email spoofing, which allows them to mimic one’s real email address so that it looks as if the message had been sent from the victim’s account. You can differentiate between these two scenarios by scrutinizing the message body. If it includes a password, then you’re dealing with someone who has access to a credentials dump stemming from a service breach. Otherwise, you are being manipulated by means of email spoofing. What both of these variants have in common is that the fraudster doesn’t actually have any embarrassing photos of you or screenshots of sites you have visited. This is simply a method to get you on the hook and add some intimidation to the mix.

So, what’s the verdict? If you have received the “Hello! My nickname in darknet is des53” email (again, the nickname may vary), refrain from submitting any funds to the sender’s BTC wallet. You can safely delete this message. However, just to make sure you’re on the safe side, consider changing your email password and having your system scanned for spyware with a trustworthy security solution.
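
The check described above (password in the body means a credentials dump, otherwise a spoofed “From”) can be automated for mailbox triage. The following is an added example, not part of the original article: the sample message is constructed, the known_old_passwords parameter is a hypothetical list the recipient supplies locally, and it assumes the receiving mail server stamps an Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real capture); Authentication-Results is the header
# a receiving mail server adds, and its values here are assumed for the demo.
SAMPLE = """\
From: alice@example.com
To: alice@example.com
Subject: Your account is hacked
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk.invalid; dkim=none; dmarc=fail header.from=example.com

Hello! My nickname in darknet is des53. I hacked this mailbox more than six months ago.
Send the above amount to my Bitcoin wallet: [Redacted]
Since reading this letter you have 48 hours!
"""

# Nicknames reported on the page are a name followed by digits (des53, artie71, ...).
NICK_RE = re.compile(r"my nickname in darknet is\s+([a-z]+\d+)\b", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def triage(raw, known_old_passwords=()):
    """Classify one message; known_old_passwords is a hypothetical local list."""
    msg = message_from_string(raw)
    # Decode every leaf part so base64/quoted-printable bodies are searchable.
    body = "".join(
        (p.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for p in msg.walk() if not p.is_multipart()
    )
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    auth = {k.lower(): v.lower()
            for k, v in AUTH_RE.findall(msg.get("Authentication-Results", ""))}
    nick = NICK_RE.search(body)
    self_addressed = bool(sender) and sender == rcpt
    leaked = any(p and p in body for p in known_old_passwords)
    if leaked:                      # password quoted in body -> breach dump
        scenario = "credential dump"
    elif self_addressed:            # no password, From == To -> spoofed header
        scenario = "spoofed From"
    else:
        scenario = "unclassified"
    return {
        "template_match": bool(nick),
        "nickname": nick.group(1) if nick else None,
        "self_addressed": self_addressed,
        "auth_failed": "fail" in (auth.get("spf"), auth.get("dmarc")),
        "scenario": scenario,
    }
```

A message that matches the template, is addressed from the recipient to themselves and fails SPF or DMARC was forged by an outside sender rather than sent from the real mailbox.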