The Sextortion Email Scam: It Has Your Password, Not a Video
Also filed under: sextortion email scam · Bitcoin blackmail email · webcam blackmail scam · password extortion email
There is no video. The email in your inbox claiming a hacker filmed you through your webcam, complete with a password you actually recognize, is a bluff sent to hundreds of thousands of people at once, and the password is the only true thing in it. It came from an old data breach, bought in bulk for less than the Bitcoin they are asking you for.
The scam's entire engine is that one moment of recognition. You see a real password of yours in a threatening email, your stomach drops, and every wild claim after it borrows credibility from that single stolen fact. It is a magic trick performed with a spreadsheet.
How the con runs
It starts with a breach, and not yours personally, just some website you signed up for years ago that leaked its user database. Email addresses and passwords from those leaks circulate in bulk, and the scammer buys a list. A script then mails everyone on it the same script: I installed malware on your device, I recorded you through your camera visiting adult sites, and here is your password as proof I own your machine.
The password proves nothing of the sort. It proves a website you once used had bad security. But paired with a claim about private browsing habits, it lands on a statistically reliable fraction of recipients who feel a flash of plausibility, and shame does the rest of the sales work. The demand is Bitcoin, usually a few hundred to a couple thousand dollars, with a countdown of 24 to 72 hours because panic has a shelf life.
Newer variants dress the bluff up further: your home address in the subject line, a Google Street View photo of your house attached, a PDF 'report.' All of it is public or breached data arranged to look like surveillance. None of it is evidence of a camera recording, because there is no recording, and if there were, blackmailers show samples. It is the one industry where the honest ones prove their claims.
The economics explain everything. Sending a million emails costs almost nothing, so even if 99.9 percent of recipients delete it, the remainder funds the operation. You are not a target, you are a rounding error that occasionally pays.
Play defense
- Do not pay and do not reply. A reply confirms your address is live and attentive, which upgrades you from list entry to prospect.
- Change that password anywhere it is still in use, and stop reusing passwords across sites. The breach that leaked it will not be the last one.
- Turn on two-factor authentication on your email and important accounts. It makes the leaked password nearly worthless to anyone who actually tries to use it.
- Check which breaches exposed your accounts at haveibeenpwned.com, a free and legitimate service. Knowing the source drains the email of its remaining mystery.
- If a webcam cover buys you peace of mind, they cost about two dollars. Cheap insurance against a threat that, in this case, was fictional anyway.
Already got hit?
- If you paid, report it at ic3.gov immediately with the Bitcoin address from the email. Crypto payments are traceable on the blockchain, and fast reports occasionally catch funds at an exchange.
- Report the email at reportfraud.ftc.gov and use your email provider's report-phishing button, which helps filters bury the next wave.
- Do not negotiate or send follow-up payments. Payers get re-extorted, because the scammer's records have exactly one useful column: who paid.
- Change the exposed password everywhere and enable two-factor authentication now, since paying confirmed nothing about your device but plenty about your breach exposure.
- If the threat involves real images of you, that is a different and more serious crime: report it to ic3.gov, and if a minor is involved, to NCMEC's CyberTipline. Real sextortion has real remedies, and paying is still the wrong one.
Questions people ask at 2 a.m.
The email has my real password. Doesn't that mean they hacked my computer?
No. The password came from a data breach at some website where you used it, and those breach lists are bought and sold in bulk. The scammer mailed the same threat to a huge list, inserting each victim's leaked password as fake proof. Your device was never touched.
Could there actually be a video of me?
In this scam, no. The email is a template blasted to enormous mailing lists, and no variant of it has ever been backed by real footage. A genuine blackmailer proves possession with a sample, because that is what makes victims pay. No proof means no video.
What should I do after getting one of these emails?
Delete it, change the leaked password anywhere you still use it, and turn on two-factor authentication. Do not reply or pay. If you already paid, report the Bitcoin address at ic3.gov and the scam at reportfraud.ftc.gov as soon as possible.