Bitcoin Phishing: The n1ghtm4r3 Emails
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Bitcoin Phishing: The n1ghtm4r3 Emails

The story of how a scumbag named n1ghtm4r3 polluted our inbox with Bitcoin Phishing emails.

Let’s have a little fun today and talk about some Bitcoin phishing emails that have been showing up in our inbox lately. They’re from a “hacker” who goes by the alias “n1ghtm4r3.”

Before we get started, I need to warn you that there’s going to be some naughty language in this article. I didn’t use it, n1ghtm4r3 did. Not that I don’t use it. Just rarely on here.

Anyway, over the course of the last… six months or so? This n1ghtm4r3 fellow has been emailing various addresses at our company. He is attempting, albeit poorly, to blackmail us into sending him Bitcoin. He’s phishing for Bitcoin.

Obviously, we write about phishing quite a lot. In fact, we’ve written an entire eBook about it. That’s why these Bitcoin phishing attempts are amusing to us. But to others? Maybe not so much. A quick Google search for n1ghtm4r3 turns up dozens of articles related to his specific scam.

So, in the interest of public safety (and because it seemed like a fun thing to write about), today we’re going to cover these n1ghtm4r3 emails, Bitcoin phishing, and what you should do if one of these gems ends up in your inbox.

Let’s hash it out.

The story of the n1ghtm4r3 Bitcoin Phishing emails

Let’s start with n1ghtm4r3, and then we’ll zoom out a bit. Because this isn’t anything new.

Last Wednesday, August 28th, one of our distribution list accounts,, received this absolute gem of a Bitcoin phishing email.

Bitcoin Phishing Scam Email

I had to zoom out to 75% and still couldn’t get all of this windbag’s message to fit on the screen. So here it is in its entirety:

Subject: I know you are a pedophile ..

Yeah. I know you are a pedophile.
Actually I know way more about you than you think.
I am a computer scientist (internet security specialist) with affiliation with the Anonymous group.
Few months ago you downloaded an application.
That application had a special code implanted purposely.
Since the moment you installed it, your device started to act like a Remote Desktop I was able to access anytime.
The program allowed me to access your desktop, your camera(s), your files, passwords and contact lists. I also know where you live and where you work..
I was observing you for quite some time and what I have collected here is overwhelming.
I know about your sexual preferences and your interest in young bodies.
I have secured 4 video files clearly showing how you mɑsturbate (captured from your camera) to young teenagers (captured from your internet browser).
Glued together is a pretty overwhelming evidence that you are a pedophile.
The timestamps on the video files indicate the exact time you have been mɑsturbating to teenagers:
Retention_thesslstore_com_1564319884.mp4 (83.2 MB)
Retention_thesslstore_com_1566175291.mp4 (100.4 MB)
Retention_thesslstore_com_1565689335.mp4 (19.8 MB)
Retention_thesslstore_com_1565578231.mp4 (66.5 MB)
I am not here to judge the morality of your sexual preferences, I am here to make money. Because I know you are a wealthy person and that you do care about your reputation, I am willing to gίve you a chance to atone and I will leave you alone.
You do know what Bitcoin is, right ?
You must fund a special address with 5.000 GBP in Bitcoin, otherwise, I am going to seƞd those video files to your family members, friends and your work buddies.
I know it may be time consuming to buy 5.000 GBP in bitcoin, so I will gίve you exɑctly one week. Search on google ‘how to buy bitcoin’ and seƞd it to me.
Enough is enough. I have seen enough..
If you do not Ѕeƞd the bitcoins in one week, I will also Ѕeƞd those video recordings to your local police office. Your life will be ruined, trust me. Ƭrɑnsfer details are below..
Ѕeƞd exɑctly:
0.6328047 BTC
to my bitcoin address:
(copy and paste)
1 BTC is worth 7.922 GBP right now, so Ѕeƞd exɑctly: 0.6328047 BTC.
Make sure the amounț and address is copied correctly – this way I will know the trɑnsfer is coming from you.
As soon as you seƞd bitcoins, I will remove the videos from my drive and remove the software allowing me to access your device.
If you do not cooperate, I will start seƞding out those videos to people you care about.
Not excluded that after seƞding to one person, I will ask 10x more from you. I can make you suffer, trust me.
Don’t even think about going to police. If you try, I will immediately know it and I will Ѕeƞd them your mɑsturbation videos, pedo.
5.000 GBP is a fair price for my Ѕileƞce don’t you think?
You have only one week & better act fast.
Ѕeƞd exɑctly:
0.6328047 BTC
to my bitcoin address:
(copy and paste)
Do not reply to this email, it’s an untraceable one time message.
I will contact you.
Remember, I am watching you.

Alrighty, now let’s dissect this puppy. That came out weird. Now let’s take a look at the tactics used in this threatening email asking for Bitcoin.

The Premise

Bitcoin Phishing

The concept is simple. As we said, this isn’t new. The proverbial wheel wasn’t reinvented for this. This is just an attempt to:

  • Convince someone you have some damaging information about them
  • Blackmail them with it

In this case, the “hacker” is attempting to convince us that he’s been watching us through our webcam for the last four months and developing some type of pedophilic dossier that he will now use to ruin our lives unless we pay him about $5,000 worth of Bitcoin.

It’s all bullshit. For starters, as we said at the outset, this is a distro list. There isn’t a person associated with this account. There is no one at our office named Barry Retention or anything like that.

Second, the idea that some hacker played the long game, infected a computer system and sat around for four months watching someone else watch porn is downright laughable. Law enforcement doesn’t even spend that long on pedophile stings. No hacker is waiting around like that. What’s more, if he truly had compromised a device so it “started to act like a Remote Desktop I was able to access anytime. The program allowed me to access your desktop, your camera(s), your files, passwords and contact lists,” you could extract a lot more, much quicker.

Again, I’m not criminally creative, but with that much access you could easily search someone’s web history for their bank, use the stolen credentials to log in and then buy yourself $5,000 worth of Bitcoin.

Third, notice how he hedges on the number of cameras you may have? “Camera(s).” If you really have remote access, wouldn’t you know exactly how many webcams a device has? That’s phishy. And considering the fact you’re sending these emails out en masse, just hoping to catch one or two people gullible enough – wouldn’t it be smarter just to make it singular? Granted, the type of person that gets duped by this probably isn’t paying attention to that. Or at all.

Oh and finally, I really enjoyed that he included the names of four fake video files he allegedly took.

  • Retention_thesslstore_com_1564319884.mp4 (83.2 MB)
  • Retention_thesslstore_com_1566175291.mp4 (100.4 MB)
  • Retention_thesslstore_com_1565689335.mp4 (19.8 MB)
  • Retention_thesslstore_com_1565578231.mp4 (66.5 MB)

There’s a tiny part of me that wants to know why there’s one 20 MB file mixed in amongst the other much larger (but still fake) ones. Guess we must’ve been in a hurry that day.

Establishing Credentials

Let’s zoom in a little bit on the opening of this Bitcoin phishing email. Our enterprising “hacker” starts off by announcing that he knows “way more about you than you think.”

Then he drops this on you:

“I am a computer scientist (internet security specialist) with affiliation with the Anonymous group.”

Here’s leveraging the name recognition of the Anonymous group, which has bled over into the mainstream consciousness. Anonymous are more along the lines of “hactivists” than blatant criminals though, choosing to target influential people and organizations that they feel have acted unjustly.

This would be considerably low-rent for a group like Anonymous. But, the overall effect of these statements is to present n1ghTm4r3 as someone that is highly skilled and knows exactly how to pull off what they’re claiming.

Most people won’t be fooled by this, some might. That’s exactly what n1ghTm4r3 is going for.

The Bitcoin

Bitcoin Phishing

Here we see the dark underbelly of cryptocurrency in general, and Bitcoin specifically. The whole notion of a decentralized currency that can eliminate the need for fiat money sounds like a reasonably good idea. But like many things that are good in theory, it was only a matter of time before criminals slipped their proverbial turd into the punch bowl.

Cryptocurrency is widely used by criminals for the very reason that it seemed like such a good idea in the first place: it’s decentralized and nigh-untraceable. That means you can try to pull these sorts of stunts with little worry about anyone tracing any of the blackmail money back to you.

This would never work with traditional financial methods. That’s why short of cryptocurrency you see most other scams trying to use gift cards or some other form of non-traceable payment that can be cashed out anonymously (or without much oversight). If you asked someone to transfer the money to a bank account, Johnny Law will be at your doorstep by the next morning. Not the case with cryptocurrency.

Part Deux: n1ghTm4r3 Strikes Again (even more Bitcoin Phishing)

Obviously we didn’t send n1ghTm4r3 his Bitcoin. Instead we left his Bitcoin phishing email to rot in our spam folders along with the rest of the digital detritus that lands there.

That triggered the next email in this series. Maybe that’s giving n1ghTm4r3 too much credit. I don’t know for sure that he’s automated his email series, but given the fact these are clearly going out en masse, I’m making that assumption (dangerous, I know).

Anyway, n1ghTm4r3’s next email was a bit shorter, but still hit the same notes as the first.

Threatening Email Asking for Bitcoin

And again, here’s the transcript:

Subject: What the ƒuck are you doing, pedophile ?

Do you really think it was some kind of joke or that you can ignore me?
I can see what you are doing, pedo.
Stop SHOPPING and fucking around, your time is almost over.
Yea, I know what you were doing on Saturday. I am observing you.
Btw. nice car you have got there.. I wonder how it will look with big ‘PEDOPHILE’ stickers..
Because you think you are smarter and can disregard me, I am posting the 4 videos I recorded with you masturbating to kids right now. I will upload the videos I acquired along with some of your details to the online forum. I am sure they will love to see you in action, and you will soon discover what we do with pedophiles like you.
If you do not fund this bitcoin address with 5.000 GBP by next Friday, i will contact your relatives and everybody on your contact lists and show them your pedophilia recordings.
The bitcoin price changed since I last contacted you, here are the new transfer details:
0.64157341 BTC
to this Bitcoin address:
There are many places you can buy bitcoin like Bitstamp, Coinbase, Kraken etc. Register, validate your account, buy 0.64157341 BTC and send to my address – 3NquM6AaUfDWGEVykiMFVZk4QFBVzk82my – copy it and paste.
5.000 GBP = 0.64157341 BTC.
If you want to save yourself – better act fast, because right now you are FUCKED. We will not leave you alone, and there are many people on the groups that will make your life feel really bad, you fucking pedophile.

Now let’s dive in a bit more.

Special Characters

Starting from the top, real quickly, notice the use of the special character at the beginning of that F-bomb? You may have noticed a few special characters in the first email, too. Those are to try and trick spam filters. Obviously, it didn’t work, but evasion is the goal.

I know all about you… I swear

We kind of touched on this earlier with the webcam(s), but one of the most common tactics employed by phishing emails – not just this glorious piece of Bitcoin phishing – is trying to trick people into believing you really do have the goods on them. In other variants of this email you may see a password of yours listed. Chances are, they didn’t find that themselves.

They found that from one of the many databases of leaked credentials that exist on the fringes of the internet and all over the dark web. If you get an email that has your password, use a password checking services like HaveIBeenPwned to see where it may have been compromised. Then change them. But don’t let the cretin that sent you the phishing email convince you that they got it themselves. Or even that they know what to do with it. If they did, they wouldn’t need to email you.

This email attempts to convince its readers that the phisher has the goods on them by alluding to their car.

“Btw. nice car you have got there..”

Again, n1ghTm4r3 is playing a percentage here because not everyone owns a car. But for some very gullible person out there, this might be all they need to start looking for some place to buy some Bitcoin.

Sense of Urgency

Lately, phishing emails have begun to shift a bit in terms of the emotions they’re playing on. Nowadays you see a lot of phishing campaigns that play on our vanity, asking us to accept friend requests or view a picture we were tagged in.

But the tried and true method – the one employed by this Bitcoin phishing email – is to leverage panic. Create a sense of urgency.

If you want to save yourself – better act fast, because right now you are FUCKED. We will not leave you alone, and there are many people on the groups that will make your life feel really bad, you fucking pedophile.

Oh no!

What a tool (that was not my first choice of pejorative, but we’re running a business here). Frankly, n1ghTm4r3 seems a little TOO obsessed with pedophilia. I’d love to get a glimpse of HIS web history. Sometimes the loudest ones are the ones with the most to hide.

Anyways, ignoring n1ghTm4r3’s predisposition towards the under-aged, you can see how this could trigger panic for the right person. It feels as if there’s an imminent threat. Even with nothing to hide, the prospect of someone slandering you and loosing an internet mob in your direction is unappealing. And that’s probably an understatement.

Bitcoin phishing: Same song, different singer

These are by no means unique to our nefarious friend, n1ghTm4r3. In fact, we’ve been getting this flavor of phish for well over a year. You may remember we first mentioned them in our Phishing Examples article.

At the time we joked:

And I think there’s a foundational flaw in the logic behind this whole endeavor, which is that the type of person that might be scared into believing this definitely has no idea how to buy Bitcoin.

In fact, asking such a naive, impressionable individual to even try to obtain Bitcoin is like sending a sheep into a lion’s den. They’ll have their money, their home and all their credit sucked out of them way before you ever see your $2,000’s worth.

Back then the emails were attributed to “Anonymous Hacker – Yuki.” Incidentally, I feel like providing the name Yuki makes it all a little less anonymous. But you do you, Yuki.

Email Phishing for Cryptocurrency

We even got a few in Danish.

Email Asking for Bitcoin

We’ve noticed two big changes since then – besides, of course, the name on the emails. First, the price. It’s gone up from a couple grand to five. Not sure if that indicates the scam is working, or not working – I’d wager on the latter though.

Second, we’ve graduated from… how can I say this in a way that won’t get me in trouble? From allegations of self gratification to accusations about pedophilia. So, we’re really ramping this up to 11.

Continuing our critique, I’m not sure that this evolution works better. I feel like you’re phishing in a bigger lake the first way. Most people are pretty confident they’re not pedophiles, which lets you rule this out pretty quickly. But the idea someone hacked your webcam and caught you in a compromising position? Sure, I can see that catching a few people.

Either way, these emails are FAKE and regardless of who n1ghTm4r3 actually is, they’re an absolute piece of trash. Don’t fall for this garbage.

What Bitcoin says about Bitcoin Phishing

As we’ve already addressed, this has been going on for a while. Long enough, in fact, that Bitcoin itself has addressed it.

A lot of this is going to sound familiar:

Be wary of blackmail attempts in which strangers threaten you in exchange for bitcoin as a means of extortion. One common execution of this method is by email, where-in the sender transmits a message claiming that he/she has hacked into your computer and is operating it via remote desktop protocol (RDP). The sender says that a key logger has been installed and that your web cam was used to record you doing something you may not want others to know about. The sender provides two options – send bitcoin to suppress the material, or send nothing and see the content sent to your email contacts and spread across your social networks. Scammers use stolen email lists and other leaked user information to run this scheme across thousands of people en masse.

What should you do if you receive a Bitcoin Phishing email?

Bitcoin Phishing

Let’s start with the obvious stuff first.

  • Don’t follow any links
  • Don’t open any attachments
  • Don’t pay the ransom

There are also a couple of other things you might want to check out, just for the sake of due diligence.

First, head over to HaveIBeenPwned and enter the email address you received the Bitcoin phishing email with. It’s going to tell you whether any of the associated credentials have been compromised. With that knowledge, go and change your passwords. It’s just good hygiene.

Second, run a malware scan. This is really only mandatory if you DID open a file or click on a link, otherwise just consider it a helpful suggestion. You should already be running scans regularly, but if you’re not this is a great excuse to start.

Finally, get a webcam cover. One of these:

This tiny piece of plastic prevents someone from watching you, even in the event your device is compromised. Obviously we don’t want to let it get that far, but it’s a nice last line of defense.

If for some reason you can’t locate a webcam cover, just use a piece of solid (non-clear) tape or a post-it note or anything you can use to obscure the lens.

Of course, if you’re doing it right on the Email Security side, most of these Bitcoin phishing emails will wind up in your spam folder – where they belong.

That said, if you need help securing your email, you’ve come to the right place. As we mentioned at the top of the article – we’ve literally written a book on it.

Check it out.

As always, leave any comments or questions below…

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.