Threat Watch

Compromised Passwords Found on Servers Used for Sextortion Attacks

On March 2nd, 2020, Have I Been Pwned (HIBP) sent out breach notifications relating to credentials found on a server referenced by IP address, instead of Pastebin or other paste sites. Since this was an unusual breach notification, Binary Defense’s analysts began investigating the server and uncovered infrastructure used by a sextortion botnet. Sextortion is a fraud scheme that uses email messages that attempt to extort funds from victims using threats to release pictures that the criminals claim to have that show the victims in unflattering situations, typically related to sexual activities. This fraud scheme includes the victim’s password in the extortion email to make it appear that the attacker’s claim may be true, even if the attacker does not actually have any photos.

Using several methods of information collection, Binary Defense analysts were able to identify nearly four million credentials from the server, including many that were not previously located by HIBP, and shared information back to HIBP to help notify additional victims.  Additionally, Binary Defense analysts were able to create a tracker to track the sextortion botnet and identify additional servers.


Many of the credentials from this sextortion botnet originate from publicized breaches, instead of a “private RAT” that the criminals claim to have used in their sextortion emails. These sextortion emails can be identified by the fact that there is no way to respond to the cyber criminals. Binary Defense does not recommend paying the ransom for this sextortion scheme. The criminals usually do not actually have any pictures of their victims. This is a fraud scheme that relies entirely on victim’s cooperation and fear. If a password has been exposed in a breach, it is important to change the password everywhere it has been used. Passwords should be unique to each service, and whenever it is possible to enable multi-factor authentication (MFA), that feature should be enabled to protect accounts from take-over if the password is stolen.