Phorpiex Botnet Sending 30,000 Sextortion Emails an Hour

Sextortion may be nothing new, but it has certainly proven popular with cybercriminals in recent months. Sextortion emails threaten to expose sordid details of the activities of their victims unless payment is made.

One of the most common scams claims that the sender of the email is a hacker who has hijacked the victim’s webcam and recorded footage of a user viewing pornography. The supposed hacker claims to have also recorded the material that was being viewed at the time, has the user’s web history, and will send all that information to friends, family members, and other contacts unless a sizeable payment is made – often around $500-$700.

These scams have succeeded in many cases, typically when one of the spam emails reaches someone who has something they definitely want to keep hidden and who is not willing to take any chances.

What was not clear about these scams was how such large-scale spamming campaigns were being conducted without the email accounts being blacklisted. New research from Tel Aviv-based Check Point has shed some light on how the messages are being sent.

Check Point researchers discovered that the Phorpiex botnet is being used to send sextortion emails. The Phorpiex botnet has been active for around a decade and has infected approximately 450,000 computers. A spambot has been installed on the botnet and is being used to send masses of emails from infected devices through a simple implementation of SMTP. Huge sextortion spam campaigns are being conducted, with messages sent at a rate of up to 30,000 an hour. Each campaign can target up to 27 million individuals.

In this campaign, as with several others, a user’s password is included in the message body. This password is usually an old password that has previously been compromised in a data breach. That breach most likely happened some time ago, but the password may still be in use or may indicate that the user’s computer has been compromised for a long time. The recipient may never even have used the password, since the passwords are often taken from a variety of different databases and may not match up with a particular user. However, since many people cannot remember their randomly generated passwords, the message may still have the desired effect.

The campaigns have been reasonably successful. In the past 5 months, the attackers have earned 11.99545 Bitcoin according to Check Point. That is around $97,000 at today’s exchange rate or about $19,000 a month.

These sextortion scams are now common, so there is a reasonable probability that you will eventually receive a message in your inbox if your email address and password have been compromised in a past data breach. If you do receive a message claiming to have recorded you while watching porn, just delete it.

Author: NetSec Editor