Security & Privacy

A couple of days ago, I received an email addressed to a website that I manage for a friend. The email told me that I was illegally using the sender’s images and that I was in violation of copyright. It said that I was using the sender’s images “for commercial purposes on your platform without proper licensing or attribution,” and said, “I have also noticed that my images are being used on your social media profiles, notably: Facebook.”

The email was quite long, well written, and claimed that, if I did not compensate the sender, they would file a Digital Millennium Copyright Act (DMCA) takedown notice.

I read the email a couple of times because it sounded authentic. But I realized that I know the provenance of all the images on this website, and I know that none of them are being used illegally.

Demands cryptocurrency? Smells fishy

The kicker came when I got to the end of the email: the sender said that if I would send her $500 in Bitcoin or Ethereum, she would “refrain from initiating any legal actions against you. Failure to comply will result in immediate legal proceedings.”

While it may not be obvious to the average person, any demand for payment in cryptocurrency immediately makes me assume it is a scam. Cryptocurrency is relatively anonymous, meaning there’s usually no way to verify that the sender is a legitimate person. And unlike federally insured bank accounts, there’s no recourse if you mistakenly pay a scammer; you’ll never get that money back.

The website that I manage is a very small one, without many images. But imagine if this email were addressed to someone with a larger website and thousands of images. It would be very difficult, if not impossible, for the owner to verify the origin of all those images. Someone running that sort of website might feel that sending $500 in cryptocurrency — assuming they can figure out how to do it — would be a lot easier than all the research necessary to find if any of their images violated copyright laws.

The sender said that, “The unauthorized use of my images has caused significant damage to my professional reputation and financial losses. I have consulted with legal counsel, and I am prepared to pursue all available legal remedies to protect my rights,” which sounds a bit over the top. If they had paid to consult a lawyer, and determined that their professional reputation was damaged, then surely $500 wasn’t enough to compensate for those torts, not to mention legal fees. And it’s hard to imagine how using someone’s copyrighted images on a website could damage their reputation.

Déjà vu

In the end, this email is not very different from the porn blackmail emails that have been circulating for several years. These emails claim that the authors have hacked your webcam, and recorded your most private moments, and threatened you with blackmail by sharing the video with your relatives unless you pay them money.

But there’s one key difference. These porn blackmail emails are sent out to millions of people; the one I received was sent through a contact form on a WordPress website. (WordPress is commonly used for blogs as well as other websites.) Spam sent via WordPress contact forms is nothing new. There are automated tools allowing spammers to send emails to millions of websites. But the email I received contained a link to the website; this either means that it was partially handcrafted, or—perhaps more likely—cleverly scripted.

The email was also very well written. Most of the porn blackmail emails are written with an accent; you can tell they weren’t written by native speakers. But with today’s AI tools for composing and editing text, it’s quite simple to generate an email that reads well in just about any language. This email is wordy enough to sound like someone took a lot of time to explain their case and why you should pay them.

While clever, it’s still a scam

In spite of how well-reasoned the email was, it is fake. It’s just another attempt to scam people. If you do run a website and receive an email like this you can ignore it. If you are using images illegally, it’s unlikely that you’ll be contacted by the creator of those images in this manner. And they certainly wouldn’t ask for payment in cryptocurrency.

Interestingly, the sender included an address in Australia, which turns out to be a beach house that is currently for sale at AUD 3.75 million.

By the way, when searching for some of the exact sentences in this email, I discovered many cases where the same text had been posted as comments on websites, signed by different names and addresses, but have the same Bitcoin and Ethereum account numbers.

The full text of the scam message

Here is the complete text of the email, with information about the innocent website redacted. I’ve also redacted the presumably fake names and addresses used by the scammers, in case they belong to innocent people.

Dear [WEBSITE URL],

I trust this letter finds you. I am writing to address a matter of serious concern regarding the unauthorized commercial use of my copyrighted images, which were discovered on your website without my explicit consent (page titled ” [WEBSITE TITLE] ” ).

Upon investigation, I have identified that my images are being used for commercial purposes on your platform without proper licensing or attribution. This constitutes a clear infringement of my intellectual property rights as the sole copyright holder of these works. I have also noticed that my images are being used on your social media profiles, notably: Facebook

The unauthorized use of my images has caused significant damage to my professional reputation and financial losses. I have consulted with legal counsel, and I am prepared to pursue all available legal remedies to protect my rights, including initiating a formal legal action and filing a Digital Millennium Copyright Act (DMCA) takedown notice.

However, in an effort to resolve this matter amicably and avoid protracted legal proceedings, I am willing to settle the dispute immediately upon receiving a payment of $500. This settlement amount is a fraction of the damages I have incurred due to the unauthorized use of my work.

Please note that failure to comply with this demand within 14 days, will leave me with no alternative but to pursue legal action against you. In such an event, I will seek maximum damages under the law, as well as injunctive relief to prevent any further unauthorized use of my images.

To facilitate a prompt resolution, kindly remit the settlement amount to any of the following wallets:

Bitcoin: [REDACTED; see below] Ethereum: [REDACTED; see below]

Upon receipt of the payment, I will consider the matter resolved, and I will refrain from initiating any legal actions against you. Failure to comply will result in immediate legal proceedings.

I urge you to treat this matter with the utmost urgency, as further delays may exacerbate the consequences you may face.

Thank you for your immediate attention to this matter.

Please note that I have also sent out a hardcopy of this correspondence to your office.

Sincerely,

[NAME AND ADDRESS REDACTED]

Can we identify the scammer?

Cryptocurrency is somewhat anonymous by nature. But there are a couple of interesting details about the two crypto addresses included in this scam email.

We’ve redacted the addresses from the email body above to avoid anyone mistakenly sending the scammers any money. But since there’s evidence that these addresses have been used by the same scammer before, let’s share what we know.

Investigating the scammer’s Bitcoin address

The scammer’s Bitcoin address (bc1q4206tlzgldnr3efu44hf9m6qm329ztzxhqfxdw) has been reported only once on Coinabuse, a site that accepts reports of alleged fraud. The one report, dated December 7, sounds very similar to what we might expect:

“Received an email telling [the recipient that] images were used without consent and [that upon] failure to pay 500.00, DMCA and legal procedures will be initiated. No mention of the ‘images.'”

So far, nobody has sent any Bitcoin to that address, according to public blockchain records. Let’s hope it stays that way.

Investigating the scammer’s Ethereum address

Meanwhile, the scammer’s Ethereum address (0xa74cce7805342F10df39B698342380f58bB709b5) has a more interesting history. It has been reported four times; the most recent was the same December 7 report. The three previous reports date back to March and May 2023; all three were used in tandem with a different Bitcoin address. (We’ll get back to that in a moment.)

The March report sounds very similar to what we’ve described in this article:  “I received an email from my website’s contact form (probably automated).”

However, the May reports are a bit different. Both were listed as “Donation Impersonation Scams.”  For the first May report, the only details provided were: “Fake Donation Scam from Miami, Florida.” The second report’s details are: “Scammer abusing war on Ukraine.”

Going deeper down the rabbit hole: a second Bitcoin address

Let’s get back to the second Bitcoin address used in three previous scam campaigns. As a reminder, all three were used in tandem with the Ethereum address used in the scam message we received. The scammer’s older Bitcoin address (bc1q9uun7eny4t8pvlq7lmz39z9rr7rm3vw849hqwv) appears in eight reports, including the three we’ve already discussed. The earlier five reports date from Christmas Eve 2022 through February 2023, and include the following report categories and details:

• Other: scammers, pseudo-volunteers; Scammers pretend to be from a volunteer organization
• Ransomware; Scam trying to get your money.
• Other: Scam; Ukraine Scam, low life using the war to scam people.
• Other: Charity Scam; Looking for donations to crypto wallet for [Ukraine].
• Other: Darknet Market; asking for donation for Ukraine.

None of those five were reported in tandem with any other cryptocurrency wallet addresses. So, for now, that’s as deep as we’ll go down the rabbit hole.

But it does demonstrate how scammers may sometimes reuse the same cryptocurrency addresses across multiple fraud and abuse campaigns. And this means you may be able to find others’ reports about a potential scam, if you search for it.

How can I learn more?

We discussed this scam on episode 322 of the Intego Mac Podcast.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels:       

About Kirk McElhearn