Millions of Ashley Madison users have allegedly become the victims of extortion as online bandits attempt to take money from them in exchange for not spilling the beans to their family and friends about their membership of the extramarital affairs website.
In fact, online security firm CloudMark estimates that nearly $16,000 worth of virtual money has already been paid by Ashley Madison members to extortionists who are threatening to expose them to their loved ones and even their employers if they do not pay the amount demanded in a widely circulated email believed to have come from the blackmailers.
In a blog post, CloudMark software engineer and research analyst Toshiro Nishimura explains how he and his team tracked down bitcoin payments in Bitcoin's blockchain and discovered a total of 67 transactions of 1.05 BTC each, the same amount demanded by blackmailers from Ashley Madison users who do not want to be exposed.
"Specifically, we found 67 suspicious transactions totaling 70.35 BTC or approximately $15,814 USD within the extortion time frame of approximately four days paying 1.05 BTC to addresses, with no previous activity and with two or fewer transactions," Nishimura wrote.
Although Nishimura says the evidence is not conclusive, he notes that fairly skilled spammers can easily pull off the blackmail campaign simply by downloading the Ashley Madison data, collecting email addresses and generating a separate Bitcoin address for each email address before firing off the blackmail letter to the affected users.
He also says that the method that led him to his theory would not have been possible had the blackmailers extorted different amounts from the members, and he expects future blackmail letters to contain various amounts to circumvent the same kind of tracking.
Nishimura has made public the Bitcoin addresses generated for each transaction, which he says can help law enforcement track down the extortionists.
"In order to go deeper into this analysis, the next step would be to follow the trail of Bitcoins leading to each suspicious address to see if they are connected on the blockchain to each other or any other known suspicious addresses," he says. "Such analysis could potentially help law enforcement to deanonymize and pursue the perpetrators."
As many as 30 million individuals are believed to have been affected by the Ashley Madison hack. In August, hackers calling themselves the Impact Team released as much as 10GB of data supposedly taken from the hack, which contains the names, email addresses and other private information of individuals who signed up to the website.