SatanLock ransomware gang shuts down after weeks of attacks and plans to leak stolen victim data. Group linked to Babuk-Bjorka and GD Lockersec families.

The newly formed SatanLock ransomware group has announced it is shutting down. Before disappearing, however, the group says it will leak all the data stolen from its victims later today. The announcement was made on the gang’s official Telegram channel and dark web leak site.

It’s also worth noting that the group has deleted all victim listings that were visible just hours ago. Now, anyone visiting their .onion site sees a message reading, “SatanLock project will be shut down – The files will all be leaked today.”

SatanLock Ransomware’s announcement (Image credit: Hackread.com)

SatanLock has been active since early April 2025 and is known for its aggressive tactics. The group quickly gained attention, posting details of 67 victims on its dark web leak site within just a few weeks.

Interestingly, as highlighted in a **May 2025 report**, by Check Point, more than 65% of these victims had already appeared on leak sites run by other ransomware gangs. This suggests the group may have used shared infrastructure or deliberately tried to “re-claim” already compromised networks.

According to an **analysis** by Lockbit Decryptor, a cybersecurity firm that helps victims remove Lockbit ransomware, SatanLock is linked to several other notorious ransomware families, including Babuk-Bjorka and GD Lockersec. These connections suggest the group is part of a much larger cybercriminal network.

SatanLock Ransomware’s victims by countries and industries (Image via Lockbit Decryptor)

The exact reason for SatanLock’s shutdown remains unclear. Just last week, news broke that Hunters International, another ransomware group, was shutting down too. However, it was later clarified that the group is only rebranding, moving its focus to data breaches and leaks instead of ransom demands.

Hunters International now operates under the name **WORLD LEAKS**. Is the SatanLock ransomware gang following the same modus operandi? Maybe we’ll never know, or maybe we will.

Even so, the shutdown of the SatanLock group is good news for victims. It’s one less cybercriminal gang out there extorting unsuspecting individuals and businesses with ransom demands.

SatanLock Ransomware Ends Operations, Says Stolen Data Will Be Leaked

Dr.Web reports Android malware surge in Q2 with adware, banking trojans and crypto theft hidden in fake apps, firmware and spyware targeting users.

A series of malicious apps and stealthy spyware is targeting Android users worldwide, with new data showing how cybercriminals keep finding ways to slip threats onto devices and even official app stores.

According to new findings from Dr.Web Security Space, adware is still the most common threat on mobile devices, but what is noticeable this time is how attackers keep finding new tricks to spread it.

****Adware Still Tops the Charts****

Adware Trojans continued to dominate, led by the Android.HiddenAds family. Although detections dropped by just over 80%, HiddenAds variants are still the most active group, often masquerading as harmless apps and vanishing from home screens once installed. Android.MobiDash adware trojans saw a jump of over 11%, proving that intrusive ads are still a reliable money maker for threat actors, revealed Dr.Web’s **report**.

****Fake Apps Fraud****

Android.FakeApp malware ranked third on the threat list, with activity dropping by a quarter. These malicious apps frequently pose as **finance tools, games or utilities** but instead, redirect users to gambling or phishing sites. Fake finance apps tricked Turkish and French-speaking users, promising easy income control or investment advice while silently pushing them to fraudulent sites.

****Banking Trojans Make a Comeback****

While some banking trojans like Android.BankBot and Android.SpyMax declined, Android.Banker surged by over 70% compared to the previous quarter. This spike highlights how cybercriminals keep targeting financial data with new variants, despite global awareness campaigns urging users to stick to official app stores.

****Crypto Theft Hidden in Firmware****

One of the most alarming revelations is a large-scale crypto theft campaign discovered in April. Attackers slipped a trojan named Android.Clipper.31 into a modified version of WhatsApp and even embedded it in the firmware of low-cost Android phones.

This trojan secretly **swaps legitimate crypto wallet addresses** for the attackers’ own and sends user images to a remote server, hunting for wallet seed phrases hidden in screenshots or photos.

****Spyware Targets Military Personnel****

Another concerning discovery made by Dr.Web and **reported by Hackread.com** in April 2025, was spyware hidden inside a fake version of Alpine Quest, a mapping app. Distributed through a bogus Telegram channel and a local app catalogue, Android.Spy.1292.origin was designed to gather sensitive data from Russian military personnel, including location files, messages and phone book contacts.

****Threats Found on Google Play****

Despite tighter controls, Dr.Web’s researchers continue to find dozens of **malicious or unwanted apps on Google Play** (Apple App Store is **not** a secure place either). Recent finds include adware modules disguised in cryptocurrency news apps and finance-themed fake apps that redirect users to shady sites instead of offering any real service.

This new wave of cybersecurity threats simply goes on to show that Android’s open nature still makes it a favourite target for criminals pushing ads, spyware and banking malware. Even official app stores are not completely safe, therefore, users must keep their devices protected with up-to-date security software and stay cautious with any new app, no matter how harmless it appears.

Malware Surge Hits Android: Adware, Trojans and Crypto Theft Lead Q2 Threats

Stalkerware app Catwatchful has been leaking customer and victim information. It is one in a long line of such apps to do this.

If an app markets itself as being for “child monitoring”, a customer might expect that their data and those of the person you’re monitoring is handled with the utmost care and respect. However, as we’ve seen many times before, stalkerware (which is what monitoring software is known as) apps have a tendency to be low quality and lack security.

Stalkerware refers to apps and other monitoring software that enable someone to secretly spy on another person’s private life via their mobile device or computer. Many stalkerware apps market themselves as parental monitoring tools, but they can be—and often are—used to stalk and spy on a person. Sadly, the most common users of stalkerware are domestic violence abusers, who load these programs onto their partner’s device without their knowledge.

To prove our point about lacking security, researcher Eric Daigle found that an Android app called Catwatchful has exposed the data of thousands of its customers, along with its administrator.

Catwatchful claims it is “invisible and cannot be detected”, and uploads the victim’s photos, messages, and real-time location data to a dashboard for the person monitoring to see. It also can remotely tap into audio recorded by the phone’s microphone, as well as access both front and rear phone cameras.

Make no mistake, this is nasty stuff.

And now it turns out that the data hasn’t been stored securely. The exposed database, which the researcher shared with TechCrunch, contained the phone data from 26,000 victims’ devices as well as the email addresses and plain text passwords of more than 62,000 customers.

Stalkerware apps continue to pose a serious threat to privacy and security. Over the past years, several cases have revealed how these apps not only violate victims’ privacy but also expose sensitive data due to poor security practices. Recent leaks revealed that apps like Spyzie, Cocospy, and Spyic exposed millions of victims’ private information, including messages, photos, and locations. The attackers also obtained the email addresses of more than three million customers. Because the flaw was so easy to exploit, researchers kept the details under wraps to prevent further damage. After the breach, these apps disappeared from the internet, likely trying to avoid legal consequences rather than fixing security.

Another case involved Spyhide, where a security researcher uncovered a decade of surveillance on tens of thousands of Android devices. The app’s poorly secured backend let attackers access call logs, messages, and location data from tens of thousands of victims.

The infamous mSpy monitoring app has suffered multiple leaks, with millions of records including personal documents and monitored activity exposed. Even high-profile users were found among its customers. Despite repeated breaches, mSpy’s security remains weak, putting victims at ongoing risk.

These cases highlight a harsh reality: Stalkerware companies put profits before privacy, leaving victims and users vulnerable to further harm. As these apps operate in legal grey areas, it’s important to stay alert about the dangers they bring.

**Considering using a monitoring app?**

If you are thinking about installing such an app, and you are reading this:

1.  Don’t!
2.  Remember that using an app like this without the person’s permission is illegal in almost every country, unless it’s done with consent of the government itself.
3.  We have never heard of anyone who was able to solve a problem by using stalkerware. Usually resorting to stalkerware only makes it worse.
4.  Consider the consequences of the person finding out what you did. The lack of security and repeated breaches of these apps demonstrate that it is a distinct possibility.
5.  Listen to this podcast.

Malwarebytes, as one of the founding members of the Coalition Against Stalkerware makes it a priority to detect and remove stalkerware from your device. It is good to keep in mind however that by removing the stalkerware you will alert the person spying on you that you know the app is there.

**Check your exposure**

Unfortunately, breaches are an everyday occurrence. If you want to see how much of your personal data has been exposed online, Malwarebytes has a free tool that you can use to check. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

If you are looking for a way to remove stalkerware from your device, Malwarebytes Premium Security and Malwarebytes Mobile Security can help.

 Catwatchful &#8220;child monitoring&#8221; app exposes victims&#8217; data 

LGBTIQ+ organizations in El Salvador are using technology to protect themselves and create a record of the country’s ongoing authoritarian escalations against their community. It’s not without risks.

Steven Rodríguez traveled more than 40 miles from his home in Santa Ana, in western El Salvador, to attend the Pride march in the capital on June 28. It is the second time he has attended. There, some 20,000 people gathered in a mix of celebration and protest for the rights of sexual diversity. But this year, joy was replaced by fear.

“Maybe it won't escalate, but there is a fear that what happened to the El Bosque cooperative will happen. But, from deep down I believe that, as people, we have the right to a dignified life. If it's not me, who else is going to defend my experiences,” says Rodríguez about his decision to attend in the midst of the authoritarian escalation that the country is experiencing.

When Nayib Bukele assumed power in 2019, one of his first actions was to eliminate the Directorate of Sexual Diversity. In February 2024, during his participation in the Conservative Political Action Conference in the US, he made his position clear: “We do not allow those ideologies in schools and colleges. I think it is also important that the curriculum does not include gender ideology and such things.”

Natalia Alberto

Rodríguez's main fear is that the march will serve as an excuse to criminalize its attendees. Earlier this year, on May 12, a hundred members of the El Bosque cooperative held a peaceful protest to avoid being evicted. This was repressed by the military police and ended with the arrest of community leader José Ángel Pérez and lawyer Alejandro Henríquez for public disorder. Both are serving provisional detention in a penal center. In the past four months, at least six human rights defenders have been arrested in the country for political reasons.

On the afternoon of June 28, the march ended peacefully and, at least on the ground, no arrests were recorded.

**Training Day**

Rodríguez is part of a collective called Pedrina, which focuses on community articulation for LGBTIQ+ rights in the West. His approach to digital security began when members of the organization started receiving insults, threats, and hate messages on social networks.

Natalia Alberto

Rodríguez and his collective received digital security training from Amate, another LGBTIQ+ organization that advocates nationally. Since May, Amate has trained 60 people on issues including digital rights, risk analysis, extortion, phishing, outing, surveillance, and revenge porn. It also includes the implementation of tools such as the use of VPN and encrypted messaging platforms, such as Signal and Proton.

“Something that activists were telling us \[that\] is very common is that people take their Facebook photos and impersonate them on social networks, either to attack other collectives or to undermine personal aspects. So it's a very interesting experience. People are not aware of the exposure we have in the digital world,” says Fernando Paz, who is in charge of teaching these courses.

Natalia Alberto

For Rodríguez, these tools are a way of confronting a country that, with government support, is becoming increasingly violent towards those who represent diversity.

“At the university, we have had experiences of hate speech in classes. Professors have said that they share Bukele's thinking on gender ideology and that this has to disappear because it poisons the youth,” Rodríguez says.

One way the government has used to hide violence against the LGBTIQ+ community is the lack of accounting of hate crimes committed in El Salvador. In recent years, the country’s Attorney General's Office, also known as FGR, has used the categories “murder due to social intolerance” and “murder due to family intolerance” to count homicides that it cannot attribute to what it calls “general crime” (mostly, according to the government's narrative, perpetrated by gangs). There is no clarity about what falls into these categories, which are not official, are not defined, and are only used publicly—not within administrative reports. Between 2023 and 2024, the FGR counted 182 of these cases.

Natalia Alberto

**Hit Record**

In the face of statistical obscurity, the exercise of documenting and archiving hate crimes has been taken up by organizations. The Passionist Social Service, an anti-violence group, found that 154 LGBTIQ+ people have been detained during El Salvador's emergency regime, which began in March 2022 and has been extended 39 times to date. Following this, Nicola Chávez and her team saw the need to record cases of violence against members of the LGBTIQ+ population.

“We had always intended to start an observatory, but with the start of the exception regime everyone knows that police violence and military harassment have a disproportionate impact on the LGBT community. Obviously that hurts us, and I don't know who else they count on to be able to denounce,” Chávez says.

To date, Chávez's team has registered 68 incidents of violence against LGBTIQ+ people, although they believe there could be more. One of the main challenges has been to create a centralized database of the information that each member had kept on their own.

Natalia Alberto

“One of the big frustrations has always been that we don't have consistency when it comes to storing information,” Chávez says. “To make this database, I had to go from computer to computer, collecting information in emails and loose files.”

Chávez, a doctoral student in American Studies and archivist, applied her knowledge to compile and organize the information. For her, it's crucial to secure the databases that contain sensitive information related to the victims' allegations under the emergency regime. One of the keys is to protect the data with multiple layers of security and to use encrypted platforms with automatic self-destruct functions, such as CryptPad.

The authoritarian escalation in El Salvador has forced organizations to be more cautious with their public work. For this reason, Chávez requested that her organization not be mentioned for fear of reprisals following the recent approval of the Foreign Agents Law, which requires those receiving international funds to register as “foreign agents.” If authorized, they would be subject to a 30 percent tax on all foreign funding, a measure that opponents of the legislation say seeks to economically stifle dissenting voices.

Natalia Alberto

El Salvador's political situation has forced them to contemplate several scenarios on how to safeguard information. The most critical implies that the government may consider the activities of their organization as a direct contravention of the law and raid their offices. Another concern is that, at the time of registration, they will be required to hand over the contents of the devices.

“The registry is designed as an all-powerful entity. There are minimum requirements to be able to register, but they have the power to demand whatever they want,” says Chávez. “There are no limits in the regulations on what they can request. What worries us is that, as part of a routine process, they want to seize computers, hard disks, etc.”

Natalia Alberto

The passage of this law to control speech and information is not an isolated case. In November 2024, El Salvador's Congress passed laws establishing the creation of the State Cybersecurity Agency, whose powers include managing cyber threats and overseeing data protection compliance.

“The government of El Salvador has created an entire infrastructure to have not only social, but also digital control of the citizenry. With the creation of this agency, an oversight tool is enabled for issues related to information, the use of technology and our digital identity,” explains Joshi Leban, a specialist in advocacy and digital literacy.

The records that Chávez is so keenly guarding also have a vision in which this hope for justice persists.

“At some point, perhaps this will become an international litigation, or it may be that this government ends and a process of oversight of what has happened begins. In that scenario, it will serve that the organizations have put these facts on record as documentation.”

_This story originally appeared on WIRED en Español and has been translated from Spanish._

The Promise and Peril of Digital Security in the Age of Dictatorship

Model Context Protocol (MCP) is a powerful protocol from Anthropic that defines how to connect large language models (LLMs) to external tools. It has quickly gained traction due to its ease of use and the benefits it adds in our use of AI. In this article we'll cover some of the potential security risks you'll encounter with MCP and how you can approach mitigating them.How MCP worksMCP does not directly connect LLMs with tools. The MCP client component accesses the LLM, and the MCP server component accesses the tools. One MCP client has access to one or more MCP servers. Users may connect any

Model Context Protocol (MCP) is a powerful protocol from Anthropic that defines how to connect large language models (LLMs) to external tools. It has quickly gained traction due to its ease of use and the benefits it adds in our use of AI. In this article we'll cover some of the potential security risks you'll encounter with MCP and how you can approach mitigating them.

**How MCP works**

MCP does not directly connect LLMs with tools. The MCP client component accesses the LLM, and the MCP server component accesses the tools. One MCP client has access to one or more MCP servers. Users may connect any number of MCP servers to an MCP client.

Here's what a typical MCP client and server exchange looks like:

1.  The user requests a task from the MCP client
    1.  The MCP client has the information about the tools that each MCP server implements or has access to
2.  The MCP client passes the request from the user plus the information from the MCP servers to an LLM which responds with the tool needed and the parameters to be used
3.  The MCP client sends the information about the tools and parameters to the MCP server
4.  The MCP server completes the task and returns the answer to the MCP client that passes the answer to the LLM, and the LLM generates a response for the user
5.  The response is shown to the user by the MCP client

MCP servers can be run locally or remotely, and the security risks differ depending on how they are executed.

We define "**local MCP servers**" as the MCP servers that we run in a host that we control. To perform the requested tasks, local MCP servers usually execute OS commands or custom code locally.

"**Remote MCP servers**" are only run remotely by a third party. We can have access to remote MCP servers, but they don’t run on a host we control. Remote MCP servers still have security risks for the users because they have access to their data, but since they are not executed locally, many common risks don’t apply.

**Security risks and controls**

Here's a quick overview of some of the MCP risks security researchers have identified and some mitigation approaches.

**Authentication and authorization**

When an MCP server performs an action triggered by a user’s request, there is a risk of a "confused deputy" problem. Ideally, the MCP server should execute this action on behalf of the user and with the user’s permission. This is not guaranteed, however, and depends on the implementation of the MCP server. If it's not implemented correctly, a user could gain access to resources that should not be available to them but that are available to the MCP server, violating the principle of least privilege.

MCP defines authorization using OAuth, but the community has identified that the current specification includes implementation details that conflict with modern enterprise practices. Efforts are underway within the community to improve and Update the Authorization specification and address this discrepancy.

**Supply chain risks**

MCP servers are composed of executable code, so users should only use MCP servers that they trust. And if we develop MCP servers, we must take precautions so our users can trust our software. MCP components must also be signed by the developer, so users can be more certain of their integrity.

We must also build MCP components on pipelines that implement security best practices like Static Application Security Testing (SAST). We must understand the findings, discard false positives and fix known security vulnerabilities. Pipelines must also implement Software Composition Analysis (SCA) so that known vulnerabilities in the dependencies used by MCP servers are identified and fixed.

If an MCP server is offered as a cloud service, it should also implement cryptographic server verification so clients are able to verify the server.

As with any other software, if attackers are able to access and modify the source code for any MCP component, that will allow them to compromise the users. To reduce this risk, software developers and users must verify the integrity of all the dependencies they use and scan them for malware.

**Unauthorized command execution**

Local MCP servers may execute any code. Depending on how the MCP client passes the information to the MCP server and how the MCP server is implemented, command execution functionality may be vulnerable to command injection vulnerabilities. Always double check what commands will be executed and sanitize the data before using it as an argument for a function that executes commands.

The following is an example of an MCP server with a command injection vulnerability:

    def dispatch_user_alert(self, notification_info: Dict[str, Any], summary_msg: str) -> bool:
    """Sends system alert to user desktop"""
    notify_config = self.user_prefs["alert_settings"]
    
    try:
         alert_title = f"{notification_info['title']} - {notification_info['severity']}"
         if sys.platform == "linux":
             subprocess.call(["notify-send", alert_title])
         return True

Code seen in: https://equixly.com/blog/2025/03/29/mcp-server-new-security-nightmare/ 

Additionally, consider running local MCP servers in a sandbox so they are only capable of executing and accessing what they are explicitly allowed to.

**Prompt injection**

MCP servers pose significant security risks due to their ability to execute commands and perform API calls. One major concern is that even if a user doesn't intend a specific action, the LLM might decide it's the appropriate one.

This risk can arise without malicious intent, but it's also a factor in adversarial scenarios. For example, a legitimate user might submit a prompt they didn't write to the MCP client, perhaps one recommended by a malicious third party. Such a prompt could be obfuscated but still leak private information from the user's conversation or accessible tools. Imagine a user copying and pasting a complex, obfuscated prompt they believe will create a new user in their cloud environment—the malicious prompt could, in addition to creating the intended user, also create another user for the attacker.

This is why the actions performed by the MCP servers should always be confirmed by the users or restricted to reduce risk to an acceptable level.

**Tool injection**

There's also the possibility that someone could build a malicious MCP server, which poses  a whole new level of potential risk. For example, a malicious MCP server might initially appear safe during installation, even with its source code and tool descriptions appearing normal. But the tools may be modified during a future update. For example, a tool originally described as gathering weather information may be modified in an update to start gathering confidential information and sending it to an attacker.

This can also happen with the names of the tools. Malicious aMCP servers may use deceptive names for the tools so the LLM selects them for a task that should be done by other legitimate tools, potentially causing unintended or harmful actions.

To mitigate some of this risk, software that allows users to install MCP servers should have the capability of pinning the version of the MCP servers and notifying the user if any changes occur in their code or composition after installation.

**Sampling**

Malicious MCP servers may also try to exploit the MCP sampling functionality, where MCP servers can request MCP clients to use an LLM to complete a request. If an MCP server needs to send a request to an LLM, sampling allows the MCP client to make the request on behalf of the MCP server, since the user has more control over the MCP client and it helps centralize costs.

MCP clients should implement the following controls to reduce the risks associated with sampling:

*   Enable clients to show users the completion request
*   Allow users to modify or reject completions
*   Enable clients to filter or modify completions
*   Allow users to control which model is used
*   Implement appropriate rate limits
*   Control cost exposure
*   Implement timeouts

**Logging**

As previously discussed, MCP servers are able to execute sensitive commands. They should have the capability of sending logs or events to standard centralized logging servers or to be able to log these events locally. This enables investigation into system actions if a problem occurs or is suspected.

**Vulnerability management**

Since MCP servers are code, they may have vulnerabilities just like any other software, so it's critical to include them into your standard vulnerability management process. This includes upgrading the MCP clients and servers and their dependencies at planned intervals, based on the organization's risk appetite.

**Conclusion**

MCP has sparked interest in manipulating tools using natural language and in better understanding how we communicate users, LLMs and tools. However, we must acknowledge the security risks that come with this increase in automation and additional AI agency. As with any other new technology, when using MCP, companies must evaluate the security risks for their enterprise and implement the appropriate security controls to obtain the maximum value of the technology.

**Learn more**

*   MCP Servers: The New Security Nightmare
*   The MCP Authorization Spec Is... a Mess for Enterprise
*   Everything Wrong with MCP
*   Imprompter: Tricking LLM Agents into Improper Tool Use
*   Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions
*   WhatsApp MCP Exploited: Exfiltrating your message history via MCP
*   5 MCP Security Tips

Model Context Protocol (MCP): Understanding security risks and controls

Apple and Google espouse strong values about data privacy, but they allow programs from a Big Brother state to thrive on their app stores, researchers allege.

Top Apple, Google VPN Apps May Help China Spy on Users

Popular messaging platform WhatsApp has added a new artificial intelligence (AI)-powered feature that leverages its in-house solution Meta AI to summarize unread messages in chats.
The feature, called Message Summaries, is currently rolling out in the English language to users in the United States, with plans to bring it to other regions and languages later this year.
It "uses Meta AI to

WhatsApp Adds AI-Powered Message Summaries for Faster Chat Previews

Cybersecurity researchers have detailed two now-patched security flaws in SAP Graphical User Interface (GUI) for Windows and Java that, if successfully exploited, could have enabled attackers to access sensitive information under certain conditions.
The vulnerabilities, tracked as CVE-2025-0055 and CVE-2025-0056 (CVSS scores: 6.0), were patched by SAP as part of its monthly updates for January

Citrix Bleed 2 Flaw Enables Token Theft; SAP GUI Flaws Risk Sensitive Data Exposure

The company has patched two vulnerabilities in its Graphical User Interface that would have allowed attackers to grab data from a user's input history feature.

XOR Marks the Flaw in SAP GUI

"Hello pervert" sextortion emails are going through some changes and the price they're demanding has gone up considerably.

Every so often the sextortion emails that start with “Hello pervert” get a redesign.

You may have received one yourself: The emails claim that the sender has been watching your online behavior and caught you red-handed doing activities that you would like to keep private.

The email usually starts with “Hello pervert” and then goes on to claim that you have been watching porn. The sender often says they have footage of what you were watching and what you were doing while watching it.

To stop the sender from spreading the incriminating footage to your email contact list, you are asked to pay them money. The overall tone is threatening, manipulative, and designed to provoke fear and urgency.

We know these emails are a big problem. We see thousands of people visiting our website a week looking to find information on sextortion emails like these. And now we’re seeing a new version with some features we haven’t seen in the past. Interestingly, just as the cost of food, travel, and—well—living has gone up, so has the amount of money that the scammers ask for in the email.

This most recent email we’ve seen also gives away the probable origin of the emails.

With all that we thought it would be interesting to take a closer look.

> “Hello pervert, I’ve sent thіs message from your **Microsoft** account.
> 
> I want to іnform you about a very bad sіtuatіon for you. However, you can benefіt from іt, іf you wіll act wіsely.
> 
> Have you heard of Pegasus? Thіs іs a spyware program that іnstalls on computers and smartphones and allows hackers to monіtor the actіvіty of devіce owners. It provіdes access to your webcam, messengers, emaіls, call records, etc. It works well on Androіd, іOS, macOS and Wіndows. I guess, you already fіgured out where I’m gettіng at.
> 
> It’s been a few months sіnce I іnstalled іt on all your devісes because you were not quіte choosy about what lіnks to clіck on the іnternet. Durіng thіs perіod, I’ve learned about all aspects of your prіvate lіfe, but one іs of specіal sіgnіfіcance to me.
> 
> I’ve recorded many vіdeos of you jerkіng off to hіghly controversіal рorn vіdeos. Gіven that the “questіonable” genre іs almost always the same, I can conclude that you have sіck рerversіon.
> 
> I doubt you’d want your frіends, famіly and co-workers to know about іt. However, I can do іt іn a few clіcks.
> 
> Every number іn your contact Iіst wіll suddenly receіve these vіdeos – on WhatsApp, on Telegram, on Instagram, on Facebook, on emaіl – everywhere. It іs goіng to be a tsunamі that wіll sweep away everythіng іn іts path, and fіrst of all, your former lіfe.
> 
> Don’t thіnk of yourself as an іnnocent vіctіm. No one knows where your рerversіon mіght lead іn the future, so consіder thіs a kіnd of deserved рunіshment to stop you.
> 
> I’m some kіnd of God who sees everythіng. However, don’t panіc. As we know, God іs mercіful and forgіvіng,  and so do I. But my merсy іs not free.
> 
> Transfer **1650$** to my Lіtecoіn (LTC) wallet: **{redacted}**
> 
> Once I receіve confіrmatіon of the transactіon, I wіll рermanently delete all vіdeos compromіsіng you, unіnstall Pegasus from all of your devіces, and dіsappear from your lіfe. You can be sure – my benefіt іs only money. Otherwіse, I wouldn’t be wrіtіng to you, but destroy your lіfe wіthout a word іn a second.
> 
> I’ll be notіfіed when you open my emaіl, and from that moment you have exactly **48 hours** to send the money. If cryptocurrencіes are unchartered waters for you, don’t worry, іt’s very sіmple. Just google “crypto exchange” or “buy Litecoin” and then іt wіll be no harder than buyіng some useless stuff on Amazon.
> 
> I strongly warn you agaіnst the followіng:  
> \* Do not reply to thіs emaіl. I’ve sent іt from your Mіcrosoft account.
> 
> \* Do not contact the polіce. I have access to all your devісes, and as soon as I fіnd out you ran to the cops, vіdeos wіll be publіshed.
> 
> \* Don’t try to reset or destroy your devісes. As I mentіoned above: I’m monіtorіng all your actіvіty, so you eіther agree to my terms or the vіdeos are рublіshed.
> 
> Also, don’t forget that cryptocurrencіes are anonymous, so іt’s іmpossіble to іdentіfy me usіng the provіded address.
> 
> Good luck, my perverted frіend. I hope thіs іs the last tіme we hear from each other.
> 
> And some frіendly advіce: from now on, don’t be so careless about your onlіne securіty.”

**Spoofing your email address**

One clever trick the scammers use is saying they’ve sent the email from your Microsoft account. The sender spoofs your email address, in the hope that it makes you think your device may indeed be compromised.

However, it’s easy for scammers to spoof (use a fake) email address because the email system doesn’t check if the sender is real. That’s why it’s important to be cautious. Even if an email looks like it’s from someone you know, or even yourself, it could be from a scammer.

If you’re technically savvy, taking one look at the authentication results in the email header would reveal that the email failed because the IP address does not match the domain.

However, we can assume that most people receiving the email wouldn’t think to do this, and so the email spoofing might well work to add legitimacy to the email.

**Encoding errors**

Looking at the source of the email, we got a little insight into its origin.

The intro of the email shows the repeated use of “=D1=96” and some other encoding errors. In fact, the whole text is riddled with encoding errors, which typically appear when Cyrillic or other non-Latin characters are misinterpreted as UTF-8 or quoted-printable, or when text is generated or processed by automated systems not properly handling character sets.

The sequence =D1=96 is the quoted-printable encoding for the Unicode character U+0456, which is the Cyrillic letter “i”. This encoding error strongly points towards the writer’s native language being one that uses the Cyrillic script, which is predominantly used in Eastern European and Central Asian countries, with Russian being the most prominent language using it.

These errors also tell us that this scammer doesn’t use the most sophisticated tools. Although the awkward sentence structures and repetitive language are consistent with automated text generation or translation, they are classic signs of a low-effort, high-volume campaign—not the kind where an AI has been used to add personalization or a more natural voice.

**Price hike**

Back in April, the price that scammers were asking victims to pay for being a “pervert” was $1200, and in May it was $1450.

This time we’re asked to pay no less than $1650.

There could be several reasons for this. Maybe the costs of the operation have gone up. Or the scammers feel the value of their threat and its consequences have increased.

Scammers often start with what seems a “reasonable amount” to them and, if successful, incrementally increase it for future victims. This allows them to gauge the maximum amount that people are willing to pay to avoid the threatened consequences.

I’m happy to report that both the mentioned Litecoin wallets are empty. Let’s keep it that way.

**How to spot a sextortion email**

Once you’re aware of them, it’s easy to recognize these emails. Remember that not all of the below characteristics might be included in the email you receive, but all of them are red flags in their own right.

*   They often look as if they were sent from your own email address.
*   The scammer accuses you of inappropriate behavior and claims to have footage of that behavior.
*   In the email the scammer claims to have used Pegasus or some Trojan to spy on you through your own computer.
*   The scammer says they know your password and may even offer one as “proof”. This password is likely to have been stolen in a separate data breach and is unrelated to the sextortion email itself.
*   You are urged to pay up quickly or the so-called footage will be spread to all your contacts. Often you’re only allowed one day to pay.
*   The actual message often arrives as an image or a pdf attachment. Scammers do this to bypass phishing filters.

**How to react to sextortion emails**

First and foremost, never reply to emails of this kind. It may tell the sender that someone is reading the emails sent to that address and so they will repeatedly try other methods to defraud you.

*   Don’t let yourself get rushed into action or decisions. Scammers rely on the fact that you will not take the time to think this through and subsequently make mistakes.
*   Do not open unsolicited attachments. Especially when the sender’s address is suspicious or even your own.
*   If the email includes a password, make sure you are not using it anymore and if you are, change it as soon as possible.
*   If you are having trouble organizing your passwords, have a look at a password manager.
*   For your ease of mind, turn off your webcam or buy a webcam cover so you can cover it when you’re not using the webcam.

Sextortion emails often contain passwords that have been stolen in another data breach and posted online. If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and you’ll get a free report.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Tag

#sap