Scam: Sextortion emails mention real passwords

IT researchers have found real passwords in so-called sextortion scam emails. The passwords come from the inboxes of disposable email services.

In the scam known as "sextortion," criminals attempt to extort money from victims by claiming to have recordings from their computer or smartphone cameras. These blackmail emails are almost always a scam; the perpetrators have not gained unauthorized access to the victim's IT systems at any point. However, to create the impression that they have, the criminal masterminds are now including real passwords in the scam emails.

This is reported by IT researchers from Malwarebytes in a recent blog post. The current fraudulent emails land in the inboxes of potential victims with subject lines such as "You pervert, I recorded you!". In the email body, the perpetrators claim to have infected the victim's device with a "drive-by exploit," thereby gaining full access, and to have recorded the recipients through the camera while they were "masturbating". To increase credibility, the attackers mention a password that actually exists. In the rest of the email, the attackers attempt to increase the pressure and induce victims to transfer cryptocurrency to them. Once that has happened, they say, they would remove all traces of their malware, and the supposedly incriminating material would not be mentioned again.

The IT researchers found the address of a fraudulent sender in several emails directed at people who use a provider of disposable email addresses, in this specific case, FakeMailGenerator. These free services allow the creation of a temporary email address and subsequent viewing of emails sent to it. This enables signing up for services without using one's real email address – for example, as a spam protection measure. Typically, emails cannot be sent from these accounts, only received. The inbox does not belong to any single person; anyone can view any temporary email account by providing the email address.

Malwarebytes assumes that the scammers search these public inboxes for passwords and use them in their sextortion emails. This should serve as a warning for users of such disposable email address services. The inbox could be publicly accessible and appear in search results. No one should use such services for anything confidential.

The perpetrators behind such sextortion scam emails were heavily affected by inflation in the middle of last year: the payment demands rose significantly. In April 2025, they were still 1200 US dollars, then 1450 US dollars in May, before climbing to 1650 US dollars in June. In the currently observed spam wave, the demand was only 800 US dollars.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.