CHOICE membership

Cryptocurrency email extortion scams


No you can buy Bitcoin anonomously it is just rarer than the way you advised. From a site on Bitcoin buying in Australia is this:

"If you want to buy bitcoin in Australia, most exchanges will require you to verify your identity first. However, if you value your privacy, it is still possible to buy bitcoin anonymously.

The following are some of the available options:

  • Using a peer-to-peer platform like LocalBitcoins to trade directly with a bitcoin seller
  • Using a bitcoin ATM to anonymously deposit cash, have it converted to BTC and then transferred to your bitcoin wallet
  • Buying bitcoin with a prepaid credit card or cash via a platform that doesn’t require ID
  • Trading altcoins for bitcoin on an exchange that doesn’t require proof of ID"

My Newsagency is able to printout the Bitcoin “voucher” and I believe there are a few of them who do it.


I agree there are other options. And someone who is in the right place, knows about them, or has the time to do the research would be able to get some BTC quite quickly.

I’m just hoping/assuming that most newbies would follow a more traditional route and not be able to fulfil the demand. (That would make an interesting study–how long would it take the average person to acquire some BTC?!)

If I’m wrong, more people are likely to be conned.


The Con-persons tell them how to obtain it, and my Newagency does a reasonable trade (not much commission on it though) in printing out the Bitcoin (BTC) vouchers. If the person volunteers that they are buying for a reason that sounds like a scam they advise them to not do it unless they are the victim of a encrypting ransomware attack (they advise them to think about it though). Not many volunteer this information so to give numbers to the problem is very difficult but I suspect like his BTC traffic the issue is increasing.


I have also received one of these emails, and there were no instructions… and the person says they’re not in Australia (and their English is poor), so I doubt they’d know. They’re going for low hanging fruit.


I have seen some emails with links to instructions on how to obtain BTC. The emails vary, and so I imagine do the requests and possible instructions. If you get the simple demand with little actual proof etc and no instructions it may just point to a case of “low hanging fruit”, but some are run by more sophisticated back end organisations/groups which are much better at nailing a victim.

This is why Australia has a huge amount of money being sent to overseas and untraceable, for the most part, destinations. 2017 we saw around $340 million lost to all forms of scams reported (how much more went unreported) and this year to July a figure of about $79 million. The threat type scams reported so far this year to July are around 3,164 (again these are only the reported ones). The stats from the Govt Scamwatch show an increasing trend, the education against being scammed does not seem to be working as well as we would hope.

From the USA a CNBC article that refers to letters containing the instructions:


Wow, that’s appalling. I wonder what an effective education campaign would look like? Maybe TV ads?
There are so many people who are barely web-literate who would be sitting ducks for these scams.


Yet another flaw in their evil plan :slight_smile: thanks for pointing it out, as a non-crypto user I hadn’t been exposed to that process.

The upshot from my contact interacting with the business concerned is:

  • Their site was compromised in 2011.
  • They claim to have notified all users of the compromise at the time - seems there are a number who never received this notification
  • They made no effort to track the response from their users, or the change of passwords (or not)
  • They subsequently migrated to Amazon Web Services and made big improvements in security (apparently).
  • When migrating, they took all the existing passwords with them, regardless of their status.
  • They claim to have done everything required of them. Required under law? maybe. Required ethically and reasonably by anyone with the faintest knowledge of security let alone an IT professional? I doubt I need to answer that.

Not sure what else can be said, except I’m sure this company is not alone …


If that’s all that’s required of them by law, that’s appalling.

As has been said before, using different passwords for each site is a good idea, but again this isn’t easy for those who aren’t computer-literate.

For this very reason, on a recent visit I set up LastPass on my mother’s PC… but after a short while she said it was “all too hard”. If I lived close by and could help her whenever she was stuck it might work. But alas the attempt was abandoned. And LastPass seemed like the best option.

Next time I’ll try the Firefox PW manager instead… it requires the user to sign in at the start of each session, or to access the stored passwords, and is resistant to password download programs, unlike most browser password managers.


I thought I’d add this similar scam email I received a few weeks ago, simply because it made me laugh.

Hello, prey.
I write you because you are one of those people that downloaded my malicious software from the visited web page with porn.
When you visited that site you let my soft collect all your personal data and switched on your web-camera that captured the process of your onanism. After that my malware saved your contact list.
I will delete the compromising video and info if you send me 370 $ in bitcoins.
It is my address to pay: 1FwZR8jZ4Xpdvx8GdaUvxjRhD4h1uE3CLf

I give you 24 hours after you open this message for making the transaction.
You do not need to write me that you have sent money to me. This bitcoin wallet is given only to you, everything will be deleted automatically after payment verification.
If you need 48 hours only reply on this letter with +.
You can visit the police station but they cant solve your problem.
I dont live in your country. So nobody can track me even for 9 weeks.
Goodbye. Dont forget about the shame.

The salutation!
The postscript!

Perhaps I should forward it to James Veitch as grist for one of his comedic scammer interactions?:


The ABC News website has an article regarding this scam today.


Yep I will disregard it if I receive one as for a start no porn and for another whilst I do have a Webcam it is not plugged in. If they can achieve turning it on when it isn’t working or powered or even anywhere near a computer they deserve some award for achieving the impossible.


And they’re almost certainly right - Australian laws about hacked business websites are ridiculously lax. I have reported a hacking to a website quite a few years ago, and heard nothing back at all!

Having said that, I would very much like to know the name of the business you were caught up with - I have accounts with various computer hardware resellers.

For people who use Google Mail, you can and should set it to not load pictures by default. You can choose then whether content should be loaded on a case by case basis, or give the green light to a particular sender.

I’m the family nerd and have set up password managers for my wife and my mother. Both find them ‘too hard’! So far I have tried two popular managers, but I heard recently that LastPass is brinhing out ‘family’ accounts and thought that sounds promising. Maybe not, on your evidence :slightly_frowning_face: .


My mother’s 82 and not at all computer-literate, so there might be some hope for you. Also, I only see her twice/year; possibly with (a lot) more support, she would have understood it well enough for everyday use.

The main difficulty is that sometimes LastPass doesn’t work as expected, most likely because some websites aren’t set up properly in the way they identify usernames and passwords. So the user has to understand enough to realise when and why it’s not working as expected and how to work around that. A solution (for me) could be to make my mum some short video clips showing how to recognise these issues and what to do when they occur. YMMV :slight_smile:


Same age as mine, but not too bad literacy-wise. She uses a notebook and a pen. Wouldn’t consider Lastpass for her, though I use it. Remote support is common and very useful - AnyDesk now the weapon of choice, while a lot more basic than Teamviewer it is not going through the current total fiasco Teamview is going through with its B/S commercial use detector …

Found that myself many times, and its not limited to Lastpass. I’m seriously considering the notebook and pen solution as well …


I have use TeamViewer to access my mum’s computer, although I’m wary of her having it on her machine lest she be hijacked. I’ll look into AnyDesk as an alternative.

That’s also what my Mum does, and maybe I should just leave well enough alone! I don’t relish the thought for my own passwords, as I use 16-20 character random strings, and I’m logging in and out of sites all day long!

As a side note, I do a bit of crypto trading and the precautions required to maintain security are pretty onerous. For example:


My mother has done that, but keeps losing the notes! As for her ability to generate a password that is anything like random… :roll_eyes:.


… little wonder it seems like a losing battle:

and from the above:

Slightly different compromise vector, but …


I’ve received no less than 6 of these emails in the last 10 days, every one of them slightly different wording but all saying the same thing essentially … all with the same password. I guess someone has bought the list and is now trying to cash in :slight_smile: My other contacts, including the one who unsuccessfully contacted the store, have received a number each as well - all tied to that dame data breach.

They have 5 stores in QLD and 4 in NSW - maybe you can derive what U need from that? :wink:


Nice to see today that some scam artists (a too kind a word but will do for here) that involved some Nigerians in Australia have been netted in a police operation. The sad outcome though for any caught by these fraudsters is that most if not all the money scammed is unlikely to be recovered.


One has to wonder why they didn’t operate from Nigeria - much harder to get caught.

On a separate matter, I received (yet another) email from haveibeenpwned to advise that once again some of my details are out in the wild.