Global cybersecurity company Check Point on Thursday said after a five-month research project, it exposed Phorpiex (aka Trik) botnet that is using people to unknowingly send 30,000 sextortion emails per hour.
"In the 5-month period that we have been monitoring this operation, we recorded transfers of more than 11 BTC to the wallets of Phorpiex sextortion - currently over $110,000," said the company.
The sheer speed and volume of emails being generated is staggering, it added.
"The idea behind sextortion is simple - an email demands blackmail payment threatening to expose sexual content relating to the recipient if not obeyed. Many of us received such emails or know others that have," said researchers Gil Mansharov and Alexey Bukhteyev.
The botnet under study uses thousands of infected hosts under its control to deliver millions of threats to innocent recipients.
Phorpiex (aka Trik) botnet has been active for almost a decade and currently operates more than 450,000 infected hosts.
In the past, Phorpiex monetized mostly by distributing various other malware families including GandCrab, Pony, Pushdo and used its hosts to mine cryptocurrency utilizing various cryptominers.
"Recently, Phorpiex has added a new form of revenue generation to its abilities; A spam bot described in the following article is used by Phorpiex to run large-scale sextortion campaigns," the findings showed.
This is how the botnet works.
It uses a spam bot that downloads a database of email addresses from a command and control (C&C) server.
Then, an email address is randomly selected from the downloaded database, and a message is composed from several hardcoded strings.
The spam bot can produce a large amount of spam emails - up to 30,000 per hour. Each individual spam campaign can cover up to 27 million potential victims.
"The most interesting feature of the last spam campaigns is that Phorpiex/Trik spam bot uses databases with leaked passwords in combination with email addresses," said the researchers.
"A victim's password usually included in a spam email message to make it more persuasive and show that password is known to the attacker. To shock the victim a spam message starts from the string with the password," they added.
Leaked credential lists, containing passwords that are often not compatible with their linked email addresses, are a common inexpensive commodity.
"Phorpiex, a veteran botnet, has found a way to use them to generate a low maintenance, easy income on a long-term basis and is continuously propagating sextortion emails - in the millions," the researchers noted.