Anatomy of a Sextortion Email: How These Scams Work and Why They Keep Coming

You open your inbox and find an email with your own password in the subject line. The message claims someone has installed malware on your computer, activated your webcam, and recorded you during private moments. They demand payment in Bitcoin within 48 hours or they will send the footage to everyone in your contacts list.

Your stomach drops. For about thirty seconds, you genuinely consider paying.

That reaction is exactly what the attacker is counting on. And it is why sextortion emails, despite being one of the most transparently fraudulent scam categories, continue to generate millions of dollars in payments every year. Understanding the mechanics of these scams, both technical and psychological, is the best inoculation against them.

What a Sextortion Email Actually Looks Like

The format is remarkably consistent across campaigns. Here is a representative example, composited from common templates:

Subject: Your password is sunshine42 - I know everything

I am a hacker who has access to your operating system.
I also have full access to your account.

I have been watching you for some months now.
The fact is that you were infected with malware
through an adult site that you visited.

I made a video showing how you satisfy yourself
in the left half of the screen, and in the right
half you see the video that you were watching.

With one click of the mouse, I can send this video
to all your email contacts and social network friends.

I can also post access to all your email correspondence
and messengers that you use.

To prevent this, transfer $1,900 to my Bitcoin address:
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa

You have 48 hours after reading this email.

After receiving the payment, I will delete the video
and you will never hear from me again.

If I do not get the Bitcoin, I will send your video
to all of your contacts.

The email may vary in specifics, but the structure is always the same: proof of access (the password), claim of surveillance, threat of exposure, demand for cryptocurrency, and a countdown timer.

Why They Know Your Real Password

This is the detail that makes people panic, and it is the most important thing to understand. The password in the email is real. You have used it somewhere, possibly years ago. But the attacker did not hack your computer to get it.

They got it from a data breach.

Over the past decade, billions of username-password combinations have been leaked from breached services. LinkedIn in 2012, Adobe in 2013, Dropbox in 2016, Collection #1 through #5 in 2019, and hundreds of smaller breaches since. These credential dumps are traded freely on dark web forums and can be purchased in bulk for pennies per record.

Sextortion operators buy these dumps by the millions, extract the email-password pairs, and use them to personalize their scam emails at scale. They know nothing else about you. They have not accessed your webcam. They have not installed malware. They have a database row with your email address and an old password, and they are betting that seeing that password will terrify you into paying.

If you want to check whether your email has appeared in known breaches, services like Have I Been Pwned can tell you. For next steps after discovering your data in a breach, see our guide on what to do when your email appears in a data breach.

The Bitcoin Wallet Trick

Every sextortion email demands payment in Bitcoin, and for good reason from the attacker's perspective. Bitcoin transactions are irreversible, pseudonymous, and require no banking infrastructure. The attacker does not need a bank account, a merchant processor, or a money mule network. They just need a wallet address.

But here is what most recipients do not realize: the same Bitcoin address often appears in thousands or even millions of emails. Attackers reuse addresses across entire campaigns. You can look up any Bitcoin address on a public blockchain explorer and see its transaction history. Many sextortion wallet addresses have received dozens of payments from victims, while others have received nothing.

Research from the Anti-Phishing Working Group has tracked sextortion campaigns where a single Bitcoin address was used in over 500,000 emails. The payment rates are low, typically under 1%, but when you send 500,000 emails demanding $1,900 each, even a fraction of a percent generates serious revenue. A campaign with a 0.3% payment rate across half a million emails would yield roughly $2.85 million.

The economics are obscenely favorable to the attacker. The cost of sending half a million emails is negligible. The breach data is cheap. The infrastructure is disposable. And the payments are anonymous and irreversible.

The Psychological Machinery

Sextortion emails are not technically sophisticated. They are psychologically sophisticated. Every element is designed to trigger panic, prevent rational analysis, and push the recipient toward immediate payment.

Shame as a Weapon

The core leverage is shame. The email implies the recipient was watching pornography, something most people would prefer to keep private regardless of how common it is. The threat is not financial damage or identity theft. It is social humiliation. The attacker is betting that the fear of friends, family, and colleagues seeing the alleged video is powerful enough to override the victim's skepticism.

This works across demographics. Research shows that sextortion payments come from all age groups, income levels, and professions. Executives, teachers, retirees, and students all pay. The shame mechanism is near-universal.

The Countdown Timer

The 48-hour (sometimes 24-hour or 72-hour) deadline serves a critical function: it prevents the recipient from thinking clearly, consulting with someone else, or researching the scam. Every hour that passes increases the anxiety. The attacker wants the decision made in a state of fear, not after a calm conversation with a tech-savvy friend who would immediately identify it as a scam.

Proof of Compromise

The real password serves as false proof that the attacker has deep access to the victim's digital life. If they know the password, the reasoning goes, maybe they really do have webcam footage. This logical leap is exactly what the attacker wants. In reality, having a password from a years-old breach proves nothing about current system access, but in a moment of panic, that distinction disappears.

Isolation

Many sextortion emails explicitly tell the recipient not to contact authorities or tell anyone about the email. Some threaten that any attempt to seek help will trigger the release of the video. This is a standard manipulation tactic designed to keep the victim isolated and unable to get the outside perspective that would immediately deflate the scam.

Why You Should Never Pay

This cannot be stated clearly enough: do not pay. There are three practical reasons beyond the ethical objection to rewarding criminals.

First, there is no video. The attacker has no webcam footage, no screen recordings, and no access to your system. They have a password from a database. That is all. Paying for the deletion of something that does not exist is paying for nothing.

Second, payment does not guarantee silence. You are dealing with a criminal who has already demonstrated willingness to extort you. Paying marks you as someone who pays, which makes you a target for follow-up demands. Many victims who pay report receiving additional extortion emails weeks or months later, sometimes from the same operator and sometimes from others who acquired the "verified payer" list.

Third, your payment funds the next campaign. Every Bitcoin that arrives in that wallet proves the business model works and finances the infrastructure to send millions more emails. Non-payment is the only thing that makes the economics stop working.

The Technical Tells

If you examine a sextortion email with the same analytical eye you would apply to any phishing email, it falls apart quickly.

Authentication Failures

Most sextortion emails are sent from compromised servers, botnet nodes, or cheap VPS infrastructure. They almost always fail SPF checks because the sending IP is not authorized for the claimed domain. DKIM is usually absent entirely. If the recipient's mail server enforces DMARC, many sextortion emails never arrive at all.

Generic Headers

The email headers reveal mass-mailing infrastructure. You will see generic reverse DNS entries, high-volume sending patterns, and IPs that appear on multiple blocklists. The Received headers often show the email routing through multiple relays, a pattern consistent with botnet distribution rather than legitimate email delivery.

Reused Bitcoin Addresses

As mentioned, the Bitcoin address is a dead giveaway. Copy the address, paste it into a blockchain explorer, and you will typically see that it has received payments from other victims or appears in threat intelligence databases associated with sextortion campaigns.
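
The address check described above can be automated. The following is an added example, not code from this article's author or any spam filter: it pulls legacy (Base58Check) Bitcoin addresses out of a message body, discards look-alike strings that fail the checksum, and compares the rest against a blocklist. The sample body and the blocklist are constructed, and newer `bc1` addresses are out of scope.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Base58Check addresses: start with 1 or 3, 26-35 characters in total.
CANDIDATE = re.compile(r"\b[13][%s]{25,34}\b" % B58)

def is_valid_address(addr: str) -> bool:
    """Decode Base58 and verify the 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    zeros = len(addr) - len(addr.lstrip("1"))   # each leading '1' is a 0x00 byte
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:                            # version + 20-byte hash + checksum
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]

def triage_addresses(body: str, blocklist: set) -> dict:
    """Map every checksum-valid address in body to True if it is blocklisted."""
    found = {}
    for addr in CANDIDATE.findall(body):
        if is_valid_address(addr):
            found[addr] = addr in blocklist
    return found

# Constructed sample: the address from the composite email above, plus a
# look-alike with its last character changed (fails the checksum).
SAMPLE_BODY = """To prevent this, transfer $1,900 to my Bitcoin address:
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
Ticket reference 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"""

# Hypothetical local blocklist; real ones come from a threat intelligence feed.
BLOCKLIST = {"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"}

if __name__ == "__main__":
    for addr, listed in triage_addresses(SAMPLE_BODY, BLOCKLIST).items():
        print(addr, "blocklisted" if listed else "not on list")
```

Validating the checksum first keeps random 34-character tokens, such as tracking IDs, from being treated as wallet addresses.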

Template Language

The language is formulaic because it is generated from templates. Minor variations exist between campaigns, but the structure is always the same. Security researchers track these templates, and most spam filters have signatures for common sextortion patterns. The grammar is often slightly off, consistent with non-native English speakers using translation tools.

How Spam Filters Catch Them

Modern spam filters handle sextortion emails through several mechanisms working in combination.

Content analysis detects the characteristic pattern of sexual references combined with cryptocurrency addresses and threat language. This pattern is highly distinctive and rarely appears in legitimate email.

Bitcoin address blacklists are maintained by multiple threat intelligence providers. Known sextortion wallet addresses are flagged and any email containing them receives a significant spam score increase.

Authentication failure is the first line of defense. Since most sextortion emails come from unauthorized infrastructure, SPF and DMARC failures catch the majority before content analysis is even needed.

IP reputation scoring identifies the sending infrastructure. Sextortion campaigns typically originate from IPs with terrible reputation scores due to prior spam activity, botnet association, or recent appearance on DNSBLs.
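
A sketch of how the authentication and content-analysis signals can be combined into one score, as an added example rather than the code of any real filter. The server id `mx.example.net`, the cue patterns (one per element of the five-part structure described earlier) and the weights are all assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.example.net"   # assumption: your own receiving server's id
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
# One pattern per element of the five-part structure; wording is illustrative.
CUES = {
    "password_proof": re.compile(r"\byour password\b", re.I),
    "surveillance":   re.compile(r"\b(webcam|malware|recorded|video)\b", re.I),
    "exposure":       re.compile(r"\ball (of )?your (email )?contacts\b", re.I),
    "crypto_demand":  re.compile(r"\b(bitcoin|btc)\b", re.I),
    "deadline":       re.compile(r"\b\d{2}\s*hours\b", re.I),
}

def auth_verdicts(msg) -> dict:
    """Read spf/dkim/dmarc results, but only from the trusted server's header."""
    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        if header.split(";")[0].strip().lower() != TRUSTED_AUTHSERV:
            continue                   # ignore headers the sender may have injected
        for method, result in AUTH_RE.findall(header):
            verdicts[method.lower()] = result.lower()
    return verdicts

def score_message(raw: str) -> dict:
    msg = message_from_string(raw)
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace") for p in parts)
    text = msg.get("Subject", "") + "\n" + body
    verdicts = auth_verdicts(msg)
    cues = sorted(name for name, rx in CUES.items() if rx.search(text))
    # Assumed weights: 2 per failed or missing auth check, 1 per content cue.
    points = 2 * sum(v != "pass" for v in verdicts.values()) + len(cues)
    return {"auth": verdicts, "cues": cues, "score": points}

# Constructed sample using phrases from the composite email on this page.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.org;
 dkim=none; dmarc=fail header.from=example.org
Authentication-Results: forged.example; spf=pass; dkim=pass; dmarc=pass
Subject: Your password is sunshine42 - I know everything

The fact is that you were infected with malware.
With one click of the mouse, I can send this video to all your email contacts.
Transfer $1,900 to my Bitcoin address. You have 48 hours after reading this email.
"""

if __name__ == "__main__":
    print(score_message(SAMPLE))
```

Only the `Authentication-Results` header stamped by your own server is read, because any other copy of that header arrives with the message and proves nothing.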

For a broader view of how to reduce unwanted email, including scam emails like these, see our guide on how to stop spam emails permanently.

Why They Keep Coming

Sextortion is a volume game with favorable economics. The breach data is effectively free. The sending infrastructure costs almost nothing, especially when using compromised servers. The payment mechanism is anonymous and irreversible. And enough people pay to keep it profitable.

Estimates suggest that sextortion campaigns have collectively generated over $50 million in Bitcoin payments since 2018. Individual campaigns regularly produce six-figure returns. As long as that remains true, the emails will keep coming.

The best defenses are straightforward: use unique passwords for every service so that a breach of one site does not expose credentials usable elsewhere, enable two-factor authentication everywhere it is available, keep your software updated, and treat any email demanding cryptocurrency payment with the contempt it deserves. These emails are designed to make you feel powerless. Understanding how they work gives you the power back.
