The Craziest Spam / Scam Email I’ve Ever Received

We all get Spam email. It’s quite simply a fact of the internet. What’s more, the vast, and I mean vast majority of the spam email received is also some kind of scam in some form — be it the classic “Nigerian Prince” scam, the old school “malware in an attachment” email which now will usually contain the absolute horror that is ransomware, or even just typical “Russian babes want YOU” kind of email targeting those horny and gullible enough to fall for such.

Some of them, however, are a little more intense, and while I’ve gotten email like this before, nothing has ever been quite this extreme.

Buckle up, this is going to be a very long entry.

This particular email is the quite common “you’re in legal trouble, but I can get you out of it for a fee” type of spam scam which floats around these days, but this one stood out as oddly savage to me, given the subject matter of the crime of which the person receiving it (in this case, me) is accused of.

Obviously, it’s designed to outright terrify anyone who may happen to read it and somehow believe it to be true. However, any deep look at both the content and the metadata related to the email will show just how fake it is — not that it should take an investigation to determine but it’s worth going over the points.

It should be noted that this email does address a serious topic (that, after all, is its shock value and what is being leveraged against the person who receives it) and while that topic is not one to be taken lightly, this email is using that subject for outright theft via manipulation. I just wanted to explicitly clarify that, since some people on the internet cannot grasp such basic concepts.

Whatever case, here’s the body of the email as received.

Case #59126738
Distribution and storage of pornographic electronic materials involving underage children.
   
   
My name is Maud Hatcher and I am a technical collection officer working for Central Intelligence Agency.
   
It has come to my attention that your personal details including your email address (chris@xadara.com) are listed in case #59126738.
   
The following details are listed in the document’s attachment:
   
Your personal details,
Home address,
Work address,
List of relatives and their contact information.
   
   
Case #59126738 is part of a large international operation set to arrest more than 2000 individuals suspected of paedophilia in 27 countries.
   
The data which could be used to acquire your personal information:
   
Your ISP web browsing history,
DNS queries history and connection logs,
Deep web .onion browsing and/or connection sharing,
Online chat-room logs,
Social media activity log.
   
The first arrests are scheduled for April 8, 2019.

   
Why am I contacting you ?
   
I read the documentation and I know you are a wealthy person who may be concerned about reputation.
   
I am one of several people who have access to those documents and I have enough security clearance to amend and remove your details from this case. Here is my proposition.
   
Transfer exactly $10,000 USD (ten thousand dollars – about 2.5 BTC) through Bitcoin network to this special bitcoin address:
   
3FG3MH5eZ9pk3BkLXr1FuP39w4TFnzVnM2
   
You can transfer funds with online bitcoin exchanges such as Coinbase, Bitstamp or Coinmama. The deadline is March 27, 2019 (I need few days to access and edit the files).
   
Upon confirming your transfer I will take care of all the files linked to you and you can rest assured no one will bother you.
   
Please do not contact me. I will contact you and confirm only when I see the valid transfer.
   
Regards,
Maud Hatcher
   
Technical Collection Officer
Directorate of Science and Technology
Central Intelligence Agency

OH BOY. I TOLD YOU IT WAS BAD!

Okay, okay, I’m sure most reading will be able to tell where this is complete bullshit. It’s not hard to figure out, honestly, but let’s tear it apart piece by piece to see what we can make it of.

First off, the part I didn’t show you — the email header. Namely, where the email originated from: Maud Hatcher maud_hatcher@fsjb.ciagov.ga

Hmn… ciagov.ga? Really? a .ga Top Level Domain (TLD) ? No, that doesn’t mean “Government Address” or anything of the sort (which is all I can imagine the scammers thinking it might work as) oh no, that’s the TLD for the East-African country of Gabon!

However, there’s more to it — .ga is apparently used as a “free” domain service much like .tk, and as such anyone anywhere can, in theory, get a .ga TLD! So, this doesn’t tell us anything about the origins of this email, but it doesn’t need to — it tells us for certain that this is someone trying, very poorly, to make their email look like it’s coming from an official source. Hey, who wouldn’t panic seeing “ciagov” in an email right?

Okay, that’s flag one. Moving on to the email itself, we have the odd grammar. Subtle elements of this hint at it being from someone who doesn’t natively speak English, let alone a United States citizen. Namely the “for Central Intelligence Agency” part is hilarious – the definite article “the” always precedes the CIA in any usage (see, even there,) with the lack of it matching those of most international scammers (especially Indian scammers, in this case) among other issues continuing this pattern.

Moving on, we have accusations of me being a part of some kind of crazy “paedophelia ring.” For those of you outside of the United States, you might not recognize this, but that’s not the spelling used here for that particular word. the “a” is lacking in the United States. Strike two for this person being American in any capacity.

That’s ignoring the entire prospect of this email is absurd — you’re saying I’m part of some crazy criminal conspiracy, that the US is explicitly in charge of some massive strike to happen all at once in 27 nations, only one of those being where the CIA has actual power, and that you somehow have logs associate with me even though that email address is only used for special purposes on this website and nothing else? Hahah that’s cute. Especially the presumption that they somehow have information which is quite well guarded and / or is in no way associated with the email address in question. Cute. Real cute. Of course, it’s all part of the scare tactics.

After telling us the exact date the arrests begin (like I couldn’t just obliterate data, machines, and warn others of this impending date so they can do the same, this at least providing some plausible deniability if the entire situation wasn’t a complete lie, we get to the meat of the email — what “Maud” wants, and what they are doing even sending this email.

Money, of course, is the answer. It’s always money. In this case, $10,000 via Bitcoin. Oh yes, good old Bitcoin. Yep, pay 10 grand and our friend “Maud” here will make everything go away.

The hilarious aspect is that the person claims that they have ” read the documentation and … know you are a wealthy person who may be concerned about reputation.”

That’s where you’re wrong kiddo. My reputation is whatever, I’m notorious for pissing of people both online and in real life (boohoo, so sad) but me? wealthy? HAHAHAHAHAHAHAHAHAHA I fucking wish I had 10 grand to make problems disappear. If I had that kind of money you think I’d have ads running all over this site? Ah, what bullshit, but hey, this kind of email is designed to scare the rich. It would only take one hit to make a good chunk of money, after all.

Hilariously, they seem to think that the person cares more about their reputation than the threat of being arrested on quite severe charges, indicating they either acknowledge that the wealthy can generally get away with most any crime, or that they are forgetting the fact that incarceration is far more of a threat to most anyone than simply a damaged reputation, when you really look at it. It’s actually quite typical for such email’s to really forget the point at this stage, hoping the person is already scared enough in general to just pay out.

That’s not addressing the fact that this person is thinking that they can somehow get away with editing this information without anyone noticing things changing, files being updated, edited, or erased, or that backups won’t exist which would quickly bring light to such changes. This ignoring that for such databases and archives change logs would obviously be recorded and I highly doubt there would be any way to edit such since, you know, that’s a security hole.

Or ignoring that I could, if this were somehow real, send this email to someone else at the CIA and have them and their incredible digital forensics team do some work on it to see just who might be behind this. Again, of course, that’s if this bullshit was real, which it, of course, isn’t.

The email ends as you would expect with a (not shown here) shitty jpg of the CIA emblem and the usual “Reagard, blah blah scammerson” crap to make it look more official, somehow.

So, yeah, it should be obvious how fake this is and interestingly enough while I was typing this article a group I follow online called “That’s Nonsense” (similar to snopes, but focusing on Facebook scams) did a short article on this very same email going around, including a sample of their own, with a different name and different bitcoin address but otherwise the same content, so if you somehow doubted this being a scam or it even being a real email (that I somehow made it all up and devoted 1500+ words to tearing it apart for fun) then it would seem you’re quite wrong.

https://www.thatsnonsense.com/email-extortion-scam-claims-to-be-from-a-cia-investigation/

What do I have to end with? Nothing much, except that just before finishing this article I did what I could to trace the origins of this email, and it looks to have been sent from the UK — this would explain the British spelling of a few words and the odd grammar in other places – many scams are now being run out of the UK in some form, but still done by people internationally at some stage.

That all being said, yeah, if you see this, just ignore it. I doubt most ever will, as in my attempt to share it with a few friends their spam filters not only caught it but actively killed the email in transit – they never received it and I’m sure I only did because I have no major filters on my own mail server preventing such from being delivered.

Hell, I wrote this for the fun of it. Is it damn near 2000 words? Sure. Is it way longer than it needs to be? Probably. Did I have fun typing it up? Hell yeah!