Cybercriminals Hijack Email Accounts to Send Disturbing Blackmail Messages to Victims
Cybercriminals Use Fear and Shame Tactics in Alarming New Sextortion Scam
A new wave of cyber extortion emails is alarming users worldwide, as attackers gain unauthorized access to personal email accounts and use them to send themselves threatening messages — making it appear as though the victim sent the email to themselves.
One such message, recently reported by multiple Microsoft Outlook users, starts with a chilling line: “Hello pervert, I’ve sent this message from your Microsoft account.” The attacker then goes on to claim that the user’s devices have been infected with Pegasus spyware, giving the criminal access to webcam feeds, messenger logs, and personal videos.
The email uses highly manipulative and shame-based language to push the target into paying a ransom in cryptocurrency — specifically, $1,600 worth of Litecoin — (Lіtecoіn (LTC) (wallet: ltc1q4kpx3rxxeh0xq8ea5e5uuzua44sc3f5mwqn5s2 and ltc1qna3fk5q99l2acx67gplqnq85warwhkzma6hgkj) within 48 hours. It threatens to distribute explicit videos allegedly recorded through the victim’s webcam to all contacts across various platforms like WhatsApp, Telegram, Instagram, Facebook, and email.
The blackmailer warns:
“It’s been a few months since I installed it on all your devices… I’ve recorded many videos of you… to highly controversial porn videos.”
Cybersecurity experts say such messages are a textbook example of sextortion scams, which rely on fear and shame to extort money, even when the attacker has no real access to the victim’s devices or content.
Email Spoofing or Real Account Access?
What sets this scam apart is its apparent origin from the victim’s own email account. Security analysts warn that in some cases, attackers may have actually compromised the victim’s email login via phishing, data breaches, or password reuse. Once inside, they send the message from the account itself to increase credibility and fear.
This increases the urgency for users to:
-
Immediately change all email and social media passwords.
-
Enable multi-factor authentication (MFA) to block unauthorized logins.
-
Run a full malware scan on all devices.
-
Contact the email provider’s support to check for any recent suspicious activity.
Do Not Pay the Ransom
Authorities and cybersecurity professionals emphasize that victims should not pay the ransom or respond to the email. “Paying emboldens the attacker and offers no real guarantee that any alleged data will be deleted,” says cybercrime analyst Linda Morgan.
Instead, report such incidents to your local cybercrime unit or agencies like the Internet Crime Complaint Center (IC3).
An Evolving Threat
This case underscores the evolving sophistication of online threats — combining psychological manipulation, technical breaches, and anonymity through cryptocurrency. While claims involving Pegasus spyware are almost always fabricated in these emails, the emotional pressure they exert can be very real.
Stay safe by using strong, unique passwords, avoiding suspicious links, and remaining calm in the face of threatening emails.
Aleksandra Erdogdu – Cybersecurity Desk
