International email bomb hoax proves to be a spectacular failure

Recipients told there was a hidden bomb that would detonate unless a Bitcoin ransom was paid.

Graham Cluley

Authorities in the United States, Canada, Australia, and New Zealand are said to be investigating a wave of bogus bomb threats that were sent to a variety of organisations late on Thursday.

Scores of colleges, businesses, hospitals and courthouses are believed to have received the emails, which demand that a Bitcoin payment be made by the end of the working day.

There are minor differences in the emails (mostly words being swapped around), but here is a typical message:

There is the bomb (tronitrotoluene) in the building where your business is located. My recruited person constructed an explosive device under my direction. It has small dimensions and it is hidden very well, it is impossible to damage the supporting building structure by my bomb, but there will be many wounded people if it detonates.

My man is controlling the situation around the building. If any unnatural behavior, panic or emergency is noticed he will power the device.

I want to suggest you a deal. You send me $20’000 in Bitcoin and the bomb will not detonate, but do not try to fool me -I warrant you that I have to call off my man solely after 3 confirmations in blockchain network.

My payment details (Bitcoin address)- 149oyt2DL52Jgykhg5vh7Jm10pdpfuyVqd

You must pay me by the end of the workday. If the working day is over and people start leaving the building explosive will explode.

This is just a business, if I do not see the money and the bomb detonates, next time other commercial enterprises will send me a lot more, because this is not a single incident. I wont enter this email. I check my Bitcoin wallet every 40 min and after seeing the payment I will order my mercenary to leave your district. If an explosion occurred and the authorities see this letter:
we arent a terrorist society and do not assume responsibility for explosions in other places.
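
Because copies of the message differ only in wording, a mail rule that matches one exact body or hash misses most of them. The Python below is an added example, not code from the article: it scores a message by word-set overlap with the sample above and lists any Bitcoin-address-shaped strings for the report. The function names, the 0.5 threshold and the two test messages are assumptions constructed for illustration.

```python
import re

# Opening and demand sentences from the sample message quoted in the article.
REFERENCE = ("There is the bomb (tronitrotoluene) in the building where your "
             "business is located. I want to suggest you a deal. You send me "
             "$20'000 in Bitcoin and the bomb will not detonate. You must pay "
             "me by the end of the workday.")

# Loose shape of a legacy Bitcoin address, with no Base58 validation: the
# address as printed in the sample contains "0", which Base58 excludes, so a
# strict validator would skip it.
BTC_LIKE = re.compile(r"\b[13][A-Za-z0-9]{25,34}\b")

# Constructed test messages (not real mail): a reworded copy and a benign invoice.
VARIANT = ("In the building where your business is located there is the bomb "
           "(tronitrotoluene). I want to suggest you a bargain. Send me $20'000 "
           "in Bitcoin and the device will not detonate. You must pay by the end "
           "of the working day. Payment address: 1ExampleConstructedAddressXXXXXXX")
BENIGN = ("Your invoice for the building maintenance is attached. You can pay by "
          "card, or send Bitcoin to 1ExampleConstructedAddressXXXXXXX by the end "
          "of the month.")

def tokens(text):
    """Lower-cased set of words of 3+ letters: ignores order, case, punctuation."""
    return set(re.findall(r"[a-z]{3,}", text.lower()))

def similarity(a, b):
    """Jaccard similarity of two word sets: 0.0 (disjoint) to 1.0 (identical)."""
    ta, tb = tokens(a), tokens(b)
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0

def triage(body, threshold=0.5):
    """Score a message against the campaign wording and list payment addresses."""
    score = similarity(REFERENCE, body)
    return {"score": round(score, 2),
            "flag": score >= threshold,
            "addresses": BTC_LIKE.findall(body)}

if __name__ == "__main__":
    for name, body in (("variant", VARIANT), ("benign", BENIGN)):
        print(name, triage(body))
```

The reworded copy still shares most of its vocabulary with the sample and is flagged, while the invoice that merely mentions a Bitcoin address is not.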

Police authorities have confirmed that they do not believe the threats to be genuine, but you can understand the anxiety that some schools and businesses will have experienced receiving an email like this.

It takes very little effort for some cockwomble to spam out a threat like this to a list of businesses and colleges, and the impact is even more considerable than the sextortion emails that so many of us have received in recent months, quoting old passwords and claiming to have captured video footage of us as we visited porn websites (spoiler: they don’t have any video footage of you).

Sextortion is unpleasant enough, but terrifying schools with bomb threats? The police aren’t going to turn a blind eye to that, and I expect the FBI to be putting considerable effort into trying to track down who might be responsible.

I also can’t help but wonder if this latest spate of spammed-out bomb hoaxes is in any way connected to the sentencing last week of British teenager George Duke-Cohan, who targeted schools in the UK and United States earlier this year with a similar extortion.

Duke-Cohan has just been sent to prison for three years for his bomb threats. Let’s hope there’s a similar outcome for whoever is behind this latest wave of hoaxes.

In case you do receive a bomb threat email, here is the advice:

  • Do not respond or try to contact the sender.
  • Do not pay the ransom.
  • Report the email to the FBI’s Internet Crime Complaint Center or your local FBI field office.

The good news is, so far, it appears that none of the hoaxer’s intended victims has coughed up the $20,000 worth of Bitcoin. So, in that regard, the attack has been a spectacular failure.

If, however, the hoaxer was less interested in the money and keener on just causing disruption – well, I guess they have achieved their aim.

For more discussion on what George Duke-Cohan did, be sure to listen to this episode of the “Smashing Security” podcast:

Smashing Security #108: 'Hoaxes, Huawei and chatbots - with Mikko Hyppönen'



Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “International email bomb hoax proves to be a spectacular failure”

  1. Matt Parkes

    My company here in the UK received this hoax, or at least one of our Sales Managers did, needless to say we identified this as a hoax, however the initial reasons for deciding this were not what I would have expected.

  2. coyote

    I don't know if this says anything about my age but when I saw the title the first thing I thought of was the old email bombs (though how flooding a mailbox with emails would end up being a hoax I can't say but I've been extremely tired and finding it rather hard to read in my usual way ..or maybe it's just remembering old times. Probably both) rather than physical bombs. How times have changed… Much like malware as you pointed out some years ago. Have a good holiday or holidays more like, Graham!
