Spammers are sending a wave of threats to businesses, schools, and other locations in English-speaking countries across the world, demanding bitcoin in exchange for not detonating a supposed bomb. There’s no evidence of any actual explosives being placed or detonated, but it’s causing numerous evacuations and law enforcement investigations across the US, Canada, and New Zealand — and potentially elsewhere. Police are both investigating potential threats and asking victims to exercise caution.
Several examples of the email threat have been posted online. A typical example, printed by the Cedar Rapids Police Department in Iowa, carries the subject line “Do not waste your time.” Its sender warns that a man has carried an explosive device into “the building where your business is conducted.” (The explosive material appears to vary across messages.)
MSP and partner agencies on federal and local levels are conducting risk assessment procedures regarding the threats and will determine appropriate responses. NO indications of any explosives located or detonated to this point. We will continue to communicate info when available. https://t.co/fPXhNy2vPF
— Mass State Police (@MassStatePolice) December 13, 2018
The sender demands $20,000 in bitcoin by the end of the day, claiming the “recruited person” will detonate the bomb if he sees any police activity or unusual behavior. “Nothing personal this is just a business,” the email continues. “If the explosive device detonates and the authorities see this letter: We are not terrorists and dont [sic] assume any liability for explosions in other places.” The messages include a bitcoin wallet address; it’s not yet clear how many people — if any — have actually paid a ransom.
We’re working a number of bomb threat calls in OKC. There have been similar threats called into several locations around the country. No credible threat found at this point. We encourage the public to continue to be vigilant and call with anything suspicious.
— Oklahoma City Police (@OKCPD) December 13, 2018
The Suffolk County Police Department has responded to at least 11 bomb threat incidents during which businesses, one school and one medical facility received an email demanding money. The threats are being investigated, but are deemed to be non-credible at this time.
— Suffolk County PD (@SCPDHq) December 13, 2018
The bitcoin wallet where the ransom money is to be sent varies between messages. (The Verge was able to confirm at least three distinct wallets.) Creating a separate wallet for each target is a common tactic for ransomware scams, allowing criminals to verify which targets have paid up. Other variations in the messages are harder to explain. Most of the threats name a specific explosive, but the explosive varies between messages. Common choices include tetryl, tronitrotoluane [sic], and hexigen.
We still don’t know exactly how far this email has spread, but police departments across the US and parts of Canada have now posted about the threats. At least one threat was noted in the UK, although it’s not immediately clear whether it’s related. Five Toronto subway stations were shut down because of bomb threats.
We are aware & investigating email threats that were sent to multiple businesses in communities throughout Manitoba. #rcmpmb is determining the origin & validity of the threats. Investigation is ongoing. Updates to follow.
— RCMP Manitoba (@rcmpmb) December 13, 2018
WPS is investigating a number of bomb threats that have been sent to local businesses email accounts.
Businesses are spread throughout the city. Similar threats have been made in CAN and the US. WPS is taking these threats seriously but none have been substantiated.
— Winnipeg Police (@wpgpolice) December 13, 2018
The unfounded e-mail threat to local business and individuals is demanding a bit coin payment.
If you have been the recipient of such an e-mail threat, please do not respond to the bit coin demand.
Please make a report with the Ottawa Police at 613-236-1222 ext. 7300.#ottnews https://t.co/LKR6qC5dlr
— Ottawa Police (@OttawaPolice) December 13, 2018
“They’re coming in really fast. I have no idea how many reports our folks have taken,” a Cedar Rapids Police Department spokesperson tells The Verge. The spokesperson was not aware of anyone having transferred money to the addresses.
The Bitcoin-spam-scammers have moved on from fake blackmail threats to fake bomb threats. So far no-one’s paid anything to the address, and I suspect it’ll stay that way. pic.twitter.com/N5MOdmu8Jm
— Tom Scott (@tomscott) December 13, 2018
The New York Police Department posted an advisory online about the emails, saying it was “currently monitoring multiple bomb threats.” It noted that similar threats had been reported across the country, saying that they “are NOT considered credible at this time.” The Oklahoma City Police tweeted that “no credible threat found at this point,” but said that “we encourage the public to continue to be vigilant and call with anything suspicious.”
At this time, it appears that these threats are meant to cause disruption and/or obtain money. We’ll respond to each call regarding these emails to conduct a search but we wanted to share this information so the credibility of these threats can be assessed as likely NOT CREDIBLE.
— NYPD NEWS (@NYPDnews) December 13, 2018
But many buildings were evacuated or locked down anyhow out of an abundance of caution, including some schools, hospitals, Call of Duty game developer Infinity Ward and the News & Observer in North Carolina. A Facebook building was evacuated yesterday after a bomb threat, though it may not be related.
Columbine High School and its sister schools were also on lockdown today due to a bomb threat, but that was from an anonymous caller, not an email scam.
Today’s wave of emails is similar to — but more overtly threatening than — another widespread ransom scam earlier this year. In that case, scammers sent an email claiming that they had recorded webcam footage of targets watching online porn. A number of people seem to have actually paid the ransom demands in those messages, although that doesn’t necessarily mean the same will happen here.
In a statement, the Federal Bureau of Investigation said that “we are aware of recent bomb threats made in cities around the country, and we remain in touch with our law enforcement partners to provide assistance. As always, we encourage the public to remain vigilant and to promptly report suspicious activities which could represent a threat to public safety.”
New Zealand’s cybersecurity agency CERT also posted an advisory about the threats. “New Zealanders have reported receiving threatening emails that claim an explosive device is hidden in the recipient’s office, and will be detonated unless an amount of ransom in bitcoin is paid,” it reads. “While this is likely to be an opportunistic scam, New Zealand Police are treating this as a real threat until confirmed otherwise.”
Update, 5:40PM ET: Added that reports of the bomb threats are coming in from across Canada and New Zealand as well.