Now it's Ashley Madison wives who are receiving blackmail letters

“I am afraid this letter contains bad news”

The continuing story of the Ashley Madison hack, and its repercussions, has taken another ugly twist.

We all know that extra-marital dating site Ashley Madison (motto "Life is short. Have an affair") got hacked, and details of its members were published online.

You may even have heard that some users received blackmail demands through email, and that more recently some have been targeted with blackmail letters through the US postal system demanding thousands of dollars be paid or loved ones and friends will be told about their membership of the controversial site.

That's all horrid enough, but now things have got even nastier.

In the last week or two I have been contacted by a number of people who refused to pay the Bitcoin ransom after receiving earlier Ashley Madison blackmail letters, and are now reporting that follow-up letters have been sent addressed to their wives.

In some cases the husbands have intercepted the letters, forwarding scanned copies of the envelopes and letter contents to me.

Here is a typical example (redacted to protect the individual's privacy):

Ashley Madison blackmail letter

Dear Mrs [Redacted] I am afraid this letter contains bad news. Perhaps you remember hearing in the news this past summer about a website called “Ashley Madison” being hacked. Ashley Madison is a website that facilitates people meeting each other that wish to commit adultery. The hackers released the membership and billing details of all the members. I am sorry to tell you that [Redacted] is a member of that adultery website. You, and some people you know, will be hearing from me via electronic communication in the near future with links and detailed instructions on how to confirm what I am telling you. But if you wish to do your own research before then you can search “Ashley Madison database” on Google to learn how to find it. Once you do find it you will see [Redacted] has entries in the database, including on [Redacted]. He signed up under the name "[Redacted]", used this mailing address as his billing address and used [Redacted] for his email address. But as I said, if you have difficulty locating the database, and it can be tricky, I will be contacting you via other means in the not too distant future. That is also for my own peace of mind in case [Redacted] intercepts this letter before you read it.

Why am I telling you and people close to you about this? Well, a while back I sent [Redacted] a letter telling him if he did not send me $2,000 I would reveal his secret to you. Well, he didn't pay. Either he thought I was bluffing or he decided to man up and tell you the truth. If he told you the truth I can respect that, but you should probably go ahead and prepare your friends and family for the impending communications from me. You can come up with some excuse to tell them in order to try and save you some embarrassment if you wish. Perhaps tell them he had his identity stolen and it wasn't really him. They might be naive enough to fall for that. I told [Redacted] that if he didn't pay I would be telling not only you but others close to you about his misdeeds. I guess your dignity wasn't worth $2,000 to him.

You will probably show this letter to [Redacted] when you confront him so I would like to close with a little message for him. Hey [Redacted]! You probably thought I forgot about you, didn't you? I told you missing the deadline would only bring you misery. I am sure you assumed I was just sending out multiple form letters hoping some small percent would pay up and that I wouldn't actually waste time and money on going through with my threat. Well, you were half right. I'm a crook, but I'm not a liar.

In a further twist, the blackmailer has included a message specifically for the husband - predicting that in some cases letters may be intercepted before the wife gets to see them.

Ashley Madison blackmail letter

[Redacted], in the event you intercepted this letter that wasn’t addressed to you (naughty boy, reading someone else mail is crime) you have one more chance to make things right. And Mrs. [Redacted], if you wish to keep this information from spreading to others you know then this is your chance as well. To stop me from spreading this infornation to rest of the people in your lives send me $2,500 in bitcoin. Yes, that is more money than I initially asked. The additional money is the penalty for making me ask twice. I realize the conventional wisdom is not to pay blackmailers because they will just come back at you for more. That is generally good advice. But hopefully this letter has shown you that I do things a bit differently. People who comply with my demands don't hear from me again. As for people like you, [Redacted], who don't comply? Well, this letter to Mrs. [Redacted] answers that, now doesn't it? I can be as tenacious as a bill collector.

You will send the $2.500 in bitcoin to the same bitcoin address I provided [Redacted] in my initial letter. Odds are [Redacted] doesn't have that letter anymore. He likely either destroyed the evidence or he tumed it over to law enforcement. No problem. You will find the bitcoin address listed at the bottom of this page again. As a courtesy I have also re-enclosed the “How-To” guide in the event you don't know how to procure and send bitcoin.

If you do not wish me to wreak further havoc upon your lives then send $2.500 in BITCOIN to the Receiving Bitcoin Address listed below. Payment MUST be received within 10 days of the post marked date on this letter's envelope.

This latest round of blackmail letters is being actively discussed in the comments section of one of my earlier stories about Ashley Madison, where a number of users have confirmed that they have received similar communications.

In at least one instance, someone claiming to be the wife of an Ashley Madison user has left a comment, saying she has no intention of paying the blackmailer:

Im a wife and received my letter today informing me that my husband is a member of AM. He apparently already got his letter but disposed of it without me knowing. This stuff is crazy! I'm not paying. Expose the cheating bastard to whover the blackmailer decides. My letter was post marked Feb 22, 2016 from NO VA. My letter was sent to our old address in Illinois and then forwarded to our new address in Wisconsin. BTW, hubby admitted to being a member. That's enough for this wife!

I don't believe you should pay the blackmailer either. Paying blackmailers is an idiot's game, and just means they can keep coming back for more and more money.

Furthermore, one has to wonder whether the blackmailer's new scheme of writing to wives of Ashley Madison members indicates that their earlier attempts to extort money simply have not been as successful as they hoped. It could be argued that they are becoming increasingly desperate in their attempts to frighten people into coughing up cash, and that may increase the chances that they will make an elementary mistake.

Ashley madisonAnd, let's not forget, it takes a lot more effort to determine the alternative contact details for someone's wife, their friends and colleagues - information which was not stored in the hacked Ashley Madison database.

The sheer fact that the letters are addressed to "Mrs [Redacted]" rather than Sandra or Katie, indicates just how little the blackmailer really knows.

I'm not going to stand in judgement regarding the rights and wrongs of joining a site like Ashley Madison. As we have discussed before there are entirely innocent reasons why people might have been in the site's database, or they may have joined the site long before they entered their current relationships.

But what is as clear as day is that blackmail is an abhorrent crime, and the criminal behind the current letter-writing campaign is playing a dangerous game.

As before, I would recommend that anyone who receives a blackmail threat through the US Postal Service contact the US Postal Inspectors Service and FBI so that they can investigate. I haven't seen any reports of Ashley Madison blackmails being sent by post outside the United States.

My hunch is that whoever is sending these blackmail threats is more of a computer nerd than someone who is experienced in covering up any physical evidence they may have left on the envelopes and letters themselves.

Ashley madison wife envelope

Finally, if you are ever considering joining a site like Ashley Madison and don't want anything like this to ever happen to you - be very very careful about what information you share with the site.

How would you feel if you received an Ashley Madison blackmail letter?

Further reading:

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Subscribe to the free GCHQ newsletter

, ,