Over the last few days, someone has been targeting organizations with extortion letters that threaten a bombing unless payment is made via Bitcoin.

The emails themselves are spoofed to come from a btconnect.com domain, but the reply-to address changes with each email blast. So far, the scammers are using .cz domains, but that can and will change as this extortion scheme progresses.

The emails started circulating in late July (July 23, 2019, based on public mentions), with the most recent appearing on July 29th of this year.

The extortion note gets right to the point (presented here with no editing or corrections):

Email One

I will make this simple! 3 PVC pipe bombs placed underneath a secret axis in your premises will explode. I will then set off the main pipe bomb hidden in the submersible pump. Pay us $10,000 USD Via Bitcoin to wallet (1PTYbNwRXpb7sbdu3qDh2PjTxXhHDx5smz) and we will tell you how to remove our devices.

Note that we have complete access to your server, you are best advised to make this email discrete for the safety of everyone at large. You have few hours to ensure the safety of people around you,do not contact me without a proof of payment made.


Email Two

I will make this brief! We have 3 PVC pipe bombs set to launch in a secret axis in your premise. We will then set off the main pipe bomb hidden in the submersible pump. Pay us $ 10,000 USD Via Bitcoin to Wallet (1PTYbNwRXpb7sbdu3qDh2PjTxXhHDx5smz) and we will tell you how to defuse our devices.

Note we have full access to your server and will advise you dont joke with your life and properties.Failure to receive payment proof will result to a bad outcome.


Email Three

I will make this simple! 3 PVC pipe bombs placed underneath a secret axis in your premises will explode. I will then set off the main pipe bomb hidden in the submersible pump. Pay us $10,000 USD Via Bitcoin to wallet (1PTYbNwRXpb7sbdu3qDh2PjTxXhHDx5smz) and we will tell you how to remove our devices.

Be informed we have complete access to your server, you are best advised to make this email discrete for the safety of everyone at large. You have few hours to ensure the safety of everyone around you at large,do not contact me without a proof of payment made.


The message variations are subtle. It’s likely the threat actor sending these emails is just altering the script some to make the threat more realistic.

At the time this post was drafted, the Bitcoin wallet being used had no payments.

Risk Assessments

Ignoring spam is a common process in IT and for most of the general public.

Corporate inboxes are flooded with junk mail daily, and spam filters deal with these garbage communications automatically.

Extortion emails, such as those circulating over the last year that allegedly include the victim’s password, are all the rage in some spamming circles. It was only a matter of time before someone came up with a new twist on those scams.

However, bomb threats against an organization - no matter how unlikely - is something that can’t be dismissed out of hand.

Many organizations, especially those in the government and financial sectors, will have to investigate each instance and make a risk / threat assessment.

Usually the team responsible for physical security will work with InfoSec to track the volume of emails, and determine several factors, including credibility, building access, etc.

The messages that have leaked to the public are vague, and contain no direct information tied to the targeted organization. That alone will rate a healthy dose of skepticism and a low risk assessment score. If the same message is received several times with little to no variations, that too is a sign that the threat is low on the scale.

In the off chance you might need it, the US Department of Homeland Security has published bomb threat guidance materials, which help organizations and individuals assess the situation. In addition, they’ve also published a bomb threat procedure checklist.

These emails are just another example of a criminal willing to say and do anything to make a dishonest buck. Yet, because of the threat itself, this is one of the few times where some victims simply cannot dismiss such spam outright.