- 1.- Typical scenario
- 2.- Techniques we use
- 3.- Legal considerations and chain of custody
- 4.- Mitigation recommendations
- 5.- Mandatory
Introduction: In digital-extortion cases, identifying the perpetrator requires a delicate balance between credential-recovery techniques and infrastructure analysis. Below we outline a typical operational scenario at Detective Hacker, the tactics used to access the extortionist’s mailbox, and the precautions needed to maintain the chain of custody.
1.- Typical scenario
- The extortionist operates from an anonymous account (free webmail, disposable domain, or encrypted service).
- The victim provides our organization with the original messages and headers.
- Forensic objective: access the aggressor’s mailbox to extract:
  - Real source IP.
  - Contacts / accomplices.
  - Evidence of multiple blackmail attempts.
2.- Techniques we use
| Technique | Mode of operation | Entry vector | Risks |
|---|---|---|---|
| Spear phishing | A “support” email impersonates the provider to steal the password. | Email with link to a cloned site (evilginx, Gophish) | Fake URL flagged by filters; prosecutable for impersonation. |
| Social engineering + SIM swap | The attacker duplicates the SIM and receives the 2FA SMS to reset the account. | Call to the mobile operator with leaked data | Forgery crime; 1–2 h window before lockout. |
| Password spraying / credential stuffing | Leaked credentials from previous breaches are tested. | Bots (Hydra, Burp Intruder) from a distributed network | Account lockout due to mass logins; IP blacklisted. |
| Remote-access malware (RAT) | A trojan is installed on the extortionist’s PC/phone. | Malicious attachment, browser exploit | Infecting without a court warrant is a serious offense. |
| Cloud misconfiguration | The extortionist forwards copies to an S3/Bucket without permissions. | OSINT, Shodan, bucket_finder | Only valid if the repo is public; otherwise, unauthorized access. |
3.- Legal considerations and chain of custody
- The IP alone does not identify a person: it requires subscriber data, ISP logs, and often device analysis to support the accusation.
- All emails and headers must be preserved in native format (.eml) and sealed with SHA-256 on WORM media.
- Any access to someone else’s mailbox without explicit consent or a court order may constitute computer intrusion (Arts. 197 & 264, Spanish Penal Code).
- Requests to foreign operators are channeled via MLAT or the Budapest Convention to ensure procedural validity.
4.- Mitigation recommendations
- Implement MFA based on FIDO2 keys to thwart phishing and credential stuffing.
- Monitor anomalous logins (geolocation, impossible travel) and trigger alerts.
- Audit S3/Blob Storage buckets with “Block Public Access” policies and periodic scans.
- Train staff on SIM-swap risks and require a portability PIN with the carrier.
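A defender-side implementation of the “impossible travel” alert recommended above, added here as an example and not Detective Hacker’s own code. The login events, the IPs and the 900 km/h threshold are constructed assumptions, and the coordinates are assumed to come from an earlier IP-geolocation step.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumption: anything faster than an airliner cannot be the same person on both logins.
MAX_SPEED_KMH = 900.0

# Constructed sample events: (account, UTC timestamp, source IP, latitude, longitude).
# The coordinates are assumed to come from an earlier IP-geolocation step.
LOGINS = [
    ("victim@example.com", "2024-05-01T08:00:00", "203.0.113.5", 40.4168, -3.7038),   # Madrid
    ("victim@example.com", "2024-05-01T08:45:00", "198.51.100.9", 55.7558, 37.6173),  # Moscow, 45 min later
    ("victim@example.com", "2024-05-01T20:00:00", "203.0.113.5", 40.4168, -3.7038),   # Madrid again, 11 h later
    ("other@example.com", "2024-05-01T09:00:00", "192.0.2.77", 41.3874, 2.1686),      # Barcelona
    ("other@example.com", "2024-05-01T12:00:00", "192.0.2.80", 40.4168, -3.7038),     # Madrid, 3 h later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Compare each login with the previous one on the same account and return
    (account, earlier_ip, later_ip, implied_speed_kmh) for every pair whose
    implied speed exceeds max_speed_kmh."""
    alerts = []
    last_seen = {}  # account -> (timestamp, ip, lat, lon) of the previous login
    for acct, ts, ip, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        if acct in last_seen:
            prev_ts, prev_ip, prev_lat, prev_lon = last_seen[acct]
            hours = (datetime.fromisoformat(ts) - datetime.fromisoformat(prev_ts)).total_seconds() / 3600
            distance = haversine_km(prev_lat, prev_lon, lat, lon)
            if hours <= 0:
                # Same-second logins from different places: treat as infinitely fast.
                speed = float("inf") if distance > 0 else 0.0
            else:
                speed = distance / hours
            if speed > max_speed_kmh:
                alerts.append((acct, prev_ip, ip, round(speed)))
        last_seen[acct] = (ts, ip, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(LOGINS):
        print("ALERT impossible travel:", alert)
```

Only the Madrid-to-Moscow pair 45 minutes apart trips the alert; the Barcelona-to-Madrid pair three hours apart and the return to Madrid eleven hours later are both physically plausible.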
5.- Mandatory
Review the disclaimer on our website.