In offices and universities all across the country Thursday, the same threat appeared in email inboxes: Pay $20,000 worth of bitcoin, or a bomb will detonate in your building. Police departments sent out alerts. Workers from Los Angeles to Raleigh, North Carolina, evacuated their cubicles in the middle of the day. All over Twitter, people posted screenshots of the emails, many different versions of which appear to have been blasted out. As of Thursday afternoon, no bombs had been found, and cybersecurity experts largely dismissed the threats as an elaborate hoax.

Not all police departments have confirmed it as a scam. But it certainly appears to be a steep escalation of a bitcoin blackmail tactic that took off this summer. In that scheme, victims received an email claiming that a hacker commandeered their webcam while they were watching pornography and would release the resulting photos publicly if the target didn't pay a small amount in bitcoin. It was an obvious lie but one that nevertheless earned its perpetrators half a million dollars. In an apparent attempt to increase the urgency, this wave of attacks swaps out sextortion in favor of fake bombs.

An Escalation

The New York Police Department said in its initial warning on Twitter that the threats did not appear to be credible and told WIRED that though they were investigating reports, they had found no bombs. Police in Park City, Utah, quickly called at least one threat a hoax. Police will investigate every email, given that it involves potential physical harm, but the likelihood that someone planted actual bombs in hundreds or thousands of building all across America is next to zero.

“This is not a credible threat. It’s clearly a hoax,” says security researcher Troy Mursch, who has been tracking the sextortion scams. Like those, today’s threats were sent out in mass, automated batches to email addresses that the miscreants could have bought or found online. Those emails could have been scraped from public websites, accessed in data breaches, or compiled from shady email marketers.

Many of the recipients suspected a scam immediately. “My first thought was that it looked like a hoax. I didn’t even give it a second thought,” says social media researcher Kelli Burns, who received a threat to her University of South Florida email address this morning.

"It’s a terrible strategy." Security researcher Troy Mursch

Burns says that the language gave it away, as often happens with phishing emails and other scams. “My subject line was ‘You are responsible for people,’ which didn’t sound like the person was a native English speaker,” Burns says. Other people in her department received slightly different wording, but all shared the same strange diction. Her director immediately emailed everyone to say that it was some kind of scam and that the university police were looking into it.

To Mursch, the bomb-threat scam is both familiar and totally new. “This new bitcoin extortion scam is something else. We've been tracking the sextortion bitcoin scam, but this is the first time we’ve seen bomb threats being sent out in the same vein as the sextortion one," he says. "It’s a terrible strategy."

That's not just for the disruption it sows, but also in that it seems poorly thought out on the part of the criminals. A violent threat, coupled with a request for a very high sum, will likely generate intense law enforcement scrutiny more than actual payouts.

The sextortion scam works in part by being remotely believable and asking only for small amounts of money. For some people, it may be worth paying just to put the whole nightmare behind them. A figure of $20,000 is much harder for a random email recipient to get their hands on in a short amount of time and seemed suspicious to those who received it.