In a digital version of a criminal shakedown, international hackers have gained control of files on millions of computers, taken down public websites and demanded that their victims pay up using the untraceable virtual currency.

Share story

In the old days, criminals liked their ransom payments in briefcases full of unmarked bills.

These days, there’s a new preferred method for hostage takers: the virtual currency bitcoin.

In a modern-day version of a mob shakedown, hackers around the world have seized files on millions of computers, taken down public websites and even, in a few cases, threatened physical harm.

The victims — who have included ordinary computer users, financial firms and police departments — are told that their only way out is through a bitcoin payment that is sometimes more than $20,000.

One set of attackers, believed to be based in Russia and Ukraine, collected about $16.5 million in bitcoins in a little over a month, primarily from victims in the United States, according to the security firm Sophos.

Criminals like the virtual currency because it can be held in a digital wallet that does not have to be registered with any government or financial authority — and because it can be easily exchanged for real money. At the moment, a single bitcoin can be sold online or on the street for around $290.

“The criminal underground very much likes bitcoin,” said Curt Wilson, a senior threat-intelligence analyst at Arbor Networks. “It’s enabled a greater sense of obfuscation.”

Bitcoin, which was released by an anonymous creator in 2009, has recently been gaining mainstream appeal. Startups in the industry have won investments from big names like Goldman Sachs and the New York Stock Exchange, which have praised the technology as a faster, more efficient way to complete financial transactions.

But the proliferation of ransom demands has provided an unhappy reminder of the virtual currency’s continuing appeal to the criminal underworld, long after the authorities shut down the online drug bazaar Silk Road, where heroin and cocaine were sold using bitcoin.

The latest reminder of bitcoin’s underbelly came last week with the arrest of two Florida men. Authorities said victims of malware were steered to Coin.mx, a site run by the two men, to buy the bitcoins to pay the ransom demanded by the malware. The complaint suggested that the criminals also used the site to launder their proceeds.

In a separate set of recent cases, security experts said, several financial firms have been attacked by one or more criminals going by the name DD4BC, who threatened to overwhelm the firms’ public websites with message traffic unless a bitcoin payment was made. These corporate victims are generally asked to pay about $10,000, the security experts said, and the attacks have shown no signs of abating.

“Do not ignore me, as it will just increase the price,” DD4BC said in one email that was made public. “Once you pay me you are free from me for the lifetime of your site.”

Ted Weisberg, president of the brokerage firm Seaport Securities, which was hit in June, said that he initially thought the message was a joke. But as he called competitors, he said, he quickly learned that the threat was real. Seaport’s website ended up being down for a day and a half. Weisberg’s firm did not pay the ransom and repelled the bombardment of traffic with the help of one of its technical providers.

The extortion attempts have been widespread enough that the brokerage industry’s self-governing regulatory agency, the Financial Industry Regulatory Authority, warned its members in June to contact the FBI if they received a message from DD4BC.

Bitcoin has made the delivery of ransom more seamless and untraceable for criminals because the virtual-currency system is run by a decentralized network of computers that collects no personal information about users.

Unlike the days of bulging briefcases, bitcoin payments can be made without an in-person meeting. What’s more, bitcoin transactions are designed to be irreversible, so victims cannot reclaim their money as they could with a credit-card or PayPal transaction.

Early bitcoin users realized the currency could be useful for ransom payments. But in late 2013, the threat spread far beyond the virtual-currency community when the first version of bitcoin-fueled ransomware, known as CryptoLocker, began to spread around the globe.

The software encrypted all the files on a computer and offered a key to unlock the files in exchange for a bitcoin payment. Victims were directed to websites where they could buy bitcoins through a bank transfer.

When an alliance of international authorities took down CryptoLocker in mid-2014 and identified the mastermind as a 30-year-old Russian named Evgeniy Bogachev, the group said that the software had spread to 234,000 computers. Since then, much more virulent strains have popped up, most of them under the name CryptoWall, and spread even more widely to the computers of anyone who opened infected attachments.

Authorities have had trouble estimating the number of victims because many do not report their problem and quietly pay the price. But in late 2014, Dell SecureWorks said CryptoWall had infected more than 800,000 computers. New versions of the malware, going by names like TorrentLocker and Dirty Decrypt, have popped up frequently since then.

A police department in Durham, N.H., that was hit by CryptoWall in June 2014, refused to hand over the ransom and was able to revert to backup files. But more recently, police in Dickson County, Tenn., and Tewksbury, Mass., said they paid the roughly $500 ransom to skip the headache of trying to circumvent the hackers.