Profero logo
Company
Resources
BlogGithub
CareersTrust Portal
Under Attack?Get Started
Blog
Incident Response

The $5 Million Letter: When Physical Mail Becomes Digital Extortion

By
Profero IRT
August 20, 2025
Share this post

https://profero.io/blog/the-5-million-letter-when-physical-mail-becomes-digital-extortion

The Letter That Started a Crisis

It was 7:43 AM on a Monday when the CEO's secretary walked into his office with an unusual envelope marked "TIME SENSITIVE - READ IMMEDIATELY."

Inside was a letter claiming to be from the notorious BianLian ransomware group. The demand was simple: $5 million in Bitcoin within 10 days, or they would release stolen customer data and internal documents to the media.

The company went into full crisis mode. The board was convened. The incident response team was activated.

When Profero was brought in, our threat intelligence team quickly identified the telltale signs: This was part of a widespread impersonation campaign. Within hours, we confirmed there was no breach. The entire attack was fiction - saving the company from a potential $5 million loss and weeks of unnecessary disruption.

The Rise of Physical Mail Extortion

In an era of sophisticated cyber attacks, criminals are discovering that sometimes the oldest tricks work best. Profero's Incident Response Team has recently investigated multiple cases where physical letters - yes, actual postal mail - were sent to corporate executives impersonating known ransomware groups and demanding cryptocurrency payments.

This isn't your typical phishing email that gets caught in spam filters. This is a calculated psychological attack that bypasses every technical security control because it doesn't need to breach anything except human psychology.

Anatomy of a Physical Extortion Campaign

The Delivery Method Evolution

While early extortion attempts relied on mass email campaigns, today's attackers are diversifying:

  • Physical Letters: Sent directly to executives' offices or homes
  • Phone Calls: Direct vishing to C-suite personal numbers
  • Messaging Platforms: WhatsApp, Signal, Telegram
  • Social Media: Direct messages to personal accounts
  • Hybrid Attacks: Coordinated multi-channel pressure

The shift to physical mail shows attackers will use any communication method that grabs attention and creates urgency.

The Common Playbook

Regardless of delivery method, these scams share patterns:

  1. False Authority: Impersonating known ransomware groups (BianLian, LockBit, BlackCat)
  2. Fabricated Breach: Claims of network compromise without proof
  3. Urgent Deadlines: "Pay within 10 days or we go public"
  4. Isolation Tactics: "Don't contact FBI - they won't help"
  5. Technical Theater: Using jargon to sound credible
  6. Cryptocurrency Demands: Always Bitcoin or Monero

Real Cases from the Field

Case Study: The BianLian Impersonation Campaign

Target: US Financial Services Companies

Method: Physical letters to C-suite executives

Demand: $5-15 million in Bitcoin

Attackers sent letters on fake BianLian letterhead to dozens of companies, claiming to have stolen:

  • Customer financial records
  • Internal strategy documents
  • Executive communications
  • Source code

The letters included specific instructions:

  • Bitcoin wallet addresses
  • "Proof" would be sent after initial contact
  • Warnings against involving law enforcement
  • Threats of immediate public disclosure

Reality: BianLian had no knowledge of these letters. No breaches had occurred.

Case Study: The "Inside Knowledge" Scam

Target: Healthcare Provider

Method: Combination of letter and phone calls

The Twist: Used publicly available information

Attackers researched the company extensively:

  • LinkedIn profiles of employees
  • Recent M&A announcements
  • Public financial filings
  • Social media posts

They crafted a letter with just enough accurate information to seem credible:

  • Named specific employees
  • Referenced real projects
  • Mentioned actual vendor relationships
  • Cited legitimate internal system names

The Outcome: Without proper threat intelligence, this could have cost millions. Profero's Rapid-IR verification prevented unnecessary payments and lengthy investigations.

Why Physical Mail Works

Bypassing Digital Defenses

Your security stack is worthless against a letter:

  • No firewall to block it
  • No email filter to catch it
  • No EDR to detect it
  • No SIEM to alert on it

The Psychology of Paper

Physical letters trigger different psychological responses:

  • Tangibility: Paper feels more "real" than email
  • Personal: Delivered to your physical space
  • Unusual: Unexpected in digital age, breaking patterns
  • Official: Mimics legal notices and official correspondence

The Executive Vulnerability

C-suite executives are particularly vulnerable:

  • Less likely to follow standard security protocols
  • More authority to authorize payments
  • Greater concern about reputation
  • Direct access often bypasses security teams

The Hidden Costs of Fake Breaches

Even when no breach occurred, organizations suffer:

  • Incident Response: Without prior cases or knolwedge a full investigation to dismiss claims is very costly
  • Business Disruption: Operations paused during investigation
  • Legal Costs: Counsel involvement and regulatory notifications
  • Reputation Management: Preparing for potential disclosure
  • Emotional Toll: Stress on leadership and teams

How to Identify Extortion Scams

Red Flags to Watch For

Lack of Specific Proof

  • No actual data samples provided
  • Vague descriptions of "stolen files"
  • Claims that proof will come "after contact"
  • Generic threats without specifics

Communication Anomalies

  • Unsolicited physical mail about digital matters
  • Impersonation of known groups
  • Grammar/spelling errors in "professional" criminals
  • Pressure to not involve authorities

Technical Inconsistencies

  • Claims that don't match your infrastructure
  • Threats about systems you don't use
  • Data types you don't actually possess
  • Impossible timeline claims

The Verification Protocol

Before panicking, verify:

  1. Check with Real Groups: Known ransomware groups have public communication channels
  2. Look for Indicators: Real breaches leave digital footprints
  3. Analyze the Language: Legitimate attackers rarely use certain phrases
  4. Examine the Demands: Real ransomware groups have established patterns

Building Resilience Against Extortion

Immediate Response Protocol

Hour 1: Don't Panic

  • Secure the letter/communication
  • Don't respond immediately
  • Activate incident response team
  • Begin verification process

Hours 2-4: Verify Claims

  • Check system logs for anomalies
  • Review network traffic patterns
  • Examine data egress points
  • Contact threat intelligence sources

Hours 4-8: Assess and Decide

  • Determine legitimacy of threat
  • Engage legal counsel
  • Prepare communication strategy
  • Document everything

Organizational Preparedness

Executive Education

  • Train C-suite on extortion tactics
  • Establish clear escalation protocols
  • Create decision frameworks
  • Practice scenario responses

Communication Security

  • Secure executive mail handling
  • Verify sender authenticity protocols
  • Establish code words for verification
  • Create isolated communication channels

Intelligence Gathering

  • Monitor for your organization's mentions
  • Track impersonation attempts
  • Build relationships with peer organizations
  • Maintain threat intelligence feeds

The Future of Extortion

Emerging Trends

  • AI-Enhanced Targeting: Using LLMs to craft convincing threats
  • Deepfake Integration: Voice and video "proof" of breaches
  • Supply Chain Leverage: Threatening partner relationships
  • Regulatory Weaponization: Using compliance requirements as pressure

The Criminal Evolution

Modern extortion groups are becoming sophisticated businesses:

  • Specialization in psychological operations
  • Research teams for target intelligence
  • Professional negotiators
  • Money laundering operations

Protecting Your Organization with Rapid-IR

Pre-Emptive Protection Against Extortion

Profero's Rapid-IR platform provides continuous protection against both real and fabricated extortion attempts:

Threat Intelligence Monitoring

  • Real-time tracking of threat actor communications
  • Early warning of targeting against your organization
  • Verification of legitimate vs. fake threats
  • Dark web monitoring for planned campaigns

Rapid Verification Capabilities

  • 20-minute response to verify breach claims
  • Immediate access to forensic data
  • Historical baseline for anomaly detection
  • Automated threat hunting for indicators

Executive Protection Services

  • Secure communication channels for crisis management
  • Pre-positioned response protocols
  • Direct line to experienced negotiators
  • 24/7 availability for urgent verification

Why Rapid-IR Makes the Difference

When that letter arrives, every minute counts. With Rapid-IR:

  • Instant Verification: Know within hours, not days, if threats are real
  • Reduced Costs: Avoid unnecessary full-scale investigations
  • Confident Decision-Making: Data-driven response, not panic
  • Continuous Protection: Monitoring before, during, and after threats

Schedule a Demo: See how Rapid-IR can protect against extortion: contact@profero.io

Key Takeaways

  1. Physical mail extortion is real and increasing
  2. Threats might be fabricated - but all must be investigated
  3. The cost of fake breaches can rival real ones
  4. Preparation and verification capabilities are critical
  5. Human psychology remains the weakest link

Don't Wait for the Letter

Whether delivered by email, mail, or phone, extortion attempts are inevitable. The question is: Will you be prepared to quickly determine what's real and what's fiction?

Contact Profero before the next letter arrives.

General Inquiries: contact@profero.io

Learn More:www.profero.io

About This Report

The Profero Incident Response Team has investigated dozens of extortion cases involving physical mail and other non-digital delivery methods. This article synthesizes our findings while protecting client confidentiality.

*Currently experiencing an extortion attempt? Contact our emergency hotline immediately or press the emergency button on www.profero.io website.

Share this post
Profero IRT
Profero Incident Response Team - From the trenches insights from IRT

Related posts

Read related insights

View all

AtomicStealer Spreading via Fake Apple Support Websites

Uncovering AtomicStealer campaign using a fake Apple Support website designed to trick users into running a malicious bash command, infecting their machine.

Read Now

The $5 Million Letter: When Physical Mail Becomes Digital Extortion

How sophisticated criminals are using old-school tactics and psychological warfare to extort businesses without ever touching their systems

Read Now

New Attack Vector - AI - Induced Destruction

The New Attack Vector No One Saw Coming, how "helpful" AI assistants are accidentally destroying production systems - and what we're doing about it.

Read Now
View all
Profero logo
Subscribe
By subscribing you agree to with our Privacy Policy and provide consent to receive updates from our company.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Solution
Get StartedUnder Attack?
About
CompanyCareers
Resources
BlogGithubTrust Portal
Contact
X/Twitter
LinkedIn
© 2024 Profero. All rights reserved.
Privacy PolicyTerms of Service
By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
ManageDenyAccept
Privacy Preferences
Essential cookies
Required
Marketing cookies
Personalization cookies
Analytics cookies
Reject all cookiesAllow all cookiesSave preferences