The company said in a detailed post by its researchers Tamás Kocsír and Sean Gallagher that the spam messages had been sent between 1 September last year and 31 January this year.
Recipients were told their PCs had been hacked, that the sender was in possession of videos of them visiting porn sites, and threatened to share the videos with their friends if they did not pay up.
Sums of as much as US$800 in bitcoin were demanded, the Sophos researchers said.
"Though there were some smaller players involved in these spam campaigns, the movement of the bitcoin deposited in many of those wallets shows the campaigns were linked to other criminal enterprises — either funding other illicit activity or providing a way to convert the bitcoin to hard cash."
The data which the Sophos duo collected was analysed by blockchain analytics and cryptocurrency firm CipherTrace which found that the wallet addresses used by the senders of the messages had made transactions with dark web marketplaces, stolen credit card sellers and others who are part of the cyber criminal economy.
Kocsír and Gallagher said there was nothing particularly unique about the messages themselves. Despite this, and the fact that the majority of recipients either did not see the messages or did not pay up, the wallets associated with the messages pulled in 50.98 bitcoin during the five months of the scam.
"That amounts to roughly US$473,000, based on the average daily price at the times the payments were made, and an average of US$3100 a day," the Sophos researchers noted.
They said there had been unusual spikes in the volume of such sextortion mnessages in the five-month period cited, with as much as a fifth of the spam monitored by the company falling into this category. " And the sextortion emails on just three days in October accounted for over 15 percent of all spam between September and January," they added.
A total of 328 wallets received payments during the period and 12 of these were connected to online cryptocurrency exchanges or other wallet services. A total of 476 output transactions from the remaining 316 were mostly sent to the following:
- Binance, a global BTC exchange (70 transactions);
- LocalBitcoins, another BTC exchange (48 transactions);
- Coinpayments, a BTC payment gateway (30 transactions);
- Other wallets within the sextortion scheme, consolidating funds (45 transactions); and
- There were 54 transactions to addresses that could not be attributed – likely private non-hosted wallets.
Kocsír and Gallagher said it was difficult to trace the money that was generated by these scams in the real world.
"Tracking where physically in the world the money went from these sextortion scams is a difficult endeavour. Out of the 328 addresses provided, CipherTrace determined that 20 of the addresses had IP data associated with them, but those addresses were connected to VPNs or Tor exit nodes – so they were not useful in geo-locating their owners," they pointed out.