Bomb Threat Extortion Scam via Cryptocurrency
How mass-distributed bomb threat emails demand cryptocurrency payment within hours to prevent a fabricated explosion, forcing evacuations before anyone can verify the claim.
Part of: Bomb Threat Extortion Scam
Last reviewed: 13 July 2026
Bomb threat extortion emails are sent to businesses, schools, and individuals claiming an explosive device has been planted in the recipient's building and will be detonated within hours unless a cryptocurrency payment is made to a specified wallet address. These campaigns are typically sent to enormous numbers of recipients simultaneously and are not based on any real explosive device; their goal is to collect fast payments from a small percentage of frightened recipients before the deadline passes.
Because the threat implies an imminent risk to life, many recipients feel compelled to evacuate buildings and involve police immediately, which is exactly the correct response regardless of the ransom demand — safety protocols should never be skipped because a threat is suspected to be a hoax. Payment in cryptocurrency is demanded because it can be collected instantly and anonymously, and law enforcement agencies worldwide have found that the overwhelming majority of these campaigns are hoaxes sent in bulk rather than targeted, credible threats.
How this scam works on Cryptocurrency
The email is typically sent to a company's general contact address, a school administration, or an individual's personal or work email, stating that an explosive device has been hidden somewhere in the building and giving a short deadline — often just a few hours — before detonation. It demands a cryptocurrency payment, usually Bitcoin, to a wallet address, claiming payment will cause the device to be 'remotely disarmed.'
The wording is frequently near-identical across many unrelated recipients and locations, sometimes sent in large batches on the same day across a city, region, or country, which is itself strong evidence of a mass hoax campaign rather than a targeted threat against any single building.
Regardless of the payment demand, any bomb threat received should be treated as a security incident requiring immediate notification of building security and police, since safety verification must always take priority over reasoning about the plausibility of the ransom element.
Common red flags
- An email claims a bomb is planted in your building and demands cryptocurrency payment to prevent detonation
- The deadline is extremely short, often just a few hours, to prevent verification or calm decision-making
- The wording matches threats reported by other unrelated businesses or organisations around the same time
- Payment is demanded exclusively via a cryptocurrency wallet address with no other contact method offered
- No specific, verifiable detail about the building or device is provided beyond generic threatening language
- The email is sent to a general or public-facing address rather than a specific individual
How to protect yourself
- Treat any bomb threat as a security matter first — evacuate per your building's protocol and call police immediately, regardless of the ransom element
- Do not pay the cryptocurrency demand; payment does not affect whether a real device exists and funds a criminal enterprise
- Preserve the original email with full headers for law enforcement rather than deleting it
- Notify your organisation's security team, building management, and local police as soon as the threat is received
- After the immediate safety response, report the email as part of a wider hoax campaign to help investigators track the source
- Brief staff or family afterward on the hoax nature of these mass campaigns to reduce panic if a similar email arrives again
How to report it
- Call local emergency services immediately to report the threat and follow their evacuation guidance
- Report the email to the FBI's IC3 (ic3.gov) in the US, or your national police cybercrime unit elsewhere
- Report the cryptocurrency wallet address to blockchain-abuse tracking services
- Notify your organisation's security or facilities team so the building can be checked per standard protocol
Frequently asked questions
Should we evacuate even if we suspect it's a hoax?
Yes. Safety protocols should always be followed regardless of how likely the threat is to be a hoax, since the consequences of ignoring a genuine threat are far more severe than a false alarm. Let police and security professionals make the credibility assessment.
Does paying the cryptocurrency ransom make the building safer?
No. Whether or not a device exists is unrelated to whether payment is made; these threats are typically sent in bulk as a hoax campaign, and payment only funds the criminals and marks the recipient as willing to pay for future threats.
How common are these threats actually being real?
Law enforcement agencies have repeatedly found that mass bomb threat extortion campaigns sent to many organisations on the same day are almost always hoaxes with no real device. Still, every individual threat must be verified through proper security protocol, not assumed safe.
If we already paid, can the cryptocurrency be recovered?
Cryptocurrency payments are typically irreversible once confirmed. Report the wallet address and transaction details to law enforcement; recovery may depend on the payment method and timing, but a refund from the sender is very unlikely.
How can we prepare staff for future threats like this?
Establish a clear protocol that separates the safety response (evacuate, call police) from the extortion element (never pay, preserve evidence, report), and brief relevant staff so they know who to notify immediately if a similar email arrives.