Bomb Threat Extortion Scam
Mass-distributed emails or messages claim a bomb has been planted in the recipient's building and will be detonated unless a payment is made within hours. These are fabricated threats with no explosive device.
Last reviewed: 11 June 2026
What this scam is
Bomb-threat extortion emails are a public-safety variant of the mass-extortion model. Unlike most extortion scams, the primary harm is not financial — it is the operational disruption and fear caused by forced evacuations and emergency-service callouts. The secondary harm is the possibility of a recipient panicking and paying without reporting.
These campaigns are typically deployed in geographically targeted waves — a city or region receives the same email template sent to hundreds of organisations on a single day. The timing exploits news coverage of genuine threats or high-profile public events when institutions may be more anxious. No credible bomb threat has ever been delivered exclusively by bulk email with a cryptocurrency payment demand.
How it works
Criminals scrape published email addresses for businesses, schools, and public buildings in a target area. The email template is sent en masse with a time-sensitive payment demand, a wallet address, and instructions not to call police or the bomb will be triggered.
The psychological design is to force a choice under extreme time pressure: pay quickly and quietly, or trigger an evacuation and lose hours of operations. Many organisations correctly follow safety protocols regardless, which means the financial yield of these campaigns is extremely low — but the disruption is high.
In jurisdictions with mandatory reporting, the bomb threat itself requires emergency response, making non-reporting an unacceptable option. The scammer relies on a small number of recipients choosing to pay rather than report.
Why this scam works
Responsibility for staff or student safety creates intense pressure on whoever receives such a message. The instruction not to call police creates a false dilemma between safety and compliance with the threat. Extreme time pressure is intended to prevent consultation with colleagues or proper security advisors.
For organisations with previous security incidents or operating in a high-threat environment, the perceived risk of dismissing even a likely fake threat may feel unacceptably high — and the scammer deliberately targets this reasonable caution.
A typical pattern
An organisation, school, or business receives an email — often to a published contact address or abuse mailbox — claiming that a bomb has been hidden in the building and is set to go off within a specific number of hours. The message demands immediate cryptocurrency payment to receive instructions for deactivating or removing the device. Campaigns of this type are typically sent in bulk to thousands of addresses simultaneously on the same day, causing widespread disruption as organisations follow evacuation protocols. Law enforcement investigation consistently finds no device; the emails are templates designed to produce panic and quick payment from the small fraction of recipients who do not follow proper procedures.
Common red flags
- Unsolicited email claiming a bomb has been planted in your building
- Cryptocurrency payment demanded to receive deactivation instructions
- Very short deadline — hours rather than days
- Instruction not to call police or emergency services
- Generic language with no specific details about the location of the device
- Same template reported by multiple organisations in the same city on the same day
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
"A bomb device has been planted in your building. Pay [AMOUNT] Bitcoin to [WALLET] within [HOURS] hours and I will tell you where it is so you can disarm it. Call police and it detonates."
"My associate placed an explosive in your premises yesterday. You will not find it without our help. Pay [AMOUNT] now to receive instructions."
"I work for a group that has targeted your organisation. The device is active. You have [HOURS] hours. Do not evacuate or it triggers automatically."
Common variations
- School-targeted variant: emails sent specifically to schools during exam periods to maximise disruption
- Courthouse or government-building variant: sent to institutions where evacuation protocols are stricter and more costly
- Coordinated city-wide campaign: same template sent to hundreds of organisations in one city on a single day
- Follow-up escalation: if payment is not received, a second email threatens to move up the detonation time
How to verify before you act
No credible explosive device is ever managed via email with a cryptocurrency payment option. Real bomb threats — rare as they are — are communicated through different channels and are investigated by specialists, not resolved through Bitcoin payment.
If your organisation receives such an email, follow your established emergency procedures and contact emergency services immediately. Do not pay. Law enforcement responders will assess the threat; their standard outcome in bulk-email campaigns is no device found.
Payment methods used
- Cryptocurrency (Bitcoin, Monero)
Who is usually targeted
- Schools and universities
- Businesses with published contact addresses
- Government buildings and public institutions
- Shopping centres and large retail environments
What to do immediately
- Follow your organisation's emergency procedures immediately — do not attempt to investigate yourself
- Contact emergency services (police and, if relevant, fire/bomb disposal) without delay
- Do not pay under any circumstances — payment does not make anyone safer
- Preserve the email including full headers as evidence
- Brief senior staff and follow normal communications protocols
- After clearance, report the email to your national cybercrime reporting body
How to prevent it
- Have a documented bomb-threat response protocol in place before any threat arrives
- Train staff that bomb-threat emails demand evacuation and police contact — never payment
- Do not publish individual staff email addresses on public-facing websites where possible
- Report all bomb-threat emails to police regardless of perceived credibility
- Ensure reception staff know to escalate any threatening communications immediately
Evidence to preserve
- Full email including all headers
- Wallet address in the demand
- Any follow-up communications
- Time and date received, and the address the email was sent to
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Should we evacuate even if we believe this is a scam?
Your organisation's safety protocols exist for precisely this situation — follow them. Emergency services are trained to assess threats quickly and can usually resolve a search rapidly. The operational cost of a false-alarm evacuation is far lower than the risk of not evacuating.
Has anyone ever been injured in one of these bomb-threat email campaigns?
There are no documented cases of a genuine explosive device being connected to a bulk-email bomb-threat extortion campaign. However, evacuations themselves can carry minor injury risk, which is why calm, orderly compliance with established protocols matters.
Can police trace who sent the email?
Police investigate these campaigns and have successfully identified perpetrators in multiple countries. Headers, wallet addresses, and patterns across multiple reports contribute to investigations. Always report.