By now you know that credit reporting agency Equifax was hacked, and with it, potentially 143 million Americans social security numbers, birth dates, and then some. Unless, according to the criminals who supposedly hacked them, Equifax pays up.
That’s according to an onion site, whose authors insist that if Equifax forks over 600 Bitcoin — approximately $2.66 million at the time of this writing — then they’ll delete all the stolen data. Oh, and Equifax better decide quickly, because if the ransom isn’t paid, the self-identified hackers say they’ll dump all the data on September 15th.
Well, almost all of the data. The supposed hackers wrote that they won’t publicly post credit card numbers — suggesting an intention to get some illicit use out of those.
“We are two people trying to solve our lives and those of our families,” the site explains. “We did not expect to get as much information as we did, nor do we want to affect any citizen. But we need to monetize the information as soon as possible.”
Now, you’d be right to be skeptical of these claims — after all, it’s pretty easy to throw together a website and pretend to be a hacker. However, there’s a twist: In a message addressed to Equifax the authors say they can prove they’re legit.
“Request a specific part or a specific data from an email that corresponds to Equifax and we will send it to you,” the group explains.
We’ve reached out to Equifax for comment, but haven’t received a response as of press time. The people behind the onion site, however, did respond to our inquiry. They offered to prove they have access to the data, but as of the time of this writing have failed to do so.
“We are not going to give interviews, our only intention is to solve this issue with EQUIFAX,” they wrote. “We do not have expectations to collect anything so on the 15th everything will be published except the credit cards.”
Importantly, the email address used by the group references the “national shitposting agency,” which security reporter Catalin Cimpanu of Bleeping Computer writes “is linked to a notorious group of 4chan pranksters.” This, of course, suggests whoever is behind the site might just be screwing with people for the fun of it.
And the purported hackers do appear to have a sense of humor — albeit, a twisted one. That 600 BTC ransom equalling roughly $2.6 million? Here’s how they claim to have arrived at the number.
“Equifax executives sold 3 million dollars in shares taking advantage of their insider information after the attack,” notes the site. “We believe that 600 BTC is a fair amount.”
That shade is a reference to the Equifax execs who sold around $1.8 mil in company stock after Equifax discovered the breach — but before it alerted the public.
While it’s too early to tell if this group is the real deal or just some scammers trying to make a quick few (million) bucks, ransoming hacked data is very much a thing. And on September 15, 143 million Americans may find out just how authentic this crew is. Here’s hoping Equifax is paying attention.
This story has been updated to include comment from, and more information about, the alleged hackers.