Pegasus Spyware Email Scam: Analysis and Protection

Email scams continue to evolve in sophistication, with cybercriminals developing increasingly convincing threats to extort money from victims. The Pegasus Spyware Email Scam represents one of the most intimidating phishing campaigns in recent years, using the notorious reputation of legitimate Pegasus spyware to create fear and panic. This comprehensive guide explains what the Pegasus email scam is, how it works, why you shouldn’t panic if you receive one, and provides actionable steps to protect yourself from this and similar threats.

Key Facts

Threat Name: Pegasus Spyware Email Scam, Pegasus Sextortion Scam
Type: Phishing, Sextortion, Extortion, Social Engineering, Scam
Distribution Method: Mass email campaigns targeting leaked data from breaches
Threat Claims: False claims of hacking your device with Pegasus spyware, recording compromising videos, and threatening to expose them
Demand: Cryptocurrency payment (usually Bitcoin or Litecoin)
Risk Level: Low (if you don’t respond) – The claims are false, but the psychological impact can be significant
Red Flags: Poor grammar, generic content, unrealistic claims about Pegasus spyware, cryptocurrency payment demands
First Appeared: 2021, with major resurgence in 2023 and 2024
Common Bitcoin Addresses: 1AXNYLDEG5YEzc2eyUh7SUYYKeRUaRwseu, 12PY3MibuWtNHjszG4YMSaSEFf6Y8P2zcN (among others)

What is the Pegasus Spyware Email Scam?

The Pegasus Spyware Email Scam is a large-scale cyber extortion campaign where cybercriminals send threatening emails claiming to have hacked the recipient’s device using the infamous Pegasus spyware. These emails typically contain personal information about the recipient, such as their name, email address, phone number, or even home address, to make the threat appear credible. The scammers then demand a cryptocurrency payment to prevent the alleged release of compromising videos or photos that they claim to have captured.

This scam leverages the notorious reputation of the actual Pegasus spyware, a sophisticated surveillance tool developed by the NSO Group that has been used to target journalists, politicians, and activists worldwide. However, it’s crucial to understand that these emails are entirely fraudulent, and the scammers have not actually infected your device with Pegasus or any other malware.

How the Pegasus Email Scam Works (diagram)

  1. Data Collection: Scammers obtain your personal information from data breaches
  2. Email Creation: Scammers craft email with your personal info and Pegasus claims
  3. Mass Sending: Scammers send emails to thousands of victims simultaneously
  4. Fear Creation: Claims about hacking and embarrassing content create panic
  5. Ransom Demand: Request payment in cryptocurrency to “prevent exposure”
  6. Victim Decision: Ignore (correct choice) or pay ransom (scammer wins)

The Reality:

  • No actual infection with Pegasus spyware
  • No compromising videos or photos were captured

Source: Analysis of Pegasus email scam tactics and operational flow

Key Statistics on Pegasus Scam and Email Fraud

Pegasus Scam & Email Fraud Statistics (2023-2024)

  • Sextortion Scams: $8+ Million lost to sextortion scams in 2023 (FBI IC3)
  • Data Breaches: 8.85 Billion records exposed in data breaches in 2023 (Risk Based Security)
  • Phishing Emails: 3.4 Billion phishing emails sent daily worldwide (Symantec)
  • Ransom Amount: $500-$2,000 typical ransom demanded in Pegasus scam emails

Sources: FBI Internet Crime Complaint Center (IC3) 2023 Report, Risk Based Security Data Breach Report 2023, Symantec Internet Security Threat Report, Analysis of Pegasus scam emails (2023-2024)

How the Pegasus Email Scam Works

The Pegasus email scam follows a predictable pattern designed to create panic and pressure victims into paying a ransom. Here’s a breakdown of how this scam typically operates:

1. Data Collection

Scammers obtain personal information about potential victims from previous data breaches or leaks. This information may include:

  • Full name
  • Email address
  • Phone number
  • Home address
  • Passwords from compromised accounts

According to Risk Based Security, approximately 8.85 billion records were exposed in data breaches in 2023 alone, providing an abundant source of personal information for scammers.

2. Email Crafting

Using this information, scammers create personalized threatening emails that include enough personal details to appear legitimate. In some cases, they might even include photos of your home obtained from Google Street View or similar services to make the threat more believable.

3. False Claims

The emails claim that the sender has infected your device with Pegasus spyware, which has allowed them to access:

  • Your camera and microphone
  • Your browsing history
  • Your personal files and photos
  • Your contacts list

They typically claim to have recorded you visiting adult websites or engaging in private activities, threatening to share this alleged content with your contacts unless you pay.

4. Ransom Demand

The email includes a demand for payment in cryptocurrency (usually Bitcoin or Litecoin), with specific instructions on how to make the payment and a deadline to create urgency. The demanded amount typically ranges from $500 to $2,000 or more. An analysis of recent Pegasus scam emails indicates the most common demand is approximately 0.035 Bitcoin (approximately $1,600 USD at current rates).

Factual Information About the Real Pegasus Spyware

| Attribute | Real Pegasus Spyware | Pegasus Email Scam Claims |
| --- | --- | --- |
| Developer | NSO Group (Israeli cyber-arms company founded in 2010) | Claims vary, typically anonymous “hackers” |
| Cost | $650,000 for 10 phone installations + $500,000 setup fee (2016 pricing) | No mention of actual costs involved |
| Targets | Specific high-profile individuals (journalists, politicians, activists) | Claims to target random individuals indiscriminately |
| Infection Method | Sophisticated zero-click exploits, targeted SMS/WhatsApp messages | Claims to be installed via websites or browser activity |
| Licensed Users | Government agencies in approximately 45 countries | Claims to be used by individual hackers |
| Discovery Date | First discovered in 2016 by Citizen Lab and Lookout | No specific timeline provided in scam emails |
| Technical Capabilities | Advanced surveillance, encrypted data exfiltration, zero-day exploits | Makes vague claims about camera access and browsing history |

Signs of a Pegasus Scam Email

Pegasus scam emails share several common characteristics that can help you identify them:

Content Red Flags

  • Poor grammar and spelling: These emails often contain numerous grammatical errors and awkward phrasing, indicating they might be written by non-native English speakers or generated using translation tools.
  • Generic descriptions: Despite claiming to have specific compromising content, the emails typically use vague descriptions rather than specific details about what they supposedly recorded.
  • Technical inaccuracies: The emails often contain technical claims that don’t make sense or are impossible, such as claiming to have “hacked your RDP” on a device that doesn’t use Remote Desktop Protocol.
  • Unrealistic timeline: Scammers often claim to have been monitoring you for weeks or months, yet provide no specific evidence of this surveillance.

Technical Red Flags

  • Cryptocurrency payment requests: Legitimate organizations almost never demand payment in cryptocurrency.
  • Unfamiliar sender address: The email typically comes from an unfamiliar or suspicious email address.
  • No proof of compromise: Despite claiming to have recorded you, the scammers never provide actual evidence of the alleged compromise.

Sample Pegasus Scam Email Analysis

Let’s analyze a typical Pegasus scam email to identify the red flags:

[Your Name],

I know that XXX-6573 is too personal to reach you.

I won’t beat around the bush. You don’t know anything about me whereas I know you and you must be thinking why are you getting this e-mail, right?

I actually placed Pegasus (spyware) on pxxx website and guess what, you visited same sxx website to have fun (if you know what I mean). And while you were busy watching those videos, your internet browser started working as a RDP (Remote Device) that has a backdoor which provided me accessibility to your screen and also your camera controls. Immediately after that, my software program obtained all of your information and your complete contacts from device including all of your photos.

I then invested in more days than I probably should have exploring into your data and prepared a split-screen videotape. First part shows the recording you were watching and 2nd part displays the capture from your web camera.

If you want me to delete everything, send 0.035 Bitcoin (about 1600 US Dollars) to this address: 1AXNYLDEG5YEzc2eyUh7SUYYKeRUaRwseu

The fee is non-negotiable, to be transferred within 2 business days.

Obviously do not try to ask for any help from anybody unless you want your privacy to be violated.

Red Flags in This Email:

  1. Technical inaccuracies: The claim that “your internet browser started working as a RDP (Remote Device)” is technically nonsensical. RDP stands for Remote Desktop Protocol, not “Remote Device”, and browsers don’t function as RDP clients without specialized extensions or configurations.
  2. Unrealistic Pegasus deployment: The email claims Pegasus was “placed on a website,” which is not how the real Pegasus spyware works. The real Pegasus is a sophisticated, targeted surveillance tool that isn’t deployed randomly on websites.
  3. Vague descriptions: Despite claiming to have specific recordings, the email provides no verifiable details about the alleged content.
  4. Cryptocurrency demand: The demand for Bitcoin payment is a classic scam indicator.
  5. Threatening language: The threats and urgency are designed to prevent you from thinking rationally about the situation.
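
The red flags listed above can be combined into a simple scoring heuristic for a mail filter. The following Python example is added here and is not code from the original article or from Gridinsoft; the indicator names, regular expressions and threshold are illustrative assumptions, the scam text is an excerpt of the sample email quoted above, and the benign message is constructed.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Shape of a legacy Base58 Bitcoin address: leading 1 or 3, 26-35 characters.
BTC_RE = re.compile(r"\b[13][%s]{25,34}\b" % B58)

# Illustrative indicators derived from the article's red-flag lists (assumed wording).
INDICATORS = {
    "spyware_claim": r"\b(?:pegasus|spyware|malware|rdp|backdoor)\b",
    "recording_claim": r"\b(?:web ?cam(?:era)?|camera|videotape|split-screen)\b",
    "crypto_demand": r"\b(?:bitcoin|btc|litecoin|ltc)\b",
    "deadline": r"\bwithin \d+ (?:business )?(?:days?|hours?)\b",
    "secrecy": r"\bdo not (?:try to )?(?:ask|tell|contact)\b",
}
INDICATORS = {k: re.compile(v, re.I) for k, v in INDICATORS.items()}
THRESHOLD = 4  # assumed cut-off: one or two hits alone are common in benign mail


def base58check_ok(addr):
    """True if addr decodes to 25 bytes ending in a valid double-SHA256 checksum."""
    if not addr or any(c not in B58 for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes a zero byte
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4] == raw[-4:]


def score_message(text):
    """Return fired indicators, address candidates (with checksum result) and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # The checksum only separates well-formed addresses from look-alike strings;
    # any address-shaped token counts as an indicator.
    addresses = {a: base58check_ok(a) for a in BTC_RE.findall(text)}
    if addresses:
        hits.append("btc_address")
    return {"hits": hits, "addresses": addresses, "flagged": len(hits) >= THRESHOLD}


# Excerpt of the sample email quoted in this article.
SCAM = (
    "I actually placed Pegasus (spyware) on pxxx website and guess what, you visited "
    "same sxx website to have fun (if you know what I mean). And while you were busy "
    "watching those videos, your internet browser started working as a RDP (Remote "
    "Device) that has a backdoor which provided me accessibility to your screen and "
    "also your camera controls.\n"
    "If you want me to delete everything, send 0.035 Bitcoin (about 1600 US Dollars) "
    "to this address: 1AXNYLDEG5YEzc2eyUh7SUYYKeRUaRwseu\n"
    "The fee is non-negotiable, to be transferred within 2 business days.\n"
    "Obviously do not try to ask for any help from anybody unless you want your "
    "privacy to be violated."
)
# Constructed benign message: trips two indicators but stays under the threshold.
BENIGN = (
    "Reminder: your invoice is due within 5 business days. "
    "The office camera system will be serviced on Friday."
)

if __name__ == "__main__":
    for label, msg in (("scam", SCAM), ("benign", BENIGN)):
        print(label, score_message(msg))
```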

Why You Shouldn’t Worry About These Emails

If you’ve received a Pegasus scam email, there are several important reasons why you shouldn’t be concerned:

1. Real Pegasus Spyware Is Highly Targeted and Expensive

The real Pegasus spyware is an extremely sophisticated and expensive surveillance tool developed by the NSO Group. It costs hundreds of thousands of dollars to deploy and is primarily used by government agencies to target specific high-profile individuals like journalists, politicians, and activists. The idea that someone would use such an expensive tool for random extortion attempts is completely unrealistic.

According to documentation from the NSO Group leaked in 2016, the cost of installing Pegasus on just 10 phones was over $650,000, plus a $500,000 set-up fee, making the total cost well over $1 million—far too expensive for use in mass extortion campaigns.

2. No Actual Evidence of Compromise

Despite their claims, these scammers never provide any actual proof that they’ve accessed your device or recorded anything. If they truly had compromising videos, they would likely include a screenshot or short clip as proof—but they never do.

3. Mass-Targeted Campaign

These emails are sent to thousands of people simultaneously as part of mass phishing campaigns. The personal information included was likely obtained from data breaches, not from monitoring your device.

4. Technical Impossibilities

Many of the technical claims in these emails are simply impossible or demonstrate a fundamental misunderstanding of how technology works, revealing that the senders are not sophisticated hackers but rather scammers using fear tactics.

How Scammers Get Your Personal Information

The personal information included in these scam emails is typically obtained from data breaches and leaks, not from actually hacking your device. Here’s how scammers get your data:

1. Data Breaches

Large-scale data breaches of companies and websites can expose millions of user records, including names, email addresses, phone numbers, and sometimes home addresses. This data is often sold or leaked on the dark web, where scammers can purchase it.

According to IBM’s Cost of a Data Breach Report 2023, the average data breach exposed 32,150 records and cost companies $4.45 million. The Identity Theft Resource Center (ITRC) reported 2,116 data breaches in 2023, exposing approximately 349 million victims—providing a vast pool of potential targets for scammers.

2. Public Records

Some information, like your name and address, might be available through public records that can be accessed online.

3. Social Media

Information shared publicly on social media platforms can provide scammers with additional details about you.

4. Combining Multiple Sources

By combining information from multiple sources, scammers can create a more complete profile that makes their threats seem more credible.

This is why the scam emails may include accurate personal details despite the scammers never having accessed your device. It’s a social engineering tactic designed to make the threat appear legitimate.

Evolution of the Pegasus Scam (Timeline)

  • 2016: Legitimate Pegasus spyware first publicly identified by Citizen Lab and Lookout
  • 2018: First cases of sextortion emails without specific Pegasus references
  • 2021: Initial wave of Pegasus-themed scam emails following media coverage of the NSO Group’s surveillance tool
  • 2022: Second wave with more personalized information from data breaches
  • 2023: Major resurgence with sophisticated variants including home addresses and phone numbers
  • 2024: Current wave includes more technical details and sometimes photos of victims’ homes from Google Street View

What To Do If You Receive a Pegasus Scam Email

If you receive a Pegasus scam email, follow these steps:

1. Don’t Panic

Remember that these are false claims designed to create fear. The scammers have not infected your device with Pegasus or recorded any compromising content.

2. Do Not Respond

Never reply to the email or attempt to contact the scammer. Any response confirms that your email address is active, which may lead to more scam attempts.

3. Do Not Pay Any Money

Under no circumstances should you pay the ransom. Paying will not only cost you money but may also mark you as a responsive target for future scams.

4. Report the Email

  • Mark the email as spam in your email client
  • Report the email to your email service provider
  • Forward the email to relevant authorities like the FBI’s Internet Crime Complaint Center (IC3) or your country’s cybercrime reporting agency

5. Scan Your Device

While the Pegasus claims are almost certainly false, it’s always a good practice to scan your device for any actual malware.

6. Review Your Online Security

Take this opportunity to enhance your overall digital security:

  • Update all your passwords, especially if you’ve reused passwords across multiple sites
  • Enable two-factor authentication on your accounts
  • Review your privacy settings on social media and other online platforms

How to Protect Yourself from Future Scams

To minimize your risk of being targeted by Pegasus scam emails and similar threats, follow these preventive measures:

1. Protect Your Personal Information

  • Limit the personal information you share online
  • Use privacy settings on social media platforms to restrict who can see your posts and personal details
  • Be cautious about what information you provide when registering for online services

2. Strengthen Your Account Security

  • Use strong, unique passwords for each of your online accounts
  • Consider using a password manager to help generate and store secure passwords
  • Enable two-factor authentication whenever possible

3. Stay Informed About Common Scams

By familiarizing yourself with common phishing and extortion tactics, you’ll be better equipped to identify and ignore scam attempts. Check out our guides on email security update scams and server authentication email scams to learn about similar threats.

4. Use Security Software

Comprehensive security solutions like Trojan Killer can help protect your system from actual malware threats and provide peace of mind. While the Pegasus scam emails themselves don’t contain malware, having security software installed can protect you from genuine threats and help you distinguish between real and fake security concerns.

Related Email Scams to Be Aware Of

The Pegasus spyware scam is just one of many email extortion schemes currently circulating. Other similar scams to be aware of include:

Frequently Asked Questions

Can Pegasus spyware really be installed through an email or website?

No, the real Pegasus spyware is a highly sophisticated surveillance tool that cannot be deployed through random websites or emails as claimed in these scam messages. Legitimate Pegasus infections typically require sophisticated delivery methods and zero-day exploits targeting specific individuals. The NSO Group, which developed Pegasus, sells this technology exclusively to vetted government clients at costs reaching hundreds of thousands of dollars, making it economically unfeasible for use in mass extortion campaigns. These scam emails falsely invoke the Pegasus name to capitalize on its fearsome reputation, but the technical claims they make about how it was supposedly installed on your device are completely inaccurate.

The scammer knew my personal information – does this mean my device was hacked?

No, the presence of your personal information in a scam email does not indicate that your device was hacked. Scammers typically obtain this information from public data breaches, not from your device. In recent years, billions of email addresses, phone numbers, and other personal details have been exposed through data breaches of major companies and websites. This data is often compiled, sold, and traded on dark web forums, giving scammers easy access to your information without ever accessing your personal devices. They include these details in their messages specifically to create the illusion that they’ve hacked you, when in reality they’re simply using publicly available information obtained from third-party breaches. This is precisely why maintaining different passwords across services is crucial – if one service is compromised, others remain protected.

What should I do if I already paid the ransom?

If you’ve already paid a ransom to a Pegasus email scammer, take these steps immediately: First, accept that the money may not be recoverable due to the anonymous nature of cryptocurrency transactions, but it’s still worth reporting. Document all communication and transaction details, including email content, cryptocurrency addresses, and payment confirmation. Report the incident to your local law enforcement, the FBI’s Internet Crime Complaint Center (IC3), and your country’s financial crime reporting agency. Contact your bank if you used a credit/debit card to purchase cryptocurrency, as they may be able to dispute the charges. Finally, strengthen your security by changing all important passwords, enabling two-factor authentication where possible, and scanning your devices with security software. Remember that paying once may mark you as a target for future scams, so remain vigilant against follow-up attempts.

How can I check if my email was involved in data breaches?

To check if your email address has been compromised in known data breaches, use reputable breach notification services like Have I Been Pwned (haveibeenpwned.com), which maintains a database of billions of compromised accounts from known breaches. Simply enter your email address, and the service will show which data breaches have included your information. Many password managers also offer similar features that continuously monitor for new breaches involving your information. If you discover your email in a breach, change passwords for that service immediately and any other services where you’ve used the same or similar password. Additionally, enable two-factor authentication wherever possible, as this provides an extra layer of security even if your password is compromised. Consider using a unique email address for your most sensitive accounts to further reduce risk from breaches.

Conclusion

The Pegasus Spyware Email Scam represents a classic example of how cybercriminals exploit fear and technical confusion to extort money from victims. By understanding how these scams operate and recognizing their telltale signs, you can protect yourself from falling victim to such schemes.

Remember that legitimate Pegasus spyware is an expensive, highly targeted tool used primarily by governments against specific individuals—not a tool for mass extortion campaigns. The personal information included in these emails comes from data breaches, not from actually monitoring your device.

If you receive such an email, the best course of action is to ignore it, report it as spam, and take the opportunity to review and strengthen your overall digital security. Never pay ransoms or engage with the scammers, as this only validates their tactics and may mark you as a target for future scams.

By staying informed about common scam tactics and maintaining good security practices, you can significantly reduce your risk of falling victim to the Pegasus email scam and similar threats.

Gridinsoft Team

Founded in 2003, GridinSoft LLC is a Kyiv, Ukraine-based cybersecurity company committed to safeguarding users from the ever-growing threats in the digital landscape. With over two decades of experience, we have earned a reputation as a trusted provider of innovative security solutions, protecting millions of users worldwide.
