// investigation guide

sextortion — methodology

sextortion is not generic spam. it is coordinated pressure across email, imessage, and whatsapp — often paired with ai-generated intimate imagery, face-swap stills, and a cryptocurrency payment demand. victims delete threads in panic; your job is to preserve what survives (header authentication gaps, sms.db deletion artifacts, chat databases, image provenance, and the btc peel path) before actors rotate burners and wallets.

safety and crisis resources — read before starting the path

if you or someone you are helping is in immediate danger or crisis, contact crisis support first — not forensic tooling. this guide documents evidence preservation only; it is not legal advice.

  • US suicide & crisis lifeline: 988
  • report sextortion to local law enforcement — they coordinate takedowns, payment freezes where possible, and referral to appropriate victim services in your jurisdiction.
  • do not pay. preserve evidence, then report — payment rarely stops the demands and funds the actor.

what evidence exists and how fast it dies

artifact | volatility | time to loss
original extortion .eml / .msg | persistent if saved | destroyed if victim deletes or auto-purge runs
imessage thread (visible) | volatile | minutes — victims delete under pressure
sms.db deletion artifacts (rowid gaps, tombstones) | persistent on backup | gone on factory reset or restore without the same backup
whatsapp chatstorage / msgstore.db | persistent | overwritten on app reset or backup rotation
threat images (png exif, a1111 params, face-swap stills) | persistent | stripped on re-encode or aggressive chat compression
btc wallet string in messages | persistent in exports | burner domains and wallets rotate within days
on-chain payment tx | persistent (blockchain) | peel to mixer within hours if victim pays

the first 10 minutes

  1. stop payment. document that instruction — further sends fund the actor and complicate recovery.
  2. screenshot threat messages with utc-visible device clock; then prefer filesystem extracts over live scrolling.
  3. save the extortion email as .eml — do not forward inline.
  4. take a full encrypted backup before any thread deletion, app reset, or carrier advice.
  5. record every handle: burner email, imessage number, whatsapp jid, btc address, and any payment qr.
  6. preserve threat images as original files — not chat thumbnails.
  7. do not block the actor until you have exports; blocking can accelerate wallet rotation.
  8. note whether images appear synthetic, face-swapped, or claimed as real — do not assume either way.
  9. if a minor is involved: involve a guardian and report to local law enforcement before deep forensic work.
  10. begin the path below on a copy of the backup, not the live handset, wherever you can avoid touching the device.

the path

  1. email header analyzer

    extortion .eml from burner domain. surfaces spf/dmarc failures, reply-to mismatches, and the btc wallet embedded in the body.
    why first: email is often the first channel — authentication gaps and the payment address anchor the case before chat threads are wiped.
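the three header checks this step relies on, as an added example (not the page's analyzer tool): parse a saved .eml, read the receiving server's Authentication-Results, compare the From and Reply-To domains, and pull receive-address strings out of the body. the sample message, its domains and the btc string are constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# constructed sample .eml for illustration; domains, addresses and the btc string are placeholders
SAMPLE_EML = b"""From: "Account Security" <support@secure-mail-example.test>
Reply-To: payout-now@burner-example.test
To: victim@example.org
Subject: your private videos
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=secure-mail-example.test; dkim=none; dmarc=fail header.from=secure-mail-example.test
Date: Mon, 01 Jan 2024 10:00:00 +0000

send 0.05 btc to bc1qexampleexampleexampleexampleexample within 48 hours or the video goes out.
"""

# legacy base58 (1... / 3...) or bech32 (bc1...) receive addresses as they appear in demand text
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")


def _domain(header_value):
    """lowercase domain part of an rfc822 address header, '' if the header is absent"""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyze_eml(raw_bytes):
    """surface authentication gaps, reply-to redirection and payment strings in one pass"""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    auth = (msg.get("Authentication-Results") or "").lower()
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    return {
        "spf_fail": "spf=fail" in auth or "spf=softfail" in auth,
        "dkim_missing": "dkim=none" in auth or "dkim=" not in auth,
        "dmarc_fail": "dmarc=fail" in auth,
        # a reply-to on a different domain than from is the burner-redirect pattern
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "btc_addresses": sorted(set(BTC_RE.findall(text))),
    }


if __name__ == "__main__":
    for key, value in analyze_eml(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

only the Authentication-Results header written by your own receiving server is trustworthy; a copy of that header inside the extortion mail itself can be forged by the sender.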

  2. ios imessage deletion artifact detector

    sms.db from ios backup. finds rowid gaps, join orphans, deleted_messages tombstones, and temp_id_counter alerts after the victim deletes the thread.
    why second: victims panic-delete imessage threads. deletion artifacts often outlive the visible conversation.
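the three sms.db checks named above (rowid gaps, join orphans, tombstones), as an added example that is not the page's detector: it builds an in-memory fixture with a deliberately simplified subset of the real sms.db schema, then queries it the way you would query a copy of the backup's sms.db. the phone number and message rows are constructed.

```python
import sqlite3


def build_sample_sms_db():
    """constructed in-memory fixture using a simplified sms.db schema; not a real backup"""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE chat (ROWID INTEGER PRIMARY KEY, chat_identifier TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, is_from_me INTEGER);
        CREATE TABLE chat_message_join (chat_id INTEGER, message_id INTEGER);
        CREATE TABLE deleted_messages (ROWID INTEGER PRIMARY KEY, guid TEXT);
        INSERT INTO chat VALUES (1, '+15550000000');  -- placeholder number
        INSERT INTO message VALUES (101, 'who is this', 1), (102, 'i have your photos', 0), (106, 'pay now', 0);
        -- rows 103-105 were deleted from the visible thread; their join rows and two tombstones survived
        INSERT INTO chat_message_join VALUES (1, 101), (1, 102), (1, 103), (1, 104), (1, 105), (1, 106);
        INSERT INTO deleted_messages VALUES (1, 'guid-103'), (2, 'guid-104');
    """)
    return con


def detect_deletion_artifacts(con):
    """rowid gaps, join rows pointing at missing messages, and the tombstone count"""
    rowids = [r[0] for r in con.execute("SELECT ROWID FROM message ORDER BY ROWID")]
    # a gap is only a lead: autoincrement gaps also come from other chats, drafts and failed sends
    gaps = [(a + 1, b - 1) for a, b in zip(rowids, rowids[1:]) if b - a > 1]
    # a chat_message_join row whose message_id no longer exists is the stronger deletion signal
    orphans = [r[0] for r in con.execute("""
        SELECT j.message_id FROM chat_message_join j
        LEFT JOIN message m ON m.ROWID = j.message_id
        WHERE m.ROWID IS NULL ORDER BY j.message_id""")]
    tombstones = con.execute("SELECT COUNT(*) FROM deleted_messages").fetchone()[0]
    return {"rowid_gaps": gaps, "orphan_join_ids": orphans, "tombstones": tombstones}


if __name__ == "__main__":
    print(detect_deletion_artifacts(build_sample_sms_db()))
```

run it against a copy of the backup's sms.db with `sqlite3.connect("file:sms.db?mode=ro", uri=True)` so the evidence file is never opened read-write.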

  3. ios whatsapp artifact forensic extractor

    chatstorage.sqlite and related plists from ios backup. recovers extortion thread ordering, attachment paths, and quoted payment demands.
    why third: actors pivot to whatsapp when email gets blocked. extract the ios side before the victim resets the app.

  4. android whatsapp database forensic analyzer

    msgstore.db and wal/shm from android. parses parallel threat messages, media references, and repeated wallet strings across dm threads.
    why fourth: many cases span both platforms. android storage is a separate evidence plane — do not assume ios parity.

  5. ai generated image provenance analyzer

    compromised portrait png/jpeg. scores stable diffusion / a1111 parameter chunks, generator metadata, and composite cues in the file tail.
    why fifth: a large share of modern sextortion uses synthetic or scraped composites. provenance work separates real leaks from fabricated pressure.
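how the a1111 parameter chunk is found and read, as an added example rather than the page's analyzer: a1111 writes its generation settings into a png tEXt chunk keyed `parameters`, so the check is a chunk walk plus a parse of that text. the png here is a constructed 1x1 image with placeholder prompt, seed and model hash; the chunk is exactly what a re-encode or chat compression strips, so a score of 0 says nothing about whether the image is genuine.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
A1111_MARKERS = ("Steps", "Sampler", "CFG scale", "Seed", "Model hash")


def png_chunk(ctype, data):  # length + type + data + crc, per the png spec
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


def build_sample_png():
    """constructed 1x1 rgb png carrying an a1111-style 'parameters' tEXt chunk; not a real case file"""
    ihdr = png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))  # filter byte + one rgb pixel
    params = (b"portrait photo of a person, bedroom, soft light\n"
              b"Negative prompt: blurry, deformed\n"
              b"Steps: 30, Sampler: DPM++ 2M Karras, CFG scale: 7, Seed: 123456789, "
              b"Size: 512x768, Model hash: PLACEHOLDER, Model: placeholder_model")  # placeholder values
    return PNG_SIG + ihdr + png_chunk(b"tEXt", b"parameters\x00" + params) + idat + png_chunk(b"IEND", b"")


def png_text_chunks(data):
    """walk the chunk list and return every tEXt keyword -> value (crc is not verified here)"""
    assert data[:8] == PNG_SIG, "not a png"
    pos, out = 8, {}
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"tEXt" and b"\x00" in body:
            key, _, val = body.partition(b"\x00")
            out[key.decode("latin-1")] = val.decode("latin-1")
        pos += 12 + length
    return out


def a1111_provenance(png_bytes):
    """parse the a1111 'parameters' text; score counts generator fields that survived, 0 means none found"""
    params = png_text_chunks(png_bytes).get("parameters")
    if params is None:
        return {"generator": None, "score": 0, "prompt": None, "negative_prompt": None, "settings": {}}
    lines = params.split("\n")
    parsed = {"generator": "a1111/stable-diffusion", "prompt": lines[0], "negative_prompt": "", "settings": {}}
    for line in lines[1:]:
        if line.startswith("Negative prompt:"):
            parsed["negative_prompt"] = line[len("Negative prompt:"):].strip()
        else:  # the settings line is 'Key: value, Key: value, ...'
            for kv in line.split(", "):
                key, _, val = kv.partition(": ")
                if key and val:
                    parsed["settings"][key] = val
    parsed["score"] = sum(1 for m in A1111_MARKERS if m in parsed["settings"])
    return parsed
```

jpeg copies and other generators (iTXt chunks, exif UserComment, c2pa manifests) need their own readers; this block covers the png tEXt case only.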

  6. face swap artifact detector

    still image with victim likeness composited onto another body. surfaces boundary artifacts, lighting mismatch, and swap-model fingerprints.
    why sixth: face-swap stills are cheap to produce and devastating to victims. technical inconsistency supports a non-authentic claim.

  7. bitcoin tx decoder

    raw payment transaction json or hex from the demand message. decodes outputs, change addresses, and the extortion wallet receive amount.
    why seventh: decode the payment artifact before tracing — amount and output script must match what the actor quoted.

  8. crypto tx graph

    victim send → extortion wallet → peel/mixer edges from captured flow json. maps hop count and consolidation patterns offline.
    why last: actors peel quickly. the graph shows whether this wallet feeds a known cluster, not just a single address string.
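the offline hop-count and consolidation mapping this step describes, as an added example that is not the page's graph tool: a breadth-first walk from the victim's send over a captured flow json, reporting distance to the first mixer-labelled node, the fan-in points where peeled amounts re-merge, and how much value reaches mixer nodes. the json shape (nodes with id/label, edges with src/dst/btc) is an assumption and every id and amount in it is constructed.

```python
import json
from collections import defaultdict, deque

# constructed flow json in an assumed capture format; ids are placeholders, not real wallets
FLOW_JSON = """{
  "nodes": [
    {"id": "victim_addr", "label": "victim"},
    {"id": "extort_addr", "label": "extortion wallet"},
    {"id": "peel_1", "label": "peel"},
    {"id": "peel_2", "label": "peel"},
    {"id": "consol_1", "label": "consolidation"},
    {"id": "mixer_in", "label": "mixer"}
  ],
  "edges": [
    {"src": "victim_addr", "dst": "extort_addr", "btc": 0.05},
    {"src": "extort_addr", "dst": "peel_1", "btc": 0.04},
    {"src": "extort_addr", "dst": "consol_1", "btc": 0.009},
    {"src": "peel_1", "dst": "peel_2", "btc": 0.03},
    {"src": "peel_1", "dst": "consol_1", "btc": 0.009},
    {"src": "peel_2", "dst": "mixer_in", "btc": 0.029},
    {"src": "consol_1", "dst": "mixer_in", "btc": 0.017}
  ]
}"""


def trace_peel_path(flow_text, start):
    """bfs from the victim's send; report mixer distance, fan-in points and value reaching mixer nodes"""
    flow = json.loads(flow_text)
    labels = {n["id"]: n["label"] for n in flow["nodes"]}
    adj, indeg = defaultdict(list), defaultdict(int)
    for e in flow["edges"]:
        adj[e["src"]].append(e["dst"])
        indeg[e["dst"]] += 1
    hops, queue = {start: 0}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt not in hops:  # first visit is the shortest hop count in an unweighted graph
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    mixer_hops = [h for n, h in hops.items() if labels.get(n) == "mixer"]
    # fan-in (in-degree > 1) reachable from the send marks consolidation of peeled amounts
    consolidation = sorted(n for n in hops if indeg[n] > 1)
    into_mixer = sum(e["btc"] for e in flow["edges"]
                     if e["src"] in hops and labels.get(e["dst"]) == "mixer")
    return {
        "reachable": len(hops),
        "hops_to_mixer": min(mixer_hops) if mixer_hops else None,
        "consolidation_points": consolidation,
        "btc_into_mixer": round(into_mixer, 8),
    }
```

labels such as "mixer" come from whatever clustering source produced the capture; the walk only reports structure, it does not attribute addresses on its own.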

common false leads

  • the image looks real so it must be a breach. a large share of modern pressure uses ai composites and face-swap stills — provenance work comes before panic assumptions.
  • deleting the thread destroyed the evidence. visible messages may be gone; sms.db tombstones and chat databases often survive on backup.
  • only one channel matters. actors layer email, imessage, and whatsapp so blocking one does not stop the rest.
  • paying small amounts ends it. partial payment signals willingness; actors escalate or sell the contact.
  • the btc address is the whole story. peel chains and mixer hops matter — a single static address is rarely the final destination.

what we can tell you, what we can't

we can tell you:

  • header-level authentication failures and embedded payment strings in extortion email
  • imessage deletion artifacts in sms.db after the victim wipes the visible thread
  • structured extraction from ios and android whatsapp artifacts you already hold
  • ai-generated and face-swap signals when metadata or swap artifacts survive in the file
  • bitcoin transaction decode and offline peel-graph patterns from captured flow json

we can't:

  • recover paid cryptocurrency. on-chain sends are irreversible without law-enforcement or exchange cooperation.
  • unmask a real identity from a burner email or btc address alone without your own legal process.
  • guarantee images are fake or real. provenance tools surface technical cues — counsel and experts interpret them.
  • provide counseling or mental health guidance. use crisis resources and qualified professionals in your jurisdiction.
  • remove circulating images from the internet. platform takedown and law-enforcement processes are separate workflows.

handing it off

  • local law enforcement / IC3: representative .eml, chat excerpts with utc, threat image hashes, btc wallet and tx id, and a one-page chronology of channels used.
  • NCMEC (minors): CyberTipline report, preserved originals, and whether images appear synthetic or face-swapped.
  • counsel: chain of custody for backups, list of what was extracted, and what was intentionally not copied.

further reading

reference investigation

synthetic fixture hayes-sextortion — morgan hayes sextortion via burner email, deleted imessage artifacts in sms.db, parallel ios/android whatsapp threads, a1111-parameter composite, face-swap still, and btc peel payment path, seed hayes-sextortion:v1. compare output via npm run check:flagship.

fixture download: evidence zip · proof page: /forensics/proof/hayes-sextortion · case playbook: case type tools
