It started with an odd e-mail saying “you have been served” by people impersonating the Swedish police. Attached was a PDF with the name “Scan file”. Usually, this goes in the trash but I decided to see what they were after.
Before we start
Please be safe and don’t open these e-mails. Throw them in the trash.
TL; DR
Goals: likely identity theft and extortion
Method: Phishing impersonating the Swedish police. Not using names indicated a wide attack
Method of payment: Bitcoin coupons
Amount: 10 000 kr - 290 000 kr
Loot: A couple of IP addresses and their methodology
The Scam
The first e-mail can be summarized as:
Dear Mr, Mrs/Ms
Our IT-experts noticed, through various investigations, that you are conducting yourself immoraly on your communications networks. That’s why I have taken the liberty to contact you because this is against the law.
The document attached contains all the information you need. I am at your disposal for additional information that you may need.
The department of identification, swedish police
If you think that sounds kind of odd, you are right. Something is off. The language is weird and not very specific and the department of identification can’t identify people well enough to put their names in the e-mail.
So let’s have a look!
Metadata
Let’s have a look at who sent this message: 
The Swedish police use the domain polisen.se which the scammers tried to impersonate with polisen.seINFO at this point you should throw this in the trash, but let’s dig deeper.
Attachment One
PDFs can be scary. They can contain files, JavaScript payloads, and trackers so we don’t just want to open them. I downloaded the PDF and transferred it to an offline VM and analyzed it with Peepdf, which unravels the objects of the file and lets you inspect them. I found suspicious elements but everything I found indicated that it was a false positive. The next step was to monitor what happens when the file is opened. It made no connections. Let’s read it.
The gist of it is:
- Dear MR/MRS/MS
- You are accused of every sexual crime imaginable
- We have you on camera and stored messages
- Respond within 48 hours or you will be arrested and the media will be notified
So the common scare tactic with vague wording. The goal here is to intimidate the victim to act quickly and not to think, system one in Kahneman’s philosophy. We need to use system two! How come they still don’t mention us by name if they have all this information? Why is the Swedish police commissioner using a dot info domain in official correspondence?
Let’s go deeper!
Hello scammer
So I sent a message to the new e-mail address and quickly got a response. The new message has another attachment and tells me to read it and respond within 72 hours, along with some threats that failure to comply will get my face posted in the media. For the first time, they used “my” name. Let’s see what they want us to do.
Attachment Two
Same deal here. Investigate with Peepdf and look for connections, don’t be lazy. Nothing here. Let’s read: 
Again the gist of it is:
- “We have perfect evidence against you, no need to dispute”
- Comply or you will be a registered sexoffender which might hurt your family, friends and/or work-life
- You have to pay 291 543 kr and 77 öre which is roughly 29 000 euro / dollar (yikes)
- If you pay we will protect your information (ew)
- You have to confirm that you are willing to pay by writing a letter and attach in your reply. It must contain:
- Full name
- Address
- Date
- Amount to pay
- Your signature
Let’s break this down and I will also share my thought progress for digging deeper. My thinking was that this is an attempt at identity theft since the sum was so large and they imply a “one-time payment”, but I was far from sure. Since I don’t want to give them my information I replied to them with a malformed PDF to show a sign of compliance. I also asked about how the payment was to be made. They replied that the payment will be a bank transfer, which surprised me.
After a day they sent me another message and seemed to have forgotten about the very important e-mail with the attached letter they expected from me. Now they asked how much I could pay as a first down payment. I replied with a few thousand kronor, which they were not happy with. The scammer, impersonating the police commissioner, informed me that he had been very patient but his bosses were getting angry, and now I have to pay…
The payment
This part made me laugh:
They stopped using “my” name again, but that is not all. The Swedish police commissioner wants me to run down to the local gas station and buy “Bitcoin coupons” to pay my fines for sexual misconduct. I tried to object to these coupons by arguing that they don’t exist where I live (they don’t. I asked and they just stared at me). The goal with this was to try and get a Bitcoin address out of it, but it’s hard to straight up ask for it when you are role-playing a nontechnical victim.
I figured this is as far as I am going to get so I replied to them with a couple of different canary tokens. They were hoping for those coupons because they clicked the links and files all night hoping for an update. I got two different IP addresses out of that and their user agents. The IP’s traced back to France and Belgium, but that does not indicate their real position.
What’s next?
I collected all the information in a document and turned it over to the police (the real police). I was very clear that I was not a victim of the scam, but they called me up and asked some questions, and gave me instructions on how to proceed. I doubt anything will come from it but it was a fun experience.
Takeaways
- Don’t open these strange e-mails.
- Keep calm, if you get upset you make mistakes
- Look at the domains used
- If someone is trying to reach out to you, look up that person or department credentials from a trusted source and use that information