What is cyber kidnapping - explained

Cyber kidnappings are on the rise, and the far-reaching effects of these attacks have proven to be life-altering.

The recent cyber kidnapping scam that swept the US saw victim Kai Zhuang and his family suffer the consequences of this attack. This incident demonstrates a terrifying trend of scams that are sweeping the nation.

What is cyber kidnapping?

Cyber kidnapping is a form of extortion that deceives family members into thinking that their loved ones are in grave peril, being held for ransom, and threatened with harm or death.

Jon Clay, VP of Threat Intelligence at global cybersecurity firm Trend Micro, explained that “virtual or cyber kidnapping is an emerging cybercrime that abuses AI technologies to manipulate the decision-making processes.”

Clay continued by stating that “malicious actors exploit AI to introduce negative stimuli to unscrupulously control human emotions for ill gain on the feelings of torment and trauma that child abduction victims experience to persuade them to pay up.”

In Kai Zhuang’s case, cyber criminals forced him to isolate himself in a remote location to make it appear to his family that he was being held captive.

Where did it start?

From as early as 2013, the FBI’s Los Angeles Division was investigating calls originating from Mexican prisons.

These devious calls targeted Spanish speakers, and a large number of the victims were from the Los Angeles and Houston areas.

"In 2015, the calls started coming in English…and something else happened: The criminals were no longer targeting specific individuals, such as doctors or just Spanish speakers. Now they were choosing various cities and cold-calling hundreds of numbers until innocent people fell for the scheme,” the FBI special agent Erik Arbuthnot writes.

In 2023, we observed one of the most bizarre and chilling cases of cyber kidnapping, where young Zhuang was forced to isolate in the snowy mountains of Utah, sitting like a duck, awaiting a fate unknown.

How does it work?

Anurag Gurtu, CPO at StrikeReady, told Cybernews that cybercriminals will “typically call the victim, sometimes using spoofed numbers, claiming to have kidnapped a family member, and might use background noises to create a sense of urgency and realism.”

The victim will answer the phone and hear a screaming voice ringing down at them from the other end – although there’s no person at the end of the line, it’s just a recording.

“To add authenticity, scammers have started using AI to clone their victim's voice,” said Josh Amishav, CEO of Breachsense.

Clay told Cybernews how “adversaries leverage ChatGPT to filter and fuse large datasets to victim selection, and deepfakes are deployed to deceive victims into believing a close relation has been kidnapped to extort a ransom.”

The voice will cry out something like, “HELP ME,” and the victim may instinctively call out their family member's name, believing that it’s them on the other end of the line.

Once the criminal has this information, they can use it against the victim by claiming that they have their loved one under captivity.

The voice may threaten the life of the family member that was seemingly blurted out in a state of panic – stating that they may cause them harm or even worse.

The perpetrator would then demand a ransom, forcing the person on the other side to pay a specific amount; otherwise, something terrible would transpire.

Gurtu explained that “scammers often use personal information, possibly sourced from social media or data breaches, to make their threats seem real.”

Josh Amishav, CEO of Breachsense, said cybercriminals “often use various OSINT techniques to gather personal information beforehand, making their claims more believable.”

One thing is for sure: “The psychological impact of such an experience can be profound and lasting,” said Gurtu.

Could happen to anyone

From Kai Zhuang’s encounter with these unknown cyber criminals, we can deduce that adversaries must have gathered information about Zhuang and his family online that they could use against him.

Adversaries may have contacted him via spoofed phone numbers and ordered him to do as they said, or his parents would suffer.

Zhuang’s parents were then given information that Zhuang was held captive and ordered to pay a ransom.

According to the BBC, the family paid $80,000 to a bank account in China.

The victim was then forced to self-isolate and may have been monitored via video chatting services if the attackers followed the typical protocol.

Perpetrators may demand that victims take ransom photos of themselves to make the threat more believable.

But why Zhuang? It could be as simple as his foreign exchange student status, as many exchange students are targets for this attack.

However, the details surrounding this attack remain a mystery.

How to avoid cyber kidnapping scams

On the 21st of December, the Grant Country Sheriff’s office in Washington released a statement on Facebook regarding recent cyber kidnapping reports.

The statement revealed that “while real kidnappings are rare, at least in the United States, virtual kidnappings are on the rise.”

So, how do we avoid these attacks when adversaries use sophisticated techniques to make their scams more believable?

Gurtu suggests that individuals should be “skeptical of unsolicited calls, especially those that incite fear or urgency.”

If you have fallen victim to a cyber kidnapping, you should “verify the whereabouts of the alleged kidnapped person through other means,” said Gurtu

Gurtu, Amishav, and the Grant County Sheriff’s Office expressed that personal information shared on social media, such as your location, voice, or phone number, should be avoided at all costs.

If you suspect you have fallen victim to a cyber kidnapping, contact law enforcement immediately.