The email, titled "Regarding Zoom Conference call," claims that the attacker exploited a zero-day vulnerability to access the victim's private data.
"You have used Zoom recently, like most of us during these bad COVID times. And I have very unfortunate news for you," reads the email.
"There was a zero-day security vulnerability on Zoom app that allowed me a full time access to your camera and some other metadata on your account."
The attacker then claims that while making recordings "just for fun," they "have made a recording, where you work on yourself."
Bitdefender's Alina Bizga noted: "The extortionist has clearly done his homework. Multiple zero-day vulnerabilities have been reported this year, including some that even allow a full takeover of devices." After claiming to be in possession of compromising images of their victim, the attacker then presents themself as a victim of the impact of COVID-19.
"I got very sick, lost my job, about to be evicted and have no money to survive. All of this because of the stupid virus," writes the attacker.
"I'm sorry. I have no other choice."
The scammer then demands a $2,000 ransom in Bitcoin to be paid within three days if the victim doesn't want the footage to be made public. "I do not want you to be the next Jeffrey Toobin," writes the attacker. "I'm sure you don't want to be embarrassed."