Hello Pervert Pegasus Scam: Home Photos, Old Passwords, and the Safe Response

The "Hello Pervert" email is usually sextortion theater. It tries to create panic with three props: a porn accusation, a claim that spyware recorded you, and a threat to send a "video" to your contacts unless you pay. Newer variants add a photo of your home to make the threat feel personal.

Key idea: a home photo is not proof of hacking. It is proof that the attacker can copy public information and present it as surveillance.

Start here: what to do in the first 30 minutes

What you received	Do this now	Why it works
Only an email with threats	Do not reply, do not pay, do not click. Save the email headers and the full message as evidence. Mark as spam and block the sender after saving evidence.	Extortionists optimize for speed and panic. Breaking the feedback loop removes leverage.
An email that includes an old password	Treat it as a password reuse emergency, not proof of spying. Change that password everywhere it was used, starting with your email inbox. Enable strong sign-in (authenticator, passkey, or security key) on your inbox.	Old passwords usually come from breaches. Reuse is how scammers turn old data into real access.
You clicked a link or entered a password	Change your email password immediately. Sign out other sessions where possible. Run a full device malware scan and remove unknown browser extensions.	Phishing and malware create the only realistic path from an email to real account takeover.

What the email is trying to do

These messages are designed to make you feel watched, ashamed, and out of options. The attacker wants two outcomes: (1) you pay fast, and (2) you do not slow down long enough to verify anything. The home photo exists to force a belief that they can physically reach you.

The safer mental model is simple: assume the attacker has a list of emails and some personal data, and they are running a high-volume campaign. Most recipients are not individually targeted. When someone is targeted, it is usually because the attacker can reliably reach their recovery control plane (email inbox, phone number, or device sessions), not because they have a video.

How they get a photo of your home

A photo of your home is usually scraped from legitimate sources, then presented as "proof" of surveillance. Common sources include:

Street-level imagery and satellite maps
Real-estate listings (current or old)
Social media posts that show exteriors, landmarks, or address details
People-search and data broker sites that aggregate addresses

That means the photo can be real and still unrelated to device compromise.

If the email includes a password, your name, or an old address

Many variants include a password to increase credibility. In practice, this is often a password from an older data breach or a password you used on a low-value site. The attacker is counting on password reuse. The right response is to treat it as a data breach symptom, then close the actual takeover paths.

Start with your email inbox and any account that can reset other accounts (Apple Account, Google Account, Facebook/Instagram, your password manager). If you reuse passwords, assume the attacker will try the same password on higher-value services.

If you clicked a link or typed a password

If you clicked a link or entered credentials, focus on containment and recovery. Do not waste time debating whether the threat is "real". The risk is that your credentials or session cookies were stolen.

Secure the inbox first. If your email is compromised, the attacker can reset other accounts. Change the password, enable strong sign-in, and review recent sign-ins.
Kill active sessions. Sign out of other devices/sessions where available, then sign back in only on trusted devices.
Check for silent persistence. Look for auto-forwarding rules, new recovery addresses, new trusted devices, and unfamiliar app access.
Scan and update devices. Install OS and browser updates, run a reputable malware scan, and remove unknown browser extensions. If you suspect malware, reset passwords only after the device is clean, and prioritize a password manager plus stronger sign-in methods.

If you are not sure whether you entered the password on a real site or a fake one, assume it was fake. Changing passwords and reviewing sessions is cheaper than recovering an account later.

What not to do

Extortion emails work because they push you toward a few predictable mistakes. Avoid these, even if you feel pressured:

Do not pay. Payment rarely ends the harassment, and it signals that you are reachable.
Do not negotiate. Replies confirm the address is monitored and can increase targeting.
Do not send personal photos or ID documents. Attackers often pivot to identity fraud.
Do not install remote access tools. Some campaigns try to escalate from intimidation to real compromise by convincing you to install software.
Do not open attachments on your work device. If the email includes attachments, treat them as hostile and avoid turning a scam into an infection.
Do not forward the email widely for "advice". Preserve evidence privately and share only what is necessary.

Why they name-drop Pegasus

Some variants claim they used "Pegasus" spyware. Pegasus is the name of a high-end surveillance tool that has been reported in targeted operations. Sextortion scammers use that name because it sounds credible and expensive.

In most cases, the Pegasus claim is marketing. The email is written to create a feeling of inevitability. The practical response does not change: look for real compromise signals, secure your recovery control plane, and do not pay based on a story.

How to check for real compromise without spiraling

If you are worried that the email reflects real access, use evidence-based checks. Look for changes that a scammer cannot fake in an email:

Inbox account activity: new logins, new devices, password reset emails you did not request, or security alerts that do not match your actions.
Account settings changes: recovery email/phone changed, forwarding rules added, or new app authorizations.
Outbound activity: messages sent from your accounts, new social posts, or unauthorized transactions.

If you see these signals, treat it as a real incident and follow a full containment playbook. If you do not see them, treat the email as intimidation and focus on hardening.

Rule of thumb: if the attacker had real access, the first thing you would usually see is account changes and reset attempts, not a long email trying to sell you a story.

Preserve the email properly (quick evidence checklist)

Good evidence is boring, complete, and easy to hand to a support team or investigator later. Preserve it before you delete anything:

Save the full email with headers. Many mail apps let you download the original message (often as an .eml file) or view message details.
Capture the threat artifacts. Screenshot the message, copy any wallet addresses, and save any attached images.
Record timing. Note when you received it and whether you replied, clicked, or paid.
Keep it in one place. Store it somewhere private that you control, not in a shared chat thread.

You do not need to become a forensic analyst. You just need to avoid losing the parts that prove what happened.

If you already paid

If you paid once, do not assume you are "safe". Payment confirms that your email address is reachable and that you will act under pressure. Many victims are contacted again with new threats.

Do not pay again. Paying more increases leverage.
Preserve all payment details. Keep wallet addresses, transaction IDs, and copies of the messages.
Report anyway. Reporting can still help pattern tracking and may be relevant if the campaign escalates.
Harden the control plane. Treat the situation like a security incident and secure your inbox and recovery accounts.

Protect your contacts and reputation

These emails often claim they will send content to your contacts. In many campaigns, that is bluff. Still, it helps to reduce the risk of attackers using your accounts to reach other people.

Secure social accounts. If your social account is taken over, the attacker can message your network directly.
Consider a short heads-up only if needed. If you believe your account might be compromised, a neutral message like "I am dealing with a security issue, ignore unexpected messages" is usually enough.
Watch for follow-on scams. Some campaigns pivot into impersonation and "support" scams after the initial email.

When it might be more than a mass scam

Most "Hello Pervert" emails are mass campaigns. If you are receiving repeated messages over time, the sender is referencing private details that are not easy to scrape, or the threat is moving from online intimidation to physical stalking, treat it as harassment with a safety component.

In that case, preserve evidence, tighten accounts, and consider reporting locally. If your workplace accounts or employer identity are involved, loop in your IT or security team so the response is coordinated and you do not accidentally trigger account lockouts.

Report it and preserve evidence safely

Reporting matters for pattern tracking and can help if the campaign escalates. Preserve evidence first, then report.

Save the original message. Keep the full email with headers, wallet addresses, screenshots of threats, and any attached images.
Report sextortion. File a complaint at the FBI's Internet Crime Complaint Center (IC3). IC3 also publishes public service announcements on sextortion trends.
If a minor is involved: use the National Center for Missing & Exploited Children (NCMEC) resources for sextortion and reporting guidance.

Helpful references: IC3 PSAs, IC3 PSA on sextortion, and NCMEC sextortion resources.

Reduce future targeting

These scams work better when attackers can easily tie an email address to a real person and a real address. You cannot remove yourself from the internet, but you can reduce how quickly someone can connect the dots.

Reduce the amount of public address and phone data available through data brokers.
Lock down social media privacy settings and remove location-revealing posts.
Use a password manager and stop password reuse.
Keep your recovery control plane healthy: updated inbox security, up-to-date devices, and recovery methods that you can actually use.

If you are being directly threatened

If the message includes your real name, address, or other specifics, treat it as intimidation, but take it seriously as harassment. Preserve evidence, tighten your account security, and consider reporting to local law enforcement. If you feel in immediate danger, prioritize physical safety first.

For deeper incident guidance that stays defensive and privacy-safe, see: how to fight online blackmail and digital extortion, what to do if someone is blackmailing you for watching porn, and been hacked.

The goal is not to prove the email is fake. The goal is to make it powerless. When you treat it like a routine security incident and harden the control plane, the scam stops being a crisis and becomes background noise. The attacker cannot shame you into paying if you do not participate.

Most of the damage from sextortion emails comes from panic and rushed decisions. Slow down, preserve evidence, secure your inbox, and move methodically. If anything looks like real access, switch from "ignore" to "contain and recover" and follow the signals instead of the story.

Once your accounts are stable, reduce the amount of personal data that is easy to scrape and keep your sign-in methods strong. These campaigns rely on scale. When you make your account harder to take over and your identity harder to stitch together, you stop being an easy win.