A ransom email was sent to the family of a British girl who was found dead in a Malaysian jungle, an inquest heard.
Nóra Quoirin, from London, was reported missing on 4 August. Her body was discovered by a volunteer nine days later after a vast search operation.
Insp Noor Adil said the first of two emails demanding Bitcoin in ransom was sent to Nóra’s family on 7 August.
But Insp Adil told the court in Seremban, Malaysia, he felt the emails were a scam and not from kidnappers.
Nóra’s family, from Balham, were staying in Sora House in Dusun eco-resort near Seremban, about 40 miles (65km) south of Kuala Lumpur, when they reported Nóra missing, the day after they had arrived.
The 15-year-old, who was born with holoprosencephaly, a disorder which affects brain development, was eventually found by a group of civilian volunteers in a palm-oil plantation less than two miles from the holiday home.
The inquest has heard that her mother Meabh Quoirin repeatedly said she thought her daughter Nóra was abducted.
Insp Adil told the inquest he was asked to investigate the Bitcoin wallet address that was in the email sent to the family.
The email demanded 2 bitcoins (about £20,000) and said: “You have until 8pm Moscow time.”
He said he did not try to identity the email sender at the time as this was a task given to another officer.
But Insp Adil said he was instructed to conduct his own investigation into the wallet address on the morning of 13 August.
His first check of the wallet address showed that the balance was zero and there had been no incoming or outgoing transactions, he said.
For the purposes his investigation, Insp Adil deposited a small amount of Bitcoin currency and he found that was transferred from the first wallet address to a second wallet address the following day.
The sum was then sent to a third wallet address linked to BitMEX – a crypto trading platform registered in the Seychelles.
Insp Adil said: “Based on the emails sent, I found the pattern used by the sender of the email leans towards a modus operandi used by scammers – which is to take advantage of an issue by demanding a ransom in the form of Bitcoin.
“You can see the method is the same [as scammers] – they will provide the time, provide the wallet address, ask for the amount, and they will threaten what will happen if you do not pay up. But the sender of the email, we don’t know who it is.”
His said his investigation found BitMEX has had a warning notice from the UK’s Financial Conduct Authority and is regarded as an illegitimate firm.
The IP address for the last transaction was registered in Virginia, USA.
The inquest continues.