So far it seems to be the usual "pay up or we'll ... well, do nothing and try another victim" routine. It just seems to be a cash grab with no actual activity behind it.
(Not that blackhats can't make a nuisance of themselves, of course. Over the years a number of my email addresses have been repeatedly reported to blacklisting sites in an attempt to shut them down. One of my most common addresses is pretty much completely blocked on GMail unless you whitelist it ...)
............ This message may or may not be governed by the terms of http://www.noticebored.com/html/cisspforumfaq.html#Friday or https://blogs.securiteam.com/index.php/archives/1468
Idle threats seem to be on the increase. We've had threats to report vulnerabilities to government regulators unless we paid a bug bounty. The supposed bugs were undisclosed. I think they're relying on inducing fear to pay up, rather than having any particular technical information.