Stolen Email Accounts of Law Enforcement and Government Agencies Auctioned on the Dark Web, Priced at $40 Each

According to Abnormal AI, access to these accounts can open the door to intricate fraud schemes in which attackers impersonate government officials.

In a concerning revelation, a recent report published by Abnormal AI on August 14 has highlighted the sale of compromised law enforcement and government email accounts on the dark web. These accounts, which originate from various countries including the US, UK, India, Brazil, and Germany, have been found to be actively used by attackers immediately after purchase.

The cost for these compromised accounts can be as low as $40 per account, making them an affordable tool for cybercriminals. This commoditization of institutional trust has broadened the appeal of these accounts and lowered the barrier to entry for impersonation-based attacks.

Cybercriminals are no longer just reselling access; they're actively marketing specific use cases, such as submitting fraudulent subpoenas or bypassing verification procedures for social platforms and cloud providers. Dark web advertisements encourage buyers to use compromised accounts to submit emergency data requests, promising that successful requests will yield data like IP addresses, emails, or phone numbers.

Emails from domains such as .gov and .police are more likely to evade technical defenses and less likely to raise suspicion among recipients. The result is a higher ratio of malicious attachments and links being clicked on.

The Abnormal AI report notes a marked shift in strategy by cybercriminals in the selling of these compromised accounts. Instead of simply selling the accounts, they are now offering full SMTP/POP3/IMAP credentials for the accounts, providing full control over the inbox through any email client, enabling immediate email sending or access to government-only services.

Some sellers promote using stolen credentials to gain enhanced access to premium open-source intelligence (OSINT) services like Shodan and Intelligence X. When a purchase is made, usually with cryptocurrency, buyers receive these complete credentials.

The researchers observed threat actors using credential stuffing, exploiting password reuse, infostealer malware, and targeted phishing attacks to compromise law enforcement and government accounts. These compromised accounts offer attackers opportunities to conduct sophisticated fraud and data theft schemes.

No information was available about the sellers of the compromised government and agency email accounts mentioned in the Abnormal AI report. However, such accounts are typically sold via encrypted messaging platforms like Telegram or Signal.

The use of these compromised accounts can have serious implications, particularly when they are used to submit emergency data requests. Real emergency data requests are used by law enforcement agencies to request immediate information from businesses in urgent situations where there is inadequate time to obtain a subpoena. The misuse of these requests can lead to the exposure of sensitive information.

This issue underscores the importance of robust cybersecurity measures, particularly for government and law enforcement agencies. It is crucial that these entities take steps to protect their email accounts and other sensitive data from unauthorised access.
