Cybercriminals are selling access to active law enforcement and government email accounts for as little as $40 on the dark web, according to an investigation by Abnormal AI.
These compromised accounts belong to officials from the US, UK, India, Brazil and Germany, with agencies such as the FBI among those affected.
The ability to impersonate law enforcement and government employees through their own emails offers attackers’ opportunities to conduct sophisticated fraud and data theft schemes. Such schemes include sending fake subpoenas and accessing sensitive information through emergency data requests.
Emails sent from domains such as .gov and .police are more likely to evade technical defenses and less likely to raise suspicion among recipients. The result is a higher ratio of malicious attachments and links are clicked on.
The Abnormal AI researchers noted that while law enforcement accounts have been quietly sold on the dark web for years, there has recently been a marked shift in strategy.
“Cybercriminals are no longer just reselling access; they’re actively marketing specific use cases, such as submitting fraudulent subpoenas or bypassing verification procedures for social platforms and cloud providers. This commoditization of institutional trust has broadened the appeal of these accounts and lowered the barrier to entry for impersonation-based attacks,” they wrote.
“Unlike dormant or spoofed accounts, these are active, trusted inboxes that attackers have compromised for immediate malicious use,” the researchers added.
Read now: Cybercriminals Exploit Low-Cost Initial Access Broker Market
Customers Offered Immediate Use at Low Cost
The Abnormal AI report, published on August 14, observed that compromised law enforcement and government accounts are typically sold via encrypted messaging platforms like Telegram or Signal.
These are often at a relatively low cost given the unique criminal opportunities such email accounts offer, available for as little as $40 per account.
When buyers make a purchase, usually with cryptocurrency, they receive complete SMTP/POP3/IMAP credentials for those accounts.
This provides the actor with full control over the inbox through any email client, enabling them to immediately begin sending emails or taking advantage of government-only services.
Example listing offering a bundle of US government email accounts for sale, including an FBI.gov address. Source: Abnormal AI
Many of the dark web advertisements urge buyers to use compromised accounts for submitting emergency data requests, promising that "successful requests yield data like IP addresses, emails or phone numbers."
Real emergency data requests are used by law enforcement agencies to request information immediately from businesses in urgent situations where there is inadequate time to obtain a subpoena. These demands are often issued to technology companies and telecom providers who are legally obligated to respond to legitimate law enforcement requests.
The researchers also observed criminal marketplaces advertising access to official law enforcement portals on platforms such as TikTok and X, to conduct additional data retrieval requests.
Some sellers promote leveraging stolen credentials to gain enhanced access to premium open-source intelligence (OSINT) services. Platforms such as Shodan and intelligence X typically offer enhanced capabilities to verified government users.
How Attackers Compromise Government Email Accounts
The researchers highlighted a variety of simple but effective approaches used by threat actors to compromise law enforcement and government accounts before being sold on the dark web.
- Credential stuffing and exploiting password reuse
- Infostealer malware to harvest saved login credentials from infected browsers and mail clients
- Targeted phishing and social engineering attacks
No tags.
