The Federal Bureau of Investigation (FBI) is warning law enforcement agencies and international governments to bolster email security measures, as hackers increasingly exploit compromised police email accounts to send fraudulent subpoenas and customer data requests to US-based technology companies.
According to the alert, published as a PDF, the FBI has observed an uptick in posts on criminal forums discussing how to submit emergency data requests (EDRs) and advertising the sale of email login credentials stolen from law enforcement agencies and government organizations.
“Criminal hackers have potentially gained unauthorized access to compromised email accounts of US and international law enforcement agencies, exploiting these vulnerabilities to orchestrate fake emergency data requests to US-based companies, thereby putting sensitive consumer information at risk for further illegal exploitation,” the FBI cautioned.
In the United States, federal, state, and local law enforcement agencies normally need a court-ordered warrant or subpoena to obtain information from technology providers about a specific account, such as the owner of an email address or the websites visited from a particular cellphone account.
Major technology firms serving large customer bases have dedicated departments that review and process such requests, and they often grant them (at least in part) provided the necessary documentation is submitted and the request appears to originate from an official email address tied to a law enforcement agency with jurisdiction.
In some cases, cybercriminals forge court-approved subpoenas and send them from law enforcement or government email accounts that were previously hacked. Increasingly, however, criminals rely on fake EDRs instead: an emergency data request asserts that someone may face physical harm or death unless the provider hands over the account information immediately, and that claimed urgency is the lever.
The problem is that EDRs bypass the normal review process: they are not subject to official assessment and do not require the requesting party to submit court-approved documentation. For organizations receiving many EDRs, it is difficult to determine immediately whether each request is authentic.
A provider receiving an EDR therefore faces a stark choice: ignore or delay a genuine emergency request and risk being blamed for a preventable death, or compromise customer confidentiality by handing records to someone who may have no right to them.
Compliance with such requests tends to be very high. In its most recent transparency report (PDF), one large provider said it received more than 127,000 law enforcement requests for customer information in the second half of 2023, including more than 36,000 EDRs, and that it produced records in response to roughly 90% of them.
A prolific English-speaking cybercriminal using the pseudonyms “” and “” has been advertising fraudulent EDR services on multiple Russian-language and English-language cybercrime forums. Prices range from $1,000 to $3,000 per successful request, and the seller claims to control government email accounts from more than 25 countries, including Argentina, Bangladesh, Brazil, Bolivia, Dominican Republic, Hungary, India, Kenya, Jordan, Lebanon, Laos, Malaysia, Mexico, Morocco, Nigeria, Oman, Pakistan, Panama, Paraguay, Peru, Philippines, Tunisia, Turkey, United Arab Emirates (UAE), and Vietnam.
“I cannot guarantee that every order will receive individual attention,” Pwnstar explained. “That’s social engineering at its most sophisticated; however, there may be instances where attempts fail. Don’t be discouraged. If you decide to employ escrow services, we will provide a full refund in the event that the EDR does not take place or you fail to receive your information.”
A review of cybercrime forums shows that some self-described EDR vendors claim they can send fake police requests to specific social media platforms, complete with forged court documents. Other vendors simply sell access to compromised law enforcement email accounts and leave it to the buyer to produce any documentation.
“Upon opening an account, the user assumes sole ownership and legal liability for its management,” states a promotional message published in October. “Limitless Emergency Information Requests. As soon as payment is processed, logins become completely yours to use. Reset as you please. Wouldn’t You Want to Streamline Paperwork for Swift Access to Critical Information?”
Some EDR vendors also claim to sell compromised or fraudulently created accounts on Kodex, a startup that aims to help technology companies do a better job of screening out fraudulent law enforcement data requests. Kodex works directly with data providers to vet the police and government officials submitting requests, with the goal of making fake EDRs easier to identify.
Police and government officials seeking data on Coinbase customers, for example, must first register on kodexglobal.com. Kodex then scores each requester on their history of submitting legitimate legal requests, producing a rating akin to a credit score; officers with a track record of authentic requests score higher than first-time EDR senders.
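As an added example (not code from Kodex, the FBI, or any provider named in this article), the following Python sketches the intake checks described above: the official-domain and email-authentication checks that providers lean on, a history-based requester score of the kind Kodex computes, and the consequence the FBI's warning implies, namely that a request sent from a genuinely hijacked agency mailbox passes every email check and can only be caught by the requester's history or by an out-of-band callback. The domain allowlist, score threshold, sample requests and Authentication-Results headers are all constructed for the example.

```python
"""Triage of inbound law enforcement data requests (illustrative; not any vendor's code)."""
from dataclasses import dataclass
import re

# Constructed allowlist of agency email domains; a real deployment would load
# a vetted registry rather than hard-code it.
KNOWN_AGENCY_DOMAINS = {"pd.example.gov", "sheriff.example.us"}

# Requesters scoring below this are treated as unknown and must be verified
# out of band before an emergency release (threshold is an assumption here).
TRUSTED_SCORE = 70


@dataclass
class DataRequest:
    sender: str                       # From: address on the request email
    auth_results: str                 # Authentication-Results header as received
    emergency: bool                   # requester asserts imminent harm (an EDR)
    court_document: bool              # signed warrant or subpoena attached
    prior_legit: int                  # past requests from this officer that checked out
    prior_flagged: int                # past requests later found to be fraudulent
    callback_verified: bool = False   # identity confirmed via the agency's published number


def sender_domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if it is malformed."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", addr.strip())
    return m.group(1).lower() if m else ""


def email_auth_passed(header: str) -> bool:
    """True only if SPF, DKIM and DMARC all report 'pass'.

    This proves the message came through the agency's mail system. It says
    nothing about who was at the keyboard: mail from a hijacked mailbox
    passes all three checks.
    """
    found = {k.lower(): v.lower()
             for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}
    return all(found.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))


def reputation(prior_legit: int, prior_flagged: int) -> int:
    """0-100 score from request history: a first-time requester starts at 0,
    and any previously flagged request zeroes the score."""
    if prior_flagged:
        return 0
    return min(100, 10 * prior_legit)


def triage(req: DataRequest) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is one of
    reject, manual_review, hold_for_callback, release."""
    reasons: list[str] = []
    domain = sender_domain(req.sender)
    if domain not in KNOWN_AGENCY_DOMAINS:
        return "reject", [f"sender domain {domain!r} is not a known agency domain"]
    if not email_auth_passed(req.auth_results):
        return "manual_review", ["SPF, DKIM or DMARC failed: header may be spoofed"]
    if req.emergency:
        # No court paperwork to check, so requester identity is the only control.
        reasons.append("emergency request without legal process")
    elif req.court_document:
        reasons.append("legal process attached")
    else:
        return "reject", ["non-emergency request without a court document"]
    score = reputation(req.prior_legit, req.prior_flagged)
    reasons.append(f"requester reputation score {score}")
    if req.prior_flagged:
        return "manual_review", reasons + ["requester has a previously flagged request"]
    if score < TRUSTED_SCORE and not req.callback_verified:
        # A compromised real mailbox gets this far; only a callback to the
        # agency's published number (not a number in the email) breaks it.
        return "hold_for_callback", reasons + ["verify requester out of band before release"]
    return "release", reasons


# Constructed samples: a known officer with paperwork, and the FBI-described
# case of a hijacked agency mailbox sending a first-time emergency request.
KNOWN_OFFICER = DataRequest(
    sender="det.smith@pd.example.gov",
    auth_results="mx.example.net; spf=pass smtp.mailfrom=pd.example.gov; "
                 "dkim=pass header.d=pd.example.gov; dmarc=pass",
    emergency=False, court_document=True, prior_legit=12, prior_flagged=0)

HIJACKED_MAILBOX = DataRequest(
    sender="clerk@sheriff.example.us",
    auth_results="mx.example.net; spf=pass smtp.mailfrom=sheriff.example.us; "
                 "dkim=pass header.d=sheriff.example.us; dmarc=pass",
    emergency=True, court_document=False, prior_legit=0, prior_flagged=0)

if __name__ == "__main__":
    for name, req in (("known officer", KNOWN_OFFICER), ("hijacked mailbox", HIJACKED_MAILBOX)):
        decision, why = triage(req)
        print(f"{name}: {decision} ({'; '.join(why)})")
```

The point of the two samples is that the hijacked mailbox is indistinguishable from the known officer on every email-level check; it is only the absence of history (or of a verified callback) that keeps the emergency request from being released.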
Some purported EDR vendors falsely claim they can fulfil data requests through Kodex, and a few have posted heavily redacted screenshots of law enforcement requests on the platform.
Kodex was founded in 2021 by Donahue, a former FBI agent. He said that having a police department or government email address does not by itself entitle someone to send a request, and that even if one customer receives a fake request, Kodex tries to prevent the same request from reaching another.
Over the past 12 months, Kodex told KrebsOnSecurity, it has handled 1,597 EDRs, of which 485 (roughly 30%) failed its second-level verification. Kodex says it has suspended approximately 4,000 law enforcement users over the past year, including:
-1,521 from the Asia-Pacific region;
-1,290 from Europe, the Middle East, and Asia;
-460 from police departments and agencies in the United States;
-385 from entities in Latin America;
-285 from Brazil.
At least 60 technology companies now route all law enforcement data requests through Kodex, and a growing number of financial institutions and cryptocurrency platforms use it as well. One concern prospective clients raise is the growing threat of fraudulent law enforcement requests aimed at freezing, or even seizing, specific financial accounts.
Donahue emphasized that what is often mistaken for an EDR in these cases lacks a legitimate decision-maker’s signature and a sanctioned process. “That kind of control over data is more like an account freeze or data preservation request,” he said.
In one hypothetical scenario, a scammer compromises an official email account and uses it to instruct a provider to freeze a specific bank or crypto account, claiming it is subject to a garnishment order or to sanctions tied to an international crime such as terrorism or child exploitation.
Days or weeks later, the scammer returns from the same account and demands that the funds be transferred out or redirected to custodial wallets purportedly controlled by law enforcement.
Donahue said the approach builds trust through social engineering. “The freeze request establishes trust from the start, because they’re not requesting personal data initially,” he said. “Asking ‘can I ask a favour of you?’ has a profound impact on the recipient; it makes them feel valued and appreciated.”
Consistent with the FBI’s warning, Donahue said many law enforcement agencies worldwide neglect basic account security, often failing to require phishing-resistant multifactor authentication.
Cybercriminals gain access to police and government email accounts through weak passwords, phishing, or exploited software vulnerabilities. Donahue said phishing remains the primary vector, but opportunistic malware infections also harvest credentials that are then sold on the dark web. Poor practices are common worldwide, he said, but many US law enforcement agencies also have plenty of room to improve their security.
“Sadly,” Donahue observed, “a significant proportion of those emails are actually phishing or malware scams. Many world-class police forces lack rigorous cybersecurity practices, but surprisingly even United States dot-gov emails get hacked.”
“Over the past nine months I’ve contacted CISA, the Cybersecurity and Infrastructure Security Agency, more than a dozen times about .gov email addresses that had been compromised but had not been reported to CISA,” he said.