For $40, you can buy stolen police and government email accounts

Active police and government email accounts are being sold on the dark web for as little as $40, giving cybercriminals a direct line into systems and services that rely on institutional trust. According to new research from Abnormal AI, the accounts come from agencies in the United States, United Kingdom, Germany, India, and Brazil, and are being traded on underground forums.

Source: Abnormal AI

Unlike spoofed or dormant addresses, these accounts are functional and still in use by legitimate agencies. Once compromised, they allow attackers to impersonate officials, send fraudulent subpoenas, or request sensitive data with a level of credibility that is difficult to challenge.

How accounts are compromised

Researchers found that many of these accounts are taken over using straightforward methods.

Credential stuffing and password reuse: Government workers who reuse passwords or pick weak ones create an opening for attackers. With billions of stolen credentials from past breaches available online, cybercriminals test government email addresses against these databases to find matches.

Infostealer malware: Malicious software that collects stored credentials from browsers and email clients can expose accounts. Bulk logs of stolen data can be bought for as little as $5. Attackers then test which government emails are still active.

Targeted phishing: Spear phishing campaigns aimed at police or government staff can trick victims into giving away their login details. Without MFA, a single stolen password is enough to give an attacker full access.

How accounts are sold and used

The sale of these accounts usually happens through encrypted messaging services like Telegram or Signal. Buyers pay in cryptocurrency and receive the credentials needed to log in through standard email protocols such as SMTP, POP3, or IMAP.

In the past, access might have been quietly resold. Now, sellers openly advertise specific uses for the accounts. This includes filing fake legal requests or bypassing verification steps for online platforms. Some even bundle account access with the personal details of the original owner to make the purchase more appealing.

The value of institutional trust

A compromised government account carries legal and operational weight that is hard to replicate. The report highlights three areas of concern:

  • Legal compulsion authority: Many services are required to respond quickly to urgent law enforcement requests, often without verification.
  • Built-in credibility: Emails from official domains can pass automated security checks and are less likely to be doubted by recipients.
  • Exclusive access: Some systems and databases only grant entry to verified government accounts.

When criminals control one of these accounts, they inherit its authority. This makes it difficult for recipients to tell a fake request from a real one.

Fraudulent data requests and system access

With a compromised account, attackers can send what appear to be legitimate subpoenas or emergency data requests to tech companies and telecom providers. Emergency requests are meant for urgent situations where a subpoena cannot be obtained quickly, which makes them particularly vulnerable to abuse.

In some cases, attackers have used compromised accounts to log into restricted systems. One example cited in the report involved access to a platform for handling legal requests to a social media company, which could be used to pull user data or remove content.

Beyond phishing

The risk goes beyond sending convincing emails. Researchers found that some sellers offered access to law enforcement databases and investigative tools, including license plate lookup systems and internal police reporting dashboards. In the wrong hands, these could be used for surveillance, data theft, or other crimes.

Implications for cybersecurity teams

The report warns that traditional email security tools may not catch these threats. Since the emails come from legitimate accounts with valid authentication records, they can bypass standard filters. The challenge is compounded by the fact that recipients often trust official addresses without question.

For security teams, this underscores the need for stronger authentication, better password practices, and faster response to account compromise. Agencies should also review how they verify urgent requests and limit access to sensitive systems to reduce the damage that a single compromised account can cause.
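As an added example (not code from the article or from Abnormal AI), the detection logic below flags the kind of login that follows a credential sale: a successful IMAP/POP3/SMTP login from a source the account has never used, or from an IP that has just failed against several other accounts. The log format, account names and IP addresses are constructed for this example and are assumptions, not real data.

```python
# Added example; log format, accounts and IPs are constructed, not real data.
# Adapt parse_line() to your mail server's or identity provider's audit log.
from collections import defaultdict

LEGACY_PROTOCOLS = {"imap", "pop3", "smtp"}  # basic-auth mailbox protocols

def parse_line(line):
    """Parse '<iso-ts> user=<addr> proto=<p> ip=<ip> result=<ok|fail>'."""
    ts, *kv = line.split()
    return {"ts": ts, **dict(item.split("=", 1) for item in kv)}

def flag_logins(lines, baseline_until, fail_threshold=3):
    """Learn each account's source IPs from successful logins up to
    baseline_until (ISO timestamps compare as strings), then alert on later
    legacy-protocol successes from an IP the account never used or from an
    IP that already failed against several accounts (a stuffing pattern)."""
    known = defaultdict(set)     # user -> IPs seen in successful baseline logins
    failures = defaultdict(set)  # ip -> accounts with failed attempts after baseline
    alerts = []
    for rec in map(parse_line, lines):
        if rec["ts"] <= baseline_until:
            if rec["result"] == "ok":
                known[rec["user"]].add(rec["ip"])
            continue
        if rec["result"] != "ok":
            failures[rec["ip"]].add(rec["user"])
            continue
        if rec["proto"] not in LEGACY_PROTOCOLS:
            continue
        reasons = []
        if rec["ip"] not in known[rec["user"]]:
            reasons.append("new source IP for account")
        if len(failures[rec["ip"]]) >= fail_threshold:
            reasons.append(f"{len(failures[rec['ip']])} accounts failed from this IP")
        if reasons:
            alerts.append((rec["ts"], rec["user"], rec["proto"], rec["ip"], "; ".join(reasons)))
    return alerts

# Constructed sample log: a quiet baseline, then a stuffing run ending in a hit.
SAMPLE_LOG = [
    "2024-05-01T08:00:00Z user=clerk@police.example.org proto=https ip=203.0.113.10 result=ok",
    "2024-05-01T08:05:00Z user=clerk@police.example.org proto=imap ip=203.0.113.10 result=ok",
    "2024-05-10T02:00:00Z user=a@police.example.org proto=imap ip=198.51.100.7 result=fail",
    "2024-05-10T02:00:05Z user=b@police.example.org proto=imap ip=198.51.100.7 result=fail",
    "2024-05-10T02:00:10Z user=c@police.example.org proto=imap ip=198.51.100.7 result=fail",
    "2024-05-10T02:00:15Z user=clerk@police.example.org proto=imap ip=198.51.100.7 result=ok",
    "2024-05-10T08:00:00Z user=clerk@police.example.org proto=imap ip=203.0.113.10 result=ok",
]
```

Running `flag_logins(SAMPLE_LOG, "2024-05-03T00:00:00Z")` returns a single alert, for the clerk account's IMAP login from 198.51.100.7, carrying both reasons. Webmail and SSO sign-ins are deliberately not checked here, so pair this with the identity provider's own sign-in logs.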


Source link

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.