Hackers Are Selling Hacked Police Emails to Try to Grab Personal Data From TikTok, Facebook

Many criminals want access so they can pose as cops and make fraudulent 'emergency data requests' with TikTok, Facebook, Discord, and more top companies.
One of the documents shared by the hacker. Image: 404 Media

“Howdy Joseph,” the July email I got from Zdravko Krivokapić, who was the Prime Minister of Montenegro until last year, read.

Obviously, this wasn’t actually Krivokapić emailing me. Instead, it was a hacker who had gained access to what seemed to be Krivokapić’s personal Gmail account. The hackers proceeded to send me a mass of alleged documents from the government of Montenegro, including some related to the country’s Ministry of Finance. Alongside those, the hacker also sent photos of cash, flashy watches, and weapons, which appear to be from the hacker’s own collection and not the former Prime Minister’s.

Beyond wanting to flex their access to Krivokapić’s account, the hacker said they might use the compromised email to then target other services, using the former Prime Minister’s identity as a cover. It’s unclear how successful that attempt may have been, but the brazenness of emailing a journalist from an official’s email account did highlight something gaining popularity in the digital underground. Hackers are compromising the email accounts of government and law enforcement officials, selling them on the open market, and in some cases using that access to trick social media giants and other legitimate companies into handing over their customers’ data. Desired targets include TikTok, Discord, Snapchat, Facebook, and Instagram. The groups where these email accounts are often advertised include criminals who use personal information to target people for harassment, extortion, or physical violence.

The hacker’s initial email to me ended with “LOL.”

Do you know anything else about fraudulent use of EDRs? I would love to hear from you. Using a non-work device, you can message me securely on Signal at +44 20 8133 5190. Otherwise, send me an email at joseph@404media.co.

Cybercriminals sell access to these compromised government accounts across a variety of forums and group chats, especially on the messaging app Telegram. One person who is a reputable seller of personal information on Telegram also claims to be selling such email accounts. One screenshot they shared on Telegram shows an inbox allegedly belonging to a Brazilian municipality; the seller said they are offering accounts for $400 each. In another post and accompanying screenshot, they claimed to have access to an FBI email account.

A second apparent seller wrote in one popular Telegram group they are “SELLING INDIAN GOV MAILS, $100 A PIECE, CAN ACCESS FB LAW PANEL/EDR IG/FB ACCS.” The post adds they are selling “other third world gov mails” for $50 each.

Other messages viewed by 404 Media advertise emails belonging to the governments of Thailand, the UK, Germany, Bangladesh, and Nepal.

Many of the adverts explicitly say that buyers can use these email accounts to then make Emergency Data Requests, or EDRs. EDRs are a common mechanism across social media and tech companies designed to provide user data to law enforcement in high-stakes situations. This, for example, might include a child kidnapping, where authorities may need data quickly in an attempt to apprehend a suspect or locate a victim.

One Telegram group where government emails are being explicitly advertised as a way to gain access to sensitive user data is focused on physical violence against targets. Here, members can hire one another to perform shootings, stabbings, robberies, and more.

Companies each have their own way of handling EDRs, be that a locked-off web portal or a dedicated department to contact. But they typically require anyone requesting data to contact the company from an official government or law enforcement agency email address.

That’s why these compromised accounts are so valuable to criminals. They allow hackers to tap into a stream of data that is usually off limits, simply by pretending to be a law enforcement officer. In March last year cybersecurity reporter Brian Krebs reported on the rise of fraudulent EDRs among cybercriminals and pointed to a specific case involving Discord. A day later, Bloomberg reported that Apple and Meta had given up user data in response to such demands.

In more recent Telegram messages, 404 Media has seen criminals specifically discuss the ability to make fraudulent EDRs with TikTok, Instagram, Facebook, and GoDaddy. Others have shown interest in targeting Discord and Snapchat.

Meta told 404 Media it blocks known compromised accounts from making requests to its dedicated Law Enforcement Response Team (LERT).

TikTok confirmed to 404 Media it more commonly sees fraudulent requests from people impersonating law enforcement agencies in foreign countries. TikTok said it has successfully blocked some fraudulent requests, but declined to say whether any have managed to get through. TikTok added it has additional safeguards in place to vet EDRs and tools to protect those requests.

A Discord spokesperson told 404 Media in a statement that “Like any company, we are obligated to comply with law enforcement requests. To ensure the legitimacy of requests from law enforcement, we follow thorough guidelines to carefully evaluate them and ensure they come from a genuine source and that they are not overly broad or vague.”

Snapchat and GoDaddy did not respond to a request for comment.

Krivokapić, the former Prime Minister of Montenegro whom a hacker appeared to have targeted, did not respond to multiple requests for comment.

Update: this piece has been updated with a statement from Discord.