The sale of these compromised government and police email accounts on the dark web is creating a new and dangerous avenue for cybercrime. These are not merely spoofed addresses but active, functional accounts from agencies in countries including the United States, United Kingdom, Germany, India, and Brazil. Because the emails originate from official domains, they can easily bypass traditional security filters and are more likely to be trusted by recipients. This institutional credibility is a valuable asset for criminals, allowing them to carry out highly convincing and difficult-to-detect attacks.
Accounts are compromised through a variety of simple yet effective methods. One of the most common is credential stuffing, where attackers use databases of stolen credentials from past breaches to find matching passwords for government email addresses. Another method is the use of infostealer malware, which harvests login details from an employee’s browser or email client. These bulk logs of stolen data are then sold cheaply on the dark web. Finally, targeted phishing campaigns, also known as spear phishing, trick government and police staff into voluntarily giving up their login information. The lack of multi-factor authentication (MFA) on many of these accounts makes a single stolen password sufficient for an attacker to gain full access.
Once compromised, these accounts are typically sold through encrypted messaging platforms like Telegram, with payment made in cryptocurrency.
Unlike in the past where access might have been resold quietly, sellers are now openly advertising specific malicious use cases. These include filing fraudulent legal requests to companies or bypassing verification procedures for online platforms. In some instances, sellers even bundle the account access with the personal details of the original owner to make the purchase more attractive and effective for the buyer.
The value of these accounts lies in the institutional trust they carry. A compromised government email address has the authority to issue legal requests that many companies and services are obligated to fulfill, often with little to no verification. The report highlights that emails from official domains are more likely to pass automated security checks and are less likely to be questioned by recipients. Furthermore, some restricted systems and databases only grant access to verified government accounts. When criminals gain control of these accounts, they inherit this authority, making it incredibly difficult for recipients to distinguish a fraudulent request from a legitimate one.
The implications for cybersecurity are significant. Traditional email security tools often fail to flag these threats because the emails come from legitimate accounts with valid authentication records. The burden, therefore, falls on agencies and their security teams to adopt stronger defensive measures. This includes implementing mandatory MFA, enforcing better password practices, and establishing a rapid response protocol for when an account is compromised. Agencies must also re-evaluate their processes for verifying urgent data requests and restrict access to sensitive systems to limit the damage a single compromised account can cause.
Reference:
