Active Government and Law Enforcement Email Accounts Sold on Dark Web
Summary
Hide ▲
Show ▼
Criminals are selling active government and law enforcement email accounts on the Dark Web for as low as $40 per account. These accounts, from users in the US, UK, India, Brazil, and Germany, are being actively exploited to bypass security measures and commit fraud. The compromised accounts provide access to government-only services and can be used to send emails and impersonate officials, increasing the likelihood of successful phishing and social engineering attacks. The accounts are compromised through methods such as credential stuffing, infostealer malware, phishing, and social engineering. Once purchased, buyers receive full access to the inbox and associated services. This trend represents a shift in cybercriminal strategy, focusing on active accounts to enhance the credibility and effectiveness of their attacks.
Timeline
-
14.08.2025 23:09 1 articles · 1mo ago
Active Government and Law Enforcement Email Accounts Sold on Dark Web
Criminals are selling active government and law enforcement email accounts on the Dark Web. These accounts, from users in the US, UK, India, Brazil, and Germany, are being actively exploited to bypass security measures and commit fraud. The compromised accounts provide access to government-only services and can be used to send emails and impersonate officials, increasing the likelihood of successful phishing and social engineering attacks. The accounts are compromised through methods such as credential stuffing, infostealer malware, phishing, and social engineering. Once purchased, buyers receive full access to the inbox and associated services. This trend represents a shift in cybercriminal strategy, focusing on active accounts to enhance the credibility and effectiveness of their attacks.
Show sources
- Police & Government Email Access for Sale on Dark Web — www.darkreading.com — 14.08.2025 23:09
Information Snippets
-
Active government and law enforcement email accounts are being sold on the Dark Web.
First reported: 14.08.2025 23:091 source, 1 articleShow sources
- Police & Government Email Access for Sale on Dark Web — www.darkreading.com — 14.08.2025 23:09
-
The accounts are from users in the US, UK, India, Brazil, and Germany.
First reported: 14.08.2025 23:091 source, 1 articleShow sources
- Police & Government Email Access for Sale on Dark Web — www.darkreading.com — 14.08.2025 23:09
-
Compromised accounts provide access to government-only services and can be used to send emails and impersonate officials.
First reported: 14.08.2025 23:091 source, 1 articleShow sources
- Police & Government Email Access for Sale on Dark Web — www.darkreading.com — 14.08.2025 23:09
-
The accounts are compromised through credential stuffing, infostealer malware, phishing, and social engineering.
First reported: 14.08.2025 23:091 source, 1 articleShow sources
- Police & Government Email Access for Sale on Dark Web — www.darkreading.com — 14.08.2025 23:09
-
Buyers receive full access to the inbox and associated services upon purchase.
First reported: 14.08.2025 23:091 source, 1 articleShow sources
- Police & Government Email Access for Sale on Dark Web — www.darkreading.com — 14.08.2025 23:09
-
This trend represents a shift in cybercriminal strategy, focusing on active accounts to enhance the credibility and effectiveness of their attacks.
First reported: 14.08.2025 23:091 source, 1 articleShow sources
- Police & Government Email Access for Sale on Dark Web — www.darkreading.com — 14.08.2025 23:09
Similar Happenings
RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare
The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. The RaccoonO365 network operated as a phishing-as-a-service (PhaaS) toolkit, marketed to cybercriminals via a subscription model on a private Telegram channel. The group used legitimate tools like Cloudflare Turnstile and Workers scripts to protect their phishing pages, making detection more challenging. The mastermind behind RaccoonO365 is believed to be Joshua Ogundipe, who received over $100,000 in cryptocurrency payments. The group is also suspected to collaborate with Russian-speaking cybercriminals. Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration.
Increased Browser-Based Attacks Targeting Business Applications
Browser-based attacks targeting business applications have surged, exploiting modern work practices and decentralized internet apps. These attacks, including phishing, malicious OAuth integrations, and browser extensions, compromise business apps and data by targeting users. The attacks leverage various delivery channels and evasion techniques, making them difficult to detect and block. Phishing attacks have evolved to use non-email channels such as social media, instant messaging apps, and malicious search engine ads. These attacks often bypass traditional email security controls and are harder to detect. Attackers exploit the decentralized nature of modern work environments, targeting users across multiple apps and communication channels. Non-email phishing attacks can result in significant breaches, as seen in the 2023 Okta breach. The rise in these attacks highlights the need for enhanced browser security measures and better visibility into user activities within the browser.
Axios and Direct Send Abuse in Microsoft 365 Phishing Campaigns
Threat actors are exploiting HTTP client tools like Axios and Microsoft's Direct Send feature to create highly efficient phishing campaigns targeting Microsoft 365 environments. These attacks, which began in July 2025, initially targeted executives and managers in finance, healthcare, and manufacturing sectors, but have since expanded to all users. The campaigns use compensation-themed lures to trick recipients into revealing credentials and bypassing multi-factor authentication (MFA). The abuse of Axios has surged, accounting for 24.44% of all flagged user agent activity from June to August 2025. The attacks leverage Axios to intercept, modify, and replay HTTP requests, capturing session tokens or MFA codes in real-time. This method allows attackers to bypass traditional security defenses and conduct phishing operations at an unprecedented scale. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA has been discovered, which steals Microsoft login credentials and sidesteps MFA by simulating various authentication methods. Salty 2FA uses advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its phishing campaigns. It also abuses legitimate platforms to stage initial attacks and uses Cloudflare Turnstile for secure CAPTCHA replacement. Salty2FA campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. The campaigns target industries including finance, healthcare, government, logistics, energy, IT consulting, education, construction, telecom, chemicals, industrial manufacturing, real estate, and consulting.
Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data
The threat actor, tracked as UNC6395 by Google and GRUB1 by Cloudflare, exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and steal data from Salesforce customer instances. The campaign, active from August 8 to at least August 18, 2025, targeted over 700 organizations, including Workiva and Stellantis, and impacted all integrations connected to the Drift platform, not just Salesforce. The attackers exported large volumes of data, including credentials for AWS, passwords, and Snowflake access tokens. Zscaler, Palo Alto Networks, Cloudflare, and Workiva reported data breaches after threat actors accessed their Salesforce instances via compromised Salesloft Drift credentials, exposing customer information. The breach began with the compromise of Salesloft's GitHub account, accessed by UNC6395 from March to June 2025. The threat actor accessed multiple repositories, added a guest user, and established workflows. Reconnaissance activities occurred in the Salesloft and Drift application environments between March and June 2025. The attackers accessed Drift's AWS environment and obtained OAuth tokens for Drift customers' technology integrations. Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened it with improved segmentation controls. Salesloft recommends that all third-party applications integrated with Drift via API key revoke the existing key. Salesforce restored the integration with the Salesloft platform on September 7, 2025, except for the Drift app, which remains disabled. Salesloft and Salesforce have taken steps to mitigate the breach, including revoking tokens and removing the Drift application from AppExchange. The breach highlights the risks associated with third-party integrations and the potential for supply chain attacks. UNC6395 demonstrated operational discipline, querying and exporting data methodically, and attempting to cover their tracks by deleting query jobs. The targeted organizations included security and technology companies, suggesting a broader strategy to infiltrate vendors and service providers. The campaign is limited to Salesloft customers who integrate their own solutions with the Salesforce service. There is no evidence that the breaches directly impacted Google Cloud customers, though any of them that use Salesloft Drift should review their Salesforce objects for any Google Cloud Platform service account keys. The threat group ShinyHunters and Scattered Spider claimed responsibility for many of those attacks, and vishing attacks have been cited as the means of compromise. Google disclosed that UNC6040 breached one of its Salesforce instances using these tactics. The UNC6395 Salesloft Drift activity is separate from the vishing attacks attributed to UNC6040. Okta successfully defended against a potential breach by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric. Palo Alto Networks' Unit 42 advised organizations to conduct immediate log reviews for signs of compromise and rotate exposed credentials. Okta suggests reducing the blast radius of a single entity breach by constraining token use by IP and client and ensuring granular permissions for M2M integrations. The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations' Salesforce environments to steal data and extort victims. UNC6040 is a threat actor that specializes in voice phishing or vishing and recently was observed using social engineering to pose as IT support staff to get into Salesforce environments. UNC6395 is best known for using stolen OAuth tokens from Salesloft's Drift application, which has a Salesforce integration, to steal sensitive data from hundreds of Salesforce environments earlier this year. The FBI's latest advisory provides additional context into the technical aspects of the threat campaigns, particularly UNC6040's activity, which began last fall. The advisory also includes indicators of compromise, including IP addresses and URLs associated with the two campaigns.
PyPI implements expired domain checks to prevent account takeovers and supply chain attacks
The Python Package Index (PyPI) has implemented a new security measure to check for expired domains, blocking over 1,800 email addresses tied to expired domains since June 2025. This update targets domain resurrection attacks, where malicious actors exploit expired domains to gain unauthorized access to PyPI accounts. PyPI uses Domainr's Status API to determine a domain's lifecycle stage and mark email addresses as unverified, preventing password resets and other account recovery actions. Users are advised to enable two-factor authentication (2FA) and add a secondary verified email address from a notable domain to enhance security. Additionally, PyPI has warned of a new wave of phishing attacks using fake websites to steal user credentials, advising users to change passwords and use phishing-resistant 2FA methods.