Active Law Enforcement and Government Email Accounts Sold on Dark Web
Summary
Active law enforcement and government email accounts are being sold on the dark web for as low as $40 per account. These accounts, originating from the US, UK, India, Brazil, and Germany, are being used by cybercriminals to exploit institutional trust. The compromised accounts provide access to government-only services and can be used for various malicious activities, including sending fraudulent subpoenas and bypassing verification procedures. The accounts are compromised through methods such as credential stuffing, infostealer malware, phishing, and social engineering. Once purchased, buyers receive SMTP, POP3, and IMAP credentials, allowing them full access to the inboxes and the ability to send emails and use government services.
Timeline
- 14.08.2025 23:09 (1 article)
Active Law Enforcement and Government Email Accounts Sold on Dark Web
Cybercriminals are selling active law enforcement and government email accounts on the dark web for as low as $40 per account. These accounts, originating from the US, UK, India, Brazil, and Germany, are being used to exploit institutional trust and access government-only services. The accounts are compromised through methods such as credential stuffing, infostealer malware, phishing, and social engineering. Buyers receive SMTP, POP3, and IMAP credentials, allowing them full access to the inboxes and the ability to send emails and use government services.
Source: Police & Government Email Access for Sale on Dark Web, www.darkreading.com, 14.08.2025 23:09
Information Snippets
- Active law enforcement and government email accounts are being sold on the dark web.
- The accounts are from the US, UK, India, Brazil, and Germany.
- The accounts are compromised through credential stuffing, infostealer malware, phishing, and social engineering.
- Buyers receive SMTP, POP3, and IMAP credentials, allowing full access to the inboxes.
- The compromised accounts can be used to send fraudulent subpoenas and bypass verification procedures.
- Cybercriminals are actively marketing specific use cases for the compromised accounts.

All snippets first reported 14.08.2025 23:09 (1 source, 1 article). Source: Police & Government Email Access for Sale on Dark Web, www.darkreading.com, 14.08.2025 23:09
Similar Happenings
Axios Abuse and Salty 2FA Kits in Microsoft 365 Phishing Campaigns
Threat actors are leveraging HTTP client tools like Axios and Microsoft's Direct Send feature to execute advanced phishing campaigns targeting Microsoft 365 environments. These campaigns have demonstrated a 70% success rate, bypassing traditional security defenses and exploiting authentication workflows. The attacks began in July 2025 and have targeted executives and managers in various sectors, including finance, healthcare, and manufacturing. The phishing campaigns use compensation-themed lures to trick recipients into opening malicious PDFs containing QR codes that direct users to fake login pages. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA is being used to steal Microsoft login credentials and bypass multi-factor authentication (MFA). The Salty 2FA kit includes advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its effectiveness and evade detection. Salty 2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March-April 2025. The campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. Salty 2FA targets industries including finance, energy, telecom, healthcare, government, logistics, IT consulting, education, construction, chemicals, industrial manufacturing, real estate, consulting, metallurgy, and more.
Iranian Homeland Justice Group Targets Global Embassies in Phishing Campaign
An Iranian-aligned group, Homeland Justice, has conducted a coordinated, multi-wave spear-phishing campaign targeting embassies and consulates in Europe and other regions. The campaign involves sending spear-phishing emails disguised as legitimate diplomatic communications to deploy malware. The phishing emails exploit geopolitical tensions and use compromised email accounts to send malicious Microsoft Word documents. The malware establishes persistence, contacts a command-and-control server, and harvests system information. The campaign is part of a broader regional espionage effort aimed at diplomatic and governmental entities during a time of heightened geopolitical tension. The campaign began on August 19, 2025, and targeted around four dozen embassies, consulates, and government ministries globally, as well as various international organizations. The campaign is assessed to have concluded shortly after it began, with the attackers' command-and-control infrastructure appearing inactive.
Salesloft OAuth breach exposes Salesforce customer data via Drift AI chat agent
A threat actor, UNC6395, exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and access customer data across multiple integrations, including Salesforce, Google Workspace, and others. The breach occurred between August 8 and 18, 2025, affecting over 700 organizations, including Zscaler, Palo Alto Networks, Cloudflare, Google Workspace, PagerDuty, Proofpoint, SpyCloud, and Tanium. The attackers targeted Salesforce instances and accessed email from a small number of Google Workspace accounts, exporting large volumes of data, including credentials and access tokens. Salesloft and Salesforce have taken steps to mitigate the breach and are advising affected customers to revoke API keys and rotate credentials. Salesloft will temporarily take Drift offline to enhance security. UNC6395 demonstrated operational security awareness by deleting query jobs, indicating a sophisticated approach. The breach highlights the risks of third-party integrations and the potential for supply chain attacks. The breach is unrelated to previous vishing attacks attributed to ShinyHunters. UNC6395 systematically exported large volumes of data from numerous corporate Salesforce instances, searching for secrets that could be used to compromise victim environments. The campaign is not limited to Salesforce customers who integrate their own solutions with the Salesforce service; it impacts all integrations using Salesloft Drift. There is no evidence that the breaches directly impacted Google Cloud customers. Organizations are urged to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access. The blast radius of the Salesloft Drift attacks remains uncertain, with the ultimate scope and severity still unclear. 
Numerous companies have disclosed downstream breaches resulting from this campaign, including Zscaler, Palo Alto Networks, Proofpoint, Cloudflare, and Tenable. Zscaler and Palo Alto Networks warned of potential social engineering attacks resulting from the campaign. Cloudflare confirmed that some customer support interactions may reveal information about a customer's configuration and could contain sensitive information like access tokens. Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications. Palo Alto Networks' Unit 42 recommends conducting an immediate log review for signs of compromise and rotating exposed credentials. The breach started with the compromise of Salesloft's GitHub account between March and June 2025. UNC6395 accessed the Salesloft GitHub account and downloaded content from multiple repositories, added a guest user, and established workflows. Reconnaissance activities occurred between March 2025 and June 2025 in the Salesloft and Drift application environments. Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened the environment with improved segmentation controls between the Salesloft and Drift applications. Salesforce restored the integration with the Salesloft platform on September 7, 2025, but Drift remains disabled. Twenty-two companies have confirmed they were impacted by the supply chain breach. ShinyHunters and Scattered Spider were also involved in the Salesloft Drift attacks.
Data breach at Auchan exposes sensitive information of hundreds of thousands of customers
French retailer Auchan experienced a cyberattack that exposed sensitive personal data of several hundred thousand customers. The compromised data includes full names, titles, postal addresses, email addresses, phone numbers, and loyalty card numbers. The breach did not affect bank data, passwords, or PIN numbers. The company has notified affected customers and the French Data Protection Authority (CNIL). Auchan has advised customers to be vigilant against potential phishing attacks using the stolen information. The incident follows similar breaches at other large French entities, but no evidence links these attacks to a coordinated campaign. This is the second data breach that Auchan has disclosed over the past year. The company sent the same notification to its customers in November 2024.
Cybercriminals exploit Lovable vibe coding service for malicious site creation
Cybercriminals have been exploiting the Lovable vibe coding service to create malicious websites for phishing attacks, crypto scams, and other threats. Lovable, a Stockholm-based startup, launched its AI-powered platform in late 2024 to help users build applications and websites. Since then, tens of thousands of Lovable URLs have been detected in malicious activities, including phishing kits, malware distribution, and credential harvesting. The abuse of Lovable highlights the growing trend of threat actors leveraging AI tools to enhance their attacks. Lovable has implemented new security protections, including Security Checker 2.0, an AI-powered platform safety program, and real-time detection of malicious site creation. Despite these measures, cybercriminals continue to find ways to abuse the platform.