
Active Law Enforcement & Government Email Accounts Sold on Dark Web

📰 1 unique source, 1 article

Summary


Active law enforcement and government email accounts from the US, UK, India, Brazil, and Germany are being sold on the Dark Web for as little as $40 per account. Cybercriminals obtain these accounts through various methods, including credential stuffing, infostealer malware, phishing, and social engineering. The accounts provide full access to inboxes and government-only services, enabling fraudulent activity while evading technical defenses. Their sale represents a shift in strategy: sellers now actively market specific use cases, such as submitting fraudulent subpoenas or bypassing verification procedures at social platforms and cloud providers. The accounts are sold via encrypted messaging platforms like Telegram or Signal, with buyers receiving SMTP, POP3, and IMAP credentials.

Timeline

  1. 14.08.2025 23:09 📰 1 article

    Active Law Enforcement & Government Email Accounts Sold on Dark Web

Information Snippets

  • Active law enforcement and government email accounts from multiple countries are being sold on the Dark Web.
  • The accounts are compromised using methods such as credential stuffing, infostealer malware, phishing, and social engineering.
  • Purchased accounts provide full access to inboxes and government-only services.
  • Cybercriminals are marketing specific use cases for these accounts, such as submitting fraudulent subpoenas.
  • The accounts are sold on encrypted messaging platforms like Telegram or Signal.
  • Buyers receive SMTP, POP3, and IMAP credentials upon purchase.

  All snippets first reported 14.08.2025 23:09 (1 source, 1 article).

Similar Happenings

Increased browser targeting by threat actors

Threat actors are increasingly targeting web browsers as a primary attack vector. This shift is driven by the browser's central role in accessing sensitive data and cloud applications, which makes it an attractive target for credential theft and session hijacking. High-profile incidents such as the Snowflake breach, which exploited stolen credentials, underscore the risks of browser-based attacks and the need for stronger browser security measures. Browser-based attacks include phishing for credentials and sessions, malicious copy & paste (ClickFix), malicious OAuth integrations, malicious browser extensions, malicious file delivery, and exploiting stolen credentials and MFA gaps. Because these attacks exploit the browser's role in accessing business applications and data, experts emphasize that security teams need to focus on browser security.

Salesloft Disables Drift Following OAuth Token Theft

Salesloft has taken Drift offline due to a security incident involving the theft of OAuth tokens and unauthorized access to Salesforce data. The breach began with the compromise of Salesloft's GitHub account and affected multiple major tech companies, including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, Zscaler, Qualys, Rubrik, BeyondTrust, CyberArk, Elastic, Dynatrace, Cato Networks, and BugCrowd. The incident was attributed to a threat cluster tracked as UNC6395 and GRUB1. The breach occurred on September 5, 2025, affecting the marketing software-as-a-service product Drift. The attackers exploited vulnerabilities to steal authentication tokens, leading to unauthorized access to sensitive data. Salesloft has temporarily disabled Drift to conduct a comprehensive review and enhance security measures. The ShinyHunters extortion gang and threat actors claiming to be Scattered Spider were involved in the Salesloft Drift attacks, in addition to the previous Salesforce data theft attacks. The threat actors primarily focused on stealing support cases from Salesforce instances, which were then used to harvest credentials, authentication tokens, and other secrets shared in the support tickets. Their primary objective was to steal credentials, specifically sensitive information such as AWS access keys, passwords, and Snowflake-related access tokens. The number of impacted companies has been updated to 29. Cloudflare disclosed that some customer support cases stored in Salesforce included configuration settings and 104 Cloudflare API tokens. Salesforce restored integration with the Salesloft platform, except for the Drift app, which remains disabled until further notice. The breach also affected Qantas, where executives had their short-term compensation reduced by 15% due to a data breach that impacted approximately 5.7 million passengers.

GhostRedirector Campaign Targets Windows Servers with Rungan and Gamshen

A threat cluster named GhostRedirector has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam. The attacks deployed a passive C++ backdoor called Rungan and an IIS module named Gamshen. The threat actor has been active since at least August 2024. The primary goal of the attacks is to manipulate search engine results to boost the ranking of specific websites, including gambling sites. The campaign targets various sectors, including education, healthcare, insurance, transportation, technology, and retail. Initial access is gained through an SQL injection vulnerability, followed by the use of PowerShell to deliver additional tools. The threat actor is assessed with medium confidence to be China-aligned.

Malicious link spreading via Grok AI on X

Threat actors are exploiting X's Grok AI to bypass link posting restrictions and spread malicious links. They hide links in the 'From:' metadata field of video ads, which Grok then reveals when queried, boosting the links' credibility and reach. This technique, dubbed 'Grokking,' leads users to various scams and malware. The abuse leverages Grok's trusted status on X, amplifying the reach of malicious ads to millions of users. Potential solutions include scanning all fields, blocking hidden links, and enhancing Grok's context sanitization to filter and check links against blocklists. The technique involves using adult content as bait to attract users. The links direct users to sketchy ad networks, pushing fake CAPTCHA scams, information-stealing malware, and other suspicious content. The domains are part of the same Traffic Distribution System (TDS). Hundreds of accounts have been engaging in this behavior over the past few days, posting non-stop until they get suspended. Grok's internal security mechanisms are less robust compared to its competitors, making it vulnerable to prompt injection attempts. X's Grok 4 model lacks fine-tuning for security and safety, prioritizing performance over security.

TamperedChef Malware Campaign Targets Users via Fake PDF Editors

A cybercrime campaign using malvertising to distribute a new information stealer called TamperedChef has been discovered. The malware is disguised as a fake PDF editor, AppSuite PDF Editor, and is designed to steal sensitive data, including credentials and web cookies. The campaign began on June 26, 2025, with malicious capabilities activated on August 21, 2025. The malware operates as a backdoor, supporting various features for data exfiltration and system manipulation. The campaign involves multiple fraudulent websites promoting the PDF editor, which, once installed, makes covert requests to an external server to drop the PDF editor program and set up persistence on the host. The malware gathers information about installed security products and attempts to terminate web browsers to access sensitive data. The campaign includes more than 50 domains and apps signed with fraudulent certificates from at least four companies. The threat actor has been active since at least August 2024, promoting other tools like OneStart and Epibrowser, which can turn hosts into residential proxies.