• Compromised FBI.gov emails are being sold for as little as $40 through encrypted messaging channels
• Criminals use stolen government accounts to submit forged emergency data requests to tech companies
• Sellers offer full SMTP, POP3, or IMAP credentials for complete account control

Cybersecurity researchers have raised concerns over the sale of compromised FBI.gov and other government email accounts on the dark web, warning the activity could enable malware campaigns on a large scale.

A report from Abnormal AI claims these accounts are being offered through encrypted messaging services such as Telegram and Signal, with some priced as low as $40.

In some cases, sellers have offered bundles containing multiple US government accounts, including those with FBI.gov domains, which carry a high level of credibility.

Hackers offer full access and high credibility

The cost of these accounts is relatively small, but the potential impact is substantial because the accounts can be used to impersonate trusted authorities.

When purchased, typically with cryptocurrency, the buyer receives full SMTP, POP3, or IMAP credentials. This level of access allows control of the account through any email client, including sending messages, attaching malicious files, and accessing online platforms that require government verification. Where an agency still permits legacy (basic) authentication, these protocols accept a username and password with no MFA prompt, so the credentials alone are enough to log in.

Some ads encourage buyers to submit fraudulent emergency data requests.

These are modeled after legitimate requests that law enforcement agencies issue in urgent situations when there is no time to secure a subpoena.

Technology companies and telecom providers are accustomed to responding quickly to requests that appear valid, meaning forged ones can lead to the disclosure of sensitive data such as IP addresses, email addresses, and phone numbers. Because such a request arrives from a genuine agency mailbox, checking the sender's domain proves nothing; the only reliable check is to confirm the request out of band through a contact number or portal the provider already holds for that agency.

Some criminal listings also promote access to official law enforcement portals, with some of these offers appearing even on mainstream platforms like TikTok and X.

Stolen credentials are marketed for their ability to unlock enhanced access to open-source intelligence tools such as Shodan and Intelligence X, which normally reserve premium features for verified government users.

The methods used to obtain these accounts are often straightforward but effective.

One major approach is credential stuffing, where attackers exploit password reuse across multiple platforms.

Another method involves infostealer malware, which is software designed to extract saved login credentials from browsers and email clients.

Targeted phishing and social engineering attacks are also common: attackers craft deceptive emails or messages that trick government employees into revealing login details or clicking on malicious links.

Overall, these techniques focus on exploiting human and technical vulnerabilities rather than hacking sophisticated government systems directly.
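The two patterns described above, credential stuffing against the mail server and the use of password-only IMAP/POP3/SMTP logins once a credential works, both leave traces in mail-server authentication logs. The following detection logic is an added example written for this article; it is not code from Abnormal AI or from the report. The log format, the thresholds (five distinct accounts failing from one source within ten minutes), the example.gov accounts and the RFC 5737 addresses are all constructed for illustration.

```python
"""
Added example: detection of credential stuffing and of first-seen legacy-protocol
logins in mail-server authentication logs (constructed data, not from the report).

Assumed log format (not from the page):
  <iso-timestamp> proto=<imap|pop3|smtp|webmail> user=<addr> src=<ip> result=<ok|fail>
"""
import re
from collections import defaultdict
from datetime import datetime

# Password-only protocols that bypass the webmail MFA prompt when basic auth is enabled
LEGACY_PROTOS = {"imap", "pop3", "smtp"}
STUFFING_MIN_USERS = 5     # distinct accounts failed from one source (assumed threshold)
STUFFING_WINDOW_SEC = 600  # within this many seconds (assumed threshold)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: a stuffing run from 198.51.100.7 that lands on f.field's mailbox,
# followed by IMAP and SMTP use of that mailbox from the attacker's address.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z proto=webmail user=a.analyst@example.gov src=203.0.113.10 result=ok
2024-05-01T09:05:00Z proto=imap user=a.analyst@example.gov src=203.0.113.10 result=ok
2024-05-01T10:00:01Z proto=imap user=a.analyst@example.gov src=198.51.100.7 result=fail
2024-05-01T10:00:02Z proto=imap user=b.agent@example.gov src=198.51.100.7 result=fail
2024-05-01T10:00:03Z proto=imap user=c.clerk@example.gov src=198.51.100.7 result=fail
2024-05-01T10:00:04Z proto=imap user=d.desk@example.gov src=198.51.100.7 result=fail
2024-05-01T10:00:05Z proto=imap user=e.officer@example.gov src=198.51.100.7 result=fail
2024-05-01T10:00:06Z proto=imap user=f.field@example.gov src=198.51.100.7 result=ok
2024-05-01T11:30:00Z proto=smtp user=f.field@example.gov src=198.51.100.7 result=ok
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def detect_credential_stuffing(events):
    """Map src IP -> sorted distinct users for sources whose failures hit at least
    STUFFING_MIN_USERS different accounts inside a STUFFING_WINDOW_SEC sliding window.
    Counting distinct accounts (not failures) separates stuffing from brute force on one user."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            fails[e["src"]].append((e["ts"], e["user"]))
    hits = {}
    for src, items in fails.items():
        items.sort()
        lo = 0
        for hi in range(len(items)):
            while (items[hi][0] - items[lo][0]).total_seconds() > STUFFING_WINDOW_SEC:
                lo += 1
            users = {u for _, u in items[lo:hi + 1]}
            if len(users) >= STUFFING_MIN_USERS:
                hits[src] = sorted(users)
                break
    return hits


def detect_new_legacy_logins(events):
    """List (user, proto, src) for successful IMAP/POP3/SMTP logins from a source IP
    that has no earlier successful login for that user (a new, MFA-less client)."""
    seen = defaultdict(set)  # user -> source IPs with a prior successful login
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["result"] != "ok":
            continue
        if e["proto"] in LEGACY_PROTOS and e["src"] not in seen[e["user"]]:
            alerts.append((e["user"], e["proto"], e["src"]))
        seen[e["user"]].add(e["src"])
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing sources:", detect_credential_stuffing(evs))
    print("new legacy-protocol logins:", detect_new_legacy_logins(evs))
```

On the sample, the stuffing detector reports 198.51.100.7 because it failed against five different accounts in five seconds, and the legacy-login detector raises only f.field's first IMAP login from that address; a.analyst's IMAP login is not flagged because the same source already had a successful webmail login for that user. In production the "seen" baseline would come from a longer history than a single log excerpt.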

That said, emails sent from a compromised .gov or police-agency mailbox travel through the agency's own mail servers, so they pass the SPF, DKIM and DMARC checks and the domain-reputation filters that catch spoofed lookalike senders, and recipients are more likely to open attachments or click on embedded links.

This advantage increases the success rate of phishing attempts and malware delivery.

While compromised law enforcement accounts have been sold for years, researchers say there has been a recent shift toward marketing specific criminal use cases rather than simply offering access.

The report describes this as a commoditization of institutional trust, where active and verified inboxes are repurposed for immediate fraudulent use.

By admin