For $40, you can buy stolen police and government email accounts
One of the key signals that helps users tell genuine messages from phishing attempts, especially over email, is whether a message comes from a real government account or from a malicious imitation. Generally, if an email comes from a legitimate government account, most people treat it as genuine. Unfortunately, that assumption may not hold in the future. Recent research from cloud network researchers Abnormal AI has uncovered a widespread trade in compromised law enforcement and government accounts being sold on the dark web. These are active, trusted inboxes available for immediate use. More shocking is the extremely low barrier to entry: many of these accounts are offered for as little as 40 USD each. One listing, for example, included a full data dump of multiple US government accounts, including an FBI email address, with the statement “I don’t really care what price just throw some offers,” indicating how cheaply these addresses can be acquired.
How are these accounts obtained? Generally, they come from one of three sources. The most common is probably credential stuffing. As usual on the internet, the biggest threat to security is password reuse: it is not difficult for a threat actor holding a list of passwords leaked from another database to set up an automated credential-testing tool that tries those passwords against government email addresses. Another method is bulk collection of credentials from infostealers. These programs capture large log files full of credentials, which are offered wholesale on the dark web; a threat actor can purchase and test them to locate working accounts. The last main method is more targeted spear phishing, but that is less likely to be used for bulk acquisition.
As part of the recent surge in activity, some buyers have been actively suggesting use cases for their compromised accounts, including submitting fraudulent subpoenas. Some have even suggested these addresses could be used to access law enforcement portals in order to retrieve data from social media. These attacks are more than just dangerous: they commoditize institutional trust. Possession of an active .police or .gov account means more than the ability to send convincing emails: it grants the ability to operate within systems that hold a wealth of sensitive personal and investigative data. When these tools are in the hands of threat actors, the potential for abuse is vast. Threat actors can compel disclosure of sensitive records, surveil individuals, and leverage private information to fuel further cybercrime.
The solution to this problem is not clear, but it is likely to involve behavioral analysis. Holders of trusted credentials should be required to use multifactor authentication to blunt compromise attempts, and the security personnel who monitor those credentials should use behavioral analysis tools to identify when the credentials may have been compromised.
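The two detection signals a defender would want for the credential-stuffing scenario described above, and the behavioral monitoring the article recommends, can be illustrated with a small log-analysis script. The following is an added example, not code from the article or from Abnormal AI. The log line format (`timestamp ip=… user=… result=…`), the thresholds, and the sample entries are all constructed assumptions for illustration; a real deployment would read from the identity provider's sign-in logs.

```python
"""Credential-stuffing and suspicious-login detection over constructed auth logs.

Added example; the log format, thresholds and sample data below are assumptions
for illustration, not a real product's log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format): timestamp, source IP, username, outcome.
# 203.0.113.5 sprays one password across many accounts; 198.51.100.7 is a user's usual address.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z ip=198.51.100.7 user=alice@agency.example result=OK
2024-05-01T09:05:10Z ip=198.51.100.7 user=alice@agency.example result=OK
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice@agency.example result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob@agency.example result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=carol@agency.example result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.5 user=dave@agency.example result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.5 user=erin@agency.example result=FAIL
2024-05-01T10:00:06Z ip=203.0.113.5 user=frank@agency.example result=OK
2024-05-01T10:00:07Z ip=203.0.113.5 user=alice@agency.example result=OK
2024-05-01T11:30:00Z ip=198.51.100.7 user=bob@agency.example result=FAIL
2024-05-01T11:30:30Z ip=198.51.100.7 user=bob@agency.example result=OK
"""


def parse_line(line):
    """Parse one 'ts key=value ...' line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_stuffing(records, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct usernames within a short window, mostly failing.

    A sliding window per source IP catches the 'one password, many accounts' pattern;
    the failure ratio separates it from a busy NAT gateway where most logins succeed.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            users = {r["user"] for r in win}
            fails = sum(r["result"] == "FAIL" for r in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(win), "failures": fails}
                break  # one alert per source is enough; stop at the first qualifying window
    return flagged


def suspicious_successes(records, stuffing_ips):
    """Return successful logins that warrant review, with the reasons.

    'stuffing_source': the login came from an IP flagged by detect_stuffing.
    'new_source_for_user': the user had earlier successes in this log, none from this IP
    (a minimal behavioral baseline; a real system would use a longer history).
    """
    seen = defaultdict(set)  # user -> IPs with a prior successful login
    alerts = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["result"] != "OK":
            continue
        reasons = []
        if r["ip"] in stuffing_ips:
            reasons.append("stuffing_source")
        if seen[r["user"]] and r["ip"] not in seen[r["user"]]:
            reasons.append("new_source_for_user")
        seen[r["user"]].add(r["ip"])
        if reasons:
            alerts.append((r["user"], r["ip"], reasons))
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    stuffing = detect_stuffing(recs)
    for ip, stats in stuffing.items():
        print(f"credential stuffing from {ip}: {stats}")
    for user, ip, reasons in suspicious_successes(recs, stuffing):
        print(f"review login for {user} from {ip}: {', '.join(reasons)}")
```

On the sample data the spraying address is flagged after five distinct usernames fail within the window, and the two successful logins it produced (one for a user who has a prior baseline from a different address, one without a baseline) are surfaced for review with different reasons. Both thresholds are starting points: tune the window and ratio against your own sign-in volume, and treat the `new_source_for_user` signal as a lower-confidence indicator that an MFA prompt or step-up check, rather than an immediate lockout, should answer.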