Hackers Are Selling Hacked Police Emails to Try to Grab Personal Data From TikTok, Facebook

“Howdy Joseph,” read the email that a journalist named Joseph received from Zdravko Krivokapić, who was the Prime Minister of Montenegro until last year.

Obviously, this wasn’t actually Krivokapić emailing him. Instead, it was a hacker who had gained access to what seemed to be Krivokapić’s personal Gmail account. The hacker proceeded to send him a mass of alleged documents from the government of Montenegro, including some related to the country’s Ministry of Finance. Alongside those, the hacker also sent photos of cash, flashy watches, and weapons, which appear to be from the hacker’s own collection and not the former Prime Minister’s.

Beyond wanting to flex their access to Krivokapić’s account, the hacker said they might use the compromised email to then target other services, using the former Prime Minister’s identity as a cover. It’s unclear how successful that attempt may have been, but the brazenness of emailing a journalist from an official’s email account did highlight something gaining popularity in the digital underground. Hackers are compromising the email accounts of government and law enforcement officials, selling them on the open market, and in some cases using that access to trick social media giants and other legitimate companies into handing over their customers' data. Desired targets include TikTok, Discord, Snapchat, Facebook, and Instagram. The groups where these email accounts are often advertised include criminals who use personal information to target people for harassment, extortion, or physical violence.

The hacker’s initial email to him ended with “LOL.”

Cybercriminals sell access to these compromised government accounts across a variety of forums and group chats, especially on the messaging app Telegram. One person who is a reputable seller of personal information on Telegram also claims to be selling such email accounts. One screenshot they shared on Telegram shows an inbox allegedly belonging to a Brazilian municipality; the seller said they are offering accounts for $400 each. In another post and accompanying screenshot, they claimed to have access to an FBI email account.

A second apparent seller wrote in one popular Telegram group they are “SELLING INDIAN GOV MAILS, $100 A PIECE, CAN ACCESS FB LAW PANEL/EDR IG/FB ACCS.” The post adds they are selling “other third world gov mails” for $50 each.

Other messages advertise emails belonging to the governments of Thailand, the UK, Germany, Bangladesh, and Nepal.

Many of the adverts explicitly say that buyers can use these email accounts to then make Emergency Data Requests, or EDRs. EDRs are a common mechanism across social media and tech companies designed to provide user data to law enforcement in high-stakes situations. This, for example, might include a child kidnapping, where authorities may need data quickly in an attempt to apprehend a suspect or locate a victim.

One Telegram group where government emails are being explicitly advertised as a way to gain access to sensitive user data is focused on physical violence against targets. Here, members can hire one another to perform shootings, stabbings, robberies, and more.

Companies each have their own way of handling EDRs, be that a locked-off web portal or a dedicated department to contact. But they typically require anyone requesting data to contact the company from an official government or law enforcement agency email address.

That’s why these compromised accounts are so valuable to criminals. They allow hackers to tap into a stream of data that is usually off limits, simply by pretending to be a law enforcement officer. In March last year cybersecurity reporter Brian Krebs reported on the rise of fraudulent EDRs among cybercriminals and pointed to a specific case involving Discord. A day later, Bloomberg reported that Apple and Meta had given up user data in response to such demands.

In more recent Telegram messages, the criminals specifically discuss the ability to make fraudulent EDRs with TikTok, Instagram, Facebook, and GoDaddy. Others have shown interest in targeting Discord and Snapchat.

Meta said that it blocks known compromised accounts from making requests to its dedicated Law Enforcement Response Team (LERT).

TikTok confirmed that it more commonly sees fraudulent requests from people impersonating law enforcement agencies in foreign countries. TikTok said it has successfully blocked some fraudulent requests, but declined to say whether any have managed to get through. TikTok added it has additional safeguards in place to vet EDRs and tools to protect those requests.
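The safeguards described above boil down to a few intake checks: the request must arrive from an official agency domain rather than a personal or consumer mailbox, accounts already reported as compromised are refused outright, and urgency language in the message never substitutes for confirming the request with the agency through a channel the company already holds on file. The following is an added illustration of that triage logic; it is not code from Meta, TikTok, Discord or any other company named in the article, and every domain, address and sample request in it is constructed for the demonstration.

```python
"""Added illustrative example: intake triage for an Emergency Data Request (EDR).

Not the code of any company mentioned in the article. It models the checks the
article describes: the sender must be on an official government or law
enforcement domain, known-compromised accounts are refused, and a request that
passes still goes to out-of-band confirmation with the agency before any data
is released. All domains, addresses and requests below are constructed.
"""
from dataclasses import dataclass, field
import re

# Constructed allowlist of official agency domains (hypothetical agencies).
OFFICIAL_DOMAINS = {"police.example.gov", "sheriff.example.us", "gov.example"}

# Constructed list of agency accounts already reported as compromised.
KNOWN_COMPROMISED = {"detective.doe@police.example.gov"}

# Consumer mail providers: a personal mailbox is never an agency address,
# which is exactly the case of the compromised personal Gmail in the story.
CONSUMER_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}

# Words that should raise scrutiny rather than speed the request along.
URGENCY = re.compile(r"\b(urgent|immediately|life)\b", re.IGNORECASE)


@dataclass
class EdrRequest:
    sender: str
    subject: str
    body: str


@dataclass
class TriageResult:
    # "reject", "manual_review" or "proceed_with_callback"
    decision: str
    reasons: list = field(default_factory=list)


def sender_domain(address: str) -> str:
    """Return the lower-cased domain of an address; ValueError if malformed."""
    match = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip().lower())
    if match is None:
        raise ValueError(f"not an email address: {address!r}")
    return match.group(1)


def is_official_domain(domain: str) -> bool:
    """True if the domain is an allowlisted agency domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)


def triage(req: EdrRequest) -> TriageResult:
    """Decide how an inbound EDR should be handled before anyone looks at it."""
    try:
        domain = sender_domain(req.sender)
    except ValueError:
        return TriageResult("reject", ["unparseable sender address"])

    address = req.sender.strip().lower()
    if address in KNOWN_COMPROMISED:
        return TriageResult("reject", ["sender is on the known-compromised account list"])
    if domain in CONSUMER_MAIL:
        return TriageResult("reject", ["sender uses a consumer mail provider, not an agency domain"])
    if not is_official_domain(domain):
        return TriageResult("manual_review", [f"domain {domain} is not on the official-domain allowlist"])

    reasons = []
    if URGENCY.search(req.body):
        reasons.append("urgency language present; confirm with the agency via the phone "
                       "number on file, never via contact details in the email itself")
    reasons.append("passed domain check; confirm the request with the agency through "
                   "an independent channel before releasing any data")
    return TriageResult("proceed_with_callback", reasons)


if __name__ == "__main__":
    # Constructed sample traffic, including the personal-Gmail case from the article.
    samples = [
        EdrRequest("pm.office@gmail.com", "EDR", "Urgent, send subscriber records immediately"),
        EdrRequest("detective.doe@police.example.gov", "EDR", "Need IP logs"),
        EdrRequest("officer@ministry.example.net", "EDR", "Need IP logs"),
        EdrRequest("Officer.Smith@cyber.police.example.gov", "EDR", "Life at risk, send immediately"),
    ]
    for s in samples:
        result = triage(s)
        print(f"{s.sender:45} -> {result.decision}: {'; '.join(result.reasons)}")
```

The important design choice is that an allowlisted domain only earns the request a callback, never a release: a mailbox on the right domain can still be the compromised one the sellers are advertising, so the final gate is a confirmation through contact details the company already holds, not anything supplied in the email.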

A Discord spokesperson said in a statement that “Like any company, we are obligated to comply with law enforcement requests. To ensure the legitimacy of requests from law enforcement, we follow thorough guidelines to carefully evaluate them and ensure they come from a genuine source and that they are not overly broad or vague.”

Snapchat and GoDaddy did not respond to a request for comment.

Krivokapić, the former Prime Minister of Montenegro who a hacker appeared to have targeted, did not respond to multiple requests for comment.