

A new report out today from human behavior security company Abnormal AI Inc. details how cybercriminals are increasingly selling active law enforcement and government email accounts on dark web marketplaces, turning institutional trust into a low-cost commodity.
According to the report, cybercriminals are selling law enforcement and government email accounts for as little as $40 apiece. Access to the accounts gives attackers the credibility and authority of official government communications, allowing them to impersonate officials, send fraudulent subpoenas and access restricted systems.
Abnormal’s researchers say they have found compromised accounts from the U.S., U.K., Germany, India and Brazil in recent weeks, highlighting the global scale of the threat.
The accounts found for sale are not spoofed or dormant credentials but fully active accounts with legitimate histories, making them more likely to bypass both automated security filters and human skepticism. Abnormal identified three main compromise methods: credential stuffing using reused or weak passwords, infostealer malware that harvests saved logins from browsers and targeted phishing or social engineering attacks. Once obtained, the accounts are often sold via encrypted platforms like Telegram, with buyers receiving full SMTP, POP3 or IMAP credentials for immediate use.
The capabilities unlocked go well beyond sending convincing emails. Compromised accounts can potentially be used to issue fraudulent emergency data requests that companies may feel legally compelled to fulfill, access sensitive law enforcement-only portals, or exploit investigative tools to obtain personal data. In one example, attackers used a compromised account to access the X Legal Request Submission system, enabling account takedowns and private data retrieval. The U.S. Federal Bureau of Investigation has also previously reported a rise in fake data requests originating from hijacked police emails.
Threat actors were also found to have demonstrated access to sensitive investigative databases, license plate lookup dashboards and even social media investigative portals. Abnormal researchers warn that this moves the threat from simple impersonation into direct exploitation of privileged law enforcement capabilities, allowing attackers to compel disclosures, surveil targets and gather intelligence for further crime.
Because these attacks use legitimate government domains with valid authentication records, the messages can pass Sender Policy Framework and DomainKeys Identified Mail checks and evade rule-based secure email gateways, making them difficult to detect.
At a minimum, the researchers suggest the need for stronger credential hygiene, wider use of multifactor authentication and advanced anomaly detection.
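The point about SPF and DKIM and the call for anomaly detection can be seen side by side in the following added example, which is not from the Abnormal report: the authentication verdict is the same whoever holds the password, while a per-account login baseline separates the two. The header, login records, field layout and `MIN_HISTORY` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

LEGACY = {"smtp", "imap", "pop3"}  # protocols the article says buyers get credentials for
MIN_HISTORY = 3                    # assumed: logins required before the baseline is trusted

def auth_verdicts(header):
    """Extract spf/dkim results from an Authentication-Results header value."""
    return dict(re.findall(r"\b(spf|dkim)=(\w+)", header.lower()))

def flag_logins(events):
    """events: chronological (account, protocol, source_asn) tuples.
    Returns the events that deviate from the account's own history."""
    seen_asn, seen_proto = defaultdict(set), defaultdict(set)
    count = defaultdict(int)
    flagged = []
    for account, proto, asn in events:
        reasons = []
        if count[account] >= MIN_HISTORY:
            if asn not in seen_asn[account]:
                reasons.append("new-network")
            if proto in LEGACY and proto not in seen_proto[account]:
                reasons.append("new-legacy-protocol")
        if reasons:
            flagged.append((account, proto, asn, reasons))
        else:
            # Learn only from unflagged logins so an intruder cannot train the baseline.
            seen_asn[account].add(asn)
            seen_proto[account].add(proto)
        count[account] += 1
    return flagged

# Constructed sample data: example domain, ASNs from the documentation range (RFC 5398).
# A message sent with stolen credentials carries this same header as the owner's mail.
SAMPLE_HEADER = ("mx.example.net; spf=pass smtp.mailfrom=agency.example; "
                 "dkim=pass header.d=agency.example")
ACCT = "officer.a@agency.example"
EVENTS = [
    (ACCT, "webmail", 64496), (ACCT, "webmail", 64496),
    (ACCT, "imap", 64496), (ACCT, "webmail", 64496),
    (ACCT, "smtp", 64511),   # first SMTP login, from a network never seen before
    (ACCT, "imap", 64511),   # same unfamiliar network again
]

if __name__ == "__main__":
    print(auth_verdicts(SAMPLE_HEADER))
    for hit in flag_logins(EVENTS):
        print(hit)
```
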