
The Dark Web Economy for Compromised Government and Police Email Accounts

Cybercriminals are selling active .gov and .police accounts, enabling identity takeover, fraudulent subpoenas, and access to sensitive law enforcement systems.

Abnormal AI

August 14, 2025

Threat actors are selling active law enforcement and government email accounts on underground forums, turning institutional trust into a commodity available for as little as $40 per account.

In recent weeks, Abnormal researchers have uncovered cybercriminals selling access to law enforcement and government email accounts from the US, UK, India, Brazil, and Germany on underground forums. Unlike dormant or spoofed accounts, these are active, trusted inboxes that attackers have compromised for immediate malicious use.

The ability to convincingly impersonate government officials and law enforcement officers, send fraudulent legal requests, and steal sensitive data is troubling enough. But what makes this especially concerning is that compromised government accounts unlock capabilities that exist almost nowhere else in the digital ecosystem.

How Attackers Compromise Government Email Accounts

The low market price of these accounts reflects the frequency with which government login details are being stolen or hacked. To compromise these accounts, cybercriminals employ a variety of simple but effective methods.

Credential Stuffing and Exploiting Password Reuse

Government employees who reuse passwords or select weak credentials create opportunities for credential stuffing attacks. With billions of stolen passwords from past breaches circulating online, attackers systematically test government email addresses against leaked password databases. Further, many .gov email accounts continue sharing passwords with previously breached accounts, making them prime targets for automated credential testing.

Infostealer Malware

Infostealer malware harvests saved login credentials from browsers and mail clients. When police officers' or government employees' devices become infected, their email credentials are captured and sold in bulk log files on dark web markets. Attackers can purchase these logs wholesale for as little as $5, then test which government emails are still active—potentially converting a minimal investment into a fully functional police email account.

Targeted Phishing and Social Engineering

Some attackers go straight to the source and phish law enforcement and government employees. Well-crafted spear-phishing emails (perhaps masquerading as IT support or a trusted colleague) can trick officials into entering their webmail password on a fake portal. Without two-factor authentication enabled, a single stolen password hands attackers the keys to the inbox.

A Marketplace for Government Access

These accounts are typically sold via encrypted messaging platforms like Telegram or Signal. Once purchased—usually with cryptocurrency—buyers receive complete SMTP/POP3/IMAP credentials, giving them full control over the inbox through any email client. This allows threat actors to immediately begin sending emails or taking advantage of government-only services.

While law enforcement accounts have been quietly sold on the dark web for years, this latest surge marks a shift in strategy. Cybercriminals are no longer just reselling access; they’re actively marketing specific use cases, such as submitting fraudulent subpoenas or bypassing verification procedures for social platforms and cloud providers. This commoditization of institutional trust has broadened the appeal of these accounts and lowered the barrier to entry for impersonation-based attacks.

One listing, for example, offered a bundle of US government email accounts for sale, including an FBI.gov address, along with the owner's personal details, marketed as affordable to attract buyers.

[Image: Compromised Police Government Accounts FBI Ad]

Notably, this trend isn’t limited to U.S. entities. Researchers have identified compromised law enforcement accounts for sale from the UK, Germany, India, and Brazil—underscoring the global scale of this threat.

[Image: Compromised Police Government Accounts Global Ad]

The Power of Institutional Trust for Sale

While stolen private sector credentials are undoubtedly a serious risk, emails sent from .gov and .police addresses are among the most likely to evade technical defenses while raising little suspicion. Targets are more likely to open attachments, click links, or follow instructions when the sender appears to be a trusted law enforcement agency.

However, this built-in authority is just the beginning. Dark web marketing materials reveal that threat actors view these accounts as comprehensive criminal toolkits, advertising capabilities far beyond simple email impersonation. Underground forum listings systematically promote the full spectrum of malicious applications—from legal compulsion powers to exclusive system access—demonstrating how criminals have weaponized every aspect of government digital infrastructure.

When attackers control these accounts, they effectively inherit the same digital credibility as legitimate officials, making their requests nearly impossible to distinguish from authentic government communications. This represents far more than simple credential theft—it's the weaponization of government authority itself.

Fraudulent Legal Requests

In 2024, the FBI reported a surge in cybercriminal services leveraging compromised police emails to send fraudulent data requests, deceiving recipients into divulging sensitive and personal data.

Dark web advertisements instruct buyers to use compromised accounts for submitting emergency data requests, promising that "successful requests yield data like IP addresses, emails, or phone numbers." These fake legal demands target technology companies and telecom providers who are legally obligated to respond to legitimate law enforcement requests.

Real emergency data requests are used by law enforcement agencies to request information immediately from a business in urgent situations where there is inadequate time to obtain a subpoena. By exploiting the built-in authority and exigency of this process and sending messages that appear to originate from legitimate domains, attackers create circumstances where recipients are far more likely to comply, often without executing typical legal verification processes.

Unauthorized Access to Restricted Law Enforcement Systems

Beyond external data requests, criminal marketplaces also advertise access to "law enforcement portals (e.g., META, TikTok, Twitter/X) for additional data retrieval requests," demonstrating systematic targeting of restricted interfaces and services designed exclusively for law enforcement use.

[Image: Compromised Police Government Accounts Twitter Access]

Dark web forum evidence demonstrates that attackers successfully accessed Twitter's Legal Request Submission system using a compromised account. This capability enables them to pull private user data, issue account takedown requests, or remove content under the guise of an official request.

Intelligence Gathering and Surveillance

Advertisements for compromised government accounts also spotlight the opportunity to "explore the inbox, sent items, and other folders" to identify sensitive data and documents that can be "resold at a premium or used for personal gain."

Additionally, sellers promote leveraging the stolen government credentials to gain enhanced access to premium open-source intelligence (OSINT) services. Ads market the ability to obtain unlimited credits from services like Shodan, Maltego, and Intelligence X—platforms that typically offer enhanced capabilities to verified government users.

From Inbox Access to Identity Takeover

The tactics described in the criminal marketing materials aren't just theoretical proposals; they represent real capabilities that threat actors are currently utilizing.

Abnormal researchers were able to initiate a direct engagement with a dark web seller of compromised government and police email accounts. The goal was to verify the real-world implementation of these advertised services and determine exactly what buyers were getting for their money. Our conversation confirmed our suspicion.

These threat actors aren’t simply selling access to inboxes; they are selling access to fully compromised identities. The seller claimed to control hundreds of accounts and provided screenshots that confirmed active compromise.

More alarming, the seller demonstrated access to investigative tools and databases available only to law enforcement, such as dashboards for license plate lookups and federal police reports, along with investigative portals for social media platforms.

Possession of an active .police or .gov account means more than sending convincing emails. It grants the ability to operate within systems designed exclusively for official use—systems that hold a wealth of sensitive personal and investigative data. When these tools are in the hands of threat actors, the potential for abuse is vast. Threat actors can compel disclosure of sensitive records, surveil individuals, and leverage private information to fuel further cybercrime.

This transforms the risk from phishing and impersonation to direct exploitation of privileged law enforcement capabilities, underscoring the urgency of detecting and shutting down such compromises.

Using Behavioral AI to Stop Account Compromise

The most concerning aspect of this threat lies in its ability to circumvent traditional email security measures. When malicious emails originate from legitimate government accounts—accounts that pass SPF/DKIM authentication checks and maintain histories of legitimate communications—they bypass standard secure email gateway detection mechanisms.

Attackers aren’t spoofing domains or sending emails from known-bad IP addresses. They’re utilizing actual accounts, often directly from the official email servers. This means standard filters that rely on domain reputation, sender authentication, or known malicious content signatures often fail to identify these threats.

Where legacy email security solutions utilize rules and policies to identify attacks, an AI-native, API-based email security platform like Abnormal takes a fundamentally different approach. Abnormal’s behavioral AI evaluates thousands of signals to establish a baseline for typical employee and vendor behavior, allowing it to accurately detect high-risk anomalies. This allows it to precisely detect and then automatically remediate email threats that traditional solutions miss—preventing end-user engagement and keeping your organization safe.
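The baseline-and-deviation idea above can be applied to mailbox sign-ins, since buyers are handed SMTP/POP3/IMAP credentials to use from their own clients. The following is an added example, not Abnormal's code or algorithm; the log format, field names, weights, threshold, and all addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

LEGACY = {"IMAP", "POP3", "SMTP"}   # protocols the listings hand to buyers
ALERT_AT = 3                        # assumed threshold; tune per environment
# Constructed sign-in records: time, mailbox, protocol, source IP, country, result
SAMPLE_LOG = """\
2025-08-01T08:02:11Z officer1@agency.example OWA 198.51.100.10 US success
2025-08-02T09:10:00Z clerk2@agency.example IMAP 192.0.2.44 US success
2025-08-10T03:14:09Z officer1@agency.example IMAP 203.0.113.77 NL success
2025-08-10T08:01:15Z officer1@agency.example OWA 198.51.100.31 US success
2025-08-10T09:11:02Z clerk2@agency.example IMAP 192.0.2.44 US success
2025-08-10T09:30:00Z clerk2@agency.example POP3 203.0.113.90 NL failure
"""

def parse(line):
    ts, user, proto, ip, country, result = line.split()
    net = ipaddress.ip_network(f"{ip}/24", strict=False)   # coarse network bucket
    return {"ts": ts, "user": user, "proto": proto, "net": net,
            "country": country, "ok": result == "success"}

def build_baseline(events):
    """Per-mailbox sets of protocols, /24 networks and countries seen before."""
    base = defaultdict(lambda: {"proto": set(), "net": set(), "country": set()})
    for e in (e for e in events if e["ok"]):
        for key in base[e["user"]]:
            base[e["user"]][key].add(e[key])
    return base

def score(e, seen):   # weight each departure from the mailbox's own history
    reasons = []
    if e["proto"] in LEGACY and e["proto"] not in seen["proto"]:
        reasons.append((2, f"first {e['proto']} login for this mailbox"))
    if e["country"] not in seen["country"]:
        reasons.append((2, f"new country {e['country']}"))
    if e["net"] not in seen["net"]:
        reasons.append((1, f"new network {e['net']}"))
    return sum(w for w, _ in reasons), [r for _, r in reasons]

def detect(log_text, cutoff):
    """Baseline on events before `cutoff`; score successful sign-ins after it."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    base = build_baseline(e for e in events if e["ts"] < cutoff)
    alerts = []
    for e in events:
        if e["ts"] >= cutoff and e["ok"] and e["user"] in base:
            total, reasons = score(e, base[e["user"]])
            if total >= ALERT_AT:
                alerts.append((e["user"], e["ts"], total, reasons))
    return alerts
```

Calling `detect(SAMPLE_LOG, "2025-08-05")` flags only the 03:14 IMAP sign-in for `officer1`; the mailbox that has always used IMAP from its usual network stays quiet, which is the difference between a per-account baseline and a blanket protocol rule.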
