Date: 2025-08-14

Cybercriminals are selling access to active law enforcement and government email accounts for as little as $40 on the dark web, according to an investigation by Abnormal AI.

These compromised accounts belong to officials from the US, UK, India, Brazil and Germany, with agencies such as the FBI among those affected.

The ability to impersonate law enforcement and government employees through their own emails offers attackers opportunities to conduct sophisticated fraud and data theft schemes. Such schemes include sending fake subpoenas and accessing sensitive information through emergency data requests.

Emails sent from domains such as .gov and .police are more likely to evade technical defenses and less likely to raise suspicion among recipients. The result is that a higher ratio of malicious attachments and links are clicked on.

The Abnormal AI researchers noted that while law enforcement accounts have been quietly sold on the dark web for years, there has recently been a marked shift in strategy.

“Cybercriminals are no longer just reselling access; they’re actively marketing specific use cases, such as submitting fraudulent subpoenas or bypassing verification procedures for social platforms and cloud providers. This commoditization of institutional trust has broadened the appeal of these accounts and lowered the barrier to entry for impersonation-based attacks,” they wrote.

“Unlike dormant or spoofed accounts, these are active, trusted inboxes that attackers have compromised for immediate malicious use,” the researchers added.

Customers Offered Immediate Use at Low Cost

The Abnormal AI report, published on August 14, observed that compromised law enforcement and government accounts are typically sold via encrypted messaging platforms like Telegram or Signal.

These accounts are often sold at a relatively low cost given the unique criminal opportunities they offer, with some available for as little as $40 per account.

When buyers make a purchase, usually with cryptocurrency, they receive complete SMTP/POP3/IMAP credentials for those accounts.

This provides the actor with full control over the inbox through any email client, enabling them to immediately begin sending emails or taking advantage of government-only services.