TL;DR: Threat actors are selling active .gov and .police email accounts for as little as $40, while bulk infostealer logs can cost $5 and fraudulent emergency requests can bypass normal verification because they originate from legitimate accounts, according to Abnormal AI. The real governance failure is not spoofed mail but trusted identity compromise that turns institutional authority into an attack channel.
NHIMG editorial — based on content published by Abnormal AI: government and law enforcement email accounts sold on underground forums
By the numbers:
- Threat actors sell active .gov and .police email accounts for as little as $40 per account.
Questions worth separating out
Q: How should organisations handle compromised government or law enforcement email accounts?
A: Treat them as privileged identity incidents, not simple mailbox abuse.
Q: Why do compromised official email accounts bypass normal email security controls?
A: Because the message originates from a real, trusted account rather than a spoofed domain or known-bad sender.
Q: What do security teams get wrong about emergency data requests from trusted accounts?
A: They assume the sender identity proves the request is legitimate.
Practitioner guidance
- Harden official mailbox authentication: Require phishing-resistant MFA for all government and law enforcement email accounts, and remove password reuse risk by enforcing unique credentials across all official services.
- Monitor for identity misuse, not just spam: Use behavioural detection to flag unusual sending patterns, new devices, abnormal geographies, and sudden access to high-risk folders or law enforcement portals.
- Separate legal verification from email trust: Create out-of-band confirmation steps for emergency data requests, takedowns, and other sensitive actions so a valid sender address is never sufficient on its own.
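The behavioural check in the second item, sketched as an added example (not code from Abnormal AI or from this editorial). The event tuple layout, the account names, and the resource labels `le-portal` and `legal-requests` are assumptions made for illustration, and all events are constructed.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry): (account, device, country, resource).
BASELINE = [
    ("officer1@agency.example", "dev-a", "US", "inbox"),
    ("officer1@agency.example", "dev-a", "US", "le-portal"),
    ("clerk2@agency.example", "dev-b", "US", "inbox"),
]
NEW_EVENTS = [
    ("officer1@agency.example", "dev-a", "US", "le-portal"),      # matches baseline
    ("officer1@agency.example", "dev-z", "XX", "le-portal"),      # new device and country
    ("clerk2@agency.example", "dev-b", "US", "legal-requests"),   # first sensitive access
    ("clerk2@agency.example", "dev-c", "US", "inbox"),            # new device only
]
SENSITIVE = {"le-portal", "legal-requests"}  # assumed labels for high-risk resources

def build_profiles(events):
    """Collect the devices, countries and resources each account has used before."""
    profiles = defaultdict(lambda: {"devices": set(), "countries": set(), "resources": set()})
    for account, device, country, resource in events:
        p = profiles[account]
        p["devices"].add(device)
        p["countries"].add(country)
        p["resources"].add(resource)
    return profiles

def score_event(profiles, event):
    """Compare one event with the account's history; return (reasons, severity)."""
    account, device, country, resource = event
    p = profiles.get(account)
    if p is None:
        return ["no-baseline"], "review"  # nothing to compare against yet
    reasons = []
    if device not in p["devices"]:
        reasons.append("new-device")
    if country not in p["countries"]:
        reasons.append("new-country")
    if resource in SENSITIVE and resource not in p["resources"]:
        reasons.append("first-sensitive-access")
    identity_anomaly = "new-device" in reasons or "new-country" in reasons
    if identity_anomaly and resource in SENSITIVE:
        return reasons, "high"  # unfamiliar sign-in context reaching a sensitive resource
    return reasons, ("review" if reasons else "ok")

def triage(baseline, events):
    """Score every new event against profiles built from the baseline window."""
    profiles = build_profiles(baseline)
    return [(event, *score_event(profiles, event)) for event in events]
```

The severity rule escalates only when an unfamiliar device or country coincides with a sensitive resource, which keeps routine device changes in the review queue instead of paging on every one.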
What's in the full article
Abnormal AI's full analysis covers the operational detail this post intentionally leaves for the source:
- Forum screenshots and seller claims showing how compromised official accounts are marketed to buyers
- Examples of fraudulent legal request use cases across law enforcement, telecom, and technology workflows
- Discussion of how law enforcement-only portals and OSINT services become reachable through stolen identity
- Abnormal's behavioural AI approach for detecting account compromise patterns that legacy email filters miss
Government email account takeover is commoditising trust
Explore further
Institutional trust has become a tradable security control failure. The article shows that attackers are not just selling access to inboxes, they are selling the authority attached to a government or police identity. That changes the governance problem from mail security to trust-chain abuse, where a valid account becomes the mechanism for fraud, surveillance, and data extraction. Practitioners should treat institutional identity as a high-value attack capability, not a communications asset.
A few things that frame the scale:
- DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
A question worth separating out:
Q: Who is accountable when a compromised official account is used for fraud or surveillance?
A: Accountability is shared across identity, security, legal, and operations teams because the failure crosses technical and procedural boundaries. Identity teams must secure the account, security teams must detect abuse, and legal or operational owners must verify sensitive requests through separate channels before acting on them.