Got $40? In many cases, that is all cybercriminals are charging for access to an active government or law enforcement email account, according to a recent report from advanced email and cloud security platform Abnormal AI.
The report states that a recent investigation uncovered the illegal practice on underground forums in the U.S., the U.K., India, Brazil and Germany, and that researcher Piotr Wojtyla, head of threat intel & platform at Abnormal AI, engaged the sellers to find out more.
Often bought with cryptocurrency and sold through encrypted messaging apps such as Telegram or Signal, these live accounts include the email login details needed to send and receive messages through any email program — allowing buyers to disguise themselves, slip past security checks and gain full inbox access.
But that’s only the beginning. These black market purchases also contain the credentials and permissions of a legitimate user, allowing the buyer to log in as that person and use any connected systems or services, according to the company. The compromised identities span law enforcement, judiciary and healthcare among others.
During his probe, Wojtyla said he was shown how accounts could be used to log into law enforcement dashboards for license plate lookups, federal police reports and WhatsApp and Facebook investigative portals. And while government accounts have always been susceptible to compromise, today’s landscape is different.
“Historically, .gov and .police email accounts were a niche, high-value commodity — often harder to acquire and sold in limited circles,” he said. “What’s changed is both accessibility and marketing strategy. Infostealer malware, large-scale credential dumps, and password reuse have made these accounts cheaper and easier to obtain. At the same time, sellers are no longer relying on buyers to figure out potential uses.”
Wojtyla said sellers are actively advertising high-impact scenarios such as fraudulent emergency data requests, subpoenas and access to restricted portals.
“This ‘use case marketing’ not only lowers the barrier to entry for less sophisticated buyers but also creates a direct link between the sale of these accounts and their exploitation,” he said.
Once sold, threat actors can immediately begin sending emails or abusing access to government-only services. One listing, for example, offered a bundle of U.S. government email accounts for sale, including an FBI.gov address, along with the owner’s personal details, marketed as affordable to attract buyers.
Stolen accounts can be used to send convincing fake subpoenas to technology companies and telecom providers. Threat actors can also use them to steal sensitive data, gain access to camera footage, slip by safeguards and access government portals that reveal insider information, steal other passwords and account information, hijack emails from other countries and sell them on the dark web, or blackmail institutions into paying to keep them private.
Wojtyla said the surge in interest stems from several factors, including poor password hygiene, especially reusing credentials from past breaches.
“On the technical side, infostealer malware has made it trivial to harvest and resell government logins at scale,” he added. “Heightened global demand also plays a role, as access to verified .gov and .police accounts enables high-value exploits like unauthorized data collection and system access. Social engineering is the force multiplier. Attackers increasingly use these trusted accounts to manipulate targets and bypass verification processes.”
He said groups like Scattered Spider show how human-focused tactics, combined with stolen credentials, have created a global, scalable threat.
There are ways to reduce risk, including choosing strong credentials, using two-factor authentication, being wary of the possibility of scams, and not reusing passwords.
But more is needed, according to Abnormal. One important piece of the security puzzle is behavioral detection. It matters most when a legitimate email account has been stolen: the messages come from a real, trusted account, so standard filters that rely on domain reputation, sender authentication or known malicious content fail to catch the problem.
“Only advanced email security systems that understand normal communication patterns and behaviors can detect when a legitimate account starts acting abnormally,” according to the report.