Infostealer Infections Lead to Hacking of Google, TikTok, and Meta Law Enforcement Systems

Edit 03/02/24 – ‘Tamagami’ reveals they also possess access to Kodex which enables EDR / Subpoena requests for services such as LinkedIn, Discord, Tinder, Binance, Coinbase, Chainlink, SendGrid, and others

A worrying trend emerges as threat actors hack into the law enforcement systems of major organizations, gaining the ability to legally request personal details of users. This abuse often leads to identity thefts, extortion, and financial losses.

Just weeks ago we wrote about Binance and Brazil’s police suffering similar breaches due to Infostealer infections. Today, Google, TikTok, and Meta are also affected.

A threat actor who goes by the handle ‘Tamagami’ on a popular cybercrime forum has gained access to several law enforcement systems and is attempting to monetize the access in two ways:

  1. Selling full access to the account (price not mentioned)
  2. “Requests” — 1-time subpoena requests ($500)
Image from the hacker’s thread advertising their access to Google’s law enforcement request system (lers.google.com)
Similar advertisement for Meta’s law enforcement request system
Asking price for the access to TikTok’s law enforcement requests system, similar asking prices for Meta & Google

In the past we have established that threat actors often gain access to law enforcement systems by exploiting credentials obtained from Infostealer Infections, typically those of real law enforcement officers who neglectfully have their computers compromised.

Today, Hudson Rock researchers identified over 50 different sets of credentials for Google’s law enforcement system from various Infostealer infections.

Image from Hudson Rock’s cybercrime intelligence database, Cavalier
Additional logins found for lers.google, each one enables the access to Google’s law enforcement system

Some of these credentials are from computers we traced to infected employees at:

  • Civil Police of Brazil
  • Police of Arkansas (USA)
  • GDF — Italian law enforcement agency under the authority of the Minister of Economy and Finance
  • Government of Mexico City
  • Court of Justice of the State of São Paulo
  • Government of Tierra del Fuego in Argentina
  • Government of the Indian state of Uttar Pradesh
  • Center for Judicial Studies in Portugal

Hudson Rock estimates that it is very likely the hacker gained access to the systems using these types of credentials. Especially considering the threat actor’s posting history on the cybercrime forum, which mentions the hacker’s ability to take advantage of an allegedly legal service called IntelX. This service is intended for cybersecurity researchers to look up Infostealers related data, but it appears to be exploited by cybercriminals, potentially due to a lack of proper security management by the company.

In other instances the threat actor’s posting specifically refer to their ability to “search links in logs” which refers to searching URLs within a database of Infostealers credentials datasets.

Please note that this investigation is in continuation to a similar investigation we published around a threat actor exploiting Kodex to sell access to Binance’s law enforcement panel – https://www.infostealers.com/article/hacker-sells-access-to-binances-law-enforcement-portal-cryptocurrency-holders-at-risk/

Although this was denied by Kodex and dismissed as a “scam” it is important to add that it was confirmed to us by Binance that they were aware of such access:

It is crucial for organizations to take notice of this trend and establish proper security protocols to ensure that only the legitimate owners of the accounts can access these law enforcement systems.

In order to help mitigate this issue, Hudson Rock will contact the relevant organizations and provide them with an ethical disclosure regarding the identified credentials.

To learn more about how Hudson Rock protects companies from imminent intrusions caused by info-stealer infections of employees, partners, and users, as well as how we enrich existing cybersecurity solutions with our cybercrime intelligence API, please schedule a call with us, here: https://www.hudsonrock.com/schedule-demo

We also provide access to various free cybercrime intelligence tools that you can find here: www.hudsonrock.com/free-tools

Thanks for reading, Rock Hudson Rock!

Follow us on LinkedIn: https://www.linkedin.com/company/hudson-rock

Follow us on Twitter: https://www.twitter.com/RockHudsonRock

Don’t Stop Here

More To Explore

Infostealers Webinar – Hudson Rock

Learn about Infostealers with actual real life breaches caused by Infostealer infections with Leonid Rozenberg, Hudson Rock’s Head of Partnerships & Integrations. To discover how

favicon__1_ removebg-png

BE THE FIRST TO KNOW

Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

No Spam, We Promise

favicon__1_ removebg-png

BE THE FIRST TO KNOW

Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

No Spam, We Promise