Last year, cybercriminals began using a novel method to steal subscriber data from social media companies: they would hack into police email accounts using stolen passwords purchased on the dark web, then utilise their access to file an emergency data request, or EDR. EDRs are a type of urgent subpoena that does not require court approval or broader company review. They are frequently issued by police agencies to social media companies, and law enforcement encourages the companies to turn over subscriber information on specific users as soon as possible. Hackers would conduct harassment campaigns against users using information from EDRs.
Two people have been arrested in connection with one such scheme. Federal prosecutors charged two men with computer crimes on Tuesday, accusing them of being members of a gang that engaged in targeted online harassment and doxxing campaigns. Officials say Nicholas Ceraolo, 25, of New York, and Sagar Steven Singh, 19, of Rhode Island, are members of the "ViLE" online collective.
The group is said to have "acquired victims' information through various means" before posting or threatening to post it "on a public website administered by a ViLE member." Ceraolo and Singh, also known as "Ominous" and "Weep," are accused of hacking into a federal law enforcement data portal as members of "ViLE" and then using information from that portal to carry out extortion and harassment schemes against targets. Officials do not identify the police portal in question, describing it only as a nonpublic, password-protected web portal (the "Portal") maintained by a United States federal law enforcement agency, whose purpose is to share information from government databases with state and local law enforcement agencies.
According to cybersecurity reporter Brian Krebs, the portal in question belongs to the Drug Enforcement Agency, a conclusion he bases on his earlier reporting about a previous hack of that portal. According to Krebs, the DEA portal provides access to 16 different law enforcement databases, giving the criminals access to a wide range of sensitive information.
Ceraolo and Singh, according to federal prosecutors, used information stolen from the data portal to cyberstalk, threaten, and extort their victims. In Singh's case, he allegedly threatened targets using information obtained directly from the portal. In one instance, he contacted a victim and threatened to "harm" their family if they did not comply with his demands, while having access to their social security number, home address, and driver's licence information.
Ceraolo is accused of using his portal access to submit EDRs to social media companies, giving him access to sensitive subscriber data. In the complaint, one incident is described as follows:
"…between February 2022 and May 2022, Ceraolo accessed without authorization an official email account belonging to a Bangladeshi police official. Ceraolo used the account to pose as a Bangladeshi police officer in communication with U.S.-based social media platforms. In one instance, Ceraolo induced a social media platform (Platform-1) to provide information about one of its subscribers, including the subscriber’s address, email address and telephone number, by asserting that the subscriber had participated in “child extortion” and blackmail and had threatened officials of the Bangladeshi government."
It's an odd story — and an obvious example of the lengths cybercriminals will go to in order to obtain valuable information.
“As these charges make clear, the alleged unauthorised access of a US federal law enforcement system and impersonation of law enforcement officials are serious offences, and the criminals who perpetrate these schemes will be held accountable for their crimes,” said Ivan J. Arvelo, Special Agent-in-Charge with Homeland Security Investigations for New York. “HSI and its law enforcement partners are committed to safeguarding public safety infrastructure from cyber criminals and ensuring that those seeking to compromise these systems face the fullest extent of the law.”
Ceraolo, who is charged with both wire fraud and computer crimes, faces up to 20 years in prison, according to officials. Singh faces up to five years in prison if convicted of computer crimes.