When a privacy specialist at the legal response operations center of Charter Communications received an emergency data request via email on September 4 from Officer Jason Corse of the Jacksonville Sheriff’s Office, it took her just minutes to respond, with the name, home address, phone numbers, and email address of the “target.”
But the email had not in fact come from Corse or anyone else at the Jacksonville Sheriff’s Office. It was sent by a member of a hacking group that provides doxing-as-a-service to customers willing to pay for highly sensitive personal data held by tech companies in the United States.
“This took all of 20 minutes,” Exempt, a member of the group that carried out the ploy, told WIRED. He claims that his group has been successful in extracting similar information from virtually every major US tech company, including Apple and Amazon, as well as more fringe platforms like video-sharing site Rumble, which is popular with far-right influencers.
Exempt shared the information Charter Communications sent to the group with WIRED, and explained that the victim was a “gamer” from New York. When asked if they worried about how the information they obtained was used against the target, Exempt said: “I usually do not care.”
The victim did not respond to WIRED’s requests for comment.
“It is definitely concerning to hear criminals impersonating officers in such a manner, more so when they are claiming to be one of our employees,” says Christian Hancock, the media relations manager at Jacksonville Sheriff’s Office. Officer Corse declined to comment.
Charter Communications declined to comment.
While this method of tricking companies into handing over information that can be used to harass, threaten, and intimidate victims has been known about for years, WIRED has gained unprecedented insight into how one of these doxing groups operates, and how, despite years of warning, companies appear to have been able to do little to close this loophole.
The Charter Communications incident was one of up to 500 successful requests Exempt claims to have made in recent years. To back up his claims, the hacker shared multiple documents and recordings with WIRED, including what they claimed were screenshots of email requests, fake subpoenas, responses from tech companies, and even a video recording of a phone call with one company’s law enforcement response team who were seeking to verify a request. Exempt also shared evidence that suggested a current law enforcement officer (Exempt refused to provide the officer’s location or name) was in contact with the group about allegedly working with them to submit requests from his own account in return for a cut of the profits.
“All I need is an IP address, which I can gain pretty easily, [and] next thing you know I have names, addresses, emails, and cell numbers,” says Exempt, adding that they can then use that information to make emergency data requests. “And with a subpoena and search warrant, I can access DMs, texts, call logs. That’s someone’s full life in my hands in the space of hours, depending on the response times of the company or provider.”
This type of doxing appears to be a lucrative business. Exempt claims his group brought in over $18,000 in the month of August alone. In one case, Exempt claims he was paid $1,200 for a single dox of a person who they claim was supposedly “grooming minors on an online gaming platform he owns. The individual was then allegedly promptly swatted.”
WIRED reviewed the information posted online about a 23-year-old from the southwestern US, which includes their home address, phone number, email addresses and social media accounts. The person did not respond to WIRED’s request for comment. WIRED was unable to independently confirm if the person was swatted.
In the US, federal, state, and local law enforcement agencies who need to find out the identity of the owner of a social media account, or details about a specific phone, send the relevant company a subpoena or warrant requesting the information.
All major companies operating in the US have departments and specific staff assigned to dealing with these requests, which are typically sent via email. The companies, once they review the subpoena and see it has come from what looks like a law enforcement agency, typically comply with the requests, sometimes taking additional verification steps such as phoning the officer involved to confirm they did indeed send the request.
But officers can also make emergency data requests, or EDRs, in cases involving a threat of imminent harm or death. These requests typically bypass any additional verification steps by the companies who are under pressure to fulfil the request as quickly as possible.
This is the weak point that hackers like Exempt, who says he is “a Gen Z male located within the Europe area,” can exploit.
The problem partly stems from the fact that there are around 18,000 individual law enforcement agencies in the US alone, all of which use their own email naming conventions and domain registrations, including .us, .net, .org, .gov, and .com.
The hackers typically use one of two ways to trick companies into making them believe the emails being sent are coming from real law enforcement agencies. In some cases, they use authentic law enforcement email accounts that they have compromised via social engineering or using credentials stolen in previous hacks. Other times, they create convincing fake domains that closely mimic legitimate police departments.
“This was an email address that looked like the real thing,” says Exempt, explaining the mechanics of how he tricked Charter Communications. “The real domain of the Jacksonville Sheriff’s Office in Florida is jaxsheriff.org. We purchased jaxsheriff.us and then spoofed our number as the department’s, so that when we called them to verify receipt of the legal process, when they searched the number, it would come back to the sheriff’s office, giving them no reason to doubt it. We use real badge numbers and officer names as well.”
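A defensive check for the lookalike-domain trick described above, as an added example that is not part of the original article: it compares an inbound request's sender domain against a registry of agency domains verified out of band, and flags a sender whose name matches a verified agency under a different TLD or with a near-identical spelling. The registry contents, function names, and the 0.85 similarity threshold are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed registry: domains the response team has confirmed out of band.
VERIFIED_AGENCY_DOMAINS = {"jaxsheriff.org"}


def _label(domain):
    """Second-level label, e.g. 'jaxsheriff' from 'jaxsheriff.org'.
    Simplification: ignores multi-part suffixes such as .co.uk."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def classify_sender(from_header, verified=VERIFIED_AGENCY_DOMAINS, threshold=0.85):
    """Return (verdict, matched_domain) for an inbound request's From header.

    'verified-domain' only means the domain is in the registry; it says
    nothing about whether the mailbox itself has been compromised.
    """
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return ("unknown", None)

    # Exact match or a subdomain of a verified agency domain.
    for v in verified:
        if domain == v or domain.endswith("." + v):
            return ("verified-domain", v)

    # Lookalike: any non-TLD label is identical or nearly identical to a
    # verified agency's label (same name on another TLD, or a typo variant).
    labels = domain.split(".")[:-1]
    for v in verified:
        best = max(
            (SequenceMatcher(None, lab, _label(v)).ratio() for lab in labels),
            default=0.0,
        )
        if best >= threshold:
            return ("lookalike", v)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers.
    for hdr in ("Records Unit <records@jaxsheriff.us>", "records@jaxsheriff.org"):
        print(hdr, "->", classify_sender(hdr))
```

A `lookalike` verdict is a reason to hold the request and call the agency back on a number taken from the registry rather than from the email; a `verified-domain` verdict does not replace that callback for emergency requests.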
The hackers also craft highly convincing fake official documents by mimicking official records.
“We look at real subpoenas through public records where available and use the legally correct wording and sections of the law in the subpoena so that everything is legally correct and binding, so that we realistically have zero percent chance of them second guessing it,” says Exempt. This has worked in multiple states and courts in the US, he claims.
“As an extra verification step, we sometimes check online to see if the named judge is actually in court that day, so that if a company was to phone up and verify, they would be in the building but most likely be too busy to be able to verify the singular document,” says Exempt.
In many cases, Exempt says, the email and attached subpoena are enough to extract the information. In one example shared with WIRED, Exempt claims his group, which he says is made up of around eight other people located across Europe and the US, was able to obtain the information used to register the official Rumble account belonging to British far-right activist Tommy Robinson.
Robinson and Rumble did not respond to requests for comment.
Even in cases where companies do take additional steps to verify the subpoenas are coming from real officers, the hackers are able to circumvent this.
In a recording of a phone call shared with WIRED, a representative from Amazon’s law enforcement response team called the number included in the faked email Exempt sent, and spoke with Exempt to verify that he had received the documents she had sent him via an online portal.
“Amazon identified and blocked someone that was requesting data from us while impersonating law enforcement,” says Adam Montgomery, an Amazon spokesperson. “The impersonator received basic account data for fewer than 10 customers. We quickly took steps to protect these customer accounts, and have put additional safeguards in place to prevent this from happening again.”
When asked for details of what those safeguards were, Amazon declined to comment.
While the hackers are clearly exploiting massive loopholes in the system, in some cases, the tech companies themselves have laid out step-by-step guides on how to craft these requests.
“In order to request that Apple voluntarily disclose information on an emergency basis, the requesting government or law enforcement officer should complete the Emergency Government & Law Enforcement Information Request form and transmit it directly from their official government or law enforcement email address to [a specific @apple.com email address] with the words “Emergency Request” in the subject line,” Apple writes.
Exempt shared with WIRED an example of a request he made to Apple using a fake subpoena as well as the information Apple sent back to him that included an iCloud account holder’s home address, cell phone number, and email addresses. Apple did not respond to a request for comment.
One online database maintained by SEARCH, a nonprofit criminal justice support organization, lists the direct contact details for the law enforcement divisions of over 700 internet service providers and other online content providers.
“The core issue isn’t companies being careless, it’s that traditional communications channels, like email, weren’t built for the level of identity verification, context evaluation, and real-time decisioning that modern investigations and legal compliance require,” says Matt Donahue, a former FBI agent who left the agency in 2020. Soon after, Donahue founded Kodex, a company that works with companies to build secure online portals law enforcement can use to make data requests.
While technologies like Kodex provide a much safer alternative to email, over 80 percent of the companies listed on the SEARCH database still accept emergency data requests via email, according to one review conducted by Kodex.
But even those who only use Kodex are not in the clear. Exempt claims that they were able to make requests through Kodex for a period of time, using compromised law enforcement email accounts. However, because of Kodex’s enhanced safety features, including whitelisting specific devices from which requests can be made, Exempt and his group have now lost access to the system.
The hacker claims, however, that they are now working to regain access via another avenue.
“We are in talks with a deputy from a large sheriff’s office … who we got paid to dox [and] who is now interested in either renting his Kodex account to us or he may submit the requests for us on his side,” says Exempt. “This is in [the] very early stages of talks. He would want a percentage of the money we make and his dox removed on a well-known doxing site.”
To back up his claim, Exempt shared a screenshot of an alleged text exchange with the officer, including a blurred image that he refers to as his ID card. “Y’all have the SSN and the rest of the info you need about me and my fam,” the alleged officer wrote in a message. “I’m on the fence about it right now, but we will all get what we want out of this if we do a d[eal].”
When asked if he thought it was possible the officer was trying to entrap him, Exempt said probably not, “just for the fact he has been doxed, and within that dox, some pretty damning stuff about said officer came out, which he clearly wants removed. So I’m pretty certain he is being honest about the fact he is considering it.”
Donahue says Kodex’s system could flag such behavior because it is able to “pattern match” the behavior of law enforcement agents and how they interact with companies that use the Kodex platform. “We can and do detect behavioral changes that allow us to protect our customers on a continuous basis as opposed to a one-time verification,” says Donahue.
While the hackers are taking advantage of the weakness in email security, they are also taking advantage of companies’ desire to help law enforcement save lives.
“Public-private sector coordination is an incredibly complex and nuanced space that could very well be the difference between a kid being found in a trunk, or not,” says Donahue. “Lawful government data requests sit at the very unique intersection of data privacy, public safety, security, legal compliance, and civil rights, so anyone suggesting these requests are carelessly responded to in minutes has little to no understanding of the subject matter.”
The post Doxers Posing as Cops Are Tricking Big Tech Firms Into Sharing People’s Private Data appeared first on Wired.




