Last year, cybercriminals started using a novel tactic to pilfer subscriber data from social media companies: using stolen passwords purchased on the dark web, digital hoods would hack into police email accounts, then use their access to file something called an emergency data request, or EDR. A type of urgent subpoena that requires no court authorization or broader company review, EDRs are filed by police agencies to social media firms with relative frequency, and law enforcement encourages the companies to turn over subscriber information on particular users quickly. Using information from EDRs, the hackers would carry out campaigns of harassment against users.
Now, two people allegedly involved in one such scheme have been arrested. On Tuesday, federal prosecutors charged two men with computer crimes and accused them of being part of a gang that carried out targeted online harassment and doxxing campaigns. Officials say 25-year-old Nicholas Ceraolo, of New York, and 19-year-old Sagar Steven Singh, of Rhode Island, are part of an online collective known as “ViLE.”
The group is described as having “acquired victims’ information by various means” and then posting that information or threatening to post it “on a public website administered by a ViLE member.”
As part of “ViLE,” Ceraolo and Singh—who also went by the handles “Ominous” and “Weep”—are accused of hacking into a federal law enforcement data portal, then using information from that portal to carry out extortion and harassment schemes against targets. Officials don’t name the police portal involved, merely describing it as a “nonpublic, password-protected web portal (the ‘Portal’) maintained by a U.S. federal law enforcement agency, whose purpose is to share intelligence from government databases with state and local law enforcement agencies.”
However, cybersecurity reporter Brian Krebs reports that the portal in question belongs to the Drug Enforcement Agency, basing this conclusion on his earlier reporting about a previous hack of that portal. The DEA portal provides access to 16 different law enforcement databases, which would have given the criminals access to a broad swath of sensitive information, Krebs writes.
According to federal prosecutors, both Ceraolo and Singh used information stolen from the data portal to cyberstalk, threaten, and extort their victims. In Singh’s case, he allegedly used information directly accessed from the portal to threaten targets. In one case, he contacted a victim and, flaunting access to their social security number, home address, and driver’s license information, told them he would “harm” their family if they didn’t comply with his demands.
In Ceraolo’s case, he is accused of having used access to the portal to submit EDRs to social media companies—which then gave him access to sensitive subscriber data. One incident is described as follows in the complaint…
…between February 2022 and May 2022, Ceraolo accessed without authorization an official email account belonging to a Bangladeshi police official. Ceraolo used the account to pose as a Bangladeshi police officer in communication with U.S.-based social media platforms. In one instance, Ceraolo induced a social media platform (Platform-1) to provide information about one of its subscribers, including the subscriber’s address, email address and telephone number, by asserting that the subscriber had participated in “child extortion” and blackmail and had threatened officials of the Bangladeshi government.
It’s a bizarre story—and an apparent example of the extreme lengths that cybercriminals will go to access information they deem valuable.
“As these charges make clear, the alleged unauthorized access of a US federal law enforcement system and impersonation of law enforcement officials are serious offenses, and the criminals who perpetrate these schemes will be held accountable for their crimes,” said Ivan J. Arvelo, Special Agent-in-Charge with Homeland Security Investigations for New York. “HSI and its law enforcement partners are committed to safeguarding public safety infrastructure from cyber criminals and ensuring that those seeking to compromise these systems face the fullest extent of the law.”
Officials say that Ceraolo, who is charged with both wire fraud and computer crimes, is facing up to 20 years in prison for his charges. Singh, who is charged with computer crimes, faces up to five years behind bars.