Fake Emails Sent From FBI Address via Compromised Law Enforcement Portal

Thousands of fake emails coming from an FBI email address were sent out on Friday by someone who exploited a vulnerability in a law enforcement portal. The FBI has confirmed the breach, but said impact was limited.

Threat intelligence organization Spamhaus reported seeing more than 100,000 fake emails being sent out in two waves.

Spamhaus warning

The hoax emails, coming from “eims(at)ic.fbi.gov,” carried the subject line “Urgent: Threat actor in systems.” The message appeared to come from the DHS and it informed recipients about “exfiltration of several of your virtualized clusters in a sophisticated chain attack.”

Fake FBI email

The emails claimed the threat actor was identified as Vinny Troia. Troia is a security researcher who claims to have been targeted numerous times by some hackers for exposing them.

On Twitter, Troia said he suspected an individual who uses the online moniker “pompompur_in” was behind the attack. He said the individual is associated with a cybercrime group named The Dark Overlord, whose alleged members were exposed in a report published last year by Troia’s company, NightLion Security.

Indeed, an individual with the online nickname pompompurin contacted security blogger Brian Krebs shortly after the fake FBI emails were sent out, taking credit for the attack.

In a statement issued on Sunday, the FBI said the emails were sent out by someone who leveraged a “software misconfiguration” affecting the Law Enforcement Enterprise Portal (LEEP), which is used by the agency to communicate with state and local law enforcement partners.

“While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service,” the FBI stated. “No actor was able to access or compromise any data or PII on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”

Pompompurin told Krebs that they exploited a vulnerability in the LEEP portal account registration process to be able to send out emails from the fbi.gov email address.

Specifically, the registration process involves sending a one-time passcode to the email address of the user who creates an account on the LEEP portal. Pompompurin discovered — or learned from someone else — that this one-time passcode was generated on the client side and included in a POST request. The same request also included parameters for the subject and body content of an email coming from eims(at)ic.fbi.gov, which the hacker replaced with their own subject and content.

The hacker created a script that automated the process, enabling them to send out thousands of fake emails.
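The flaw described above comes down to one design decision: the server let the client choose the one-time passcode and the text of the notification it sent. The following is an added illustration, not code from the article or from the LEEP portal, that places a registration handler with that weakness next to a hardened one in which the passcode is generated server-side, stored only as a keyed hash, sent in a fixed template, and checked with expiry, attempt and single-use limits. Every name here (Outbox, Registrar, the SUBJECT wording, the request dictionaries) is a constructed assumption for the example; the sender address is written exactly as the article gives it.

```python
import hashlib
import hmac
import re
import secrets
import time

# Sender identity as written in the article; no mail is actually sent here.
SENDER = "eims(at)ic.fbi.gov"


class Outbox:
    """Stand-in for the notification mailer: records messages instead of sending them."""

    def __init__(self):
        self.sent = []

    def send(self, to, subject, body):
        self.sent.append({"from": SENDER, "to": to, "subject": subject, "body": body})


def register_vulnerable(form, outbox):
    """Weak handler: passcode, subject and body all arrive in the POST body, so
    whoever controls the request controls what the trusted sender emits."""
    outbox.send(form["email"], form["subject"], form["body"])
    return form["otp"]  # the server never chose this value


EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SUBJECT = "Portal registration: your one-time passcode"  # fixed template (constructed wording)
MAX_ATTEMPTS = 5
TTL_SECONDS = 600


class Registrar:
    """Hardened handler: the server generates the passcode, keeps only an HMAC of it,
    sends a fixed message, and enforces expiry, attempt and single-use rules."""

    def __init__(self, outbox, pepper=None, now=time.time):
        self.outbox = outbox
        self.pepper = pepper or secrets.token_bytes(32)  # server-side key for the hashes
        self.now = now  # injectable clock so expiry can be tested deterministically
        self.pending = {}  # email -> (digest, expires_at, failed_attempts)

    def _digest(self, email, code):
        return hmac.new(self.pepper, f"{email}:{code}".encode(), hashlib.sha256).digest()

    def start(self, form):
        email = form.get("email", "")
        if not EMAIL_RE.match(email):
            raise ValueError("invalid recipient address")
        code = f"{secrets.randbelow(10 ** 6):06d}"  # chosen by the server, never by the client
        self.pending[email] = (self._digest(email, code), self.now() + TTL_SECONDS, 0)
        # Only the recipient and the template decide the outgoing mail; any
        # "subject", "body" or "otp" fields in the request are ignored.
        self.outbox.send(email, SUBJECT,
                         f"Your one-time passcode is {code}. It expires in 10 minutes.")

    def verify(self, email, code):
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self.now() > expires_at or attempts >= MAX_ATTEMPTS:
            self.pending.pop(email, None)  # expired or locked: force a fresh registration
            return False
        if hmac.compare_digest(digest, self._digest(email, code)):
            self.pending.pop(email, None)  # single use
            return True
        self.pending[email] = (digest, expires_at, attempts + 1)
        return False


def extract_passcode(body):
    """What a legitimate recipient reads out of the message (six digits)."""
    match = re.search(r"\b\d{6}\b", body)
    return match.group() if match else None


if __name__ == "__main__":
    # Constructed request mirroring the shape the article describes.
    spoofed = {"email": "recipient@example.test",
               "subject": "Urgent: Threat actor in systems",
               "body": "attacker-controlled text", "otp": "123456"}
    weak, strong = Outbox(), Outbox()
    register_vulnerable(spoofed, weak)
    Registrar(strong).start(spoofed)
    print("weak handler sent subject:  ", weak.sent[0]["subject"])
    print("hardened handler sent subject:", strong.sent[0]["subject"])
```

The point of the contrast is not the email validation or the hashing details but where authority sits: in the hardened version nothing the client sends can reach the subject or body of a message leaving the trusted sender, and the passcode check happens against a server-side record rather than against a value the client supplied.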

The FBI says it has taken steps to prevent exploitation of the weakness leveraged in this attack.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
