Hackers advertise Indian government emails for sale; here's why it's dangerous
Compromised gov.in email IDs can be misused in online fraud, allowing cybercriminals to request personal information from big tech and social media companies about specific targets.
by Jainam Shah, Subham Tiwari · India Today
In Short
- Cybercriminals selling Indian government email access
- Hackers bypass security, sell for Rs 12,600 each
- US FBI warns of misuse for data requests
Cybercriminals are selling usernames and passwords of email IDs allegedly belonging to Indian government employees. If accessed, these emails could open ways for a plethora of illegal activities, with potentially severe consequences for individuals and businesses alike.
A hacker on a private forum claims that purchasing access to these government email accounts can make anyone willing to pay a few thousand rupees “become” a government officer.
“Once you purchase the access, you will be able to reset the password or do as you please,” reads a post on the hacking forum.
But how exactly could these government emails be misused? Take, for example, "digital arrest." With basic information like a person’s name, phone number, and address, often readily available in public records, cybercriminals posing as law enforcement can “arrest” their victims and extort large sums of money. This tactic has become a lucrative form of online fraud.
Now imagine what a cybercriminal could do if they know what their target purchased, whom they sent money to, what they searched online, which websites they visited, or with whom they chatted on social media.
Earlier this week, the United States Federal Bureau of Investigation (FBI) issued a warning that cybercriminals are using compromised government email accounts and falsified court orders or summons to demand information from US-based private companies.
Sale of .gov.in email accounts
India Today’s Open-Source Intelligence (OSINT) team found three listings on a private hacking and data sale platform, the most recent posted on November 6, advertising the sale of email IDs and their passwords.
The team reviewed a sample of nine email accounts with the @tn.gov.in domain, belonging to Tamil Nadu government officials, which a seller was offering as part of a batch of 700 such credentials. One of these accounts appeared to belong to an IAS officer.
Government-issued email accounts do require two-factor authentication for access: in 2020, the Indian government mandated the use of the Kavach app, developed by the National Informatics Centre (NIC), which requires the original user to approve any sign-in attempt from a new device. However, it appears that hackers may have found a workaround to bypass this security measure.
Another cybercriminal, in a secure chat with India Today, claimed they charged $150 (about Rs 12,600) for the credentials of a single government email ID. They offered to prove access to these accounts by logging into one as a demonstration. This process involves an escrow service on the hacking forum, where administrators act as intermediaries, holding the buyer's payment until the seller successfully logs into the compromised account.
Other sellers are offering "logs" that contain data which can be further exploited to extract email usernames and passwords. "Today I’ll be selling Indian Government Logs. The file contains over 40,000 lines full of logs,” read a forum post by a cybercriminal in September this year.
FBI advisory
In its November 4 advisory, the FBI warned about the most dangerous activity a compromised .gov.in email account could enable: emergency data requests to companies that falsely claim the information is necessary for an investigation or to save a life.
The FBI advisory and hacker posts indicate that compromised government emails could be misused to request call logs from telecom companies, extort money, conduct scams, and facilitate crimes like digital arrests. Some compromised emails could also be used to seek information from social media platforms and cryptocurrency exchanges about their users. For example, Meta’s “Law Enforcement Online Requests” centre allows authorised government email addresses to request user data.