FOR589 Blog: Cybercrime Counterintelligence

This blog discusses the topic of cybercrime counterintelligence to highlight the growing threat toward the cyber threat intelligence (CTI) and law enforcement (LE) communities.

Cybercrime counterintelligence is important for many reasons; some of them are outlined below:

• Practitioners need to be aware that cybercriminals seek information about themselves, their infrastructure, business dealings, and rivals from cybersecurity vendors and LE platforms.
• CTI vendors and LE agencies must improve platform security settings such as requiring multi-factor authentication (MFA) and implementing endpoint protection.
• Incidents can lead to significant disruptions to ongoing investigations, loss of evidence, and can severely impact the trust and reputation of organizations.
• Weaponization of stolen data can cause considerable harm to the individuals whose information is exposed.

What is Cybercrime Counterintelligence?

Cybercrime counterintelligence can be defined as efforts by cybercriminals to gather, analyze, and act upon information about LE investigations or cybersecurity researchers’ activities. CTI vendor platforms are lucrative targets for cybercriminals. They host large volumes of intelligence reports and sensitive data, including breached datasets. LE information sharing networks and online provider’s legal process request systems also contain highly sensitive information that is enticing to cybercriminals.

This blog will review case studies where cybercriminals have targeted platforms to gain access to this information.

Tactics, Techniques, and Procedures (TTPs)

The TTPs involved in targeting these secure platforms often focus on account creation and account hijacking. Threat actors use a variety of TTPs to achieve this goal.

To target accounts in CTI platforms and LE sharing platforms, cybercriminals have been known to search for domains in infostealer markets and purchase access. After acquiring credentials, they can log in to accounts without MFA enabled.

To target LE emergency data request portals, threat actors have been observed using compromised email accounts belonging to police officers or government officials. Again, these accounts are likely sold on infostealer markets or cybercrime forums.

Once authenticated, the adversary typically aims to scrape as much data as possible. After obtaining the stolen files, criminal actors often take screenshots as evidence of access and subsequently offer either the access itself or the stolen data for sale.

In some cases, instead of performing account takeovers or infiltrating platforms, adversaries have impersonated LE to receive information from others. For example, a Telegram channel called “@EuropolRewards” appeared seeking information on the Qilin administrators. Europol later confirmed that this Telegram channel was a scam and not affiliated with the LE agency.

FBI InfraGard Targeted

In December 2022, the FBI’s InfraGard portal (a vetted information-sharing network with more than 80,000 members in private industry and LE) was compromised. A cybercriminal successfully registered a fake account by impersonating a CEO of a major corporation, using personal details such as their Social Security Number (SSN) and date of birth. Once the fraudulent account was approved, the attacker gained access to the system, including internal messaging functions and its API.

The intruder leveraged this access to scrape member data from the portal’s API, ultimately compiling a database of InfraGard users containing names, organizations, and contact information. This dataset was then advertised for sale on a cybercrime forum for $50,000 USD before being subsequently leaked (see Figure 1).

The threat actor behind this intrusion went by the handle “USDoD”, a well-known cybercriminal with a reputation on various underground forums, such as RaidForums and BreachForums. While the breach did not expose FBI internal systems or LE data related to investigations, it highlighted significant weaknesses in identity verification and access controls within one of the FBI’s flagship information-sharing programs.

Europol EPE Targeted

In May 2024, Europol confirmed that its Europol Platform for Experts (EPE), a secure portal used by LE officials, NGOs, and academics to collaborate, had been breached. The attacker, who went by the handle “IntelBroker” on multiple cybercrime forums, accessed the system using stolen credentials, bypassing the need to exploit a technical vulnerability. EPE is designed for knowledge exchange, housing collaborative tools, wikis, and forums rather than live operational data, like InfraGard. Still, unauthorized access raised concerns about the exposure of sensitive discussions and personal information.

Europol stated that “no operational data” was compromised but admitted that non-operational data was accessible to the intruder. The platform connects thousands of vetted experts worldwide, meaning even the exposure of names, affiliations, and login details could have notable security implications.

Google Law Enforcement Request System Targeted

In September 2025, Google disclosed that a fraudulent account had been created inside its Law Enforcement Request System (LERS). This system is used by police and government agencies to submit subpoenas, warrants, and emergency disclosure requests to obtain user data.

A malicious actor successfully registered for access, raising the risk that Google could be tricked into handing over user data based on forged legal requests. Fortunately, Google confirmed that the account was disabled before it was used to submit any fraudulent requests.

This attempt was linked to a cybercrime group on Telegram calling themselves the “Scattered Lapsus$ Hunters,” who are associated with the broader set of English-speaking cybercriminals known as TheCom who have been targeting SaaS platforms.

The incident was significant because LERS is a high-trust system. An attacker with valid credentials could have impersonated law enforcement, issued fabricated data requests, and potentially gained access to sensitive private data belonging to Google users.

While this specific attempt did not result in any known data loss, it highlighted how cybercriminals increasingly target law enforcement and government request systems not only for data theft but also for the reputational damage that comes from undermining public trust in these portals.

CTI Vendors Targeted

On 8 May 2023, a known cybercriminal group attempted and failed at an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Worldview platform containing CTI reports about adversary activities focusing on industrial control systems (ICS). The adversary reportedly gained access by compromising the personal email address of a new sales employee prior to their start date and subsequently used their personal information to impersonate the Dragos employee and complete initial steps in the onboarding process.

On 21 April 2022, a threat actor on BreachForums claimed to have gained access to Mandiant Advantage, another CTI platform. The adversary managed to access reports, including analysis of activities on BreachForums written by Mandiant analysts. The accessed accounts were offered for sale.

On 22 August 2022, the admin of BreachForums, Pompompurin, created a post stating they were looking to buy access to CTI platforms, such as DarkBlue Intel, Flashpoint, GeminiAdvisory, Intel471, and SOCRadar. The threat actor also said they had already used SOCRadar via a trial license, further highlighting the need for KYC checks.

US Courts System Targeted

In September 2025, it was revealed via an unsealed indictment that SCATTERED SPIDER targeted the help desk of the US Courts system, performed a password reset, and looked up keywords like “scattered spider” and “subpoena” and the contents of a judge’s account.

Using this knowledge, the adversary could identify whether law enforcement had uncovered their identities. With this information, they could act accordingly to destroy digital evidence, delete accounts, and go into hiding to evade arrest.

Recommended Best Practices

• Enforce mandatory multi-factor authentication (MFA) upon account creation for CTI platforms and information-sharing systems.
• Leverage phishing-resistant MFA to mitigate identity-based attacks such as SMS phishing, SIM swapping, and other social engineering methods used by members of TheCom.
• Enforce endpoint protection and regular checks for infostealer malware
• Run security awareness training focused on infostealer malware delivery vectors, credential phishing, and social engineering.
• Implement role-based access control (RBAC) for platform accounts and restrict access to parts relevant to job roles.
• Maintain a robust know-your-customer (KYC) program for CTI platform customers along with anti-fraud detection tools to detect anomalies.
• Run an insider threat program to support identification of malicious abuse of CTI platform data.
• Ensure CTI platforms have activity logging capabilities to identify anomalous behavior, such as logins in from anonymization networks like Tor, proxies, and VPNs.

Additional Resources

• Defending Against SCATTERED SPIDER and TheCom with Cybercrime Intelligence
• Hunting SaaS Threats: Insights from the FOR589 Course on Cybercriminal Campaigns

How SANS FOR589: Cybercrime Investigations Can Help

Cybercrime counterintelligence operations pose a significant threat to investigations and the reputation and trust of organizations. Combating these adversaries requires comprehensive monitoring of the cybercrime underground.

Leveraging cybercrime intelligence to augment threat-informed defense programs can increase the chances of your organization withstanding the next intrusion attempt.

Sign up for a FOR589 demo on or register for FOR589: Cybercrime Investigations to develop actionable intelligence skills and defend against the most notorious cybercriminals.