Cybercriminals have been sexually extorting children and women using data stolen from large tech companies, according to a new report.
Apple, Twitter, Google’s parent company Alphabet, Discord, Meta, and Snap Inc. have all recently handed over sensitive user information to criminals, which has frequently been used to hack into victims’ accounts or to initiate sextortion schemes against them, Bloomberg reports, citing federal law enforcement and industry investigators. The data—which includes names, email addresses, and IP and physical addresses—has been stolen using fake legal requests filed by the hackers.
The incidents appear to be part of a bizarre new cybercrime trend that involves criminals using hacked police email systems to acquire data via fake subpoenas. How would hackers get their hands on a government agency’s email account in the first place? You can purchase such access on the dark web. Because police commonly request subscriber information during law enforcement investigations, many of these fraudulent requests have appeared legitimate to the companies involved.
According to sources that spoke to Bloomberg, the hackers would sometimes use the basic subscriber information to hack into victims’ accounts. In other cases, the hacker would use the information to befriend the victim and encourage them to share sexually explicit material. If the victim refused, the hackers would frequently threaten them with various forms of online harassment, including swatting and doxxing. The requests for sexual images would escalate into outright blackmail. Most disturbingly, in several cases, victims have allegedly been pressured to carve a cybercriminal’s name into their skin and share pictures of the wound. Many of the perpetrators of these schemes are believed to be teenagers, some of whom are based in the U.S., according to Bloomberg. It’s not totally clear how many times this happened, when it happened, or what companies’ data was used in the sextortion schemes.
There’s not otherwise a whole lot of information available about this horribleness, although I think I speak for everybody when I say yuck. It’s creepy enough to imagine hackers posing as cops to steal personal information. What they’re apparently doing with the information is ten times worse.
We reached out to the companies listed above for comment.
Meta spokesperson Andy Stone told Gizmodo that the company reviews “every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse.”
A Discord representative, meanwhile, told us that they “validate all emergency data requests by checking that they come from a genuine source and have systems in place to prevent abuse, including flagging domains known to be compromised from making requests.”
A Google spokesperson told Bloomberg:
“In 2021, we uncovered a fraudulent data request coming from malicious actors posing as legitimate government officials. We quickly identified an individual who appeared to be responsible and notified law enforcement. We are actively working with law enforcement and others in the industry to detect and prevent illegitimate data requests.”
A Snap spokesperson pointed us to the statement given to Bloomberg, which says that the company carefully reviews every data request “to ensure its validity.” Twitter and Apple did not respond to Bloomberg or Gizmodo’s requests for comment.