Two hackers charged with last year’s DEA portal breach

Two men were charged for their alleged roles hack last year of the web portal of the Drug Enforcement Agency, no reported earlier by Gizmodo. In a press release posted earlier this week, the Justice Department said Sagar Steven Singh and Nicholas Ceraolo stole a police officer’s credentials to access a federal law enforcement database they used to extort victims.

Prosecutors claim 19-year-old Singh and 25-year-old Ceraolo are members of a hacking group called Vile, which often steals personal information from victims and then threatens to dox them online if they don’t receive payment. While the DOJ did not explicitly say which agency Singh and Ceraolo allegedly hacked, it said the portal contained “detailed, non-public records of narcotics and currency seizures, as well as law enforcement intelligence report.” It tracks the a report from Krebs on Security which indicates the hack is related to the DEA.

According to the complaint, Singh used information from the federal portal to intimidate his victims, and in one instance, wrote to someone that he would hurt their family unless they gave him the credentials to their Instagram accounts. . He then attached the victim’s social security number, driver’s license number, home address, and other personal information he collected from a government database to his threat.

“Through [the] portal, I can request information on anyone in the US doesn’t matter who, nobody is safe,” Singh allegedly wrote to the victim. “You will follow me if you don’t want anything bad to happen to your parents.”

Meanwhile, Ceraolo used the portal to obtain email credentials belonging to a Bangladeshi police officer. Ceraolo allegedly posed as an official in his correspondence on an unnamed social media platform, and convinced the site to provide the home address, email address, and phone number of a particular user under the guise that the victim had “participated on ‘child extortion,’ blackmail, and threatened the Bangladeshi government.” Ceraolo allegedly attempted to scam a popular gaming platform and facial recognition company in the same way, but both refused the requests.

Ceraolo’s scam is becoming common. Last year, a report from Bloomberg already shown Apple, Meta, and Discord have fallen victim to the same schemes involving hackers posing as police looking for emergency data requests. While law enforcement sometimes asks social media sites for data about a particular user if they are involved in a crime, this requires a subpoena or search warrant signed by a judge. however, emergency data requests this type of approval is not required, which is something hackers take advantage of.

As pointed out by Krebs on SecurityCeraolo has actually been described as a security researcher in many reports crediting him with discovering security vulnerabilities related to T-Mobile, AT&Tand Cox Communications. Law enforcement raided Ceraolo’s home in May 2022 before searching Singh’s residence in September.

While Singh was arrested in Pawtucket, Rhode Island on Tuesday, Ceraolo entered himself shortly after the DOJ announced its charges. According to the DOJ, Ceraolo faces up to 20 years behind bars for conspiracy to commit wire fraud, and both Ceraolo and Singh could face up to five years in prison for conspiracy to commit computer intrusions.