Two men have been charged for their alleged involvement in last year’s hack of the Drug Enforcement Administration (DEA) web portal, as previously reported by Gizmodo. In a press release published earlier this week, the Justice Department says Sagar Steven Singh and Nicholas Ceraolo stole a police officer’s credentials to access a federal law enforcement database that they used to extort money from victims.
Prosecutors allege that Singh, 19, and Ceraolo, 25, are members of a hacking group called Vile, which often steals victims’ personal information and then threatens to scam them online if it does not receive a payment. While the Justice Department does not explicitly say which agency Singh and Ceraolo allegedly hacked into, it does state that the portal contains “detailed, non-public records of narcotics and money seizures, as well as law enforcement intelligence reports.” This tracks with a report from Krebs on Security indicating that the hack is related to the DEA.
According to the complaint, Singh used the information from the federal website to threaten his victims and, in one case, wrote to a person that he would harm their family unless they gave him their Instagram account credentials. He then attached to his threat the victim’s Social Security number, driver’s license number, home address and other personal information he collected from government databases.
Bogus requests for emergency data are becoming more common.
“Through [the] portal, I can request information on anyone in the US no matter who, no one is safe,” Singh allegedly wrote to the victim. “You will comply with me if you do not want anything negative to happen to your parents.”
Meanwhile, Ceraolo used the portal to obtain the email credentials belonging to a Bangladeshi police officer. Ceraolo allegedly impersonated the officer during his correspondence with an unnamed social media platform and convinced the site to provide a specific user’s home address, email address, and phone number under the guise that the victim had participated in “child extortion” and blackmail and had threatened the government of Bangladesh. Ceraolo allegedly tried to scam a popular gaming platform and a facial recognition company in the same way, but both refused the requests.
The Ceraolo scam is becoming more common. Last year, a Bloomberg report revealed that Apple, Meta, and Discord fell victim to similar tactics involving hackers posing as police officers making emergency data requests. While law enforcement sometimes requests data about a particular user from social networking sites if that user is involved in a crime, this requires a subpoena or search warrant signed by a judge. Emergency data requests, however, don’t need this kind of approval, which is something hackers are taking advantage of.
As Krebs on Security has pointed out, Ceraolo has actually been described as a security researcher in numerous reports crediting him with discovering security vulnerabilities related to T-Mobile, AT&T, and Cox Communications. Police raided Ceraolo’s home in May 2022 before searching Singh’s residence in September.
While Singh was arrested in Pawtucket, Rhode Island on Tuesday, Ceraolo surrendered shortly after the DOJ announced the charges. According to the DOJ, Ceraolo faces up to 20 years behind bars for conspiracy to commit wire fraud, and both Ceraolo and Singh could face up to five years in prison for conspiracy to commit computer intrusions.