Doxers Posing as Cops Are Tricking Big Tech Firms Into Sharing People's Data

Posted28 days agoActive25 days ago

iamnothere

140 points

31 comments

wired.comSecuritystory

heatednegative

Debate

80/100

Online SafetyData-PrivacyLaw Enforcement

Key topics

Online Safety

Data-Privacy

Law Enforcement

Scammers are tricking big tech firms into handing over people's private data by posing as law enforcement and exploiting weaknesses in verification processes. Commenters are weighing in on the ease of spoofing official email addresses, with some pointing out that malicious actors can register similar domains or subdomains, such as jaxsheriff.us instead of jaxsheriff.org. One commenter suggests that simply calling back the listed number for the law enforcement agency would thwart these scams, but others counter that determined scammers could still find ways to deceive, like buying Google ads to appear as the top result. The discussion highlights the cat-and-mouse game between scammers and tech companies, with some arguing that stricter domain registration rules or more robust verification processes are needed to prevent these exploits.

Snapshot generated from the HN discussion

Discussion Activity

Very active discussion

First comment

20m

Peak period

0-6h

Avg / period

5.7

Comment distribution34 data points

Loading chart...

Based on 34 loaded comments

Key moments

01Story posted
Dec 13, 2025 at 12:06 AM EST
28 days ago
Step 01
02First comment
Dec 13, 2025 at 12:27 AM EST
20m after posting
Step 02
03Peak activity
22 comments in 0-6h
Hottest window of the conversation
Step 03
04Latest activity
Dec 15, 2025 at 9:27 AM EST
25 days ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (31 comments)

Showing 34 comments

ro_bit

28 days ago

1 reply

> But officers can also make emergency data requests, or EDRs, in cases involving a threat of imminent harm or death. These requests typically bypass any additional verification steps by the companies who are under pressure to fulfill the request as quickly as possible.

How do companies decide which EDRs to fulfill and which ones require a judicial subpoena? Are companies ever even under the obligation to fulfill an EDR?

tdeck

28 days ago

Maybe they type ASDF or donut:

https://www.texasstandard.org/stories/flock-safety-cameras-h...

> So in a lot of the searches that we reviewed, we had about 500,000 to take a look at. We found the word “investigation” – or variations of the word “investigation” – or “suspect” a lot with really no details about what the investigation pertained to or what the suspect may have done.

> A lot of searches also just listed gibberish, like “ASDF” – that’s the sequence of letters in the center row of your computer keyboard. Or just said that they were there for random checks. We even found a search that just said “donut” or that didn’t say anything at all.

OsrsNeedsf2P

28 days ago

2 replies

> “This was an email address that looked like the real thing,” says Exempt, explaining the mechanics of how he tricked Charter Communications. “The real domain of the Jacksonville Sheriff’s Office in Florida is jaxsheriff.org. We purchased jaxsheriff.us and then spoofed our number as the department’s, so that when we called them to verify receipt of the legal process, when they searched the number, it would come back to the sheriff’s office, giving them no reason to doubt it. We use real badge numbers and officer names as well.”

I'm honestly impressed. It's an interesting situation where the companies can only verify the same information that the hackers have access to

ghssds

28 days ago

2 replies

> The real domain of the Jacksonville Sheriff’s Office in Florida is jaxsheriff.org. We purchased jaxsheriff.us

This would not be an issue if RFC 1480 had been taken seriously.

thih9

28 days ago

2 replies

Too many edge cases, some would still be exploitable. Eg if the real address was:

    Sheriff.CI.Jacksonville.FL.US

Malicious actors could register:

    Sheriff.Jacksonville.FL.US

Unless your solution is to add some verification step as part of .us registrations.

marcianx

27 days ago

1 reply

Can people register a subdomain of fl.us willy-nilly though? Isn't the root domain owned by the state?

valleyer

27 days ago

From the RFC (note the "or businesses"):

   Name Space Within States:
   ------------------------

   "locality" - cities, counties, parishes, and townships.  Subdomains
   under the "locality" would be like CI.<city>.<state>.US,
   CO.<county>.<state>.US, or businesses. For example:
   Petville.Marvista.CA.US.

   "CI" - This branch is used for city government agencies and is a
   subdomain under the "locality" name (like Los Angeles). For example:
   Fire-Dept.CI.Los-Angeles.CA.US.

So you'd be counting on the sub-registrar of jacksonville.fl.us not to allow a registration for the fraudulent "business" of Sheriff, Inc. Multiplied by every municipality across the country.

Etheryte

28 days ago

Many top-level TLDs have requirements you need to fulfill, .edu is a good example. Similarly you need to prove you're a local entity for many country-specific TLDs. At the end of the day though, this attack vector will always be there, no matter how diligent you are about it. Phishing is all about numbers and one in is often all you need.

monerozcash

28 days ago

Wouldn't make any difference, you'd just hack one email at any random sheriff department in the country. Or pay $5 for one, anyway.

mh-

28 days ago

1 reply

"No problem, Deputy Smith. I'll call you back at your listed number now to complete your request."

What am I missing? Not doing this is negligent. Same advice we'd give to phishing targets.

Maxious

27 days ago

Their listed number on jaxsheriff.us? What if they bought Google ads to get the first result for Jacksonville Office?

ngcc_hk

28 days ago

1 reply

Still not heard of people pretending ice, kidnapping then ransom. Strange?

Frenchgeek

28 days ago

Why pretend when they are still hiring?

wmf

28 days ago

1 reply

This same kind of hack was mentioned in Mr. Robot nine years ago and it isn't fixed. https://www.theverge.com/2016/9/7/12835320/mr-robot-hack-rep... (Back then it was fax-based.) I'm not surprised but I am annoyed that we can't fix this.

matheusmoreira

27 days ago

2 replies

Police will complain about "endless pointless red tape" if it's fixed.

wmf

27 days ago

1 reply

Maybe some verification upfront would save a lot of red tape later.

olyjohn

27 days ago

[delayed]

Lord-Jobo

25 days ago

They complain about endless red tape right now, when they barely have to send a properly formatted letter to a company to receive tons of personal data

OSaMaBiNLoGiN

28 days ago

2 replies

It's always the ISP. It has always been the ISP. The old hot thing was very similar. This no longer works and likely hasn't since 2016ish. But it was rampant starting in 2009.

You'd connect to a live chat (or phone call) and tell the customer support rep that it's your first day on the job and the man training you has a thick accent, making it very difficult to understand him. You then ask a hypothetical, e.g "If someone phones in asking for help with regaining access to their account, or setting up security questions, what tool do I open up?". You'd then get more specific with the hypotheticals, gradually. The only thing you cared about were the name of the tool and the steps to pull up an account by IP address. At the time, almost all ISPs had their own software suite. Verizon used something related to Coffee. I think it was just called Coffee tbh. Anyway, the goal is to get them to tell you both the name of the internal tool they use + the rough steps on how to pull up an account. Most of the time, via phone and sheer confidence, you would get the information you needed within two to three attempts. You could also take it a step further if you were bored and try to get screenshots from the rep of the software.

Edit: You'd also ask the rep for their employee identification number, if applicable. You'd then use that if you need to hard-sell it in the next call. It really didn't matter if the ID was valid, so long as it was the correct length/format. Yes, they would really just tell you. I do not know why.

After you had that information, you'd phone back, making sure you got separate rep. Depending on size of ISP, you may have had to call back after a shift change.

You inform them your regional servers are down and you're unable to connect. You could flush this out more if you had additional information on the ISPs tech. You then would go on to say "I have a customer on the line who's rightfully upset after their account was apparently accessed without authorization. The customer is saying they changed the PII on the account and they're unable to recover it." This gives you a shitty, but somewhat valid-ish excuse to pull the account up by IP. You'd then use the information attained from the first step to sell that you are indeed an employee. Name of the tool, input labels (roughly), steps needed, button names, etc. If the rep is remotely technical, hang up, try again. You'd then confirm the information on the account with the rep. It helped if you had some information about the person already, e.g first name or rough location.

Comcast was the worst offender. Charter second. Verizon was a bit more tough, but not by much. People started doing this as a first-step in targeted identity fraud, which got a lot more attention on it. Along with all the typical information (street address, postal code, state) you'd also almost always be able to get the last four of the social on the account + last 4 of any card on auto-pay.

If you're worried about this sort of thing, the best advice I can give you is to check with your ISP and see if they allow a verbal password that can be tied to your account. Anyone calling in for support or connecting to live chat would need to provide it before the account's accessed.

I'm not sure how relevant swatting is nowadays, but if you're at all in a position where you have concerns over it happening, it would be wise to phone your local police department and let them know there's a possibility this might happen. From what I remember, most of the time they ask for your cell number. In the event that this does happen, they will still send the full swat team to your residence. But they will phone your cell and ask you to come out prior to kicking down the door.

Source: was bored in when I was 15/16 and doxxed pedophiles.

monerozcash

28 days ago

1 reply

The Verizon software is CoFEE, AT&T had Clarify and SystemX, Cox had Polaris, Charter had Sigma, Comcast had Grandslam, TWC/RR had Real and Unify

Netflix had Obiwan, Amazon had CRC.

Sometime a bit over a decade ago I used to have teamviewer on all of these :)

OSaMaBiNLoGiN

27 days ago

Haha, I remember taking what I learned from doing this and trying to apply it to everything I could think of.

In my head, I miss those days. But I don't miss lacking a moral compass. I think I miss the feeling of fewer online barriers existing.

coldfoundry

28 days ago

This brings me back, I had this happen to me on comcast back in ~2014 - reset the master key on the account and attacker gained access into all my parents emails as well since they were also via comcast. I’ll never forget waking up to that one! Always wondered what SE happened behind the scenes to make it happen - thanks for sharing.

sjducb

28 days ago

2 replies

I think we need a law that government agencies must support out of band identity proofing.

The root of the problem is that government agencies can request personal details and if the tech company fails to comply then the tech company is sanctioned. However the government agency forces the tech company to provide details in an insecure way often over email. If the tech company tries to demand reasonable security then the law enforcement agency views this as non-compliance and starts the sanctions.

monerozcash

27 days ago

Somewhat pointless given that for most of these companies this would have to be an international effort.

burnt-resistor

28 days ago

That would first require a reduction in institutional law enforcement hypocrisy that is culturally-incompatible with "rules for thee, but not for me."

tehwebguy

27 days ago

Cops posing as subpoenas are tricking the 4th amendment into barely existing

Stancyhd8

26 days ago

I got access to my husband’s mobile phone through the help of Mr Henry . He helped me in Hacking my husband’s iPhone and I got all his text messages, call details, WhatsApp details, and Facebook messenger. I’m so sad he is cheating on me. I’m sending all evidence to my lawyer. Contact him via his email – Henryclarkethicalhacker @ gmail.com

domoregood

28 days ago

For everyone else who's getting "You’ve read your last free article" like me:

https://archive.is/RltXf

orwin

28 days ago

Why this kind of thing doesn't require a judge to confirm the demand? And the judgement published publicly? (Or at least, on a government website that have specific access for TelCo/bigCo to read them)?

general1465

28 days ago

If we would have a way how to tell that request for data is coming from investigation and this request should be signed by a judge. Like a search warrant against an affidavit and tell cops to get lost until they will produce it?

journal

28 days ago

One day all your clouds will be made public.

alexpotato

27 days ago

I used to watch videos from social engineers like Jayson Street [0] and think "Is it really that easy to break into serious firms with social engineering?" and then the below happened:

- COVID lock down and I can't access my internal PC from home

- Call help desk line and say "hi, it's <ME> and I can't login. Btw, there is another person at the firm named <ME> (which was true) but that's not me HA HA."

- Help Desk removes 2FA

- Still doesn't work so I call back and reference the first call.

- Help Desk removes IP restriction

- This keeps happening (can't login, Help Desk removes something) until basically I can login with no password or 2FA (which did temporarily)

AT NOT POINT did someone ask me for a document/challenge/manager name to verify who I was.

Just being myself, knowing a couple pieces of info that were easily searchable on LinkedIn and I was in.

Scary stuff and a reminder that ALL of these systems are a lot easier to break into than many of us realize.

0 - https://jaysonestreet.com/media.php

zkxjzmswkwl1

28 days ago

It's always the ISP. It has always been the ISP.

The old hot thing was very similar. This no longer works and likely hasn't since 2016ish. But it was rampant starting in 2009.

You'd connect to a live chat (or phone call) and tell the customer support rep that it's your first day on the job and the man training you has a thick accent, making it very difficult to understand him. You then ask a hypothetical, e.g "If someone phones in asking for help with regaining access to their account, or setting up security questions, what tool do I open up?". At the time, almost all ISPs had their own software suite. Verizon used something related to Coffee. I think it was just called Coffee, tbh. Anyway, the goal is to get the mto tell you both the name of the internal tool they use + the rough steps on how to pull up an account. Most of the time, via phone and sheer confidence, you would get the information you needed within two to three attempts. You could also take it a step further if you were bored and try to get screenshots from the rep of the software.

After you had that information, you'd phone back, making sure you got separate rep. Depending on size of ISP, you may have had to call back after a shift change.

Source: was bored in when I was 15/16 and doxxed pedophiles.

tcherasaro

28 days ago

Art of deception in full effect here. Kevin Mitnick would be proud.

View full discussion on Hacker News

ID: 46252171Type: storyLast synced: 12/16/2025, 4:55:18 AM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN