Two hackers charged with last year’s DEA portal breach

Two men have been charged for their alleged roles in last year’s hack of the web portal of the Drug Enforcement Agency, as previously reported by Gizmodo. In a press release published earlier this week, the Justice Department said Sagar Steven Singh and Nicholas Ceraolo stole a police officer’s credentials to gain access to a federal law enforcement database they used to extort victims.

Prosecutors claim 19-year-old Singh and 25-year-old Ceraolo are members of a hacker group called Vile, whose members often steal victims’ personal information and then threaten to dox them online if they don’t receive payment. While the Justice Department doesn’t explicitly say which agency Singh and Ceraolo allegedly hacked into, it says the portal contains “detailed, non-public records of narcotics and currency seizures, as well as law enforcement intelligence reports.” This tracks with a report from Krebs on Security which indicates the hack is related to the DEA.

According to the complaint, Singh used information from the federal portal to threaten his victims and, in one case, wrote to a person that he would harm their family unless they gave him their Instagram account credentials. He then attached the victim’s social security number, driver’s license number, home address, and other personal information gleaned from the government database to his threat.

Fake emergency data requests are becoming more and more common.

“Through [the] portal, I can request information about anyone in the US no matter who, no one is safe,” Singh reportedly wrote to the victim. “You will obey me if you don’t want something bad to happen to your parents.”

Meanwhile, Ceraolo used the portal to obtain the email credentials belonging to a Bangladeshi police officer. Ceraolo allegedly pretended to be the officer during his correspondence with an anonymous social media platform and convinced the site to provide a specific user’s home address, email address and phone number under the guise that the victim “participated in ‘extortion of minors’, blackmailed and threatened the Bangladesh government.” Ceraolo also allegedly attempted to defraud a popular gaming platform and a facial recognition company, but both denied the demands.

The scam implemented by Ceraolo is becoming more and more common. Last year, a report from Bloomberg revealed that Apple, Meta, and Discord have all fallen victim to similar ploys that involved hackers posing as policemen submitting emergency data requests. While law enforcement agencies sometimes ask social media sites for data on a particular user if they are involved in a crime, this requires a subpoena or search warrant signed by a judge. However, emergency data requests don’t need this kind of approval, which is something hackers are taking advantage of.

As pointed out by Krebs on Security, Ceraolo has actually been featured as a security researcher in numerous reports which credit him with discovering security vulnerabilities related to T-Mobile, AT&T, and Cox Communications. Law enforcement officers raided Ceraolo’s home in May 2022 before searching Singh’s residence in September.

While Singh was arrested Tuesday in Pawtucket, Rhode Island, Ceraolo turned himself in shortly after the DOJ announced its charges. According to the DOJ, Ceraolo faces up to 20 years behind bars for conspiracy to commit wire fraud, and both Ceraolo and Singh could face five years in prison for conspiracy to commit computer intrusions.

