Two hackers charged in last year’s DEA portal breach

The two men have been indicted for their alleged role in hacking the Drug Enforcement Agency’s web portal last year, as previously reported. Gizmodo. In a press release posted earlier this week, the Justice Department said Sagar Steven Singh and Nicholas Ciraolo stole a police officer’s identification card to access a federal law enforcement database they used to blackmail victims.

Prosecutors claim 19-year-old Singh and 25-year-old Ceraolo Members of a hacking group called Vile, who often steal victims’ personal information and then threaten to dox them online if they don’t get paid. While the DOJ did not specifically say which agency Singh and Serraolo are accused of hacking, it said the portal contained “detailed, non-public records of narcotics and currency seizures, as well as reports from law enforcement intelligence.” Follow up with a report from this Krebs in security that indicates The hack is related to the DEA.

According to the complaint, Singh used information from the federal portal to threaten his victims and in one instance wrote to a person that he would harm their family unless they gave him credentials on their Instagram account. He then added Social Security numbers, driver’s license numbers, home addresses and other personal information gleaned from government databases to his threats.

False requests for emergency information are becoming more and more common.

“By the way [the] portal, I can request information about anyone in the United States, no matter who, no one is safe,” Singh wrote to Shikar. “If you don’t want anything negative to happen to your parents, you’ll obey me.”

Meanwhile, Ceraolo used the portal to obtain the email credentials of a Bangladeshi police officer. Ceraolo posed as an officer during his correspondence with an unnamed social media platform and convinced the site to provide a certain user’s home address, email address and phone number under the guise that the victim was participating in “child extortion”, blackmailed and threatened the Bangladesh government. gave Ceraolo similarly tried to scam a popular gaming platform and a facial recognition company, but both rejected the request.

Ceraolo scams are becoming more and more common. Last year’s report Bloomberg revealed that Apple, Meta and Discord have fallen victim to similar tactics where hackers pose as police officers looking for emergency information. Although law enforcement sometimes asks social media sites for information about a particular user if they are involved in a crime, this requires a subpoena or search warrant signed by a judge. However, urgent data requests do not require such authorization, which hackers take advantage of.

As indicated by Krebs in securityIn fact, numerous reports have described Ceraolo as a security researcher for the disclosure of security vulnerabilities related to T-Mobile, AT&T, and Cox Communications. Law enforcement officials raided Ciraolo’s home in May 2022 before searching Singh’s residence in September.

When Singh was arrested Tuesday in Pawtucket, Rhode Island, Ceraolo turned himself in shortly after the DOJ announced his indictment. According to the DOJ, Ceraolo faces up to 20 years in prison for conspiracy to commit wire fraud, and both Ceraolo and Singh could face up to five years in prison for conspiracy to commit computer break-in.