A hacker claims to have accessed a law enforcement system used by clients including crypto exchanges Coinbase and Binance.
But none of the parties involved—the security firm that reported it, the company that's supposedly been compromised, or the crypto exchanges at risk—seem to agree on whether to take the hacker's threat seriously.
Cybercrime intelligence firm Hudson Rock published the claims on its InfoStealers blog, noting that a threat actor with the handle "Tamagami" claimed to have accessed law enforcement systems including Kodex. That's the system used to handle subpoena requests for companies including Chainlink, Coinbase and Binance.
The hacker offered to sell access to the account for $5,000, along with individual subpoena requests for $300. If any of the hacker's claims are legit, then someone who bought the ill-gotten credentials could use them to impersonate law enforcement and subpoena a whole host of sensitive data related to crypto exchange users.
Hudson Rock CTO Alon Gal told Decrypt that while it's "hard to validate Tamagami's claims," they had also claimed to have accessed Google and Meta's law enforcement systems and provided "what appears to be genuine images from the platforms." He added that the user had around 250 reputation points on the cybercrime forum, "indicating that users vouch for their legitimacy."
Hudson Rock additionally claimed to have identified more than 50 different sets of credentials for Google’s law enforcement system from a variety of Infostealer infections, with Gal noting that hackers purporting to sell access to law enforcement systems is a known threat vector rather than an isolated incident.
"The reported illicit sale of access to the Law Enforcement Request Portal does not represent a breach of Binance's system," a Binance spokesperson told Decrypt. "Instead, it may involve compromised law enforcement accounts."
They added: "With a thorough documentation process in place and constant monitoring for any compromised accounts, we remain committed to safeguarding our user data against any form of unauthorized access."
A spokesperson for Kodex disputed the claims in a statement emailed to Decrypt, noting that, "folks are confusing access to the Kodex platform as access to its functionality," and that the screenshots advertised from hacker forums and Telegram channels "only show incomplete processes—no evidence that a request was actually sent or that any data was actually returned."
The spokesperson added that the firm operates under the assumption that simply having access to a law enforcement email address is insufficient verification, and that the firm monitors account behavior for suspicious activity.
"Multiple flags were tripped in our system to suspend the account before any requests were sent," the spokesperson said in an email, adding that every account associated with a flagged email domain is suspended until reverified by Kodex's team. "Emergency Data Requests (EDRs) go through additional layers of verification and this account was never authorized," they said.
Edited by Stacy Elliott.