Hackers sent fake security alerts from an FBI address to smear a critic

Tens of thousands of people received scam emails from a compromised FBI address last week.

Cropped photo of FBI agent using laptop in office

A hacker exploited an FBI login portal last week, sent messages via an official FBI email to warn tens of thousands of people about a nonexistent cybersecurity threat, and then attributed said threat to a cybersecurity critic they hate... all for shits and giggles, apparently.

“The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails,” reads an updated statement from the agency yesterday, which describes LEEP as an IT infrastructure used to coordinate communications between state and local authorities. Although the hacked email — — originated from an FBI server, the server in question was only used for pushing LEEP notifications and no one “was able to access or compromise any data or [personally identifiable information] on the FBI’s network.”

The hacker claiming responsibility, “Pompompurin,” explicitly names cybersecurity researcher, Vinny Troia, in the emails as the person engineering the (fake) cyberattack, and falsely attributes Troia as a member of the hacking group, The Dark Overlord. That’s certainly one way to burn someone, we suppose.

“FBI Customer Service, how may I be of snitch assistance?”Shutterstock

Could have been much worse — As Pompompurin explained to Krebs on Security shortly after the hack, they could have made life a lot worse for everyone involved (not to mention themselves, were they to be caught). “I could’ve 1000% used this to send more legit looking emails, trick companies into handing over data etc.,” wrote Pompompurin. “And this would’ve never been found by anyone who would responsibly disclose, due to the notice the feds have on their website.”

“Needless to say, this is a horrible thing to be seeing on any website,” they continued. “I’ve seen it a few times before, but never on a government website, let alone one managed by the FBI.”

Claims of whitehat motives — Pompompurin alleges their embarrassing hack was carried out to expose the glaring security issues on a major government agency’s site, although seeing as how their Twitter bio states “I AM NOT A WHITEHAT, don't follow me if you expect those types of tweets,” we’re going to assume there was a bit more of a trollish motive behind the decision.

As Ionut Illascu of BleepingComputer explains, members of a prominent private data leaking forum “have a long standing feud with Troia, and commonly deface websites and perform minor hacks where they blame it on the security researcher,” later adding that Troia himself claims Pompompurin is “associated in the past with incidents aimed at damaging the security researcher’s reputation.” Regardless of intent, one thing is for certain: The FBI needs some serious help with its in-house cybersecurity.