
Google Confirms Fraudulent Account Creation in Law Enforcement Portal — CyberDudeBivash Alert
By CyberDudeBivash — Threat Intelligence & Incident Response

cyberdudebivash.com | cyberbivash.blogspot.com | cryptobivash.code.blog


Executive Summary

Google has confirmed that a fraudulent account was created in its “Law Enforcement Request System (LERS)” portal — a system used by verified law enforcement agencies worldwide to request user data under legal process. The account has since been disabled. Crucially, Google has stated that no requests were made with the fraudulent account and no data was accessed. (Source: BleepingComputer)

The actor behind the claim is a group calling itself Scattered Lapsus$ Hunters, which claims to consist of members of known threat groups (Scattered Spider, ShinyHunters, Lapsus$). (Sources: BleepingComputer, TechRadar)

Despite Google’s assurances, this incident raises serious concerns about account verification processes, identity assurance, and potential risk even without observed data exfiltration.


What is LERS & Why It Matters

  • LERS is Google’s Law Enforcement Request System: a restricted portal where government agencies submit subpoenas, court orders, emergency disclosure requests and similar legal process to request user data (emails, account information, metadata). (Source: TechRadar)

  • Access is supposed to be strictly limited to verified law enforcement entities; individual users must be pre-approved. Merely holding an agency email address is not meant to be sufficient. (Source: TechRadar)

  • Any fraudulent access to LERS could enable impersonation of law enforcement, legal abuse, or submission of false requests.


Technical & Security Issues Exposed

Component: Identity verification / onboarding
What seems vulnerable: A threat actor managed to create a fraudulent account, which suggests gaps in verifying organizational legitimacy or credentials.

Component: Approval workflow
What seems vulnerable: The verification / approval process may not have sufficient checks (e.g. cross-agency validation, documentation validation, manual human review).

Component: Monitoring & alerts
What seems vulnerable: Detection did not occur until after the account had been created, meaning logging and account-creation detection may be weak.

Component: Potential impersonation risk
What seems vulnerable: Even though no data was accessed this time, a fraudulent account could be used to submit false requests or to stage later attacks.

Threat Actor: Scattered Lapsus$ Hunters

  • Self-identified group combining members and traits of Scattered Spider, ShinyHunters and Lapsus$. (Sources: TechRadar, BleepingComputer)

  • Previously involved in data theft from companies such as Salesforce and Salesloft. Known techniques include social engineering, secret scanning with TruffleHog, and harvesting leaked GitHub repositories. (Source: TechRadar)

  • Recently claimed to be “going dark,” but incidents like this suggest the group continues to operate, even if more quietly. (Source: TechRadar)


Impact & Risk Assessment

While Google confirms no data was accessed, the threat vector here is significant:

  • An active fraudulent law-enforcement account could be used to obtain user metadata through seemingly legitimate requests.

  • Even if the account was never used, its creation shows that the platform’s trust model can be abused.

  • Regulatory & legal implications: a misused legal request system can lead to violations of user privacy laws (GDPR, CCPA).

  • Trust erosion: Users, governments, and oversight bodies may lose faith in how such portals are secured.


Indicators of Compromise (Potential / To Monitor)

Although no active compromise has been confirmed, defenders should hunt and monitor for:

  • Unusual successful account creations on LERS or similar law-enforcement portals.

  • Approval emails generated to suspicious domains or unverified agencies.

  • Failed login attempts, or complaints from known agencies about accounts created in their name.

  • Use of new accounts in law enforcement or legal request documentation that were not pre-registered.


Detection & Mitigation Recommendations

For Enterprises, Governments, and Google itself — here’s what must happen to reduce the risk of such fraudulent account creation becoming a real breach.

Identity & Onboarding Controls

  • Use multi-factor identity verification for institutions (use of official credentials, international law enforcement registries, cross-agency references).

  • Require documented proof (sealed letters, agency badges, formal government records) during registration.

  • Use third-party verification (e.g. via existing national law enforcement identity authorities).

Access & Authentication Security

  • Enforce strong MFA (hardware token / PKI-based) for Law Enforcement portal accounts.

  • Use strict role-based access controls: least privilege.

  • Maintain audit trails for account creation and approvals.

Monitoring & Alerting

  • Real-time alerts for any new law enforcement account creation.

  • Monitor for account creation to unusual domains, IP reputations, or suspicious geographies.

  • Monitor for later activity from newly created accounts, even when the provider reports them as inactive, as Google did here.
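The hunts in the Indicators of Compromise section and the monitoring items above can be expressed as a small triage script. The following is an added example (not Google’s tooling and not code from the original post) that runs over constructed, hypothetical audit events: it flags account creations from domains outside an assumed agency allowlist, creations approved automatically rather than by a human, and requests submitted by accounts that are very new, unknown to the creation log, or acting from a different country than the one seen at onboarding. Event field names, the allowlist and the 30-day window are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events (not real LERS logs), one JSON object per line.
SAMPLE_LOG = """
{"ts": "2025-09-10T08:00:00Z", "event": "account_created", "user": "j.doe@police.example.gov", "approver": "analyst1", "country": "US"}
{"ts": "2025-09-10T09:15:00Z", "event": "account_created", "user": "ops@lawenforcement-example.net", "approver": "auto", "country": "NL"}
{"ts": "2025-09-11T10:00:00Z", "event": "request_submitted", "user": "ops@lawenforcement-example.net", "country": "BR"}
{"ts": "2025-09-12T11:30:00Z", "event": "request_submitted", "user": "unknown@agency.example.org", "country": "US"}
{"ts": "2025-10-20T11:30:00Z", "event": "request_submitted", "user": "j.doe@police.example.gov", "country": "US"}
"""

# Hypothetical allowlist of agency domains that completed pre-registration.
REGISTERED_AGENCY_DOMAINS = {"police.example.gov"}
# Requests from an account younger than this window deserve a second look.
NEW_ACCOUNT_WINDOW = timedelta(days=30)


def parse_events(text):
    """Parse newline-delimited JSON events and convert timestamps to datetimes."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda ev: ev["ts"])


def hunt(events):
    """Return (user, finding) pairs for the hunts described in the post."""
    findings = []
    created = {}  # user -> (creation time, country seen at onboarding)
    for ev in events:
        user = ev["user"]
        domain = user.rsplit("@", 1)[-1].lower()
        if ev["event"] == "account_created":
            created[user] = (ev["ts"], ev["country"])
            if domain not in REGISTERED_AGENCY_DOMAINS:
                findings.append((user, "created_from_unregistered_domain"))
            if ev.get("approver") == "auto":
                findings.append((user, "created_without_manual_review"))
        elif ev["event"] == "request_submitted":
            if user not in created:
                findings.append((user, "request_from_account_not_in_creation_log"))
                continue
            born, country = created[user]
            if ev["ts"] - born <= NEW_ACCOUNT_WINDOW:
                findings.append((user, "request_from_newly_created_account"))
            if ev["country"] != country:
                findings.append((user, "request_country_differs_from_onboarding"))
    return findings
```

Running hunt(parse_events(SAMPLE_LOG)) flags the auto-approved account on the unregistered domain four times and the account missing from the creation log once, while the human-approved agency account produces no findings.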

Process & Policy Improvements

  • Periodic audit of all law enforcement portal accounts; remove dormant or unexplained ones.

  • Review and strengthen identity verification policies.

  • For sensitive portals, consider manual human review over purely automated verification.


Strategic Recommendations from CyberDudeBivash

  • Google (and similar providers) should perform threat actor profile monitoring: see whether known groups are trying to impersonate law enforcement.

  • Implement proof-of-identity logs (e.g. retain the official government documents submitted, the IP addresses used, and prior engagements with the agency).

  • Legal and policy oversight: transparency reporting when such fraudulent account creations are attempted.

  • Incident response planning: assume such events may lead to data requests impersonation — prepare legal, PR, and data protection protocols.



#CyberDudeBivash #GoogleSecurity #LawEnforcementRequests #FraudulentAccount #ThreatIntel #PortalSecurity #CyberDefense #ScatteredLapsus #AccountVerification #PrivacyProtection


Conclusion

This Google LERS incident is a wake-up call. Even though no data was accessed, the creation of a fraudulent account in a sensitive portal shows trust systems can be bypassed. As law enforcement portals are critical gateways to private user data, companies must upgrade identity controls, monitoring, and incident readiness.

CyberDudeBivash remains watchful. We recommend users, devs, security teams, and policy makers all treat this as a lesson in how even small gaps in verification can lead to larger risks down the road.
