Threat Actor 0056113 Selling Compromised Law-Enforcement Emails and EDR-as-a-Service for Fraudulent Emergency Data Requests
A threat actor operating under the alias 0056113 has posted a marketplace listing offering compromised law-enforcement and government email accounts across multiple countries for the explicit purpose of submitting fraudulent Emergency Data Requests (EDRs) to major technology platforms including Instagram, Facebook, WhatsApp, TikTok, Snapchat, Microsoft, and Apple. The same listing also advertises forged court orders, MLATs, and subpoenas, an EDR-as-a-service offering against named platforms, and domain-suspending services targeting non-major domains.
An active fraud-as-a-service marketplace listing offering tools for the most consequential category of platform abuse currently in circulation. Successful EDR fraud directly enables doxing, stalking, swatting, sextortion of minors, and physical-world harm to platform users. The listing is a live operational threat to every named platform's trust and safety operations.
Incident Summary
Incident Overview
A threat actor going by 0056113 has posted a marketplace listing on a public cybercrime forum offering tools for what is currently one of the most consequential categories of platform abuse: fraudulent Emergency Data Requests (EDRs). EDRs are an exception to the normal subpoena process under which major technology platforms (Meta, Google, Apple, Snap, TikTok, X, Discord, Microsoft) will release subscriber information, IP logs, recent location data, and in some cases message metadata to law enforcement without a court order when there is "imminent danger of death or serious physical injury." Because the bar for verification is necessarily a chain-of-trust check on the requesting officer's email domain, attackers who control a working law-enforcement email account can submit fake emergencies and obtain victim data within hours.
The published listing offers a comprehensive fraud-as-a-service menu organised into three categories:
- Compromised Government and Police Email AccountsThe actor advertises stock of working email accounts at law-enforcement and government agencies across ten countries spanning four regions, including Asian, Latin American, African, and European jurisdictions. Per-account prices range from roughly $20 at the low end to $100 for higher-value or harder-to-obtain accounts. The listing claims each account comes with usable access to the agency's portal and can be used for both routine subpoenas and emergency requests.
- Forged Legal DocumentsCustom-crafted court orders, MLATs (mutual legal assistance treaty requests), and subpoenas for sale at $100. These are intended either to accompany an EDR submission or to support a stand-alone subpoena request through normal channels at platforms that require documentation for non-emergency requests.
- EDR-as-a-Service and Domain SuspendingThe actor offers to execute the EDR end-to-end on behalf of buyers against named platforms (TikTok, Snapchat, X/Twitter, Facebook, and others) starting at $200. A separate $300 offering covers fraudulent domain-suspension requests against non-major domains, intended to take target sites offline.
The categories of data the actor states buyers can obtain include IP logs, device information, email-to-phone linkages, and in some cases message logs. In practice, EDR fraud has been documented in the past several years to enable doxing, stalking, swatting, and the targeting of minors for sextortion, with multiple deaths linked directly to information obtained this way.
Listing Components
Screenshots
