The U.S. Federal Bureau of Investigation (FBI) on Saturday confirmed unidentified threat actors have breached one of its email servers to blast hoax messages about a fake “sophisticated chain attack.”

The incident, first reported by the threat intelligence non-profit Spamhaus, involved sending rogue warning emails with the subject line “Urgent: Threat actor in systems” from a legitimate FBI email address, “eims@ic.fbi[.]gov,” pinning the attack on Vinny Troia, a security researcher and founder of the dark web intelligence firms Night Lion Security and Shadowbyte, while also claiming he is affiliated with a hacking group called TheDarkOverlord.

Spamhaus cited its own telemetry to note that the emails went out in two “spam” waves, one shortly before 5:00 a.m. UTC and another shortly after 7:00 a.m. UTC.

According to Marcus Hutchins of Kryptos Logic, the purpose appears to be to undermine Troia. “Vinny Troia published a book that revealed details on the hacker group TheDarkOverlord. Someone began removing ElasticSearch clusters shortly after, leaving his name behind. Later, his Twitter account was hacked, followed by his website. This is being sent by a compromised FBI email server,” Hutchins tweeted.

Brian Krebs of KrebsOnSecurity, who also received one of the messages, detailed in a separate report that the “spam messages were sent by abusing insecure code in an FBI online portal designed to share information with state and local law enforcement authorities.”

The breach was carried out by exploiting a flaw in the FBI’s Law Enforcement Enterprise Portal (LEEP), which not only allowed anyone to apply for an account, but also leaked to the applicant’s browser the one-time password that is sent to confirm their registration. Because the confirmation email’s content was likewise taken from the client’s request, the attacker could intercept and tamper with those HTTP requests, replacing the message with a phony one addressed to thousands of email addresses, according to the hacker, who goes by the online handle Pompompurin.
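As an added illustration of the two defects described above (a constructed example, not the portal’s code), the vulnerable registration pattern sits beside a hardened one: in the first, the one-time password is echoed back to the client and the recipient, subject and body of the notification mail are read from client-supplied request fields; in the second, the code stays server-side and the mail is built from a fixed template. OUTBOX and PENDING are assumed stand-ins for the mail server and server-side session state.

```python
import secrets
from hmac import compare_digest

# Constructed stand-ins: OUTBOX for the notification mail server,
# PENDING for server-side registration state keyed by session id.
OUTBOX = []
PENDING = {}


def vulnerable_register(email, fields):
    """Vulnerable pattern: the confirmation OTP is returned to the client,
    and the mail's recipient, subject and body come from request fields."""
    otp = secrets.token_hex(4)
    sid = secrets.token_urlsafe(16)
    PENDING[sid] = {"email": email, "otp": otp}
    OUTBOX.append({
        "to": fields.get("to", email),                      # client-chosen
        "subject": fields.get("subject", "Confirm your registration"),
        "body": fields.get("body", f"Your confirmation code is {otp}."),
    })
    return {"session": sid, "otp": otp}                     # OTP leaked here


def hardened_register(email, fields):
    """Hardened pattern: the OTP reaches the applicant only inside a
    fixed-template mail; request fields cannot steer the message."""
    otp = secrets.token_hex(4)
    sid = secrets.token_urlsafe(16)
    PENDING[sid] = {"email": email, "otp": otp}
    OUTBOX.append({
        "to": email,                                        # fixed recipient
        "subject": "Confirm your registration",
        "body": f"Your confirmation code is {otp}.",
    })
    return {"session": sid}                                 # no OTP in response


def confirm(sid, submitted_otp):
    """Constant-time comparison against server-side state; the session is
    consumed on success so a confirmation code cannot be replayed."""
    state = PENDING.get(sid)
    if state is None or not compare_digest(state["otp"], submitted_otp):
        return False
    del PENDING[sid]
    return True
```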

“The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails,” the agency said in a statement. “While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network.”

“Should I be happy that the youngsters who hacked the FBI email systems opted to do it in my name?” Troia tweeted later, implying that Pompompurin was behind the slander effort. Those in control of the Pompompurin Twitter account earlier in the day said: “I don’t participate in any criminal actions. Please be aware that [Vinny Troia] is also in charge of this account.”