Threat Actor 0056113 Selling Compromised Law-Enforcement Emails and EDR-as-a-Service for Fraudulent Emergency Data Requests
Threat actor 0056113 sells compromised law-enforcement emails and EDR fraud services targeting major tech platforms.
Summary
Threat actor 0056113 is operating a fraud-as-a-service marketplace offering compromised law-enforcement and government email accounts, forged legal documents, and end-to-end Emergency Data Request (EDR) submission services targeting platforms like Meta, Google, Apple, TikTok, and Microsoft. The offering enables attackers to fraudulently obtain subscriber data, IP logs, and location information by exploiting the EDR exception to normal subpoena processes, which relies on email domain verification. Past EDR fraud has been documented to facilitate doxing, stalking, swatting, sextortion of minors, and physical harm to victims.
Full text
Active Threat Report ID: DWI-2026-0429-01 Critical Severity An active fraud-as-a-service marketplace listing offering tools for the most consequential category of platform abuse currently in circulation. Successful EDR fraud directly enables doxing, stalking, swatting, sextortion of minors, and physical-world harm to platform users. The listing is a live operational threat to every named platform's trust and safety operations. 01 Incident Summary Date & Time2026-04-29 16:31 UTC Threat Actor0056113 Listing TypeFraud-as-a-Service Primary OfferingCompromised LE / gov emails Use CaseFraudulent EDRs Secondary OfferingsForged orders, EDR-as-service, domain takedown Targeted PlatformsIG, FB, WA, TikTok, Snap, MSFT, Apple, Twitter Jurisdictions in Stock10 countries across 4 regions Pricing Range$20 to $300 per item Account TenureNew (April 2026) Reputation0 NetworkOpen Web Country Multi-jurisdictional 02 Incident Overview A threat actor going by 0056113 has posted a marketplace listing on a public cybercrime forum offering tools for what is currently one of the most consequential categories of platform abuse: fraudulent Emergency Data Requests (EDRs). EDRs are an exception to the normal subpoena process under which major technology platforms (Meta, Google, Apple, Snap, TikTok, X, Discord, Microsoft) will release subscriber information, IP logs, recent location data, and in some cases message metadata to law enforcement without a court order when there is "imminent danger of death or serious physical injury." Because the bar for verification is necessarily a chain-of-trust check on the requesting officer's email domain, attackers who control a working law-enforcement email account can submit fake emergencies and obtain victim data within hours. The published listing offers a comprehensive fraud-as-a-service menu organised into three categories: Compromised Government and Police Email AccountsThe actor advertises stock of working email accounts at law-enforcement and government agencies across ten countries spanning four regions, including Asian, Latin American, African, and European jurisdictions. Per-account prices range from roughly $20 at the low end to $100 for higher-value or harder-to-obtain accounts. The listing claims each account comes with usable access to the agency's portal and can be used for both routine subpoenas and emergency requests. Forged Legal DocumentsCustom-crafted court orders, MLATs (mutual legal assistance treaty requests), and subpoenas for sale at $100. These are intended either to accompany an EDR submission or to support a stand-alone subpoena request through normal channels at platforms that require documentation for non-emergency requests. EDR-as-a-Service and Domain SuspendingThe actor offers to execute the EDR end-to-end on behalf of buyers against named platforms (TikTok, Snapchat, X/Twitter, Facebook, and others) starting at $200. A separate $300 offering covers fraudulent domain-suspension requests against non-major domains, intended to take target sites offline. The categories of data the actor states buyers can obtain include IP logs, device information, email-to-phone linkages, and in some cases message logs. In practice, EDR fraud has been documented in the past several years to enable doxing, stalking, swatting, and the targeting of minors for sextortion, with multiple deaths linked directly to information obtained this way. 03 Listing Components Compromised LE Email Accounts Government Portal Access Forged Court Orders Forged MLATs Forged Subpoenas EDR Submission Service Domain Suspension Requests Multi-Platform Targeting 04 Screenshots FIG 01 · Forum listing by 0056113 (contact handles redacted in this report) This post is for subscribers on the Plus, Pro and Elite tiers Subscribe Already have an account? Sign In