NEWS $1,500 and you're a cop: Hackers are selling access to US cops' emails. Apple and Meta will give up any victim data.

pinkman

Criminals will be able to request personal information on behalf of law enforcement officials.
A particularly unsavory item has appeared on underground forums: access to verified email accounts of US police departments and to the Kodex Global portal, through which law enforcement agencies send subpoenas, warrants, and emergency data requests. According to Dataminr, the same seller initially listed a standalone Kodex Global account for $2,000, then nine days later expanded the offer to include official US police email accounts for $1,000 each. For an additional fee, the buyer was promised a fake law enforcement ID and instructions on how to use this access for longer periods without attracting unnecessary attention.

The danger here isn't the actual sale of credentials, but rather the fact that such access allows one to impersonate a real police officer when requesting data from major online platforms. Kodex Global is used as an intermediary for legally significant requests, including Emergency Data Requests (EDRs), which are submitted when waiting for a court decision is supposedly impossible due to a life-threatening or other urgent situation. Under normal circumstances, a court document, such as a subpoena or warrant, is required to obtain information. An EDR uses a shorter process and therefore opens up a convenient window for abuse.

If an attacker gains access to a legitimate police email account and a work account at Kodex Global, the fake request becomes much more convincing. The platform, online service, or telecom operator sees not an anonymous email, but a request that appears to be coming through a familiar channel and formatted in the same way law enforcement processes similar requests. Consequently, the risk of fraud, phishing, extortion of personal data, and the illegal acquisition of information about specific individuals increases dramatically.

Kodex Global plays a key role in this situation. The portal processes subpoenas, warrants, and emergency requests, meaning the system is connected to a large array of sensitive information about those affected by legal proceedings. This could include personal data, technical attributes, transaction information, and other data that companies provide as part of official requests. The fall of such a tool into the hands of criminals is dangerous not only because of the potential for isolated incidents, but also because it provides a ready-made infrastructure for legitimate-looking abuse.

Dataminr recorded the first public posting of a separate Kodex Global law enforcement account for sale on February 17, 2026, at 6:27 PM. Nine days later, on February 26 at 12:44 AM, researchers discovered a new listing from the same seller. This second listing included a more extensive set of items: email credentials for US police departments, fake IDs, and access to Kodex Global. This upgrade is particularly telling. The seller wasn't offering just one compromised service, but a nearly complete set of tools for faking an official request on behalf of law enforcement.

The seller used the nickname "lucy." He had a high GOD status on the forum and an additional tag, "Twisted Spider," which, as was specifically emphasized, is not associated with the well-known group of the same name. According to the deal description, the buyer received a complete login kit: an email address and a valid password, with the transfer to occur immediately after payment confirmation. A fake law enforcement ID was sold for an additional $500. The kit also included a setup guide and recommendations to help maintain access and reduce the risk of detection by the platforms to which requests would be sent.

The range of payment methods also appears typical of a criminal market: the seller accepted BTC, LTC, ETH, SOL, USDT, and Monero, with Monero being the preferred option. This detail typically suggests a desire to further obscure the financial trail of the transaction. The seller's motivation, judging by the description, was straightforward: to profit from the resale of high-value access. But the consequences extend far beyond the simple trading of credentials. When the ability to impersonate a police officer is sold on the black market, other crimes emerge further down the chain: illegal data dumping, harassment of specific individuals, doxxing, pressure on victims, and social engineering attacks.

Similar abuses have occurred before. In 2021, Apple and Meta responded to fake emergency requests and transmitted basic subscriber information, including addresses, phone numbers, email addresses, and IP addresses. In 2024, the FBI issued a separate advisory to the private sector, reporting a rise in such schemes. The current episode shows that the problem hasn't gone away, with criminal vendors now selling not only fake documents but also full access to the channels through which such requests are typically processed.

The Kodex Global story particularly highlights the weakness of the entire procedure. When a company receives an urgent request purportedly from the police, compliance officers may rely on a familiar domain, an official-looking document, and a familiar communication channel. If the attacker uses a genuine agency email address or a work account on a specialized portal, standard visual indicators of forgery may no longer be sufficient. In such a situation, relying solely on the formal attributes of the letter or request is dangerous.
 