Guide · Fraudulent EDRs
A fraudulent emergency data request is a fake EDR: a criminal uses a compromised or spoofed law enforcement email account to demand user data from a company, exploiting the emergency exception that lets companies disclose without a warrant. Apple, Meta, Discord, and Verizon have all complied with fake EDRs. The data went to criminals who used it to stalk, extort, and defraud the very users it described.
Start with the legitimate version, because the fraud only makes sense against it.
Under US law, nearly every disclosure of user data to law enforcement requires legal process: a subpoena, a court order, or a warrant, each signed and each reviewable. The full ladder. The exception is 18 U.S.C. § 2702(b)(8): when a provider believes in good faith that someone faces danger of death or serious physical injury, it may disclose voluntarily, immediately, with no legal process at all. A kidnapping in progress can't wait ten days for a court order.
Real EDRs are common and mostly legitimate. Verizon received more than 36,000 of them in a single half-year and complied with around 90%; across the industry, emergency requests run somewhere between 5% and 30% of total law enforcement request volume. The emergency exception exists because it saves lives. That's exactly what makes it worth stealing.
The attack has three steps, and none of them is technically sophisticated.
This is how members of the Recursion Team and Lapsus$, several of them teenagers, pulled user data out of Apple, Meta, and Discord in 2021 using forged emergency requests sent from hacked agency accounts. Bloomberg and Krebs on Security documented the wave in 2022, and it hasn't stopped since.
Because everything about the emergency channel is optimized for speed, and every speed optimization is a verification gap.
A fraudulent EDR only has to work once. Verification has to work every time.
Common enough to have a price list. The trajectory since 2021:
The direction is one way: cheaper, faster, more packaged. The emergency exception isn't going away, and neither is the incentive to abuse it.
The data goes to someone whose next step is the reason they wanted it.
Bloomberg's reporting traced data from forged EDRs to campaigns sextorting women and minors: the attacker uses the real name and address to make the threat credible. The Verizon case put an armed stalker at a victim's door. Fraudsters use EDR data to defeat identity checks at banks and exchanges. Doxing and swatting crews use it to attach a home address to an online handle.
For the company, the harm compounds. It disclosed a user's data to a criminal, in a channel with no court order to point to, under an exception that exists on good faith. The legal exposure is unsettled and being tested in litigation; the trust damage isn't unsettled at all.
Not by reading the email more carefully. Checking the sending domain, the letterhead, and the badge number verifies the costume, and the costume is the thing being faked.
Verification that holds up answers three questions independently: is the agency real, confirmed against a registry of agencies rather than what the email claims; is the requester real, the individual investigator verified as a person who works there; and is the behavior right, does this request fit the requester's history and their agency's legitimate pattern of work.
The third question is the one no company can answer alone, because no single company sees enough requests to know what normal looks like. That's the argument for verifying at the network level: on Kodex, 15,000 government agencies and 150,000 investigators are verified once, and their request behavior is visible across every company they contact. A requester who fails verification at one company has failed it everywhere. No verification layer makes fraud impossible, which is why verification is layered with monitoring and revocation rather than resting on any single check. How requester verification works.
Law enforcement email compromise, LEEC, is the upstream crime that makes fake EDRs possible: the takeover of law enforcement email accounts for use in fraud. It's the law enforcement version of business email compromise, with one difference that changes everything: a compromised business account can move a company's money, while a compromised police account can move any company's data.
Fake EDRs are the most dangerous use of LEEC, but not the only one. Compromised agency accounts also send forged subpoenas and forged court orders through the same trusted channel. See what the network catches.
Slowly. Senators Wyden, Tillis, and Whitehouse introduced the Digital Authenticity for Court Orders Act, which would require digital signatures on court orders; it has not passed. The FBI's 2024 advisory tells agencies to harden their email and tells companies to scrutinize emergency requests, which is sound advice aimed at the two parties least equipped to act on it alone.
The structural fix doesn't require legislation. Fake EDRs work because requests travel over open email between strangers. Verified infrastructure, where every requester is known before they can ask, removes the condition the fraud depends on. That's the fix companies can adopt today, one at a time, and it gets stronger with each one that does.
What is the difference between an EDR and a subpoena?
A subpoena is legal process, issued under legal authority and reviewable by a court. An emergency data request is a voluntary disclosure: the company may share data under the emergency exception in 18 U.S.C. § 2702(b)(8), but no law compels it.
How do criminals get law enforcement email accounts?
By phishing officers, buying stolen credentials, or purchasing already-compromised agency accounts on criminal forums. The FBI's November 2024 advisory documented government email credentials from more than two dozen countries offered for sale.
Is a company liable if it complies with a fake EDR?
The law is unsettled and being tested in litigation. The emergency exception protects good-faith disclosure, but plaintiffs have argued that complying with requests missing required verification steps falls outside good faith.
Which companies have been tricked by fake EDRs?
Publicly documented cases include Apple, Meta, Discord, and Verizon. Given that the attack targets any company holding user data, the documented cases are a floor, not a census.
How should a company verify an emergency data request?
Independently of the email itself: confirm the agency exists, confirm the individual requester's identity, and check the request against the requester's known pattern of legitimate activity. Domain and letterhead checks verify only what the attacker controls.