Hackers are pretending to be cops - and tech companies keep falling for it

Skye Jacobs

Connecting the dots: Earlier this year, a forged emergency email claiming to be from a Florida police officer landed in Charter Communications' legal response inbox, and it was treated as legitimate. Within minutes, the company handed over a New York gamer's name, home address, phone numbers, and email address. The problem: the email was not from any law enforcement officer. It was a fraud.

According to information reviewed by Wired, the sender was instead a member of a hacking group that sells "doxing-as-a-service," offering access to personal data siphoned from some of the country's largest technology companies.

A member of the group who calls himself "Exempt" admitted responsibility for the Charter incident, telling Wired that similar tricks had succeeded against Apple, Amazon, and the video platform Rumble. "This took all of 20 minutes," he said. Charter confirmed receipt of Wired's inquiry but declined to comment.

Christian Hancock, a spokesperson for the Jacksonville Sheriff's Office, called the impersonation "definitely concerning," especially since the hackers used the names of real officers to lend credibility.

In the US, companies maintain dedicated legal or compliance teams to handle data requests from police and prosecutors. These requests typically arrive as subpoenas or warrants and may take days to process. However, when lives are at risk, officers can submit "emergency data requests" – expedited demands meant to bypass routine verification.

This urgency creates a vulnerability. Hackers like Exempt exploit the fast-track system by mimicking the appearance of legitimate EDRs. Once they obtain a single piece of online information – an IP address, a user handle, or a phone number – they can make requests appear authentic, complete with official seals and legal citations copied from real court documents.

"Next thing you know, I have names, addresses, emails, and cell numbers," Exempt told Wired. In some cases, he said, his group used fabricated search warrants to obtain even more private details, such as text messages or call logs.

Exempt claimed that his group has executed as many as 500 such requests and earned more than $18,000 in August alone. In one case, he said he received $1,200 for doxing an alleged online predator, a job he described casually to Wired. The group's internal evidence – documents, recordings, and screenshots – suggested a sprawling, organized operation. Among the files was a video of a phone call with one tech firm's legal team, in which an employee attempted to verify what turned out to be a fake subpoena.

In another instance, a recording shared with Wired captured a representative from Amazon's law enforcement response team calling to confirm an email request. According to Amazon spokesperson Adam Montgomery, the company blocked the impersonator after detecting irregularities. Montgomery added that Amazon has since implemented new safeguards, but declined to specify what those measures were.

The hackers' tactics rely heavily on exploiting inconsistencies in how US law enforcement agencies manage their communication infrastructure. With roughly 18,000 separate agencies, each using distinct email formats and domains – some ending in .gov, others in .us, .org, or even .com – technological verification remains inconsistent.

In Charter's case, Exempt said his team registered the lookalike domain jaxsheriff.us, closely imitating the department's legitimate jaxsheriff.org. To reinforce the illusion, they spoofed the department's phone number and used accurate badge numbers and real officer names to pass routine checks.
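
An intake check for the lookalike-domain trick described above, as an added example that is not from the article or any company's actual process: it compares the sender domain of an emailed request against a directory of agency domains verified out of band. The directory contents, function names, sample addresses and verdict strings are assumptions.

```python
from email.utils import parseaddr

# Constructed directory of agency domains verified out of band (hypothetical).
VERIFIED_AGENCY_DOMAINS = {"jaxsheriff.org"}

def _edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _label(domain):
    """Label just left of the TLD, e.g. 'jaxsheriff' (simplified: single-label TLDs)."""
    return domain.rsplit(".", 1)[0].split(".")[-1]

def triage_sender(from_header):
    """Return (verdict, matched_domain) for the From header of a request."""
    _, at, domain = parseaddr(from_header)[1].rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not domain:
        return ("reject_unparseable", None)
    # Exact match or subdomain of a verified domain. This is not proof of
    # identity: accounts can be compromised, so callbacks still go to the
    # phone number on file, never to one supplied in the email.
    for known in VERIFIED_AGENCY_DOMAINS:
        if domain == known or domain.endswith("." + known):
            return ("verified_domain", known)
    # Same name under a different TLD (the jaxsheriff.us pattern).
    for known in VERIFIED_AGENCY_DOMAINS:
        if _label(domain) == _label(known):
            return ("lookalike_tld_swap", known)
    # Near-miss spelling of a verified name.
    for known in VERIFIED_AGENCY_DOMAINS:
        if _edit_distance(_label(domain), _label(known)) <= 2:
            return ("lookalike_near_spelling", known)
    return ("unknown_domain", None)
```

Any verdict other than `verified_domain` would route the request to manual review rather than the expedited path.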

The group also became adept at crafting fake legal documents that mirrored the tone and structure of valid subpoenas. By referencing real legal codes pulled from public records and checking judges' schedules, they made the forgeries appear unassailable. "We realistically have zero percent chance of them second-guessing it," Exempt said.

Though no single company bears sole responsibility, the hackers' success highlights a systemic flaw. Many firms still handle EDRs via email, leaving verification steps vulnerable to social engineering. Some even publish detailed law enforcement guidelines online, inadvertently providing attackers with templates. For example, Apple's publicly available Legal Process Guidelines instruct officers to submit emergency requests from official email accounts to a specific company address with "Emergency Request" in the subject line – a process easily mimicked by anyone with a convincing domain name.

According to evidence shared by Exempt, Apple responded to one such falsified request by providing iCloud account details, including a home address and phone number. Apple did not respond to Wired's inquiries.

An online database maintained by SEARCH, a nonprofit supporting criminal justice agencies, lists direct contact details for legal-response teams at more than 700 companies. A review by Kodex, which develops secure law enforcement portals, found that over 80 percent of listed companies still accept data requests via email. Platforms like Kodex are gaining traction because they use account whitelisting and behavioral monitoring to detect anomalies in how law enforcement users interact with companies.

Yet even those platforms are not foolproof. Exempt says his group once used compromised law enforcement accounts to make requests through Kodex before being locked out. The group now claims to be negotiating with a US deputy who was recently doxed, allegedly offering to rent the officer's access in exchange for removing his personal data from the internet.

Warnings about fake EDRs have circulated for years. In 2022, Krebs On Security reported on hackers "gaining the power of subpoena" through such impersonations. Despite industry awareness, Wired's reporting reveals that the practice remains widespread, exploiting both outdated communication systems and the human impulse to err on the side of saving lives.


 
We are nearing a point (some would say we are already there) where there is NO online privacy. The generations to follow will live in an information era much like people did back when living in small towns before electricity. Secrets simply won't exist...

Not necessarily a "bad" thing... just different... people will have to start living their lives realizing that everything is public...
 
We were already well past that point a long time ago.

People run away from small towns in droves exactly because they do want some privacy and peace of mind. We are in the era of endless wars and hostility. Lies everywhere, zero trust game with large smiles and knives behind their backs. Genesis 6:11-12 King James version basically.

Abundance of choices is, in essence, a lack of choice. When you have two sandwiches to choose from it’s easy, but when you have ten very similar ones the choice itself becomes a struggle.

Abundance of information in itself is useless noise hiding the lack of any meaningful info.
In what way will it help you to know that your neighbor John likes men or women or pigs? It’s completely irrelevant information to your personal life. What would help you considerably is knowledge of your washing machine’s designed lifespan and your boss’s plans regarding your promotion, but that information you will not find over the Internet.
 
"However, when lives are at risk, officers can submit "emergency data requests" – expedited demands meant to bypass routine verification." <--------------------- And this is just one important reason I use a VPN, and specifically ExpressVPN, which operates "outside the US", so the cops or the FBI cannot demand anything from them. Besides, the only information they (ExpressVPN) have on me or other users is in RAM; when disconnected, that information disappears.
 
If you read Ghost in the Wires you will find that 80% of Kevin Mitnick's hacking was social engineering.
 
This kind of thing has been going on for decades. They've just figured this out now??
 