Malicious actors are using increasingly sophisticated methods to get users' account data from many companies, including Apple, with a new report detailing the use of fake law enforcement emails for doxxing.

While scams existed long before the dawn of email, the internet opened up a whole new avenue for attacks via email. We've all heard of scammers pretending to be royalty, or those saying you've won the lottery, neither of which is a particularly effective approach these days.

More recently, however, scammers have taken up impersonating law enforcement officials as a means of obtaining someone's personal information. To no one's surprise, individuals and groups with ill intent often use email addresses that closely resemble those of legitimate law enforcement agencies.

As Wired points out, however, doxxing groups have, on multiple occasions, also used the compromised email accounts of real government employees and law enforcement officials. The publication interviewed Exempt, an individual affiliated with one such doxxing group, who offered additional information about the group's motives and methods of operation.

How and why doxxers target large companies

In short, the group usually impersonates law enforcement and tries to contact the law enforcement response teams of large companies such as Apple and Amazon. The goal, understandably, is to trick the company into providing information about a specific user or group, and to later sell that information to a third party.

To accomplish this, Exempt's group buys domains similar to those used by law enforcement entities, with the only difference often being the URL ending in .us instead of .org, for example. The group also spoofs the phone numbers of police and sheriff's offices when contacting companies' law enforcement response teams, making the target more likely to believe it's a legitimate request.

Other times, the group teams up with cops who want a share of the profit, in exchange for their email being used to dox someone via a fraudulent request. Alternatively, they'll use working email credentials sourced from prior hacks and database leaks.

As for the information requests themselves, Exempt's team takes great care to mimic the look and feel of an official document. They'll even go so far as to cite relevant and applicable laws in the requests they send to large companies in the United States.

If the group is sending a fake warrant or subpoena, they'll use the name and relevant information of a judge who happens to be in office on that particular day. That way, if a representative of the company being targeted by the team tries to inquire, they'll learn that the judge is indeed in the building.

Often, judges are unable to verify the information on additional warrants or subpoenas over the phone, which is what Exempt and his team are counting on.

How attackers abuse emergency data requests

Still, not every attempt is successful.

Sometimes, fraudulent requests are caught via the target companies' request verification measures. To circumvent this, malicious groups take advantage of so-called emergency data requests, which are meant to prevent immediate harm or even death.

Apple was among those targeted by the hackers.

Apple is among the companies that deliver information when an emergency request is submitted. It's also one of the companies Exempt's group targeted, and they reportedly received the personal information of an Apple Account holder, including their home address, email, and phone number.

Apart from these account details, the account information Exempt's team received did not include data stored on iCloud, such as user photos, notes, and so on.

The iPhone maker outlined the process for an emergency data request in its Legal Process Guidelines.

"In order to request that Apple voluntarily disclose information on an emergency basis, the requesting government or law enforcement officer should complete the Emergency Government & Law Enforcement Information Request form and transmit it directly from their official government or law enforcement email address," reads Apple's documentation.

Apple also emphasizes that the request should contain "the words 'Emergency Request' in the subject line," among other things.

Apart from the attackers themselves, no single company or person is to blame. It's the nature of the emergency information request system and its shortcomings. There's just no simple way to verify a contact via email without it being a drawn-out process.
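
The lookalike-domain trick and the official-address requirement described above suggest an intake check along these lines for a law enforcement response team. This is an added example, not Apple's or any other company's actual process; the domains, sample messages and the `triage` function are constructed assumptions, and the Authentication-Results header is assumed to come from the receiving mail gateway.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: agency domains verified out of band (hypothetical).
VERIFIED_AGENCY_DOMAINS = {"examplecountysheriff.org", "examplecitypd.gov"}

# Constructed sample messages; Authentication-Results is assumed to be
# written by the receiving mail gateway, not copied from the sender.
SAMPLE_LOOKALIKE = ("From: Deputy <deputy@examplecountysheriff.us>\n"
                    "Subject: Emergency Request\n\nSend subscriber records.")
SAMPLE_VERIFIED = ("From: Deputy <deputy@examplecountysheriff.org>\n"
                   "Authentication-Results: mx.example.net; dmarc=pass\n"
                   "Subject: Emergency Request\n\nSend subscriber records.")

def split_domain(domain):
    """Split 'name.tld' into (name, tld); ignores multi-part suffixes."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld

def triage(raw_message):
    """Return (verdict, reasons) for an inbound data-request email."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reasons = []
    if domain not in VERIFIED_AGENCY_DOMAINS:
        name, tld = split_domain(domain)
        for known in sorted(VERIFIED_AGENCY_DOMAINS):
            known_name, known_tld = split_domain(known)
            if name == known_name and tld != known_tld:
                reasons.append(f"lookalike of {known}: .{tld} instead of .{known_tld}")
        reasons.append("sender domain is not on the verified list")
        return "reject", reasons
    if not re.search(r"\bdmarc=pass\b", msg.get("Authentication-Results", ""), re.I):
        return "reject", ["DMARC did not pass for a verified domain"]
    if "emergency request" not in msg.get("Subject", "").lower():
        reasons.append("subject line lacks 'Emergency Request'")
    # A verified domain with passing DMARC can still be a compromised or
    # misused real account, so the best outcome is a callback, never approval.
    reasons.append("confirm by calling a number on file, not one from the email")
    return "callback", reasons

if __name__ == "__main__":
    for sample in (SAMPLE_LOOKALIKE, SAMPLE_VERIFIED):
        print(triage(sample))
```

The check has no "approve" verdict: a request sent from a compromised or misused real account passes every email-level test, which is why the strongest result it can return is a callback.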

Why there's no cause for alarm

Even so, most users have little reason for concern, unless they suspect they're being targeted directly by a bad actor for a reason. Hackers don't generally go out of their way to target everyday users, unless it's a vendetta, or they believe they can steal or extort money from a person.

As such, there's no immediate action for end users to take, but AppleInsider recommends exercising caution when dealing with suspicious-looking emails. A somewhat similar iMessage scam involving fake government addresses gained traction in November 2025.