HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Google confirms fake law enforcement account created in data request system

Written by Farah Amod | Sep 29, 2025 11:30:43 PM

A threat group’s claims led Google to confirm that its Law Enforcement Request System had been misused, though no data was compromised.

 

What happened

According to BleepingComputer, Google has confirmed that threat actors created a fraudulent account in its Law Enforcement Request System (LERS), a secure platform used by global police and intelligence agencies to submit official data requests. Google said the account was identified and disabled before any requests were made or any user data was accessed.

The confirmation followed public claims made by a group calling itself "Scattered Lapsus$ Hunters" on Telegram. The group alleged it had gained access to both Google’s LERS and the FBI’s eCheck background check system. Screenshots of these alleged intrusions were posted before the group announced it was “going dark.”

 

Going deeper

The group behind these claims is linked to several known threat actors: ShinyHunters, Scattered Spider, and Lapsus$. In recent months, they have carried out large-scale data theft operations, particularly targeting organizations that use Salesforce. Through social engineering, they manipulated employees into connecting Salesforce’s Data Loader tool to corporate environments, which enabled credential theft and data exfiltration.

The attackers also infiltrated Salesloft’s GitHub repository and scanned the codebase using tools like TruffleHog to uncover exposed authentication tokens. These tokens were later used to access additional services and conduct follow-on attacks. Victims of their campaigns reportedly include companies such as Google, Cisco, Louis Vuitton, Adidas, and many more.

 

What was said

A Google spokesperson stated, “We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account. No requests were made with this fraudulent account, and no data was accessed.” The FBI declined to comment on the group's claims.

Security experts interviewed by BleepingComputer noted that the group’s claim of “going dark” is unlikely to mean a complete halt in activity. Based on prior behavior, researchers believe the group may continue operations under the radar.

 

FAQs

What is Google’s Law Enforcement Request System (LERS)?

LERS is a secure platform that allows law enforcement agencies to submit subpoenas, court orders, and emergency disclosure requests directly to Google for user data.

 

What would happen if a fraudulent request were submitted through LERS?

If accepted, a fake request could allow an attacker to obtain sensitive user data under the guise of legal authority. Google’s vetting process is designed to detect and reject such submissions.

 

How do tools like TruffleHog aid threat actors in attacks?

TruffleHog scans code repositories for exposed secrets, such as authentication tokens and API keys, which can be used to access protected systems or services.

 

Why do threat groups target developer platforms like GitHub?

Developer repositories often contain misconfigured files or secrets embedded in code, making them a valuable entry point for attackers to escalate access within an organization.

 

What does it mean when a group says it’s “going dark”?

This typically implies the group will stop publicizing attacks, but not necessarily stop operations. It may signal a shift toward quieter, less traceable activity.