{
	"id": "a50a48ab-071d-457f-a490-90c1269f8cc2",
	"created_at": "2026-04-06T00:10:02.066284Z",
	"updated_at": "2026-04-10T03:28:09.061049Z",
	"deleted_at": null,
	"sha1_hash": "5975366892abfc8659323a7e177ae66b83a1e8d0",
	"title": "FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 827827,
	"plain_text": "FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked\r\nPublished: 2022-12-14 · Archived: 2026-04-05 16:25:03 UTC\r\nInfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat\r\ninformation sharing partnerships with the private sector, this week saw its database of contact information on more\r\nthan 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers\r\nresponsible are communicating directly with members through the InfraGard portal online — using a new account\r\nunder the assumed identity of a financial industry CEO that was vetted by the FBI itself.\r\nOn Dec. 10, 2022, the relatively new cybercrime forum Breached featured a bombshell new sales thread: The\r\nuser database for InfraGard, including names and contact information for tens of thousands of InfraGard members.\r\nThe FBI’s InfraGard program is supposed to be a vetted Who’s Who of key people in private sector roles\r\ninvolving both cyber and physical security at companies that manage most of the nation’s critical infrastructures\r\n— including drinking water and power utilities, communications and financial services firms, transportation and\r\nmanufacturing companies, healthcare providers, and nuclear energy firms.\r\n“InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education,\r\nnetworking, and information-sharing on security threats and risks,” the FBI’s InfraGard fact sheet reads.\r\nIn response to information shared by KrebsOnSecurity, the FBI said it is aware of a potential false account\r\nassociated with the InfraGard Portal and that it is actively looking into the matter.\r\n“This is an ongoing situation, and we are not able to provide any additional information at this time,” the FBI said\r\nin a written statement.\r\nhttps://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/\r\nPage 1 of 
6\n\nKrebsOnSecurity contacted the seller of the InfraGard database, a Breached forum member who uses the handle\r\n“USDoD” and whose avatar is the seal of the U.S. Department of Defense.\r\nUSDoD’s InfraGard sales thread on Breached.\r\nUSDoD said they gained access to the FBI’s InfraGard system by applying for a new account using the name,\r\nSocial Security Number, date of birth  and other personal details of a chief executive officer at a company that was\r\nhighly likely to be granted InfraGard membership.\r\nThe CEO in question — currently the head of a major U.S. financial corporation that has a direct impact on the\r\ncreditworthiness of most Americans — told KrebsOnSecurity they were never contacted by the FBI seeking to vet\r\nan InfraGard application.\r\nUSDoD told KrebsOnSecurity their phony application was submitted in November in the CEO’s name, and that\r\nthe application included a contact email address that they controlled — but also the CEO’s real mobile phone\r\nnumber.\r\n“When you register they said that to be approved can take at least three months,” USDoD said. “I wasn’t expected\r\nto be approve[d].”\r\nBut USDoD said that in early December, their email address in the name\r\nof the CEO received a reply saying the application had been approved (see redacted screenshot to the right). While\r\nthe FBI’s InfraGard system requires multi-factor authentication by default, users can choose between receiving a\r\none-time code via SMS or email.\r\n“If it was only the phone I will be in [a] bad situation,” USDoD said. 
“Because I used the person[‘s] phone that\r\nI’m impersonating.”\r\nUSDoD said the InfraGard user data was made easily available via an Application Programming Interface (API)\r\nthat is built into several key components of the website that help InfraGard members connect and communicate\r\nwith each other.\r\nUSDoD said after their InfraGard membership was approved, they asked a friend to code a script in Python to\r\nquery that API and retrieve all available InfraGard user data.\r\n“InfraGard is a social media intelligence hub for high profile persons,” USDoD said. “They even got [a] forum to\r\ndiscuss things.”\r\nTo prove they still had access to InfraGard as of publication time Tuesday evening, USDoD sent a direct note\r\nthrough InfraGard’s messaging system to an InfraGard member whose personal details were initially published as\r\na teaser on the database sales thread.\r\nThat InfraGard member, who is head of security at a major U.S. technology firm, confirmed receipt of USDoD’s\r\nmessage but asked to remain anonymous for this story.\r\nUSDoD acknowledged that their $50,000 asking price for the InfraGard database may be a tad high, given that it\r\nis a fairly basic list of people who are already very security-conscious. 
Also, only about half of the user accounts\r\ncontain an email address, and most of the other database fields — like Social Security Number and Date of Birth\r\n— are completely empty.\r\n“I don’t think someone will pay that price, but I have to [price it] a bit higher to [negotiate] the price that I want,”\r\nthey explained.\r\nWhile the data exposed by the infiltration at InfraGard may be minimal, the user data might not have been the true\r\nend game for the intruders.\r\nUSDoD said they were hoping the imposter account would last long enough for them to finish sending direct\r\nmessages as the CEO to other executives using the InfraGard messaging portal. USDoD shared the following\r\nredacted screenshot from what they claimed was one such message, although they provided no additional context\r\nabout it.\r\nA screenshot shared by USDoD showing a message thread in the FBI’s InfraGard system.\r\nUSDoD said in their sales thread that the guarantor for the transaction would be Pompompurin, the administrator\r\nof the cybercrime forum Breached. By purchasing the database through the forum administrator’s escrow service,\r\nwould-be buyers can theoretically avoid getting ripped off and ensure the transaction will be consummated to the\r\nsatisfaction of both parties before money changes hands.\r\nPompompurin has been a thorn in the side of the FBI for years. Their Breached forum is widely considered to be\r\nthe second incarnation of RaidForums, a remarkably similar English-language cybercrime forum shuttered by the\r\nU.S. Department of Justice in April. 
Prior to its infiltration by the FBI, RaidForums sold access to more than 10\r\nbillion consumer records stolen in some of the world’s largest data breaches.\r\nIn November 2021, KrebsOnSecurity detailed how Pompompurin abused a vulnerability in an FBI online portal\r\ndesigned to share information with state and local law enforcement authorities, and how that access was used to\r\nblast out thousands of hoax email messages — all sent from an FBI email and Internet address.\r\nUpdate, 10:58 p.m. ET: Updated the story after hearing from the financial company CEO whose identity was\r\nused to fool the FBI into approving an InfraGard membership. That CEO said they were never contacted by the\r\nFBI.\r\nUpdate, 11:15 p.m. ET: The FBI just confirmed that it is aware of a potential false account associated with the\r\nInfraGard portal. The story now includes their full statement.\r\nThis is a developing story. Updates will be noted here with timestamps. \r\nSource: https://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/"
	],
	"report_names": [
		"fbis-vetted-info-sharing-network-infragard-hacked"
	],
	"threat_actors": [
		{
			"id": "80edca9f-dcd6-491e-92f3-87ad1f575631",
			"created_at": "2023-10-14T02:03:14.694988Z",
			"updated_at": "2026-04-10T02:00:05.021046Z",
			"deleted_at": null,
			"main_name": "NetSec",
			"aliases": [
				"NetSec",
				"Operation Data Breach",
				"ScarFace_TheOne",
				"USDoD"
			],
			"source_name": "ETDA:NetSec",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "82a51997-1402-41c3-86df-6f9e522b2ba8",
			"created_at": "2024-04-27T02:00:03.554045Z",
			"updated_at": "2026-04-10T02:00:03.63698Z",
			"deleted_at": null,
			"main_name": "USDoD",
			"aliases": [],
			"source_name": "MISPGALAXY:USDoD",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434202,
	"ts_updated_at": 1775791689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5975366892abfc8659323a7e177ae66b83a1e8d0.pdf",
		"text": "https://archive.orkl.eu/5975366892abfc8659323a7e177ae66b83a1e8d0.txt",
		"img": "https://archive.orkl.eu/5975366892abfc8659323a7e177ae66b83a1e8d0.jpg"
	}
}