Ethical Hacking News
Cybercrime's new black market: EDR-as-a-Service is taking hold, with law enforcement agencies and government accounts being exploited for sensitive information. This emerging phenomenon poses a significant risk to individuals, businesses, and governments worldwide, highlighting the need for enhanced security measures and cooperation between authorities.
Cybercrime is on the rise, with EDR-as-a-Service (Emergency Data Requests - as a Service) being a new and emerging threat. EDR-as-a-Service involves exploiting law enforcement and government agency accounts to send false Emergency Data Requests to online platforms. The service has become increasingly complex, involving all phases of the process, including handling requests and delivering data. Payments are made through cryptocurrencies like Bitcoin or Monero, ensuring confidentiality and irreversibility. A marketplace for EDR services has emerged, with moderators providing escrow services and users reviewing and rating each other's transactions. The availability of law enforcement accounts and the ease of renting an EDR service poses a significant threat to governmental infrastructures and citizens' privacy. The emergence of ransomware groups using these techniques foreshadows further evolution of their criminal model. Experts recommend strengthening validation procedures, including stricter authentication systems for law enforcement requests and targeted cross-checks by tech companies.
Cybercrime has long been a persistent threat to individuals, businesses, and governments around the world. In recent years, however, a new phenomenon has emerged that is taking the cybercrime landscape by storm: EDR-as-a-Service (Emergency Data Requests - as a Service). This dark side of cybercrime's black market has been making headlines in recent weeks, with law enforcement agencies and cybersecurity experts sounding the alarm about the growing threat.
EDR-as-a-Service is a type of cybercrime that involves exploiting compromised accounts belonging to law enforcement and other government agencies to illicitly forward Emergency Data Requests (EDRs) to major online platforms. These fraudulently obtained credentials enable cybercriminals to convincingly mimic a real investigation, inducing platform operators to hand over extremely sensitive information.
The phenomenon has rapidly grown in complexity, as detailed in the Meridian Group report. While initially criminals merely sold credentials belonging to government agencies or law enforcement, a "turnkey" model later emerged, covering every phase of the process. The service may thus include submitting the request to the platforms directly, through to delivering the data to whoever commissioned the operation.
Payments are handled through mechanisms long rooted in underground trades. In Dark Web environments as well as on specialized forums, sellers post concise ads inviting potential buyers to contact them privately, often via Telegram, Session, and other encrypted messaging apps. Payments are mostly made in Bitcoin or Monero, to ensure confidentiality and irreversibility.
In more organized circuits, some moderators provide an escrow service, i.e., they hold the payment until the buyer confirms the validity of the data received. This assurance system, combined with users' feedback and reviews, contributes to the creation of a full-fledged marketplace displaying a level of internal organization and transparency quite similar to that of legitimate e-commerce channels.
As further evidence of the increasing professionalization of this illicit sector, Meridian Group reports the publication of informational content designed to guide the proper use of EDR services. Guidebooks are also available to instruct on how to correctly complete and unlawfully submit the requests.
The availability of accounts linked to law enforcement and other government agencies, combined with the ease with which threat actors can "rent" an EDR service, jeopardizes both the security of governmental infrastructures and the protection of citizens' privacy. If a criminal obtains private information such as IP addresses, phone numbers, and home addresses, it may be exploited to initiate fraudulent schemes, blackmail, or doxing operations.
This affects not only the general public but also poses a heightened risk to individuals with significant media exposure, including activists, journalists, and politicians. Moreover, the emergence of ransomware groups using these techniques and methods foreshadows a further evolution of their criminal model.
Meridian Group therefore recommends strengthening validation procedures, including stricter authentication systems for law enforcement requests and targeted cross-checks by tech companies for EDRs—while ensuring that such measures do not compromise the responsiveness these emergency channels were originally designed to provide. Indeed, only close collaboration and a swift overhaul of existing processes can curb a trend which, if allowed to flourish and become further organized, would pose a serious threat to the integrity of institutional channels and the privacy of a vast number of citizens.
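The recommendation above (stricter authentication of requester accounts plus targeted cross-checks on the platform side) is easier to reason about with a concrete intake check. The following Python is an added example written for this page; it is not code from the article, from Meridian Group, or from any platform's actual EDR process. It assumes a registry of agency domains and callback numbers that the platform maintains independently of any request, a request represented as a simple dict, and a rule that data is released only after an analyst confirms the request through the registry's callback number, never through contact details supplied in the request itself. It also flags a burst of requests from one account, since a compromised account is the failure mode the article describes.

```python
"""Added example (not from the article or Meridian Group): defender-side
cross-checks for inbound Emergency Data Requests (EDRs).

All names, numbers and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed registry, maintained by the platform out of band. The callback
# number comes from here, never from the request, so a forged request cannot
# redirect the confirmation call to the requester.
AGENCY_REGISTRY = {
    "example-police.gov": {"agency": "Example Police", "callback": "+1-555-0100"},
}


@dataclass
class Verdict:
    release: bool
    reasons: list = field(default_factory=list)


class EdrValidator:
    def __init__(self, registry, max_per_requester=3, window=timedelta(hours=24)):
        self.registry = registry
        self.max_per_requester = max_per_requester  # requests allowed per window
        self.window = window
        self.history = {}  # requester e-mail -> timestamps of earlier requests

    def evaluate(self, req, callback_confirmed=False):
        """Return a Verdict; release only when every check passes."""
        reasons = []
        email = req["requester_email"].lower()
        domain = email.rsplit("@", 1)[-1]
        entry = self.registry.get(domain)

        # 1. Requester domain must be a registered agency domain (exact match,
        #    so look-alike domains such as agency.gov.attacker.example fail).
        if entry is None:
            reasons.append("requester domain not in agency registry")
        elif entry["agency"] != req["agency"]:
            reasons.append("claimed agency does not match registry for domain")
        elif req.get("callback_phone") and req["callback_phone"] != entry["callback"]:
            reasons.append("callback number in request differs from registry")

        # 2. Emergency basis must be stated explicitly.
        if not req.get("imminent_harm_statement"):
            reasons.append("no statement of imminent harm")

        # 3. Volume anomaly: a compromised account tends to issue many requests.
        ts = req["timestamp"]
        recent = [t for t in self.history.get(email, []) if ts - t <= self.window]
        if len(recent) >= self.max_per_requester:
            reasons.append("requester volume exceeds threshold")
        self.history[email] = recent + [ts]

        # 4. Out-of-band confirmation through the registry number is mandatory.
        if not callback_confirmed:
            reasons.append("out-of-band callback not confirmed")

        return Verdict(release=not reasons, reasons=reasons)


def make_request(email, agency, ts, harm="Constructed: caller reports imminent threat to life"):
    """Build a constructed sample request dict."""
    return {
        "requester_email": email,
        "agency": agency,
        "callback_phone": "+1-555-0100",
        "imminent_harm_statement": harm,
        "timestamp": ts,
    }


def sample_run():
    """Run constructed requests through a fresh validator and return verdicts."""
    v = EdrValidator(AGENCY_REGISTRY)
    t0 = datetime(2025, 4, 7, 9, 0)
    genuine = make_request("officer@example-police.gov", "Example Police", t0)
    spoofed = make_request("officer@example-police.gov.attacker.example", "Example Police", t0)
    results = {
        "genuine": v.evaluate(genuine, callback_confirmed=True),
        "spoofed": v.evaluate(spoofed, callback_confirmed=False),
    }
    # Burst: three more requests from the same account within the window.
    # The third of these is the fourth overall and trips the volume check.
    burst = None
    for i in range(1, 4):
        later = make_request("officer@example-police.gov", "Example Police", t0 + timedelta(minutes=10 * i))
        burst = v.evaluate(later, callback_confirmed=True)
    results["burst"] = burst
    return results


if __name__ == "__main__":
    for name, verdict in sample_run().items():
        print(name, "release" if verdict.release else "hold", verdict.reasons)
```

The important design point is that nothing in the request is trusted for the confirmation step: the callback number and the agency identity come from the platform's own registry, so a request sent from a hijacked account still has to survive a phone call to the number the platform already holds for that agency. The volume threshold is deliberately low because genuine emergency requests from a single officer are rare; a tuned deployment would set it per agency.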
Related Information:
https://www.ethicalhackingnews.com/articles/EDR-as-a-Service-The-Dark-Side-of-Cybercrimes-New-Black-Market-ehn.shtml
https://securityaffairs.com/176266/cyber-crime/edr-as-a-service-edr-cybercrime.html
Published: Mon Apr 7 03:53:25 2025 by llama3.2 3B Q4_K_M