Adversaries are exploiting vacant homes to intercept sensitive mail in a new hybrid cybercrime operation, combining publicly available data, weak identity verification processes, and operational gaps to build scalable fraud workflows. This method transforms mail delivery into a form of intelligence gathering, enabling attackers to gain persistent access to victims' mail.
Adversaries Exploit Vacant Homes to Intercept Mail in Hybrid Cybercrime
Fraud operations have taken a new and concerning turn, as threat actors are increasingly exploiting vacant homes to intercept sensitive mail. This method, which combines publicly available data, weak identity verification processes, and operational gaps, allows attackers to build scalable fraud workflows that are both low-cost and difficult to detect.
According to recent analysis by Flare analysts, a tutorial shared in a fraud-focused chat group provides step-by-step guidance on how to identify and exploit vacant residential properties to intercept sensitive mail. This approach blends open-source intelligence, postal service features, and fake identity fraud into a coordinated workflow designed to gain persistent access to victims' mail.
The method outlined in the tutorial begins with monitoring incoming mail to identify valuable targets. Using legitimate digitalized postal services such as Informed Delivery, attackers can remotely monitor incoming correspondence, allowing them to identify valuable items such as financial documents, credit cards, or verification letters before physically accessing the mailbox. This transforms mail delivery into a form of intelligence gathering, enabling more targeted and efficient fraud.
If the address is already registered with such a service, the tutorial references change-of-address requests as a way to take control of mail delivery. These services are designed for legitimate users relocating their residence and are widely available through postal systems such as USPS. However, the tutorial suggests that actors perceive these controls as potentially insufficient or inconsistently enforced, creating opportunities for abuse if supporting identity information is compromised or fabricated.
Once attackers have confirmed that valuable mail is being delivered, the workflow shifts toward establishing long-term access through mail forwarding services. Actors are instructed to create personal mailbox accounts that allow them to redirect all incoming mail from the drop address to a separate location under their control. Because these services typically require identity verification, attackers rely on fake identities, forged documents, or purchased personal data to complete the process.
This marks a critical transition from opportunistic interception to persistent access. Once mail forwarding is in place, attackers no longer need to revisit the physical location, reducing exposure while maintaining continuous access to sensitive information. The use of fake identities demonstrates how this technique integrates with broader fraud ecosystems, allowing actors to bridge the gap between digital compromise and real-world access.
The emergence of these techniques underscores a growing challenge for organizations: many of the systems being abused – real estate platforms, postal services, and identity verification processes – exist outside the scope of traditional cybersecurity defenses. As fraud operations continue to evolve, detection increasingly depends on correlating signals across domains, including address usage patterns, mail forwarding activity, and identity inconsistencies.
The tutorial reflects a broader evolution in fraud operations, where digital intelligence gathering is combined with physical-world manipulation. Actors also describe using individuals (sometimes recruited from vulnerable populations) to physically access mailboxes or collect delivered items, introducing a human layer into the operation.
The activity described in the tutorial reflects a broader rise in mail-enabled fraud documented in recent reporting. According to U.S. Postal Inspection Service-related data, reports of mail theft have increased significantly in recent years, with theft from mail receptacles rising by 139% between 2019 and 2023. Financially, the impact is substantial, with mail theft schemes linked to hundreds of millions of dollars in suspicious activity tied to check fraud.
At the same time, abuse of postal redirection services has also grown, with change-of-address fraud increasing sharply year-over-year. Together, these trends highlight how control over physical mail has become a valuable asset for fraud operations.
The tutorial acknowledges operational challenges, as virtual addresses and commonly reused locations are increasingly flagged by financial institutions, suggesting that defenders are beginning to incorporate address-based risk signals into their detection models. As a result, actors emphasize the importance of finding "clean" residential addresses that have not yet been associated with fraudulent activity.
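The detection approach described above, correlating address usage patterns, mail forwarding activity, identity inconsistencies and vacancy status into one risk score, can be sketched as a small triage rule set. This is an added illustration, not code from Flare or any institution's fraud model; the record fields, sample applications, thresholds and weights are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Application:
    applicant: str
    address: str
    submitted: date
    known_occupants: tuple = ()       # names historically tied to the address (assumed enrichment)
    forwarding_started: date = None   # effective date of the latest forwarding/COA request, if any
    listed_vacant: bool = False       # property currently advertised as vacant (assumed enrichment)

# Constructed history of earlier applications seen at the institution.
HISTORY = [
    Application("A. Lee", "12 Elm St", date(2024, 1, 5)),
    Application("B. Cruz", "12 Elm St", date(2024, 2, 9)),
    Application("C. Diaz", "12 Elm St", date(2024, 3, 2)),
    Application("J. Smith", "40 Oak Ave", date(2024, 3, 8)),
]
# Assumed weights; a real model would calibrate these on labelled fraud cases.
WEIGHTS = {"address_reuse": 3, "identity_mismatch": 2, "recent_forwarding": 2, "vacant_listing": 2}

def risk_signals(app, history, reuse_threshold=3, forwarding_window_days=30):
    """Return the cross-domain signals that fire for one application."""
    signals = []
    # Address usage pattern: how many other applicants share this address.
    others = {h.applicant for h in history if h.address == app.address and h.applicant != app.applicant}
    if len(others) >= reuse_threshold:
        signals.append("address_reuse")
    # Identity inconsistency: applicant has no prior tie to the address.
    if app.known_occupants and app.applicant not in app.known_occupants:
        signals.append("identity_mismatch")
    # Mail forwarding activity: forwarding set up shortly before applying.
    if app.forwarding_started and 0 <= (app.submitted - app.forwarding_started).days <= forwarding_window_days:
        signals.append("recent_forwarding")
    if app.listed_vacant:
        signals.append("vacant_listing")
    return signals

def triage(app, history, review_threshold=4):
    """Score the signals and decide whether the application needs manual review."""
    signals = risk_signals(app, history)
    score = sum(WEIGHTS[s] for s in signals)
    return {"applicant": app.applicant, "score": score, "signals": signals, "review": score >= review_threshold}

def demo():
    """Triage two constructed applications against HISTORY."""
    suspicious = Application("D. Park", "12 Elm St", date(2024, 4, 1), known_occupants=("M. Rivera",),
                             forwarding_started=date(2024, 3, 20), listed_vacant=True)
    ordinary = Application("J. Smith", "40 Oak Ave", date(2024, 4, 2), known_occupants=("J. Smith",))
    return triage(suspicious, HISTORY), triage(ordinary, HISTORY)
```

No single signal is conclusive on its own; the point is that an address reused by several unrelated applicants, a forwarding request just before the application and a name with no prior tie to the property only become meaningful when they are correlated.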
While this may look like an isolated tutorial, it is part of a broader phenomenon: tutorials on how to find physical drop addresses, some shared for free and others sold. This highlights the growing sophistication and adaptability of threat actors, who are increasingly using legitimate systems and services to enable their fraud operations.
The exploitation of vacant homes to intercept mail represents a new front in hybrid cybercrime, where digital and physical layers are combined to create a complex and evolving threat landscape. As organizations and individuals seek to protect themselves from this type of attack, it is essential to understand the tactics, techniques, and procedures (TTPs) used by attackers and to develop effective countermeasures that address these emerging threats.
Summary:
Adversaries are exploiting vacant homes to intercept sensitive mail in a new hybrid cybercrime operation. This method combines publicly available data, weak identity verification processes, and operational gaps to build scalable fraud workflows. Attackers use legitimate digitalized postal services and fake identities to gain persistent access to victims' mail, transforming mail delivery into a form of intelligence gathering. As organizations struggle to keep pace with this evolving threat landscape, it is essential to understand the TTPs used by attackers and develop effective countermeasures to protect against these types of attacks.