Tech

Inside the DEA Tool Hackers Allegedly Used to Extort Targets

The DEA run "EPIC Portal" includes access to license plate reader information, drug seizures, intelligence reports, and more.
DEA
Image: Ryan Lackey/Flickr
Screen Shot 2021-02-24 at 3
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.

Hackers accused of using law enforcement tools and other tactics to extort people online gained access to a sensitive, password protected portal run by the Drug Enforcement Administration, according to a screenshot of the portal obtained by Motherboard.

The new screenshot and other information provides some more clarity on charges unsealed against Sagar Steven Singh, 19, and Nicholas Ceraolo, 25, earlier this week. That pair, who were at one point part of a group called “ViLE,” allegedly went on a wide-spanning hacking spree. That included breaking into the federal U.S. law enforcement portal; using a hacked Bangladeshi police officer’s email account to fraudulently request user data from a social media company; and trying to use it to buy facial recognition services too.

Advertisement

Do you know anything else about this portal, or how criminals are obtaining sensitive data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email joseph.cox@vice.com.

“EPIC Portal,” the top of the screenshot reads, referring to the El Paso Intelligence Center (EPIC). EPIC is a multiagency intelligence center led by the DEA with 21 participating agencies, according to the DEA’s website. The mission of EPIC is not just limited to drugs, but also includes terrorism, human trafficking, money laundering, and more.

The portal appears to provide access to a variety of tools, including one labeled as “LPR,” according to the screenshot. LPR typically refers to license plate readers, which are cameras that take photographs of vehicles as they pass certain points and record where a certain vehicle was at a particular time. A 2010 email obtained by the American Civil Liberties Union says that federal, state, and local agencies have the ability to query an “LPR database via EPIC.” A report from the Department of Justice’s Office of Inspector General says EPIC has access to the “DEA’s License Plate Reader Database,” which stores license plate information captured along the Southwest border.

Advertisement

The screenshot also includes “HSIN,” which is the Homeland Security Information Network, which is used to share intelligence among agencies. The EPIC Portal also provides other areas for users to explore, such as “seizures,” “reports,” and “global drug pricing,” according to the screenshot. (In the complaint against Singh and Ceraolo, prosecutors wrote that “Data available through the Portal is not classified but is sensitive and includes detailed, nonpublic records of narcotics and currency seizures, as well as law enforcement intelligence reports.”)

portal.jpg

A screenshot of someone logged into the EPIC Portal obtained by Motherboard. Image: Motherboard.

The screenshot also shows access to “Jetway/Pipeline,” referring to two different types of training that teach officers how to interdict at airports and highways respectively, and the Deconfliction and Information Coordination Endeavor (DICE), which helps law enforcement officials not double up on investigations.

In May 2022, Singh, also known as Weep, allegedly logged into the portal from the same IP address he had previously used to access a social media account registered to him, according to the complaint. Records from Singh’s computer and the government servers themselves showed Singh accessed multiple guides on how to use the portal, and sections that track narcotic seizures in the U.S., the complaint says. Krebs on Security reported on a breach of the portal at the time. The outlet reported the breach also impacted the Law Enforcement Inquiry and Alerts (LEIA) system, managed by the DEA, which provides search capabilities for EPIC and other external databases. Krebs also reported these latest charges relate to the DEA breach.

Advertisement

“Were [sic] all gonna get raided one of these days i swear,” Ceraolo wrote after Singh shared the login credentials with him, according to the complaint. Ceraolo, who used the handle Convict, also asked an associate how they could scrape data from inside the portal, the complaint says.

Within one day of gaining access to the portal, “Singh was using his access to the Portal to extort victims,” according to a press release from the Eastern District of New York accompanying the charges. Singh also told a contact “that portal had some fucking potent tools,” and listed five search tools accessible through the portal, the court records add. External databases accessible from EPIC include those run by the FBI, Customs and Border Protection, the Federal Aviation Administration, the Federal Bureau of Prisons, and the U.S. Marshals Service.

However, the exact contours of what information Singh may have accessed, or even been able to, is unclear. The complaint acknowledges that Singh was unable to access other databases because they required other login credentials. KT, a leader of ViLE, told Motherboard in an online chat that the claim that Singh used access to the portal to extort victims “is a lie.” KT said a lot of people accessed the DEA portal at the time after it was shared in a “semi large” Telegram group. 

KT said Ceraolo was kicked from ViLE when he was first raided. The complaint says Homeland Security Investigations agents executed a search warrant at Ceraolo’s residence in May, 2022. Motherboard reported Ceraolo handed himself in earlier this week in light of the new charges.

The DEA declined to comment, and directed inquiries to the Eastern District of New York, which also declined to comment.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.