Hello, everyone. Today, we're not going to talk about actors using technical 0days or newly released malware, but rather a much simpler yet equally impressive topic: threat actors walking around with police badges :D
We sometimes hear about Kodex Global and Fake EDR (Emergency Data Request) incidents. However, the data shows that this issue is not limited to a few incidents in the past; it has evolved into a massive underground service today. Let's examine how this "legal" theft is carried out and the scale of the danger.
💥 Market Opening: Tamagami and the First Echo
The first echo actually hit the mainstream in early 2024 when a threat actor named “Tamagami” dropped the bomb on BreachForums. His claim was simple but devastating:
“I'm selling my Kodex Global account. You can query anyone you want from Binance or Coinbase with an EDR (Emergency Request).”
At that time, access cost a hefty sum of $5,000 or $300 per query. The list didn't just include crypto exchanges. Social networks such as Discord, Tinder, and LinkedIn were also under threat. So we're talking about a power that could expose not only someone's wallet but also their private life.
🎲 How Do They Gain Access?
So how do these actors gain access? Kodex's systems are technically secure (at least that's what they claim). The problem is that hackers are becoming the police.
The process works as follows: First, InfoStealer logs or phishing are used to obtain email addresses on .gov or .police domains that belong to an official police department.

As you can see, the actors are openly selling Italian Government Mail and adding, “With this, you can do EDR and register with Kodex.”
After registering with Kodex by sending an email stating “Hello, I am Employee X,” the notification panel that appears will look exactly like this:

This screen is for creating an Emergency Request about a Discord user. When options such as “Life threatening situation” or “Suspected terrorism” are selected, Discord's legal team, under the pressure of the stated urgency and its own procedures, usually hands over the target's IP, phone number, address, or other data to this fake police without waiting for a court order.
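The weakness in that flow is that the urgency flags alone unlock the data. As an added example, not any platform's actual intake procedure, the following triage routine shows the weak policy beside a hardened one in which "life threatening" or "terrorism" flags raise the verification bar instead of lowering it: the requester's domain must be in a directory the platform maintains itself, fresh requester accounts are held, and a high-urgency request is released only after a callback to the number from that directory, never to a number supplied in the request. The agency domains, callback numbers, thresholds and the sample requests are all constructed.

```python
"""
Added example (not Kodex's, Discord's or any platform's real process):
triage for an incoming emergency data request (EDR).
"""
from dataclasses import dataclass, field
from datetime import date

# Agencies known to the platform, keyed by e-mail domain, with a contact number
# obtained independently of any request. All values are placeholders.
AGENCY_DIRECTORY = {
    "example-pd.gov": {"callback": "+1-000-000-0000"},
    "cid.example.police": {"callback": "+44-000-000-0000"},
}

HIGH_URGENCY = {"life_threatening", "suspected_terrorism"}
MIN_ACCOUNT_AGE_DAYS = 30  # assumption: newly registered requesters get extra scrutiny


@dataclass
class EdrRequest:
    requester_email: str
    account_created: date            # when the requester registered on the portal
    urgency: str                     # "routine", "life_threatening", "suspected_terrorism"
    incident_ref: str                # case number quoted by the requester
    data_requested: tuple            # e.g. ("ip", "phone", "address")
    callback_verified: bool = False  # staff phoned the directory number and confirmed


@dataclass
class Triage:
    decision: str                    # "release" or "hold"
    reasons: list = field(default_factory=list)


def legacy_policy(req):
    """The weak behaviour described above: the urgency flag alone unlocks the data."""
    return "release" if req.urgency in HIGH_URGENCY else "review"


def triage_edr(req, today):
    """Hardened policy: any finding below blocks release until it is resolved."""
    reasons = []
    domain = req.requester_email.rsplit("@", 1)[-1].lower()
    if domain not in AGENCY_DIRECTORY:
        reasons.append(f"requester domain {domain} not in agency directory")
    age_days = (today - req.account_created).days
    if age_days < MIN_ACCOUNT_AGE_DAYS:
        reasons.append(f"requester account is only {age_days} days old")
    if req.urgency in HIGH_URGENCY and not req.callback_verified:
        reasons.append("high-urgency request not confirmed by callback to directory number")
    if not req.incident_ref.strip():
        reasons.append("no incident reference supplied")
    if "address" in req.data_requested and req.urgency == "routine":
        reasons.append("home address requested without an emergency basis")
    return Triage("release" if not reasons else "hold", reasons)


if __name__ == "__main__":
    today = date(2025, 2, 10)
    # Constructed request in the style described above: a fresh account, no case
    # number, maximum urgency, asking for everything at once.
    suspicious = EdrRequest("m.rossi@example-pd.gov", date(2025, 2, 1),
                            "life_threatening", "", ("ip", "phone", "address"))
    print("legacy:", legacy_policy(suspicious))
    print("hardened:", triage_edr(suspicious, today))
```

The hardened routine does not decide whether a request is genuine; it only refuses to let the urgency checkbox replace verification, which is exactly the shortcut the fake requests depend on.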
☣︎ The Current State of the Threat
The threat has not diminished; on the contrary, it is spreading and increasing. Take a look at this announcement dated February 2025.

Actor Kleissner is now selling Kodex accounts opened through Italian police for just $400. The drop in price means that even low-profile attackers, known as script kiddies, can now dox you through legal means.
There are even groups that have shifted to an “EDR as a Service” model. The following images are from December 2025, i.e. the present day.


Groups openly advertise that they are verified by European government emails and can pass EDR upon request.
💀 Result: Virtual Data, Physical Violence

Once the fun part of this job is over, the real work begins. The data obtained (home address, phone number) is used not only for disclosure but also for physical threats.

The attacker uses the exact home address they have obtained to make a false but high-priority report to the police, such as claiming there are hostages in the house or that a bomb has been planted. The aim is to send SWAT teams or Special Operations to the target's home, creating chaos in which the person is shot or traumatized. This is a method that has led to fatalities in the United States, and Fake EDR provides the targeting data required for this purpose.

₍^. .^₎⟆ The Secret Weapon of Threat Actors and APTs
Based on my observations, the marketplace where everyone used to buy and sell has now gone somewhat underground. These access points have become a strategic asset not only in the hands of street scammers, but also of aggressive gangs like Lapsus$ and Scattered Spider, as well as state-sponsored APT groups.
Ransomware Groups
For ransomware groups, Kodex is a social-engineering skeleton key that opens locked doors.
Scenario: Triple Extortion. Encrypting (1) and leaking (2) data is no longer enough. Groups are now adding personal harassment (3).
Attack: The company did not pay the ransom? The group identifies the phone numbers of C-level executives' spouses and children via Kodex. Messages filled with disclosures about the manager's sensitive situations at work or in their personal life are sent to family members. Police are sent to their homes on false reports. This is the dirtiest method used to break down corporate resistance.
APT Groups
APT groups don't want money; they want intelligence. For them, Kodex is a way to monitor a target without infecting it with malware.
Scenario: The group wants to track a diplomat, journalist, or dissident.
The group uses a compromised Brazilian Police account to send an EDR to Uber, Airbnb, or a GSM operator about the target individual.
The attacker obtains the target's current location, last visited addresses, and call logs. There is no malware on the target's phone, but the person is monitored 24/7.
Stealer Log Analysis
Before closing, I would like to note that with our OsintCTI product we monitor important government leaks, Kodex Global first among them, 24/7, and notify the institutions concerned so the credentials can be neutralized before hackers gain access. Below is an example from our control panel.
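The monitoring described here, and the credential harvesting described earlier in the "How Do They Gain Access?" section, both come down to the same check: reading stealer-log exports and picking out credentials that belong to government or police mail domains. The following scanner is an added example and is not the OsintCTI product's code. It assumes the common `URL:user:password` export layout, treats `.gov` and `.police` (optionally followed by a country code) as government suffixes, masks passwords so the alert itself never carries the secret, and flags two things an institution wants to know first: whether the credential was harvested from its own portal and whether the same credential was reused on other sites. The log lines and domains are constructed.

```python
"""
Added example (not part of the original post or the OsintCTI product):
scan stealer-log style lines for government/police credentials and build
per-institution alerts for notification.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Government-style suffixes: ".gov" or ".police", optionally plus a two-letter
# country code such as ".gov.it". This list is an assumption for the example.
GOV_SUFFIX = re.compile(r"(\.gov|\.police)(\.[a-z]{2})?$")

# Constructed sample in the usual "URL:user:password" export form.
SAMPLE_LOG = """\
https://mail.example-pd.gov/owa/auth.aspx:officer.k@example-pd.gov:Winter!23
https://accounts.example-shop.test/login:jdoe@mail.test:hunter2
https://www.example-social.test/login:officer.k@example-pd.gov:Winter!23
https://intranet.cid.example.police/login:a.singh@cid.example.police:Spring#99
https://webmail.unit.example.gov.it/:m.rossi@unit.example.gov.it:Estate2024!
this line has no separators
"""


def parse_stealer_line(line):
    """Split 'URL:user:password' from the right, because the URL itself contains ':'.
    A password containing ':' would be truncated; acceptable for an alerting scan."""
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3 or "@" not in parts[1]:
        return None
    url, user, password = parts
    return url, user.lower(), password


def is_government_email(email):
    domain = email.rsplit("@", 1)[-1].lower()
    return bool(GOV_SUFFIX.search(domain))


def mask(secret):
    """Keep two characters so the institution can match the hit; never ship the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def build_alerts(log_text):
    """Return {institution_domain: [alert, ...]} for government credentials in the log."""
    sites_per_credential = defaultdict(set)  # (user, password) -> sites it appeared on
    records = []
    for line in log_text.splitlines():
        parsed = parse_stealer_line(line)
        if parsed is None:
            continue
        url, user, password = parsed
        if not is_government_email(user):
            continue
        site = urlsplit(url).hostname or url
        sites_per_credential[(user, password)].add(site)
        records.append((user, password, site))

    alerts = defaultdict(list)
    for user, password, site in records:
        institution = user.rsplit("@", 1)[-1]
        alerts[institution].append({
            "user": user,
            "password_hint": mask(password),
            "harvested_from": site,
            # Same e-mail/password pair seen on several sites: the official
            # mailbox is exposed even if only a third-party site was phished.
            "reused_elsewhere": len(sites_per_credential[(user, password)]) > 1,
            # Harvested from the institution's own portal: the mailbox itself
            # is directly usable for the registration step described above.
            "official_portal": site.endswith(institution),
        })
    return dict(alerts)


if __name__ == "__main__":
    for institution, items in build_alerts(SAMPLE_LOG).items():
        print(institution)
        for item in items:
            print("   ", item)
```

Each alert is keyed by the institution's mail domain, which is the unit a notification goes to; the per-credential reuse and official-portal flags are what decide whether the notice is routine or urgent.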

The End...
In short, those $400 ads we saw were just the tip of the iceberg. Deep down, these systems reveal how far the world of cybercrime can go.

I would like to thank my friend Onur Savaş for his intellectual contributions and visual archive in this article <3
