Inside the Dark Web’s Trade in Government Access: Trustwave Warns of a Growing Threat to Public Sector Systems
- Cyber Jill

- Oct 20
The dark web has long been the backroom of the internet — where threat actors trade exploits, leak stolen credentials, and barter access to networks most people assume are secure. But new research from Trustwave SpiderLabs paints a sobering picture: public sector organizations, from local municipalities to national agencies, are now a hot commodity in this underground economy.
VPNs for Sale: A Backdoor into Government Networks
SpiderLabs researchers found a bustling market for VPN access to government systems, often sold for as little as a few hundred dollars. These listings — some tied to agencies in Mexico and Algeria — advertise everything from domain credentials to screenshots as proof of access.
The reason for the surge is simple: many public sector institutions still rely on VPNs as the backbone of remote work and inter-agency collaboration. Once compromised, those same VPNs give attackers unrestricted internal access. From there, ransomware groups, espionage operations, and hacktivists can move laterally through networks with minimal resistance.
According to the report, many of these credentials are harvested through familiar tactics — phishing, credential stealers, brute-force attacks, or insider leaks. The end result is a thriving resale economy that connects initial access brokers with larger criminal operations.
SpiderLabs recommends that government IT teams enforce multifactor authentication (MFA), continuously monitor VPN sessions for anomalies, and begin transitioning to zero-trust architectures. “The goal is to reduce reliance on perimeter defenses that attackers already know how to evade,” the researchers warn.
The Insider Economy: When Trust Becomes a Weapon
Beyond stolen credentials, Trustwave’s investigation uncovered a more insidious trend — the recruitment of insiders within public agencies. Posts on Russian-speaking dark web forums now openly advertise cash rewards for government employees willing to share access credentials, documents, or intelligence.
The motivations vary. Some insiders are enticed by money, others by ideology, and some are blackmailed. But the impact is the same: sensitive law enforcement data, classified intelligence, and operational details from agencies like Interpol or Europol are surfacing in dark web communities.
This isn’t espionage in the traditional sense. The process is fully digitized — recruitment, payment, and communication all handled through encrypted channels and cryptocurrency. Trustwave researchers note that remote work and digital transformation have expanded this risk, giving more employees unsupervised access to critical systems.
Countering insider threats, they say, requires more than firewalls. Agencies must strengthen vetting, behavioral analytics, and cultural awareness programs to identify stressors or anomalies before they escalate into breaches.
Government Emails for Rent — and the Trust They Carry
Perhaps the most alarming discovery is the sale and rental of live, fully functional government email accounts. Unlike leaked credentials on paste sites, these accounts can send and receive legitimate communications — a goldmine for phishing and fraud.
Attackers use these accounts to impersonate officials, authorize fake payments, and distribute malware-laced documents under the guise of legitimate government correspondence. Trustwave’s analysis shows listings offering access to public administration inboxes across multiple countries.
Even when the accounts are reclaimed, the reputational fallout is lasting. “Once trust in a government domain is broken, every future communication becomes suspect,” one researcher said.
Reclaiming Cyber Resilience in the Public Sector
The Trustwave report doesn’t just catalog threats — it lays out a roadmap for response. The key message: cybersecurity must be built by design, not as an afterthought.
The team urges governments to:
- Adopt recognized cybersecurity frameworks such as NIST, CIS Controls, and ISO 27001.
- Move toward zero trust verification for all users and devices.
- Deploy AI-based detection tools for faster breach identification.
- Enforce continuous employee training to counter phishing and social engineering.
- Strengthen patch management, segmentation, and offline backups to limit damage when — not if — a breach occurs.
As Trustwave puts it, the last five years have shown that cyberattacks on public administration are the new normal. But they’ve also shown that resilience is possible. Municipalities that invested early in modern defenses are already avoiding the worst outcomes.
The dark web may continue to trade in stolen government access, but with vigilance and modernization, public sector organizations can shift from being high-value targets to hardened ones.


