Threat actors are using vacant residential properties as "drop addresses" to intercept sensitive mail, combining open-source intelligence with legitimate postal services to enable identity theft and financial fraud.
A new hybrid cybercrime technique is emerging that combines digital intelligence gathering with physical-world exploitation, as threat actors systematically abuse vacant residential properties to intercept sensitive mail and enable identity theft and financial fraud.

Unlike traditional cybercrime methods that rely on malware or phishing, this approach exploits legitimate services and real-world infrastructure. A tutorial recently analyzed by Flare security researchers reveals how attackers identify and exploit unoccupied homes as "drop addresses" to receive mail without alerting rightful occupants.
Finding the Perfect Drop Address
The process begins with identifying vacant properties through real estate platforms like Zillow, Rightmove, or Zoopla. Attackers filter for newly listed rental properties, increasing the likelihood that homes are temporarily unoccupied or between tenants. The tutorial suggests reviewing older listings to find properties that have remained empty for extended periods, making them more reliable as drop locations.
In some cases, threat actors even recommend physically maintaining abandoned properties to make them appear occupied, reducing the risk of drawing attention while using the address for fraudulent purposes.
Digital Intelligence Gathering
Once a suitable address is identified, attackers leverage legitimate digital postal services for remote monitoring. Services like Informed Delivery provide residential consumers with digital previews of incoming letter-sized mail and package tracking. By registering these services for the selected address, attackers can monitor incoming correspondence remotely, identifying valuable items such as financial documents, credit cards, or verification letters before physically accessing the mailbox.
This transforms mail delivery into intelligence gathering, enabling more targeted and efficient fraud. If the address is already registered, the tutorial references change-of-address requests as a way to regain control over mail delivery.
Establishing Persistent Access
After confirming valuable mail is being delivered, the workflow shifts toward establishing long-term access through mail forwarding services. Attackers create personal mailbox accounts to redirect all incoming mail from the drop address to a separate location under their control.
Because these services typically require identity verification, attackers rely on fake identities, forged documents, or purchased personal data to complete the process. This marks a critical transition from opportunistic interception to persistent access.
Once mail forwarding is in place, attackers no longer need to revisit the physical location, reducing exposure while maintaining continuous access to sensitive information. The use of fake identities, often involving fabricated personal details or Credit Privacy Numbers (CPNs), demonstrates how this technique integrates with broader fraud ecosystems.
The Human Element
The method outlined in the tutorial reflects a broader evolution in fraud operations, where digital intelligence gathering is combined with physical-world manipulation. In addition to leveraging online platforms and postal services, actors also describe using individuals (sometimes recruited from vulnerable populations) to physically access mailboxes or collect delivered items.
This introduces a human layer into the operation, allowing attackers to outsource risk and further distance themselves from direct involvement.
Growing Threat Landscape
The activity described in the tutorial reflects a broader rise in mail-enabled fraud documented in recent reporting. According to U.S. Postal Inspection Service–related data, reports of mail theft have increased significantly in recent years, with theft from mail receptacles rising by 139% between 2019 and 2023.
Financially, the impact is substantial, with mail theft schemes linked to hundreds of millions of dollars in suspicious activity tied to check fraud. At the same time, abuse of postal redirection services has also grown, with change-of-address fraud increasing sharply year-over-year.
Beyond Traditional Cybersecurity Controls
The emergence of these techniques underscores a growing challenge for organizations: many of the systems being abused—real estate platforms, postal services, and identity verification processes—exist outside the scope of traditional cybersecurity defenses.
As fraud operations continue to evolve, detection increasingly depends on correlating signals across domains, including address usage patterns, mail forwarding activity, and identity inconsistencies. Without this broader visibility, attacks that rely on legitimate services rather than technical exploits may continue to evade conventional security controls.
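One way a card issuer or bank could correlate the three signal types named above, shown as an added example that is not from the original article or from Flare's research. The event schema, the field names (id_token and the rest), the thresholds and the sample records are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample events: (kind, account, id_token, date_of_birth, mailing_address, day)
EVENTS = [
    ("application", "A1", "t-01", "1988-03-02", "12 Elm St., Apt 4", date(2024, 5, 1)),
    ("application", "A2", "t-02", "1991-07-19", "12 elm st apt 4", date(2024, 5, 9)),
    ("application", "A3", "t-02", "1993-07-19", "12 ELM ST  APT 4", date(2024, 5, 20)),
    ("application", "A4", "t-03", "1979-11-30", "12 Elm St Apt 4", date(2024, 5, 25)),
    ("address_change", "B7", "t-04", "1985-01-15", "12 Elm St, Apt 4", date(2024, 6, 1)),
    ("card_reissue", "B7", "t-04", "1985-01-15", "12 Elm St, Apt 4", date(2024, 6, 4)),
    ("application", "C3", "t-09", "1990-02-02", "9 Oak Ave", date(2024, 5, 3)),
]

def normalize(address):
    """Fold case, punctuation and spacing so variants of one address compare equal."""
    return re.sub(r"\s+", " ", re.sub(r"[^a-z0-9 ]", "", address.lower())).strip()

def correlate(events, min_identities=3, window=timedelta(days=90), max_gap=timedelta(days=14)):
    """Return {normalized address: set of signal names} for addresses with any signal."""
    signals = defaultdict(set)
    applicants = defaultdict(list)   # address -> [(day, id_token)]
    births = defaultdict(set)        # id_token -> dates of birth seen
    used_at = defaultdict(set)       # id_token -> addresses used
    last_move = {}                   # account -> (day, address) of latest address change
    for kind, account, token, dob, address, day in sorted(events, key=lambda e: e[5]):
        addr = normalize(address)
        births[token].add(dob)
        used_at[token].add(addr)
        if kind == "application":
            applicants[addr].append((day, token))
        elif kind == "address_change":
            last_move[account] = (day, addr)
        elif kind == "card_reissue" and account in last_move:
            moved, new_addr = last_move[account]
            if day - moved <= max_gap:           # mailed item soon after a redirect
                signals[new_addr].add("move_then_mail")
    for addr, seen in applicants.items():        # address usage pattern
        for start, _ in seen:
            if len({t for d, t in seen if start <= d <= start + window}) >= min_identities:
                signals[addr].add("shared_address")
    for token, dobs in births.items():           # identity inconsistency
        if len(dobs) > 1:
            for addr in used_at[token]:
                signals[addr].add("dob_conflict")
    return dict(signals)

def flagged(events, min_signals=2):
    return sorted(a for a, s in correlate(events).items() if len(s) >= min_signals)
```

Requiring at least two coinciding signals in flagged() keeps a single weak indicator, such as several people legitimately sharing one address, from raising an alert on its own.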
This is not an isolated tutorial but part of a broader phenomenon of tutorials on how to find physical drop addresses, some offered for free and others sold on underground markets. The demand for drop addresses continues to grow across dark web forums and Telegram channels, where threat actors share fraud playbooks, stolen credentials, and fake document services.

The hybrid nature of this attack—blending digital reconnaissance with physical-world exploitation—represents a significant evolution in cybercrime methodology, one that requires defenders to expand their monitoring beyond traditional network perimeters to include physical infrastructure and legitimate service abuse patterns.
