Key Takeaway
Flare research documents how threat actors register vacant properties as mail drop addresses by abusing USPS Change of Address mechanisms and synthetic identities to intercept physical mail containing PII, financial credentials, and authentication material. The methodology chains public foreclosure data, dark web identity documents, and reshipping mules into a functional fraud pipeline targeting bank card deliveries, government correspondence, and OTP letters. Individuals should enroll in USPS Informed Delivery and lock their address through a registered USPS.com account; security teams should re-evaluate physical mail as a weak authentication channel.
Vacant Property Mail Interception: How Threat Actors Convert Drop Addresses Into Fraud Infrastructure
Overview
Research published by Flare exposes a fraud methodology in which threat actors register vacant residential and commercial properties as mail drop addresses to intercept physical correspondence and exploit postal service delivery mechanisms. The technique enables identity fraud, financial account takeover, and document theft at scale, targeting individuals and institutions that rely on physical mail for sensitive communications.
Who Is Affected and What Was Exposed
Flare's research does not describe a single discrete breach with a defined victim count. Instead, it documents a systemic abuse vector affecting any individual or organization whose sensitive mail — bank statements, government documents, credit card deliveries, tax correspondence, and identity verification letters — is routed to an address that bad actors have registered or claimed control over.
The exposed data categories include:
- Personally Identifiable Information (PII): Full legal names, dates of birth, Social Security Numbers on mailed documents
- Financial instrument data: Credit and debit cards mailed to new cardholders, account statements, wire transfer confirmations
- Government-issued credentials: Driver's license renewals, Medicare and Medicaid cards, IRS correspondence
- Authentication material: One-time password letters, account verification codes sent via physical mail by financial institutions and government agencies
Any individual whose mail is routed through a compromised drop address is at risk. High-density urban areas with high residential turnover and foreclosed or bank-owned properties represent elevated-risk zones based on the described methodology.
Attack Vector
The technique chains several abuse primitives together into a functional fraud pipeline.
Step 1 — Address Registration: Threat actors identify vacant properties through public foreclosure records, real estate listings, or physical reconnaissance. They submit a United States Postal Service (USPS) Change of Address (COA) form — either physically or via the USPS online portal — redirecting mail from a target's legitimate address to the vacant property. The USPS online COA process requires only a credit card charge of $1.10 for identity verification, which attackers bypass using stolen card data or prepaid cards linked to synthetic identities.
Step 2 — Identity Fabrication: Synthetic identities built from a combination of real and fabricated PII are used to establish apparent residency at the drop address. Flare documents how fraud actors purchase or manufacture supporting documentation — utility bills, lease agreements — on dark web marketplaces and Telegram channels to reinforce the fraudulent address claim.
Step 3 — Mail Harvesting: Once the COA redirect is in place, the threat actor either physically retrieves mail from the vacant property or coordinates with a local accomplice acting as a reshipping mule. Intercepted mail yields raw PII, financial credentials, and authentication tokens.
Step 4 — Downstream Fraud Execution: Harvested data feeds account takeover (ATO) operations, new account fraud (NAF), tax refund fraud, and benefits fraud. Physical cards intercepted in transit are immediately usable for card-present transactions and ATM withdrawals before the legitimate account holder reports non-receipt.
Flare's analysis highlights that fraud rings operating this methodology maintain lists of viable drop addresses, rotating through vacant properties to avoid pattern detection by postal inspectors. Some operations use purpose-registered LLCs with virtual office addresses as a cleaner alternative that is harder to tie to a specific individual.
Operational Security Failures That Enable This Vector
The USPS COA process has documented weaknesses. The $1.10 verification charge does not confirm the requester's identity against any authoritative database. USPS does send a Move Validation Letter to both the old and new address after a COA is submitted, giving legitimate residents a 10-day window to identify unauthorized redirects — but this control fails entirely when the original address is vacant or when the account holder does not monitor mail closely.
Financial institutions and government agencies that send authentication material or financial instruments via physical mail without layered out-of-band verification compound the exposure. Mailing a new credit card to an address without requiring in-person pickup or digital confirmation creates a dependency on postal security that this fraud vector directly undermines.
What Affected Users and Security Teams Should Do
Individuals:
- Enroll in USPS Informed Delivery at informeddelivery.usps.com to receive daily email digests of incoming mail. An unauthorized COA will appear as a discrepancy between expected and received items.
- Place a USPS Mail Hold or use a P.O. Box for sensitive financial and government correspondence.
- Register a USPS.com account to lock your address against unauthorized online COA submissions — a registered account adds an authentication layer the paper form bypasses.
- Monitor credit reports via AnnualCreditReport.com and place a security freeze at Equifax, Experian, and TransUnion if unauthorized address changes are suspected.
- File a complaint with the USPS Postal Inspection Service (postalinspectors.uspis.gov) immediately upon discovering an unauthorized redirect.
Security Teams and CISOs:
- Flag mailed authentication tokens (OTP letters, card mailers) as a weak link in identity verification chains. Supplement or replace physical mail verification with digital out-of-band channels.
- Include physical mail interception in threat models for account onboarding and recovery workflows.
- When evaluating third-party identity verification vendors, confirm whether address validation includes vacancy and COA fraud screening. Vendors such as Melissa Data, LexisNexis Risk Solutions, and Experian Precise ID offer address risk scoring that flags high-velocity COA activity and vacant property status.
- Monitor dark web sources and Telegram fraud channels for mentions of your organization's card BINs or mailed credential programs appearing in drop address trade listings — a use case directly supported by platforms like Flare.
Fraud and Risk Teams:
- Treat non-receipt reports for newly issued cards or documents as a potential drop address indicator, not simply a fulfillment failure.
- Cross-reference customer-provided addresses against USPS vacant property and COA velocity databases before dispatching sensitive mail.
- Implement stepped-up authentication for any account where the mailing address has changed within the prior 30 days.
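The three fraud-team controls above can be expressed as one dispatch-time triage rule set. The following is an added illustration, not code from Flare or the source article; it assumes the vacancy flag comes from an address-risk vendor lookup of the kind mentioned earlier, and it adds one check the list implies but does not spell out: several distinct accounts redirecting mail to the same destination within the 30-day window, which is what a rotating drop address looks like from the issuer's side (the threshold of 3 is an assumed tuning value).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

STEP_UP_WINDOW = timedelta(days=30)   # the 30-day window from the advisory
SHARED_ADDRESS_THRESHOLD = 3          # assumed tuning value, not from the page

@dataclass
class MailEvent:
    account_id: str
    address: str          # normalized mailing address now on file
    changed_on: date      # when the mailing address was last changed
    non_receipt: bool     # customer reported a mailed card/document never arrived
    vacant_flag: bool     # vendor address-risk result: property vacant (assumed field)

def recent_change(ev, today):
    return today - ev.changed_on <= STEP_UP_WINDOW

def shared_destinations(events, today, threshold=SHARED_ADDRESS_THRESHOLD):
    """Addresses that several distinct accounts redirected to within the window."""
    accounts_by_addr = defaultdict(set)
    for ev in events:
        if recent_change(ev, today):
            accounts_by_addr[ev.address].add(ev.account_id)
    return {a for a, accts in accounts_by_addr.items() if len(accts) >= threshold}

def triage(events, today):
    """Return {account_id: (action, reasons)} for the dispatch / fraud queue."""
    hot = shared_destinations(events, today)
    out = {}
    for ev in events:
        reasons = []
        if ev.vacant_flag:
            reasons.append("vacant-property")
        if ev.address in hot:
            reasons.append("shared-destination")
        if ev.non_receipt:
            reasons.append("non-receipt")
        if recent_change(ev, today):
            reasons.append("recent-address-change")
        if "vacant-property" in reasons or "shared-destination" in reasons:
            action = "HOLD_MAIL_AND_INVESTIGATE"   # never send sensitive mail here
        elif "non-receipt" in reasons:
            action = "FRAUD_REVIEW"                # a drop-address indicator, not a reissue
        elif "recent-address-change" in reasons:
            action = "STEP_UP_AUTH"                # verify out of band before dispatch
        else:
            action = "DISPATCH"
        out[ev.account_id] = (action, reasons)
    return out

TODAY = date(2026, 3, 30)   # constructed reference date
SAMPLE = [                  # constructed records, not real customers or addresses
    MailEvent("A1", "100 ELM ST", date(2026, 3, 20), False, True),
    MailEvent("A2", "42 HOLLOW LN", date(2026, 3, 18), False, False),
    MailEvent("A3", "42 HOLLOW LN", date(2026, 3, 22), False, False),
    MailEvent("A4", "42 HOLLOW LN", date(2026, 3, 27), False, False),
    MailEvent("A5", "9 OAK AVE", date(2026, 3, 25), False, False),
    MailEvent("A6", "77 PINE RD", date(2025, 11, 1), True, False),
    MailEvent("A7", "5 MAIN ST", date(2025, 1, 1), False, False),
]
```

Running `triage(SAMPLE, TODAY)` holds mail for A1 (vacant) and A2 to A4 (shared destination), routes A6 to fraud review, and requires step-up authentication for A5 before anything is dispatched.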
Original Source
BleepingComputer