Motherboard obtained webinar slides by a company called SpyCloud presented to prospective customers. In that webinar, the company claimed to "empower investigators from law enforcement agencies and enterprises around the world to more quickly and efficiently bring malicious actors to justice".
The slides were shared by a source who was concerned about coppers buying access to hacked data. SpyCloud confirmed the slides were authentic and bragged that it was turning the criminals' data against them, "or at least we're empowering law enforcement to do that".
The sale highlights a somewhat novel use of breached data, and signals how data ordinarily associated with the commercial sector can be repurposed by law enforcement too.
Motherboard is concerned that the news raises questions about whether law enforcement agencies should be using information originally stolen by hackers.
It also raises the issue of coppers obtaining access to hacked data on people who are not associated with any crimes -- the vast majority of people affected by data breaches are not criminals -- and would not need to follow the usual mechanisms of sending a legal request to a company to obtain user data.
Based on our knoweldge of the GDPR, that would be a huge breach of European Law. Not that legality seem to matter much in the US at the moment.