We went into a black market where hackers sell verified accounts to make scams seem more real.
On August 15, an alarming email arrived in the inbox of Diana Pearl, a news editor in New York. It said that someone in Moscow had logged into her verified Twitter account. Pearl recognized the format because it looked like the other automated emails Twitter sends, with a plain white background, black text, and blue links.
Worried about the security of her account, she clicked the link in the email, which promised to let her secure it right away. The next page asked for her old password before letting her set a new one, and she entered it.
After a few seconds, someone sent a message to a Telegram group. Only a screenshot of Pearl’s Twitter profile and a link were in it. After three hours, the admin sent a text that said, “Sold.”
Pearl had been taken in by a phishing scam. The email didn’t come from Twitter but from a hacker who had copied the look of an official Twitter message. Pearl was out when the email arrived, and the message was worded to sound like it needed an answer right away, so she felt she couldn’t wait to read it on her computer at home. If she had waited, she might have noticed the strange address it came from, or that the link didn’t go to the official Twitter URL.
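The two tells mentioned above, a sender address that isn’t Twitter’s and a link whose host isn’t Twitter’s domain, are mechanical enough to check automatically. The script below is an added example, not anything from The Verge or Twitter: it parses a constructed lookalike email (the sender and link domains in it are placeholders, not real phishing infrastructure) and reports every sender or link host that is not twitter.com or one of its subdomains. Note how a host such as `twitter.com.secure-login-example.net` starts with the familiar name but is still flagged, because the comparison is on the registrable domain, not on a substring match.

```python
"""Flag a spoofed sender and off-domain links in a Twitter-style alert email.

Added example, not code from the article or from Twitter. The email below is
constructed; its sender and link domains are placeholders.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains a genuine Twitter alert would use (assumption for this example).
LEGIT_DOMAINS = {"twitter.com"}

# Constructed lookalike message: the sender and the "secure your account"
# link both live outside twitter.com, while the help link is genuine.
SAMPLE_EMAIL = """\
From: Twitter <security@twitter-alerts-example.net>
To: editor@example.org
Subject: New login to your account from Moscow, Russia
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed a new login to your account from <b>Moscow, Russia</b>.</p>
<p><a href="https://twitter.com.secure-login-example.net/reset">Secure your account now</a></p>
<p><a href="https://help.twitter.com/">Help Center</a></p>
</body></html>
"""


def host_is_legit(host):
    """True only if host is exactly a legitimate domain or a subdomain of one.
    A suffix match on '.twitter.com' defeats 'twitter.com.evil.example'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html_body):
    parser = LinkCollector()
    parser.feed(html_body)
    return parser.links


def check_message(raw_message):
    """Return a list of (kind, value) findings: 'sender' for a spoofed From
    address, 'link' for each href whose host is not a legitimate domain."""
    msg = message_from_string(raw_message)
    findings = []

    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    if not host_is_legit(sender_domain):
        findings.append(("sender", sender))

    # Single-part HTML body is enough for this example.
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, errors="replace")
    for link in extract_links(body):
        host = urlparse(link).hostname or ""
        if not host_is_legit(host):
            findings.append(("link", link))
    return findings


if __name__ == "__main__":
    for kind, value in check_message(SAMPLE_EMAIL):
        print(f"suspicious {kind}: {value}")
```

The check is deliberately narrow: it answers only "does this host belong to the site the email claims to be from?", which is the question Pearl would have asked had she looked at the address bar. Mail clients and gateways do the same comparison at scale, and it is exactly the inspection that urgency in the message is designed to short-circuit.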
Pearl’s account was just one of many that were sold on the black market, which was huge and very profitable. In this Telegram group, it usually costs a couple hundred dollars to take control of a verified account. Those who buy it usually hope to get their money back by promoting NFT scams. People’s profiles are often stolen. If the number of new listings on marketplaces for verified profiles is any indication, dozens of people lose their profiles every day. Even though the trade has been going on for years, platforms don’t seem to be able to stop it.
When writer Jacob Stern’s account for The Atlantic was hacked in May of this year, it was used to trick Moonbirds NFT owners into sending their tokens to the hacker’s wallet. Over a few hours, the hacker sent out hundreds of tweets announcing a new “drop” with a phishing link, which led buyers to send cryptocurrency in exchange for a fake NFT or nothing at all. In August, the profile of MPR News reporter Dana Ferguson was altered the same way to steal Killabears NFTs; everything except the username was changed, since changing that would have removed the verification badge. Both hacks led back to the same Telegram group, where the compromised accounts had been offered for sale.
Some hackers even get other NFT artists to help them pull off the scam. When California writer Marissa Wenzke’s account was hacked, it was used to promote the “Meta Battlebots” art project by the group behind the NFT collection. This was a real NFT art project, not a scam. When told that a hacked account was promoting them, the official Twitter account for Meta Battlebots said, “Don’t worry about that.” They blocked the reporter’s account a moment later, which ended the conversation.
A security researcher at UC Santa Barbara who did a thorough study on NFT fraud says that a verification badge adds a stamp of authenticity, and a scammer with a verified Twitter profile can get a lot more attention and have a bigger impact. And by going after the multibillion-dollar NFT ecosystem, hackers and buyers or scammers can get their money back in a few tweets before account owners start the process of recovering their accounts.
He told The Verge that Efani is a good example of an NFT scam. Even if only one out of 10 tries works, that’s a lot of money.
In the past, blue-check thefts from Twitter were both rare and well-planned. Most of the stolen information was sold on marketplaces like Swapd and Ogu.gg. But as the number of NFT scams and promotions that need verified accounts has grown, hackers have turned to easier-to-use channels like Telegram to reach more people. And it’s not as hard as you might think for hackers to get in.
Most blue-check thefts from Twitter are carried out with a “credential stuffing” attack, according to conversations The Verge had with many current and former hackers, who asked to stay anonymous because they feared backlash in the security community.
In a credential stuffing attack, hackers start with a large database of leaked username and password combinations. Since large-scale data breaches are becoming more common, these databases aren’t hard to find. The intruder then tries those combinations by brute force against Twitter’s login form and sells the ones that work in their groups.
When that doesn’t work, either because the account has two-factor authentication or because the owner didn’t reuse a password from a breached account, attackers turn to phishing. Email phishing is becoming less effective, so many hackers now try it on Twitter itself, using hacked blue-check accounts to pose as Twitter’s support team. A former hacker named “Owen,” who worked on developing credential-stuffing programs, told The Verge that at any given time dozens of verified profiles have been hacked and are looking for a buyer. In one DM conversation I saw, a potential buyer said he was looking for someone with experience stealing NFTs from verified profiles.
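The credential-stuffing pattern described above has a recognizable shape in a login log: one source trying many distinct usernames in a short window, mostly failing, with an occasional success (those successes are the accounts that end up for sale). The script below is an added example, not Twitter’s detection logic; the log format and every line in it are constructed. It slides a time window over each source’s attempts and flags a source when it touches at least `min_users` distinct accounts while succeeding rarely, reporting which usernames did succeed so those accounts can be locked and their owners notified before the listing goes up.

```python
"""Flag credential-stuffing activity in login logs.

Added example, not Twitter's tooling. The log format (one event per line,
'<iso timestamp> src=<ip> user=<name> result=<ok|fail>') and the sample
lines are constructed for this demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays eight different usernames in a few
# seconds and lands one (carol); 198.51.100.4 is a real user who mistypes
# her own password twice and then gets in.
SAMPLE_LOG = """\
2022-08-15T10:00:01Z src=203.0.113.7 user=alice result=fail
2022-08-15T10:00:02Z src=203.0.113.7 user=bob result=fail
2022-08-15T10:00:02Z src=203.0.113.7 user=carol result=ok
2022-08-15T10:00:03Z src=203.0.113.7 user=dave result=fail
2022-08-15T10:00:03Z src=203.0.113.7 user=erin result=fail
2022-08-15T10:00:04Z src=203.0.113.7 user=frank result=fail
2022-08-15T10:00:04Z src=203.0.113.7 user=grace result=fail
2022-08-15T10:00:05Z src=203.0.113.7 user=heidi result=fail
2022-08-15T10:01:00Z src=198.51.100.4 user=alice result=fail
2022-08-15T10:01:20Z src=198.51.100.4 user=alice result=fail
2022-08-15T10:01:40Z src=198.51.100.4 user=alice result=ok
"""


def parse_line(line):
    """Return (timestamp, source ip, username, succeeded) for one log line."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["src"], kv["user"], kv["result"] == "ok"


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, max_success_rate=0.3):
    """Return {source_ip: stats} for sources whose attempts inside any
    `window` cover at least `min_users` distinct usernames with a success
    rate at or below `max_success_rate`. Stats include the usernames that
    succeeded, i.e. the accounts presumed compromised."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))

    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sorted({u for _, u, ok in span if ok})
            rate = sum(1 for _, _, ok in span if ok) / len(span)
            if len(users) >= min_users and rate <= max_success_rate:
                prev = flagged.get(src)
                # Keep the largest qualifying window for this source.
                if prev is None or len(span) > prev["attempts"]:
                    flagged[src] = {
                        "attempts": len(span),
                        "distinct_users": len(users),
                        "compromised": successes,
                    }
    return flagged


if __name__ == "__main__":
    for src, stats in detect_stuffing(SAMPLE_LOG).items():
        print(src, stats)
```

The distinct-username count is what separates stuffing from a legitimate user fumbling their own password, which is why the second source in the sample is not flagged despite two failures. In practice the attempts are spread across many proxies, so per-source counting is only the first signal; the structural fixes the article itself points to, two-factor authentication and not reusing a password from a breached site, remove the payoff regardless of how the attempts are distributed.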
Even though individual compromises can be a pain for users like Pearl, they happen so rarely that platforms don’t seem to mind that the trade is still going on. Telegram did not answer when asked for a comment.
Twitter’s communications manager, Celeste Carswell, says the social network works hard to educate users on how to avoid frauds and freezes millions of spam accounts each week. “Unfortunately, scam artists are becoming more intelligent,” Carswell added.