New verification system on X gives boost to dark web sales of stolen accounts
Dark web forums and marketplaces are increasingly selling access to hijacked X accounts verified with specialized tags only given to paying customers.
Researchers at the cybersecurity company CloudSEK said they have noticed the phenomenon since Tesla CEO Elon Musk took over the company and changed the social media site’s verification system.
When Musk took over, he changed the relatively arcane merit-based verification process and made it so anyone could simply purchase verification. He also rolled out other changes that allowed organizations to verify themselves with different colored checkmarks.
Government organizations and NGOs can get gray check marks while companies can get gold. Anyone else can purchase blue verifications. All three require paid monthly subscriptions.
“Dark web forums and marketplaces have a dedicated section where social media sales are extensively observed. Recently, there has been a surge of posts where threat actors were selling accounts with Twitter Gold verification,” the researchers said.
“A strikingly similar series of advertisements was also seen on Telegram channels, indicating that malicious campaigns are brooding on a large scale that requires a Twitter Gold account. The advertisements on the dark web can be traced back to multiple online shops and their marketing partners, such as Facebook, Telegram, etc.”
They added that the amount of shops and service providers today is “humongous” and can be found with simple searches on Google, Facebook and Telegram.
The cybercriminals behind these efforts offer a range of prices for different X accounts. They get the accounts through several different methods:
- By manually creating accounts and getting them verified before offering them for sale
- By hacking existing accounts through previously leaked username and password lists
- By using information stealer malware that can steal credentials from infected devices
For accounts acquired through information-stealing malware, hackers sell access based on the company being exploited, the number of followers and the region the account is based in.
There have been several recent examples of high-profile X accounts being taken over by hackers.
This week, an account belonging to Google-owned cybersecurity firm Mandiant began hawking cryptocurrency scams, and another blockchain security firm had its account hijacked on Thursday night. On Tuesday, a Canadian senator had their X account taken over to spread a scam.
CloudSEK referenced other high-profile situations, including attacks on accounts owned by the co-founder of Ethereum. That incident allowed hackers to use the founder’s account to spread malicious links that allowed them to steal cryptocurrency. The hackers only had the account for 20 minutes and stole nearly $700,000 before the posts were removed, according to CloudSEK.
CloudSEK said most Gold accounts were sold for about $500 while long-running account that had been converted to Gold after Musk's takeover was available for between $1,200 to $2,000. Accounts with blue verification are available for $35, and accounts over five years old were on sale for $1.50.
An example of a dark web post selling X accounts provided by CloudSEK.“Different threat actors across the open and dark web had multiple claims while providing Twitter Gold accounts. An actor engaged with our source mentioned providing 15 inactive accounts every week that should be further converted into gold subscriptions by the purchaser,” the researchers explained.
“This makes over 720 accounts annually... Another set of advertisements openly mentioned the companies that were offered for sale, and depending on the brand and followers of this account, the accounts with a gold badge ranged from $1,200 to $2,000.”
All of the purchases were conducted through middlemen, and sellers said they could increase the number of followers of the accounts if needed. For $135, they could add 30,000 to 50,000 extra followers.
The accounts for sale are dormant, effectively going unused as cybercriminals offer them for sale, and once an account is sold, the original user is locked out.
CloudSEK researchers purchased six accounts on sale that had between 2,000 and 72,000 followers. One account with 28,000 followers had been dormant since 2016 and was on sale for up to $2,500.
The researchers found one Twitter Gold account with its main domain as abc.com. It had been inactive since 2019 before a post was created in 2022, “after purchasing gold from cyber criminals.”
“Following this thread, the post was redirecting its readers to another domain, 'ABC.XYZ, ' which was created two months ago. Upon checking the passive DNS resolution, the IPs interacting with this redirecting domain had malicious detections,” the researchers said.
Most of the people purchasing these kinds of accounts are looking to either spread disinformation or conduct phishing campaigns that either harvest credentials or steal cryptocurrency.
The sellers typically target accounts created by organizations before 2022 that were abandoned or unused. The recovery email is changed once access is gained and all contact details are replaced.
CloudSEK urged organizations to shut down dormant accounts or at the very least create complex passwords that cannot be brute forced.
“With the steep rise in accounts being compromised and advertised daily on the dark web using different methodologies, it is evident that threat actors would not budge from such profit-making businesses anytime soon,” they said.
Cybercriminals seized on the chaos that ensued following Musk’s takeover of the social media giant. As soon as the verification changes were instituted, threat actors immediately abused them, allowing hackers to launch verification phishing campaigns that largely targeted media and entertainment figures, journalists, and other users who are already verified on X.
Even before Musk’s takeover, cybercriminals offered access to compromised X accounts and bots with the ability to inflate follower accounts. But Musk’s dismantling of the company’s security teams exacerbated the issue and exposed the company to wider scam efforts.
Those who find security issues in the platform have reported issues understanding who to contact. Last month, two researchers discovered vulnerabilities in X that were not addressed for weeks by the social media site’s team.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.