Researchers from CloudSEK have warned of a surge in cybercriminal activity on the dark web involving the compromise and sale of Twitter Gold accounts.
The Gold checkmark, introduced by X (formerly Twitter) a year ago, is used to authenticate official, corporate, or media Twitter accounts.
The most common targets are unused/abandoned accounts set up before 2022. To compromise Gold accounts, threat actors use brute-force attacks and malware designed to steal passwords and credentials. Additionally, criminals are taking over non-Gold accounts associated with real organizations that have been inactive for months, upgrading them to verified status, and flooding dark web platforms with these compromised accounts.
The dark web advertisements for these hacked accounts reveal prices ranging from $35 for basic accounts to $2,000 for accounts with large followings.
The researchers said they were able to identify the advertisements by doing basic searches on popular platforms like Google, Facebook, and Telegram using keywords such as “Twitter Gold buy.”
“The advertisements on the dark web can be traced back to multiple online shops and their marketing partners, such as Facebook, Telegram, etc.,” said CloudSEK in a report. “Some X account providers have hosted their shops successfully for over four years and used the same medium to advertise Twitter Gold accounts.”
Once in the hands of cybercriminals, compromised Twitter Gold accounts become tools for various malicious activities, including phishing, scams, and the impersonation of legitimate accounts. CloudSEK's research has uncovered instances where standard accounts associated with businesses were hijacked, upgraded to Gold status, and subsequently sold on underground cybercrime forums.
The buyers of these Gold accounts exploit them for spreading disinformation, conducting job and crypto scams, or directing unsuspecting users to phishing websites aimed at harvesting their credentials and personally identifiable information (PII).