CloudSEK researchers warn about the leak and sale of Twitter Gold accounts on the dark web. The Gold checkmark, introduced by X (formerly Twitter) a year ago, is used to authenticate official, corporate or media accounts on the social network. The most common targets are unused/abandoned accounts created before 2022.
To compromise Gold accounts, threat actors use brute force attacks and malware designed to steal passwords and credentials. Additionally, criminals are taking control of non-Gold accounts associated with organizations that have been inactive for months, upgrading them to verified status, and flooding dark web platforms with these compromised accounts.
Dark web ads for these hacked accounts range in price from $35 for basic accounts to $2,000 for accounts with a large following.
The researchers said they were able to identify the ads by doing basic searches on popular platforms like Google, Facebook and Telegram using keywords like “Twitter Gold buy”.
“Ads on the dark web can be traced back to various online stores and their marketing partners such as Facebook, Telegram, etc.,” CloudSEK said in a report. “Some X account providers have been successfully hosting their stores for over four years and use the same medium to advertise Twitter Gold accounts.”
Once in the hands of cybercriminals, compromised Twitter Gold accounts become tools for a variety of malicious activities, including phishing, scams, and impersonation of legitimate accounts. CloudSEK’s research uncovered cases where standard accounts associated with companies were hijacked, upgraded to Gold status, and subsequently sold on underground cybercrime forums.
Buyers of these Gold accounts exploit them to spread misinformation, carry out job and crypto scams, or direct unsuspecting users to phishing sites designed to harvest their credentials and personally identifiable information (PII).
Sources: CisoAdvisor, CloudSEK
