
Instagram - and the Blackhat Market Backing It

Author: n0sec

OGUsers.com & Swapd.co

The sale of OG usernames for any platform has been popular amongst internet fraudsters for the past few years. This is an international market common amongst Americans, British, and Arabic people from what I've observed. An OG username is somewhat of a social symbol; having an 'OG' (original username) is a status of wealth amongst internet fraudsters. In interviews with vendors of OG usernames, I also found that people in the professional industry, such as many NFT salesmen, will pay high amounts of cash for original usernames to increase reputability and status. Username sales are popular for sites like Twitter, Instagram, Twitch, and TikTok, with Instagram usernames typically being the most valuable, Twitter second, TikTok third, and Twitch fourth. These rankings are debatable and the market changes, but from my observations this is the most realistic order of value.

OGUsers.com & Swapd.co both facilitate the sale of these usernames and other usernames. In-game usernames, such as PlayStation Network usernames, Xbox Gamertags, and Minecraft usernames, are also valid commodities in these communities. A lot of fraudsters tend to play video games and encounter the OG User community via usernames, so it makes sense that a lot of these OG username marketers still play video games. Notably, Minecraft usernames are very valuable, and a lot of rich fraudsters in internet communities tend to come from Minecraft.

Instagram Services

While there is a wide market for usernames on all platforms, this article focuses on Instagram sales. The common Instagram services include verification, claims, unbans, and bans. Instagram accounts can also be botted, and pre-claimed usernames can be sold, but those services are the most valuable ones on the market.

Pre-Sold Usernames

Besides usernames obtained through the claim services mentioned above, the aforementioned forums also carry usernames that were not obtained via 'claims'. These usernames can be obtained in a few ways: SIM swapping, turboing, and autoclaiming. The history of most usernames being sold on the market is typically long, and the usernames have been in the market for years.

When buying a pre-claimed username, people typically prefer it with "OGE" access and "no number linked". OGE refers to original email access, which prevents the seller from attempting to take the username back. The original email can be used to contact Instagram and get the username back, along with some other methods that I'm not entirely familiar with. Additionally, the linked phone number can be used similarly to reset the password of the account, even if it is changed. For this reason, usernames are typically 'swapped' to another account. This 'swapping' of the username creates a lot of risk for the buyer and creates a designated market for Instagram swapping services.

Instagram swapping services use software called a 'turbo' to claim the username on an account that will be given to the buyer. This account will be an Instagram account the seller has no access to, meaning the seller has lost all control over the username once it has been swapped to the new account. The 'turbo' software claims the username faster than someone could manually on their phone or PC by sending thousands of requests per second (r/s) to claim a specific username. The username 'swappers' release the username and have the turbo running to claim it as fast as possible, before anyone can claim it manually. Manual claimers can include random people if the buyer is unlucky, the seller attempting to reclaim the username during the swap (and pretending it was random, not them), and people who know the deal is going on. Most importantly, turbos combat 'autoclaimers', software similar to turbos that casts a wide net over many usernames.

An autoclaimer is like a turbo, but it covers a wide list of usernames at a lower r/s than a turbo would. Sometimes autoclaimers even claim usernames before turbos if the turbo is not optimal and the autoclaimer is lucky. This raises the question - what is an optimal turbo?

The optimal turbo combines a high r/s, low ping, and efficient code. The ping is determined by the distance between the server the turbo is running on and Instagram's nearest server. Typically, turbos run on virtual private servers (VPS) near Instagram servers to minimize ping. An autoclaimer tries to do the same thing, but cannot run as many r/s per username due to server resources.
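
A defender's view of the two traffic patterns described above, as an added example that is not from the original article: it labels clients in a constructed username-claim request log as a turbo (very high request rate on one username) or an autoclaimer (many usernames at a low rate each). The log format, client names, and thresholds are assumptions.

```python
from collections import defaultdict

# Assumed thresholds (not from the article); tune against real baseline traffic.
TURBO_RPS = 1000        # requests/second aimed at ONE username
AUTOCLAIM_NAMES = 20    # distinct usernames tried by one client

def parse(line):
    """Constructed log format: '<epoch_ms> <client_id> <username>'."""
    ts, client, name = line.split()
    return int(ts), client, name.lower()

def classify(lines):
    """Label each client 'turbo', 'autoclaimer' or 'normal'."""
    per_second = defaultdict(int)   # (client, username, second) -> request count
    names = defaultdict(set)        # client -> usernames attempted
    for line in lines:
        ts, client, name = parse(line)
        per_second[(client, name, ts // 1000)] += 1
        names[client].add(name)
    peak = defaultdict(int)         # client -> highest per-username rate seen
    for (client, _name, _sec), count in per_second.items():
        peak[client] = max(peak[client], count)
    labels = {}
    for client, tried in names.items():
        if peak[client] >= TURBO_RPS:
            labels[client] = "turbo"          # very high rate on one name
        elif len(tried) >= AUTOCLAIM_NAMES:
            labels[client] = "autoclaimer"    # wide net, lower rate per name
        else:
            labels[client] = "normal"
    return labels

def sample_log():
    """Constructed sample traffic covering one second of claim attempts."""
    base = 1_700_000_000_000
    log = [f"{base + i % 1000} client-a examplename" for i in range(1500)]
    log += [f"{base + i * 4} client-b name{i % 40:02d}" for i in range(200)]
    log += [f"{base + 10} client-c somename", f"{base + 900} client-c somename"]
    return log

if __name__ == "__main__":
    for client, label in sorted(classify(sample_log()).items()):
        print(client, label)
```
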

Mak Swap Service

Instagram Claims, Verifications, Unbans

The aforementioned 'services' are among the most expensive digital services you can buy on these sites. It costs more to get a username claimed on Instagram than to pay the upfront cost of a SIM swap in nearly all cases. These claims are done through 'media panels' and third-party agencies with a direct connection to Facebook. This is a highly lucrative field: access to a media portal can sell for around 50,000 USD on OGUsers.com, and username claims range from thousands to tens of thousands.

Instagram claims can be categorized two ways in most scenarios: generic and non-generic. A non-generic username typically must be 6 letters or longer and cannot be a generic English word like 'rainbow'; these usernames are done via 'low level media claims'. Instagram has a hierarchy of 'media panels' and 'agencies' through which it formally organizes the priority of customers and claims. Non-generic claims are obviously done by lower priority customers in the eyes of Facebook; priority is indicated by the amount of money spent on Facebook ads and tier as a celebrity, to my knowledge. This is very likely more complex than I think it is, but that is the limited knowledge we have about how Instagram ranks requests. Instagram has formal divisions for requesting services from Instagram, ranking media panel tiers from C to A, in the order C, B, B+, A, A+. The higher the level, the higher the priority, with A+ indicating the most priority. High priority customers get their username requests fulfilled quicker, and Instagram's internal team is more likely to grant these high priority customers' requests, including generic usernames. Low level media panel tiers like C likely will not get approval for a generic username and will get slower responses from Instagram.

Generic username claims are obviously far more valuable than a non-generic 6L+ claim; generic claims I've seen in the past are usernames like @6, @egirl, etc. These usernames hold tens of thousands of dollars of value and can be re-sold on the market. Non-generic usernames are better for businesses, meaning they won't hold the same value as a generic username in the market, as generic usernames hold prestige everyone can appreciate. Unbans can be facilitated by many different tiers of media support, but speed differs depending on the tier of the panel. Unbans are typically sold at a flat rate, a percentage of the value of the username, ranging from 10-30%.

Username non-generic claim service
Username claim service

Verification services are more valuable than unbans and sometimes match the price of generic username claims. Verifications, just like claims, happen at different levels. A low-level panel will require that the account being verified has 'press' surrounding the account, meaning published articles about the owner of the account. Typically 10-15 articles will suffice, but it is worth noting that there are different levels of press quality. This makes sense: Instagram values a random nobody newspaper far less than an established source like Forbes. Low-level media panels typically make press for their client artificially, hiring people from sites like Fiverr to write and publish articles for fees ranging from 50 to 200 USD depending on the source. Another valuable media source is a Google panel, which is what comes up for celebrities when you look up their name.

A 'Google Panel'

Verification services aren't exclusively for people with press; verification can be done without press for higher priority clients, but at a steeper price. These prices can run as high as a generic username claim.

It is important to note, though, that legitimate verification services are sold to many people. This market isn't just blackhat people on OGUsers; it is also legitimate people who just cannot get verification without paying a service. Social media agencies exist for this kind of person, and some people on OGUsers and Swapd work with them to submit requests to Instagram. This will be covered in far more detail under the next header, regarding how this process is done.

Swapd.co ad

How Are People Getting These Panels?

All Instagram requests are handled via Facebook, Instagram's parent company. So, when people have 'media portals' and are able to provide Instagram services, they are typically using a representative at Facebook. Facebook's Business department handles a lot of account-related issues, as Facebook values ads heavily when evaluating how important a customer is to their platform. Facebook has employees who are designated to be support agents for customers, ranging from musicians to businesses to celebrities. Social media agencies are the easiest way to get a request pushed to Facebook, to my knowledge. Social media agencies are companies that have contact with Facebook employees or have a media portal for their clients, but they can be sketchy and cost lots of money. These services are intended primarily for celebrities and influencers, but people from black markets are aware they exist and try to pay social media agencies to do username claims and verifications with their access to Facebook communications. Social media agencies can have poor or excellent communications, depending on who their clients are and the amount of money they spend with Facebook, so it's a volatile market and isn't advisable for purchasing verification or username claims.

Social Media Agency

The step after social media agencies is social media insiders at companies. Many companies have social media departments with people hired just to manage social media accounts and communicate with social media companies; think of the infamous Wendy's Twitter account, known for trolling. That person is on payroll at Wendy's and was likely hired as a social media manager. These social media managers typically have direct contact with Facebook on a media portal, sometimes high priority depending on the status of the company or celebrity, and these employees have a lot of power with that connection. While they are supposed to use that contact only for company-related affairs, the employee can submit unrelated requests as long as the parent company doesn't notice these unauthorized requests to Facebook. So, people in the OG username community attempt to find social media managers for large companies like Hulu, with intent to persuade the employee to submit unauthorized requests for large sums of money. These are more consistent than social media agencies, as multi-million dollar companies are at times the ones these media portals are intended for, as opposed to just a social media agency. These requests are likely to be approved, and approved quickly, compared with those from a social media agency, due to the priority large companies have at Facebook. I have even heard of instances where social media agencies are utilizing their connections to social media managers at companies to submit unauthorized requests to Facebook. Social media managers are powerful in this market, and while they do get offered tens of thousands of dollars, they risk job security and potential legal action if their employer discovers this unauthorized usage of the media portal. Fraudsters tend to find social media managers via LinkedIn and RocketReach and convince the manager to communicate via WhatsApp, where they will bribe the manager with a big amount of Bitcoin.

After social media managers, there are direct Facebook employees. Facebook employees are powerful insiders, but in most cases their power isn't unlimited. All requests that go through panels must be reviewed by the Facebook Internal Team, which is aware of blackhat activity related to verification, claims, and unbans, and therefore monitors for such activities. Even if a social media manager or Facebook insider is helping a blackhat submit requests, the internal team may detect these blackhat requests and decline them. Facebook insiders come at different levels; you could theoretically have a Facebook insider in the internal team, which would allow for high levels of access. To my knowledge, the 'ideal' Facebook insiders are engineers and internal team employees, but these are rare as they are well compensated and likely well monitored as insider threats. Low-level support is easier to get ahold of, as they are paid less and have much less to risk. Concierge support members are more likely to be insiders, at the cost of having less ability to give a customer priority. Some mid-level Facebook employees can give media panels, but typically not very high-level media panels. A common target for Facebook insider threats is currently a company named TDCX, to which Facebook outsources some support work under the moniker #ProjectLike. These ProjectLike employees are slowly being targeted to become insider threats and distribute panels to blackhats for big amounts of cash. These employees tend to be monitored well, though, and have few working rights as they are in foreign domains, so they are not an excellent option, but I have heard of cases where they can get successful requests through.

'Hacked Accounts'

Like many other companies, Facebook has had its fair share of data breaches. Facebook has never had any passwords leaked to my knowledge, but there have been times where Instagram account information including emails and phone numbers has been leaked. The most popular leak that floats around the blackhat community behind Instagram is one that contains phone numbers and emails attributed to usernames, making each account in that data leak a good target for SIM swappers. Accounts used to be frequently obtained via SIM swapping, but we see this occur far less often now that SIM swapping cryptocurrency has been identified as far more lucrative by blackhats. When this data leak happened, many accounts were getting SIM swapped and then sold to the community. But now this data breach has found a new purpose for fraudsters.

There is a group of fraudsters who managed to get a media portal where they can report 'hacked accounts'. It is said that if the fraudsters have the email of an account, they can retrieve full access to the account via Facebook support. While this is primarily rumor, in an interview I was shown sufficient evidence to believe this is a potential explanation of how this group of fraudsters is obtaining access to usernames and accounts so quickly. While getting the email for an account may seem like a significant barrier, keep in mind the previous operation of DoxAGram, a once famous service that could look up Instagram usernames and return the corresponding private information, such as email and phone number, for just $10. This has since been patched, but there are other popular means, such as the aforementioned database that was leaked with phone numbers and emails.

DoxAGram

The February Takedown

The following KrebsOnSecurity article discusses how Instagram has combatted these sellers. After all, the market has designated middlemen to help deals go smoothly and require no trust from either party. OGUsers came for these prominent middlemen by banning their Instagram accounts, creating chaos in the community and motivating middlemen to avoid utilizing the platform. Additionally, it is said that cease and desist orders were issued to many prominent 'swappers' in the community, those who transfer usernames from account to account. This disrupted the economy temporarily, but it has since recovered. Instagram has been seen, as early as 2018, banning OG Instagram accounts that were stolen in waves, and there is no doubt they will continue. Instagram looks bad as a platform to customers when accounts are so easily compromised, so they have made it their responsibility to attempt to stop this marketplace, which results in compromised accounts that damage the reputation of the site.

Miracle talking about the cease and desist from Instagram he received. Prominent swapper in the community.

Conclusion

It is evident that there is a clear, distinguished market for username claims, verifications, and unbans for Instagram, with transactions ranging into the hundreds of thousands of dollars. While it is being actively fought against by Facebook, the market is still thriving and as popular as ever, as shown by the thriving market activity on forums like OGUsers and Swapd.