Cybercriminals Flood Dark Web With X (Twitter) Gold Accounts

Verified accounts for celebs and organizations deliver a deep vein of cybercrime riches for crooks.


Cybercriminals are taking over verified "Gold" accounts on X, the social media service formerly known as Twitter — and selling them on the Dark Web for up to $2,000 a pop.

That’s according to research from CloudSEK, which has uncovered a "Gold Rush," as it were, of these accounts showing up in underground marketplaces.

The Gold badge on X means that the service has independently verified the account as legitimately belonging to a high-profile organization or a celebrity. It was introduced a year ago as a paid option after X made the blue checkmark — formerly a designation of legitimacy — a badge that anyone could pay to include on their profiles, no validation needed.

Cybercrime Riches via X Gold Accounts

Cybercriminals are now brute-forcing passwords and stealing credentials through malware in order to gain access to existing Gold accounts, according to CloudSEK researchers. More often, however, they take over non-Gold accounts that belong to real organizations but haven't been used in months, then pay to upgrade them to verified status. In all, hundreds of accounts with reach to tens of thousands of followers are on offer in underground forums.

Nefarious types willing to pay can then use the accounts to host phishing links, launch disinformation campaigns and financial scams, or impact brand reputation by posting damaging content.

"Dark Web marketplaces are flooded with advertisements selling Twitter Gold accounts," according to research the firm released this week. "Prices range from $35 for a basic account to $2,000 for accounts with large followings."

Threat actors advertising to buy X/Twitter Gold accounts on Dark Web marketplaces

The researchers illustrated the danger to organizations from the trend with a compelling example from September: Cyberattackers were able to take over an X account belonging to Vitalik Buterin, the co-founder of Ethereum. They then tweeted out an offer for purportedly free nonfungible tokens (NFTs), with a malicious link embedded that redirected users to a fake website designed to drain cryptocurrency from their wallets.

"Despite being active for about 20 minutes, the hackers managed to siphon off a staggering $691,000 [in] digital assets before removing the fraudulent post," according to the analysis.

How to Protect Against X Account Takeover

The value to crooks in infiltrating major accounts has been a known quantity since at least 2020, when hackers were able to compromise the internal networks of what was then Twitter, gaining access to verified accounts and sending out tweets on behalf of several high-profile individuals.

To protect themselves, organizations should "regularly monitor brand mentions on Twitter and implement strong password policies to protect against account compromise," CloudSEK recommended. Effective brand monitoring means identifying fake profiles, unauthorized product listings, misleading advertisements, and malicious content.
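One way a security team can act on both halves of that recommendation, as an added example that is not part of the article or of CloudSEK's research: triage posts that mention the brand for lookalike handles, off-brand links and giveaway-style wording, and flag dormant accounts in the organization's own inventory before someone else claims them. Every handle, domain, post and date below is constructed for the illustration.

```python
"""Brand-impersonation and dormant-account triage for an organization's X accounts.

Added illustration, not CloudSEK's or X's tooling. All handles, domains, posts
and dates are constructed sample data.
"""
from datetime import date, timedelta
from urllib.parse import urlparse

OFFICIAL_HANDLES = {"acmecorp", "acmecorp_support"}                # constructed
OFFICIAL_DOMAINS = {"acmecorp.example", "help.acmecorp.example"}   # constructed
SCAM_TERMS = ("free", "airdrop", "claim", "giveaway", "nft", "wallet")
# Common digit/letter substitutions used in lookalike handles; underscores dropped.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "_": None})


def normalize(handle):
    """Fold a handle to the form a reader is likely to perceive."""
    return handle.lower().lstrip("@").translate(HOMOGLYPHS).replace("rn", "m")


def levenshtein(a, b):
    """Edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(handle, max_distance=1):
    """Return the official handle this one imitates, or None if it is official/unrelated."""
    raw = handle.lower().lstrip("@")
    if raw in OFFICIAL_HANDLES:
        return None
    norm = normalize(raw)
    for official in sorted(OFFICIAL_HANDLES):
        if levenshtein(norm, normalize(official)) <= max_distance:
            return official
    return None


def suspicious_links(text):
    """Hosts linked from the post that are not on the brand's own domains."""
    bad = []
    for token in text.split():
        if token.startswith(("http://", "https://")):
            host = urlparse(token.rstrip(".,;)")).hostname or ""
            if host not in OFFICIAL_DOMAINS:
                bad.append(host)
    return bad


def triage_post(post):
    """Findings for one post: lookalike handle, off-brand link, scam wording."""
    findings = []
    target = lookalike_of(post["handle"])
    if target:
        findings.append(f"lookalike of @{target}")
    links = suspicious_links(post["text"])
    if links:
        findings.append("off-brand link: " + ", ".join(links))
    hits = [t for t in SCAM_TERMS if t in post["text"].lower()]
    if len(hits) >= 2:  # one word alone is noise; two or more is the giveaway pattern
        findings.append("scam wording: " + ", ".join(hits))
    return findings


def dormant_accounts(inventory, today, max_idle_days=180):
    """Owned handles with no post in max_idle_days: candidates for takeover and resale."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(h for h, last_post in inventory.items() if last_post < cutoff)


# Constructed sample data: brand mentions collected by monitoring, and the
# organization's own account inventory with last-post dates.
POSTS = [
    {"handle": "@acmecorp", "text": "Patch 4.2 is out: https://help.acmecorp.example/release-notes"},
    {"handle": "@acrnec0rp", "text": "FREE NFT airdrop! Claim in 20 min: https://acme-claim.example/mint"},
    {"handle": "@acmecorp_support", "text": "Reset your password at https://acmecorp.example/reset"},
    {"handle": "@randomfan42", "text": "love the new acmecorp release"},
]
INVENTORY = {
    "acmecorp": date(2023, 12, 20),
    "acmecorp_support": date(2023, 12, 15),
    "acmecorp_eu": date(2023, 3, 2),
}
TODAY = date(2024, 1, 5)

if __name__ == "__main__":
    for post in POSTS:
        findings = triage_post(post)
        if findings:
            print(post["handle"], "->", "; ".join(findings))
    print("dormant:", dormant_accounts(INVENTORY, TODAY))
```

The handle check normalizes both sides before measuring edit distance, so "acrnec0rp" is caught as "acmecorp" even though the raw strings differ in three characters; the dormant-account list is the defender's counterpart to the "unused for months" accounts the researchers describe, and is the list to re-verify ownership, rotate credentials and enable MFA on first.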

About the Author

Tara Seals, Managing Editor, News, Dark Reading
