On August 15th, an alarming email popped up in the inbox of Diana Pearl, a New York-based news editor. Someone in Moscow had logged into her verified Twitter account, it said. Pearl was familiar with the email content’s theme as it resembled previous automated correspondence from Twitter — featuring a minimal white background, black text, and blue links.
Fearing her account’s safety, Pearl clicked the link inside the email that supposedly would instantly let her secure her account and entered her existing password on the following webpage to update it.
Moments later, a message arrived in a Telegram group. All it contained was a screenshot of Pearl’s Twitter profile and a link. Three hours later, the admin texted, “Sold.”
Pearl had fallen prey to a phishing attack. The email wasn’t from Twitter but from a hacker who had copied the look of an official Twitter message. Pearl was out when the email landed and assumed she couldn’t afford to wait till she was home to read it on her computer. Plus, the email’s urgent tone rushed Pearl to react without verifying its details. If she had, she might have noticed the fishy email address it came from or the fact that the link didn’t lead to the official Twitter URL.
Pearl’s account was just one sale in a vast and highly lucrative black market for verified Twitter handles. In this particular Telegram group, control of a verified account usually goes for a couple hundred dollars, which buyers usually hope to make back by promoting NFT scams. Such thefts occur regularly, with dozens losing their profiles every day if the frequency of new listings on marketplaces for verified profiles is any evidence. And despite years of evidence, platforms seem powerless to stop the ongoing trade.
When The Atlantic writer Jacob Stern’s account was compromised in May earlier this year, it was used to dupe Moonbirds NFT owners into transferring their tokens into the hacker’s wallet. Over a few hours, the hacker sent out hundreds of tweets announcing a new “drop” with a phishing link, which prompted buyers to transfer a sum of cryptocurrency in exchange for a fake NFT or none at all. MPR News reporter Dana Ferguson’s profile was similarly rebranded in August — except for the username, which would have revoked the verification badge — to steal Killabears NFTs. Both compromises linked back to the same Telegram group, where the accounts were listed for sale.
Some hackers even enlist smaller NFT artists in the scam. When California-based writer Marissa Wenzke was hacked, her account ran a promotional campaign for the group behind the NFT collection called “Meta Battlebots” — a real NFT art project with no obvious associated scam. When informed that they were being promoted by a hacked account, the official Meta Battlebots Twitter account responded, “No worries on that.” A moment later, they blocked the reporter’s account, ending the conversation.
Dipanjan Das, a security researcher at UC Santa Barbara who conducted an exhaustive study on NFT frauds, says a verification badge adds a stamp of authenticity, and a scammer with a verified Twitter profile can attract much stronger attention and have a higher impact. And by targeting the multi-billion-dollar NFT ecosystem, both hackers and buyers or scammers can recoup their costs in a few tweets before account owners initiate the recovery process.
“In a single ordinary NFT scam, it’s very easy for scammers to make hundreds of thousands of dollars,” Haseeb Awan, the founder and CEO of Efani, a secure mobile service provider, tells The Verge. “Even if one attempt is successful out of 10, it’s a lot of money.”
Previously, blue-check Twitter thefts were both rare and coordinated — largely traded on marketplaces like Swapd and Ogu.gg. However, as demand for verified accounts surges for NFT promotions and scams, hackers have taken to more accessible channels like Telegram to reach broader audiences. And the way hackers break in is easier than you’d think.
Most hackers behind blue-check Twitter thefts rely on an attack called “credential stuffing,” as per the conversations The Verge had with many current and former hackers who requested anonymity over fears of pushback in the security community.
In a credential stuffing attack, hackers begin with a vast leaked database of username and password combinations — which no longer are hard to come by, courtesy of the rise of large-scale breaches. The intruder brute-forces the usernames and passwords from the matched credentials on Twitter’s login form and puts the successful hits up for sale in their groups.
When that approach hits a wall, either because the account has two-factor authentication enabled or they haven’t reused the password from a breached account, attackers turn to phishing. As email phishing grows less effective over email, many have moved to trying it on Twitter, repurposing a hacked blue-check account to impersonate Twitter’s Support team.
A former hacker named “Owen,” who has worked on development for credential-stuffing programs, told The Verge that at any given moment, dozens of verified profiles are compromised and looking for a buyer. In one DM conversation I saw, a prospective buyer said he was looking for someone who has experience stealing NFTs with verified profiles. “I can supply you with roughly 500 ‘verifieds’ within the next month,” he added.
And while individual compromises can be a headache for users like Pearl, it’s remained rare enough that platforms don’t seem troubled by the ongoing trade. Telegram didn’t respond to a request for comment from The Verge.
Twitter’s communications manager, Celeste Carswell, says the social network actively works to educate people about how to avoid scams and locks millions of suspected spam accounts each week. “Unfortunately, scammers have become more sophisticated,” Caldwell told The Verge.