According to research by CloudSEK, X (formerly Twitter) gold-certified accounts are increasingly appearing on dark web forums and in the social media sales sections of marketplaces.
This surge is tied to X’s new paid verification model, which increases the value of verified accounts.
The old “Twitter Blue” program assigned verified accounts a blue checkmark without charging a fee. Elon Musk introduced a new model after acquiring Twitter in October 2022 and renaming it to X. If you pay $8 a month for a personal account, you’ll get a blue checkmark, but there’s no identity verification. Alternatively, organizations can pay $200 per month to have their accounts verified. If X approves the account, businesses will receive a gold tick, while government agencies will receive a gray tick.
Besides the dark web, CloudSEK also observed advertisements on Telegram selling X Gold accounts, which indicates that malicious campaigns are using these accounts at scale. Buyers can use these gold accounts to spread false information, run job scams or cryptocurrency scams, or direct victims to phishing websites that collect credentials and PII (personally identifiable information). For example, CloudSEK's research team identified a gold-verified company account on X that posted a link to a malicious site whose name resembled the company's actual domain but used a different top-level domain (TLD).
“Advertising on the dark web can be traced to multiple online shops and their marketing partners, such as Facebook and Telegram,” CloudSEK said in the report. “Some X account providers have been successfully hosting shops for over four years and are using the same medium to promote their Twitter Gold accounts.”
CloudSEK was able to find some of these ads by performing a basic search on Google, Facebook, or Telegram. Simply searching for the keyword “Twitter Gold buy” surfaced dark web listings being sold through Facebook.
The prices in ads selling X Gold accounts were set according to the value of the account in terms of awareness and reach. “A series of ads openly mention companies that are up for sale, and depending on the account’s brand and followers, an account with a gold badge can cost anywhere from $1,200 to $2,000,” CloudSEK said in the report.
CloudSEK sources on the dark web were able to obtain a quote for 15 inactive X accounts at a cost of $35 per account. The seller also offered to supply 15 such accounts each week, which would amount to 720 accounts per year, and to activate “gold” status on all of them if the buyer desired.
Campaign targets dormant X accounts
The most common targets for Gold X account sellers are organizational accounts that have been dormant since 2022 or earlier. One technique they use is to brute-force the credentials of these accounts with credential stuffing tools such as OpenBullet, SilverBullet, and SentryMBA. Once the account has been completely taken over by changing its recovery email address and contact details, the thief pays to convert the account to gold status and puts it up for sale.
Another method used by sellers is to harvest X logins with information-stealing malware. The stolen credentials are then validated using configuration-based checker tools and brute-force techniques. In both cases, the hijacked accounts are first put up for sale and then converted to gold depending on the buyer’s needs.
According to the report, the latter hijacking method is easier to carry out because of the abundance of commodity malware logs, while the former requires some level of sophistication. However, buyers prefer accounts hijacked with the former method because it guarantees exclusivity, unlike credentials taken from machines infected with publicly available malware, which may have been sold to several parties. Closing long-dormant accounts and applying password protection best practices when credential theft is suspected are CloudSEK’s top two recommendations for protecting organizations against these account thieves, and both are effective mitigations.
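The takeover pattern described above (a burst of failed logins across many handles from one source, then a login to a long-dormant account followed by a recovery-email change) can be spotted in an organization's own audit trail. The following detection logic is an added example and is not CloudSEK's code or X's API; the event format, handle names, IP addresses and last-activity dates are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events for an organisation's X accounts (not real data).
# Format: <timestamp> <event> user=<handle> ip=<source>
EVENTS = [
    "2024-01-10T09:00:00 login_fail user=acme_support ip=198.51.100.9",
    "2024-01-10T09:00:01 login_fail user=acme_press ip=198.51.100.9",
    "2024-01-10T09:00:02 login_fail user=acme_jobs ip=198.51.100.9",
    "2024-01-10T09:00:03 login_fail user=acme_events ip=198.51.100.9",
    "2024-01-10T09:00:04 login_fail user=acme_legal ip=198.51.100.9",
    "2024-01-10T09:00:05 login_ok user=acme_jobs ip=198.51.100.9",
    "2024-01-10T10:30:00 recovery_email_changed user=acme_jobs ip=198.51.100.9",
    "2024-01-10T11:00:00 login_ok user=acme_press ip=203.0.113.7",
    "2024-01-10T11:05:00 recovery_email_changed user=acme_press ip=203.0.113.7",
]
# Constructed last-activity dates: acme_jobs has been idle since 2021.
LAST_ACTIVITY = {"acme_jobs": "2021-03-15", "acme_press": "2024-01-09"}
DORMANT_DAYS = 365

def parse(line):
    ts, event, *pairs = line.split()
    return datetime.fromisoformat(ts), event, dict(p.split("=", 1) for p in pairs)

def find_dormant_takeovers(events, last_activity, window_hours=24):
    """Flag dormant accounts whose first new login is followed by a
    recovery-email change within the window (the takeover pattern)."""
    dormant_logins, flagged = {}, []
    for line in events:
        ts, event, f = parse(line)
        user = f["user"]
        if event == "login_ok" and user in last_activity:
            idle = ts - datetime.fromisoformat(last_activity[user])
            if idle.days >= DORMANT_DAYS:
                dormant_logins[user] = ts
        elif event == "recovery_email_changed" and user in dormant_logins:
            if ts - dormant_logins[user] <= timedelta(hours=window_hours):
                flagged.append(user)
    return flagged

def find_credential_stuffing(events, min_users=5):
    """Flag source IPs that fail logins against many distinct handles,
    the signature of stuffing tools trying leaked credentials in bulk."""
    users_by_ip = defaultdict(set)
    for line in events:
        _, event, f = parse(line)
        if event == "login_fail":
            users_by_ip[f["ip"]].add(f["user"])
    return sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_users)
```

Running both functions over the sample flags acme_jobs as a probable takeover and 198.51.100.9 as a stuffing source, while the active acme_press account's routine recovery-email change is left alone.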