Instagram is taking aggressive action against members of the so-called OGUsers community, which hack, extort, and scam their way to controlling high profile, and high value, usernames across a spectrum of apps and social media networks. Instagram told Motherboard it had unmasked the real identities of multiple people involved in the trade of these usernames, disabling a number of accounts the scammers had stolen, and sent cease and desist letters to people it had identified.
The news signals an escalation from tech companies towards a subsection of the cybercrime world that has run amok for years, and which has steadily been getting more audacious in its tactics. TikTok and Twitter told Motherboard it has also taken some action around OGUsers. It is highly unusual for social media companies to publicly announce that it has identified the real names of pseudonymous users and to announce publicly that it has sent them legal threats.
The cease and desist lays out how the recipient has violated Instagram's terms, demands that they stop all activity on the company's platforms, and requires a response within 48 hours, Instagram told Motherboard. The letter also demands that the recipient provide information to Instagram about others who are involved in the activity, and says that the company may take additional measures if the person ignores the cease and desist, Instagram added.
Are you a member of the OGUsers community? Did you receive this cease and desist? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
Instagram told Motherboard it was disabling hundreds of high value accounts obtained and sold by OGUsers members. This includes accounts belonging to middlemen, who act as a third party between buyer and seller to ensure no one is scammed and take a cut of the sale, and swappers who move the high value usernames over to fresh Instagram accounts out of the reach of their original owners.
"Middleman Service; fast; always available," one middleman writes on the OGUsers forum.
As Motherboard visited multiple Instagram profiles apparently owned by OGUsers community members on Thursday, Motherboard observed the profiles become unavailable in real time.
One of the profiles Motherboard saw removed from Instagram. Image: Motherboard
"Sorry, this page isn't available," a message on the now disabled profiles reads.
One of the accounts Instagram disabled belonged to an OGUsers middleman who used the handle Farzad.
"There is incorrect information. I'm being associated with bad people just because they're on the website that I use too," they told Motherboard in an online chat. "I help people deal safely, that's all," they added, tacitly acknowledging their role as a middleman. They also said that they were "speaking with their lawyer this afternoon."
One user on the OGUsers forum who goes by the username waah wrote in a forum post after Instagram’s action "Everyone who buys, sells, or provides services relating to Facebook products (aka Instagram) please delete your threads and com accounts. I got a lawsuit on my hands so I closed my services, and my Instagram got banned after I got a Cease and Desist Order. again, please be careful guys."
A spokesperson for Facebook, which owns Instagram, said that the company has taken similar enforcement actions against OGUsers members before, but this is the first time they are doing so publicly. The company says it is doing this in part to show that this sort of behavior violates the site's terms of service, but also to highlight the real harms members of the community are causing.
Motherboard first published an in-depth investigation into the OGUsers forum in 2018, which showed that members sold social media and gaming handles sometimes for thousands of dollars each. For years, members of the forum and the nebulous community around it have deployed SIM swapping techniques to steal these usernames. SIM swapping is where a hacker will take over a target's phone number, perhaps by social engineering or bribing a telecom's employees, or, as Motherboard has found, deploying malware inside the telecoms' systems themselves. The hacker can then use this access to request a password reset or defeat the website's two-factor authentication protections and take over the account depending on the particular service targeted.
Instagram said that while SIM swapping and phishing do remain popular, its teams have also observed a rise in other methods, including the use of sextortion, swatting, extortion, and offline and online harassment that scammers are using to obtain usernames. With sextortion, hackers will gain access to a target's email or cloud storage accounts, comb them for intimate photos, and then use those to blackmail the victim into handing over a valuable username, a Facebook spokesperson explained.
The swappers who move Instagram handles from one account to another are also using automated tools to quickly grab available usernames before others can claim them, Instagram said.
One of the profiles Motherboard saw removed from Instagram. Image: Motherboard
Facebook spokespeople declined to elaborate on what specific methods they used to identify the people behind certain account takeovers and sales, but said at least some of it involved open source intelligence (OSINT) collection. This is generally where researchers, journalists, law enforcement, or a company pieces together bits of information spread across different sites or services to identify or locate a particular person. Facebook and Instagram also likely have access to a large amount of user-related data such as IP addresses.
Other tech companies also took action against the OGUsers community recently. A TikTok spokesperson told Motherboard in a statement "As part of our ongoing work to find and stop inauthentic behavior, we recently reclaimed a number of TikTok usernames that were being used for account squatting. We will continue to focus on staying ahead of the ever-evolving tactics of bad actors, including cooperating with third parties and others in the industry."
In a statement, a Twitter spokesperson said "We permanently suspended a number of Twitter accounts included in the network you referenced under our platform manipulation and spam policy." Twitter added that some of the accounts had high follower counts and/or short, unique handles; traits that are particularly valuable to OGUsers members.
A Facebook spokesperson said that the companies are not coordinating on decisions to enforce, but the Facebook threat intelligence teams and those from the other companies regularly talk about threats, including what techniques hackers may be using. The Twitter spokesperson added in their statement that "I can confirm that this investigation was done in tandem with Facebook."
Instagram said that it is also collaborating with local law enforcement agencies and governments to hold people accountable for crimes it sees on the social network. Law enforcement agencies have increasingly investigated members of the OGUsers community, although typically when members move onto stealing bitcoin or other funds from victims.
One of the Facebook spokespeople said that OGUsers requires a wider societal response though, considering that many of the perpetrators are young.
Although not always specifically related to OGUsers, Instagram users have often had issues regaining access to their hacked account due to lackluster support from Instagram, and have instead had to rely on white-hat hackers to help.
Update: This piece has been updated to include comment from an OGUsers member and a quote from a forum post.
Subscribe to our cybersecurity podcast CYBER, here.