Image: Cathryn Virginia/Motherboard
Usually when you think of someone taking over an Instagram account, you probably imagine a hacker breaking in with an unearthed password, or tricking the victim into giving up their credentials. But Instagram scammers have another, sometimes more effective method too: just asking Instagram to hand over the account.Scammers do this by creating fake companies and trademarks to convince Instagram they should be the legitimate owner of a username in question, with fraudsters using “trademarking,” as the technique is known, to get ahold of sought-after, valuable handles, according to posts and evidence of the process in action obtained by Motherboard. The scammers can then keep these handles as digital mementos, brag about their acquisition, or resell them at a profit in a thriving underground community.
Instagram allows users to report handles that a person or company believes infringes on their trademark. For example (this is a hypothetical), if the creator of the @disney handle on Instagram was not actually associated with Disney, the company may want to appeal to obtain ownership of the username. If Instagram agrees, it may then hand over control of the account to the original trademark holder. Instagram told Motherboard it has a team that works on trademark and intellectual property issues, and as part of that process, the team reviews whether a complaint may be fraudulent.But scammers are getting through the cracks.Screenshots and a video shared with Motherboard by a source in the underground Instagram account trading community shows how some of the scammers’ conversations go. Motherboard granted the source anonymity to talk openly about a scam without fear of reprisal from other community members.
In the video, showing a scrolling text message conversation on a phone, the scammer talks with someone from Facebook Advertiser Support to get control of a username belonging to another account. In a screenshot of an email, a scammer appears to successfully have had an account reassigned after chatting to Global Marketing Solutions, an advertising-focused section of Facebook (Facebook owns Instagram.)
Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on firstname.lastname@example.org, or email email@example.com.
To pull off this account hijacking, the scammer registers a trademark that corresponds to the already-existing username they want with the relevant government department; in the US, this would be the U.S. Patent and Trademark Office for a few hundred dollars. Once that’s done, the scammer will enter the required information into Instagram’s trademark complaint form, which asks for details such as the jurisdiction where the trademark is registered, the trademark registration number, and a link to the registration itself.“Sometimes they pretend to be a real company. Sometimes they register a company online (trivial),” the Instagram account trading community source told Motherboard in an online chat. Often the handles they’re going after are common words or two- or three-lettered usernames.Motherboard could not determine how widespread this practice is, but it is a labor-intensive process considering that obtaining a trademark can take months. Motherboard has not seen any official trademark paperwork directly related to an Instagram handle, but sources in the community, screenshots of conversations between scammers, and posts on hacker forums confirm that the practice is ongoing. Instagram told Motherboard in a statement that it is “aware that bad actors may attempt to gain access to Instagram usernames using falsified trademark reports.”
Several users on the underground forum OGUsers, which focuses on the theft and sale of high value Instagram accounts, appear to engage in the practice.
“I’m looking to get a trademark or fake trademark that will make it look like I own a word so I can get an insta username,” one user posted on the forum last year.“Need someone from the uk to file a trademark from me,” another OGUsers member wrote last year. “Willing to pay fees + 20% in bitcoin.”A previous Motherboard investigation found members of OGUsers often sell handles for thousands or sometimes tens of thousands of dollars worth of cryptocurrency, although most of those account hijackings likely rely on SIM-jacking, where a hacker takes control of a victim’s phone number.According to another thread on OGUsers, the process for hijacking accounts with a trademark can take several days to go through Instagram's systems. But once the transfer is completed, having a trademarked account can be a more robust way of hanging onto a particular username.Trademarking is even an issue for people who they themselves are breaking into accounts, with scammers stealing accounts back.“There [sic] gonna get it back right away lol,” one OGUser member wrote in response to someone trying to get control of an already trademarked account.Instagram acknowledged in a statement that scammers may use fake trademarks to take over accounts.“Our teams have measures in place to assess the validity of [falsified trademark] reports, and to stop usernames from being wrongly reassigned,” an Instagram spokesperson told Motherboard in an email. “That said, bad actors continuously change their tactics—that's why we're continuing to invest in people, technology and in partnership with experts to keep our community safe.”Subscribe to our new cybersecurity podcast, CYBER.