This article originally appeared on VICE US.
"Hello. We just hacked your account," the text message read. The hackers had just taken over the Instagram account of an adult entertainment star with nearly two million followers, and were now asking her for $5,000 to hand the account back to its owner, according to screenshots of the messages obtained by Motherboard.
The adult entertainment star didn't want to pay, and her friend asked for help from a white hat hacker in Los Angeles who protects celebrities from hacking, stalking, and other digital threats. The white hat said they managed to regain access to the account through contacts at Instagram, but not before they discovered which hackers were behind the extortion attempt.
The white hat found an exposed server used by the hackers, which contained phishing pages, scripts, and Instagram usernames and passwords the hackers had seemingly harvested from victims. Motherboard granted anonymity to the white hat to speak more candidly about a sensitive incident.
Motherboard then downloaded and analyzed the data, which gives insight into who is behind at least one campaign of Instagram hacking, seemingly targeting high-profile users. One file on the exposed server, with the word "idiots" in the filename, includes what appears to be a list of victim data, such as passwords. The apparent victims include a soccer player, actress, and model.
"I see these phishing attempts and account takeovers happen all of the time. Every single day," the white hat told Motherboard.
Do you know anything else about Instagram hacking? Do you work at Instagram? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
Recently, Instagram has faced a wave of hackers breaking into accounts and then extorting their owners. Hackers have targeted everything from food to fashion to travel-focused accounts. Victims have been confused and left stranded by Instagram's account recovery methods, meaning they've had to turn to white hat hackers for help. One of these white hats gets so many requests that he now employs a team to help field requests from hacking victims, is charging thousands of dollars for his own service, and considers this his full-time job.
Judging by the data linked to the targeting of the adult entertainment star, these most recent hackers took control of a legitimate website owned by someone else, and then used that as a platform for launching their own phishing attacks. According to online archives, the site was originally a licensed reseller of Disney merchandise before it was hijacked.
To entice targets to unknowingly hand over their username and password, the hackers send them an email claiming that someone has filed a complaint to Instagram for copyright violation.
"Your account will be permanently deleted from our servers withib [sic] 48 hours," one of the messages reads. On the next screen, the target is then asked to enter their login details. Another phishing page on the exposed server poses as a method for targets to become verified on Instagram.
Some of the code on the exposed server contained email addresses of the hackers collecting Instagram logins. One of the hackers, who went by the name of Anar Chosa, told Motherboard in an email written in Turkish, "I don't know how you found me I guess you're the real hacker."
Chosa says "of course" he makes money from hacking Instagram accounts, but that because of Turkey's poor economy, he is "forced" to work a lot. Chosa stressed that he doesn't primarily hack Instagram accounts, but usually websites.
Some of the hackers frequent Turkish-language hacking forums, and are linked to previous defacements of other websites, according to search results for their email addresses.
Instagram said in a statement, "If you get a suspicious email or message claiming to be from Instagram, don't click any links or attachments. For extra security, we advise members of the Instagram community to ensure two-factor authentication is in place."