Hacking and Sourcing X Accounts promoting Crypto Scams and NFTs: Techniques Explained

Rishika Desai
3 min read · Feb 17, 2024
Non-fungible tokens (NFTs) have taken modern cyberspace into a new realm of revolution. For those who need context, an NFT is an online digital artifact or item that belongs to a person. All actions on this artifact, such as selling, buying, or distribution, are recorded in a blockchain ledger. NFT owners often take to social media, including X (formerly Twitter), to advertise their new and upcoming plans.

What is the threat?

Recently, cybercriminals have found a breeding ground on X (Twitter) for conducting and encouraging malicious campaigns on and around NFTs. A recent research paper highlights the significant surge in dark web activities surrounding Twitter’s new ‘Gold’ verification feature. Dark web forums and marketplaces have a dedicated section where social media sales are extensively observed.

Understanding the TTP

Cybercriminals operating on the dark web manually create X accounts, get them verified, and make them ‘ready to use’ for their buyers. According to the above research paper, this is ideal for criminals who need a pseudo-identity and do not want their actions attributed to them. This is one of the ways X accounts are introduced into cybercrime.

Following the (possible) success of Gold accounts, cybercriminals have now turned to NFT-based account creation to execute scam or phishing campaigns. Refer to the advertisement posted on a cybercrime forum below:

Advertisement on the dark web by the threat actors advertising NFT Twitter accounts

Based on the description, the threat actor (TA) advertises ‘wholesale’ provision of NFT Twitter accounts. This was initially advertised so that existing accounts gain popularity through likes and retweets. The profile of such an account looks exactly like that of any other user interested in NFTs and crypto, and the advertisers also mention that there will be no shadow ban.

Some existing accounts provided by such threat actor groups are on Twitter today. Samples were also shared on their shop website. Some of these accounts were even verified with a blue badge for authenticity.

Tracking NFT-themed X accounts likely created by a cybercriminal service

These accounts can be hunted based on the X account bio. Most accounts created manually by a cybercriminal service will have the same bio. They can be tracked by Google dorking, as given below. Additionally, the same bio can help cybersecurity researchers trace back to the TA providing this service.

Note: This dork was used after seeing existing sample accounts shared by threat actors.

Tracking NFT-based accounts in bulk, shared by the threat actors
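
The shared-bio hunting idea above can be applied to profiles a researcher has already collected. The following is an added example, not code from the original article: it normalizes each bio and groups handles whose bios match. The profile data is constructed, and the names `normalize_bio` and `cluster_by_bio` are illustrative assumptions.

```python
import unicodedata
from collections import defaultdict

# Constructed sample data (handle, bio); these are not real accounts.
SAMPLE_PROFILES = [
    ("nft_fan_01", "NFT collector | Web3 enthusiast | Crypto lover 🚀"),
    ("nft_fan_02", "NFT collector | Web3 enthusiast | Crypto lover 🚀"),
    ("nft_fan_03", "nft collector |  web3 enthusiast | crypto lover"),
    ("artist_jane", "Illustrator. I mint my own work sometimes."),
    ("nft_fan_04", "NFT Collector | Web3 Enthusiast | Crypto Lover 🚀🚀"),
    ("dev_sam", "Solidity dev, coffee, long walks."),
]


def normalize_bio(bio: str) -> str:
    """Reduce a bio to a comparison key.

    Folds Unicode forms and case, replaces emoji and punctuation with
    spaces, and collapses whitespace, so cosmetic edits to a templated
    bio still map to the same key.
    """
    text = unicodedata.normalize("NFKC", bio).casefold()
    kept = "".join(ch if (ch.isalnum() or ch.isspace()) else " " for ch in text)
    return " ".join(kept.split())


def cluster_by_bio(profiles, min_size=3):
    """Group handles by normalized bio; return clusters of min_size or more.

    A large cluster is a lead for analyst review, not proof of common
    origin: popular slogans can be shared by unrelated users.
    """
    clusters = defaultdict(list)
    for handle, bio in profiles:
        key = normalize_bio(bio)
        if key:  # empty bios would otherwise form one meaningless cluster
            clusters[key].append(handle)
    return {k: sorted(v) for k, v in clusters.items() if len(v) >= min_size}


if __name__ == "__main__":
    for bio_key, handles in cluster_by_bio(SAMPLE_PROFILES).items():
        print(f"{len(handles)} accounts share bio '{bio_key}': {handles}")
```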

Such accounts aim to promote content by reposting and liking different links themed around ‘free tokens,’ ‘free airdrops,’ and ‘Web3’. However, from a threat intelligence perspective, monitoring such accounts is equally essential because not all promoted links will be legitimate.

Posts and links shared by NFT-based Twitter accounts

Thus, it can be concluded with mild confidence that the accounts sourced and provided from the cybercriminal marketplace are likely used to propagate the existing campaigns. With Twitter as the playground, the threat landscape has emerged from newly available features such as Gold and Grey or trending concepts such as NFT.
