A recent study by Cloudsek reveals that verified X accounts adorned with gold checkmarks are being peddled on the dark web, with prices ranging from $1200 to $2000, depending on their brand recognition and outreach.
The surge in the availability of gold-verified X accounts on dark web forums and marketplaces is attributed to X’s updated paid verification model, which has significantly augmented the value of verified accounts.
Formerly known as Twitter, X transitioned to a new model under the ownership of Elon Musk, wherein personal accounts can obtain a blue tick for a monthly fee of $8, without undergoing identity verification. However, organizations seeking verification must pay $200/month. Upon approval, businesses are awarded a gold tick, while government entities receive a grey one.
Cloudsek’s investigation uncovered advertisements on Telegram and dark web forums promoting the sale of these gold X accounts, indicating a widespread exploitation of these accounts for malicious purposes. Buyers utilize these accounts to disseminate disinformation, perpetrate job and crypto scams, or direct individuals to phishing websites to harvest their credentials and personally identifiable information (PII).
For instance, Cloudsek’s research team identified instances of gold-verified corporate X accounts posting links to malicious sites resembling the company’s legitimate domain name but hosted on different top-level domains (TLDs).
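A monitoring check for the pattern described above, as an added example that is not from Cloudsek's report: it scans post text for links that reuse a brand's domain label under a suffix the organization does not own. The `examplecorp` brand, the owned-domain list, the sample posts and the short suffix set are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: constructed sample of multi-label public suffixes; a real
# deployment would load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def split_registrable(host):
    """Return (brand_label, suffix) for a hostname, or None if it has no dot."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2 or "" in labels:
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def flag_tld_swaps(post_text, owned_domains):
    """Hosts linked in a post that reuse an owned brand label under a suffix
    the organization does not own."""
    owned = {split_registrable(d) for d in owned_domains} - {None}
    brand_labels = {label for label, _ in owned}
    flagged = []
    for url in URL_RE.findall(post_text):
        try:
            host = urlsplit(url.rstrip(".,;:!?")).hostname
        except ValueError:  # malformed bracketed host
            continue
        parts = split_registrable(host) if host else None
        if parts and parts[0] in brand_labels and parts not in owned:
            if host not in flagged:
                flagged.append(host)
    return flagged


# Constructed posts using a placeholder brand (examplecorp is hypothetical).
OWNED = ["examplecorp.com", "examplecorp.co.uk"]
SAMPLE_POSTS = [
    "Airdrop is live: https://examplecorp.top/claim or https://login.examplecorp.xyz/",
    "We're hiring! https://www.examplecorp.com/jobs and https://examplecorp.co.uk.",
    "Coverage: https://news.example.org/examplecorp.com-story",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(flag_tld_swaps(post, OWNED), "<-", post)
```

The check covers only the same-label, different-TLD case reported here; listing every domain the organization actually owns in `OWNED` keeps legitimate regional sites from being flagged.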
Cloudsek traced these dark web advertisements back to various online shops and marketing partners, including Facebook and Telegram. Pricing for X Gold accounts ranged from $1200 to $2000, depending on the brand’s recognition and the account’s outreach (number of followers).
Moreover, Cloudsek discovered sellers offering bundles of 15 inactive X accounts at $35 per account, with the option to purchase 15 accounts weekly. These accounts require gold activation by the buyer if they wish to utilize them.
The primary targets of sellers offering gold X accounts are dormant organizational accounts predating 2022. The sellers use credential stuffing tools such as Open Bullet, SilverBullet, and SentryMBA to brute force the credentials of these accounts. Once complete account takeover is achieved, the perpetrators pay to upgrade the accounts to gold status before selling them.
Additionally, sellers gather X logins using information-stealing malware, validate the credentials, and offer the hacked accounts for sale. Buyers prefer accounts obtained through the former method for their exclusivity, as opposed to publicly available malware-infected accounts.
Cloudsek recommends closing dormant accounts and implementing robust password protection practices to mitigate the risk of credential theft and unauthorized account access.