Underground markets of the darknet provide an extensive inventory of illegal goods for sale, including drugs, weapons, hackers and assassins for hire. Also commonly found in darknet marketplaces are a variety of “digital goods,” most notably log-in access credentials for social media accounts across a multitude of sectors. One can as easily purchase credentials for Amazon Prime accounts as they can the credentials of a PayPal account, or an iTunes account that belonged to a previous owner.

What DarkOwl analyst observed as decidedly more prevalent this year is the increase in the existence of completely falsified social media accounts, the creation of which entails posting content to them regularly, generating likes/followers/credibility based on strategic activity, enlisting tools such as SMS verification services to standard bypass security measures, and then selling these powerful “ready-to-go” accounts to eager would-be buyers on the darknet.

After witnessing a surge in the number of fake, pre-packaged social media accounts being advertised for sale over the last year, we took a closer look and found that the demand for these types of accounts has shaped into a sophisticated market, giving individuals with potentially malicious intentions the tools they need to not only obtain social media accounts, but also to leverage them for persistent disinformation campaigns.

Before these purchased accounts can be used to spread and influence others, however, there are a number of hurdles that criminals must cross first: including obtaining accounts that appear to be genuine (i.e. have a history of regular posts and photos), have sufficient clout (i.e. have a number of followers), and navigate security challenges such as two-factor authentication requirements.

Bulk accounts for sale 

The economy of fake, compromised, or otherwise manipulated social media accounts is a booming business. Traditionally, these compromised credentials belong to an unwitting former account holder whose password got in the hands of the wrong individual. 

However, our analysts have recently noticed a surge in an equally if not now more prevalent type of social media darknet marketplace listing. These are that of curated social media accounts that have been created expressly for the purpose of being sold in the future.

The result is another niche economy in which both “fresh” (newly created) and “aged” (accounts with pre-generated followers, or similar) social media accounts are available for purchase across a variety of forums and marketplaces on the darknet.

In taking a closer look at what these listings have in common, we were able to conclude that the demand and price for some social media accounts is closely related to the perceived level of influence and social media platform popularity.

Key takeaways from our observations:

• Of all the social media platform account information listed for sale, YouTube accounts seem to be the most popular overall

• Reddit accounts are also in high demand and are priced based on the amount of Reddit ‘karma’ the account comes with – with some listings advertising accounts with over 50,000 karma points

• In one case, we observed a Russia-based supplier advertising over 30,000 accounts for sale across Facebook and Twitter alone

• In addition to fake accounts created with the aim of selling to the highest bidder – who is then to free to use it to their own accord, a number of darknet vendors continue to offer “combo-lists” (usernames and password combinations) of hacked or leaked account data, many of which were likely retrieved via reused passwords that were compromised in another commercial data breach

• Facebook and TikTok accounts tend to cost the most across most social media account brokers, followed closely behind by LinkedIn, Reddit, and Instagram

• In addition to social media platforms, we also observed vendors selling Gmail accounts, which notably require security measures such as two-factor authentication (2FA)

2FA measures have Created Demand for “Phone Verified Accounts”

Due to the onset of 2FA requirements across multiple platforms, the digital economy of social media accounts has had to adapt. Now, instead of just selling usernames and credentials, vendors are advertising Phone Verified Accounts (PVAs), or accounts that have already been formally associated with a phone number and unique IP address.

For example, if someone were to log into their Gmail account from their personal computer in their home, they will likely be required to allow Gmail to text them a log-in code, which they then enter back into their Gmail account to gain access. In doing so, Gmail then has confirmed this individual’s phone number and IP address, and their account is thereby Phone Verified. Notably, this process requires a mobile device or some other means by which to receive a SMS text.

Google began employing phone verification requirements for account registration as early as 2015. Also in 2015, Facebook began encouraging its users to associate a phone number with their account, and in 2019 made verification via SMS a requirement for all new registrants. Now, both Instagram and Facebook also employ phone verification via SMS with new account registrations and will often block accounts setup using virtual or privatized IP addresses or if accounts are created on the same IP address within a short period of time.

These continued increases in security measures have driven the demand for phone-verified social media accounts, which don’t come cheap. We have steadily observed darknet forum users offering account verification services for accounts created in the USA, UK and China on Facebook, Telegram, Instagram, Gmail and others.

One such current listing offers “High Quality Facebook Marketplace Accounts” for sale. Each account comes with:

– Anywhere between 2 to 9 years of daily activity

– Over 1,000 friends/followers

– An associated email address

– An associated Facebook password

– 10 backup 2FA codes

– The date of birth needed for account verification and/or recovery.

The phone verification account market has been thriving since these platforms instilled such security protocols, even outside of the darknet. Examples of such vendors include:

• On the surface web, PVACreator (pvacreator.com) provides PVA accounts for a variety of platforms and the one-time, single use account price ranges from $62 to $348 USD depending on the platform. Users of their service can sign-up for unlimited accounts across all the sites they have access for $1200.

• Rental property management software, Hemlane is the most expensive website PVAs are available for, while most run on average $100 USD each. 

• On a popular deep web forum, one user offered access to a SaaS-like platform called, GramCreator for creating Instagram PVAs in mass for a flat fee. GramCreator’s marketing material highlights their ability to protect their users interest and evade detection by Instagram.

Because an SMS service is necessary to create a PVA, the widespread marketing of PVAs has subsequently driven the demand for SMS services, which we are increasingly seeing on offer across the darknet.

Traditionally, SMS services have been employed by scammers and phishing-focused cybercriminals, who will then spam mobile phones with targeted, malicious phone calls and texts. In doing so, they are then able to siphon users personal information and/or compromise their mobile device or home network when connected to wi-fi. 

Now, SMS services enable entrepreneurs in the social media account economy to combine social media account credentials with new, unique SMS-enabled phone numbers that have been pre-associated with the credentials, thereby allowing any purchaser of these pre-made social profiles to bypass 2FA challenges.

Bots are also in high demand

In looking at the vendors in this space, we also observed that the digital economy for social media bots is thriving. For example, on the underground market OpenBazaar, a number of vendors sell Instagram and YouTube promotion bots to increase a fresh social media account’s views and likes.

Other offers guarantee to “drive over 10,000++ of real, genuine human traffic” from search engine and social networking sites in 100 days for as little as $5 USD.

Not only that, but bot services appear to be getting more sophisticated and have evolved to be more persistent. On Telegram, some developers offer exclusive access to their automatic traffic generator programs for website and social media platforms. 

Other, older darknet market solicitations advertise social media bots that can auto-generate 400 to 600 likes per hour.  The longevity of these auto-generated likes and followers is uncertain. Adding to the notion that they may not be reliable is the case of one darknet forum user, who recently posted that all 100 Instagram followers that they had purchased from a similar service had disappeared after a single week. Comments on the thread from other social media bot providers stated if they used their service, they would refund a significant percentage of the purchase price if the follower left.

On a popular Russian criminal darknet forum, members also discuss the employment of social media crawlers such as Saveogram to crawl and harvest content from the real Instagram accounts of influencers, which they then used as a template to recreate and modify messages in accordance with their larger disinformation goals. Earlier this year, TikTok deleted Kendall Jenner’s verified account after it turned out the account was fake. The fake account gained over half a million followers in less than 2hrs of the account creation.

Impact of the “pre-packaged” social media account engine

In the last decade the proliferation of social media applications from Facebook and Twitter to now controversial TikTok, is rampant with one or more applications on nearly every adult’s smartphone, connecting people around the world through follows, likes, and retweets. Keeping abreast of current news via social media is increasingly popular. In late 2019, a Pew Center research study concluded that 55% of adults in the US rely on social media to get their news, while a follow-up study conducted from October 2019 through July 2020 indicates that nearly one in five US-based adults receive political and election related coverage exclusively via social media. Facebook, Twitter and Reddit lead the platforms with the most news-centric userbase.

Users acknowledge the impact of false and misleading information on these sites. In 2016 and the months leading up to the US Presidential Election, social media was flooded with false political advertisements assessed by the Special Counsel’s Investigation to be mostly engineered by agents of the Russian Government. While we understand that nation-state governments actively conduct disinformation campaigns, spreading the propaganda of their choosing in increasingly creative and cunning means, the disinformation methods of government intelligence agencies are now readily available to those needing such services commercially on the darknet.

In this initial report, we focused on how fraudulent social media accounts are traded and sold on the darknet. Stay tuned for our follow-up pieces that will detail how these accounts are leveraged to execute disinformation content campaigns, and what potential impacts this underground economy will have on the upcoming US-elections.