The Instagram and Twitter Verifications Underground Market story
On August 15, Diana Pearl, a news editor based in New York, unexpectedly received an alarming email. It stated that someone in Moscow had accessed her verified Twitter account. The email looked familiar to Pearl because it closely resembled an earlier automated Twitter message: a plain white background, black text, and blue links.
Worried about the security of her account, Pearl clicked the email's link, which promised to secure the account immediately. On the page that followed she "updated" her password by first entering her current one, handing it to the attacker. A short while afterwards, a message was posted in a Telegram group: just a link and a screenshot of Pearl's Twitter profile. Three hours later, the group's administrator posted 'Sold'.
Pearl had fallen for a phishing scam. The email was sent not by Twitter but by a hacker imitating an official Twitter message. Pearl thinks that because she was out when the email arrived, she did not want to wait until she was home to examine it on her computer; the email's sense of urgency led her to react without reading it carefully.
In the enormous and extremely profitable underground market for verified Twitter handles, Pearl's account was just one sale. In this particular Telegram group, control of a verified account often costs a few hundred dollars, an outlay buyers typically try to recoup by pushing NFT scams from the account. Judging by the frequency of new listings on markets for verified accounts, such thefts are common, with dozens of profiles lost each day. And despite years of evidence, platforms have failed to stop the continuous trafficking.
Jacob Stern, a journalist for The Atlantic, had his account stolen in May of this year, and it was used to trick owners of Moonbirds NFTs into sending their tokens to the hacker's wallet. Over the course of a few hours the hacker announced a new 'discount' in hundreds of tweets carrying phishing links, which led victims to send cryptocurrency in exchange for a fake NFT or for nothing at all. In August, MPR News reporter Dana Ferguson's profile was similarly rebranded to target Killabears NFTs, with everything changed except the username, since changing that would have removed the verification badge. Both compromised accounts had been offered for sale in the same Telegram group.
Previously, blue-check Twitter account theft was rare and well organized, and it mostly took place on exchanges like Swapd and Ogu.gg. As demand for verified accounts for NFT promotions and scams has grown, however, hackers have shifted to more accessible networks like Telegram to reach bigger audiences. And gaining access to an account is easier than you might imagine.
According to conversations The Verge had with numerous current and former hackers, who requested anonymity out of concern about backlash in the security industry, almost all blue-check Twitter thefts rely on an attack known as 'credential stuffing'.
Hackers start a credential stuffing attack with a sizable leaked database of username and password combinations, which are no longer difficult to find thanks to the rising number of major data breaches. Rather than guessing passwords, the hacker replays each leaked username and password pair against Twitter's login form, usually with automated tooling, relying on the fact that many people reuse the same password across sites. The accounts that log in successfully are the 'hits', and those are what get sold in the Telegram groups.
When that strategy fails, either because the account has two-factor authentication enabled or because its owner never reused the breached password on Twitter, attackers switch to phishing. And as email phishing becomes less effective, many now phish on Twitter itself, using an already hacked blue-check account to pose as Twitter's support staff.
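The credential stuffing step described above leaves a distinctive trace on the defender's side: one source address trying many different usernames in a short time, mostly failing, with a handful of successes mixed in. The following is an added example, not code from The Verge's reporting or from Twitter, that detects this pattern over a constructed login log. The log format, the thresholds, the IP addresses and the usernames are all assumptions for illustration.

```python
"""Credential-stuffing detector over login-log lines.

Added example, not from the article or from Twitter. The log format,
thresholds and sample data are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Assumed log format: "<ISO timestamp> <source ip> <username> <LOGIN_OK|LOGIN_FAIL>"
# Constructed sample: one stuffing run (203.0.113.7) cycling through leaked
# pairs, one user retrying their own forgotten password (198.51.100.4) and
# one ordinary login (192.0.2.9).
SAMPLE_LOG = """\
2022-08-15T10:00:01 203.0.113.7 alice LOGIN_FAIL
2022-08-15T10:00:02 203.0.113.7 bob LOGIN_FAIL
2022-08-15T10:00:02 203.0.113.7 carol LOGIN_OK
2022-08-15T10:00:03 203.0.113.7 dave LOGIN_FAIL
2022-08-15T10:00:03 203.0.113.7 erin LOGIN_FAIL
2022-08-15T10:00:04 203.0.113.7 frank LOGIN_FAIL
2022-08-15T10:00:05 203.0.113.7 grace LOGIN_OK
2022-08-15T10:00:05 203.0.113.7 heidi LOGIN_FAIL
2022-08-15T10:00:06 203.0.113.7 ivan LOGIN_FAIL
2022-08-15T10:00:06 203.0.113.7 judy LOGIN_FAIL
2022-08-15T10:03:00 198.51.100.4 alice LOGIN_FAIL
2022-08-15T10:03:20 198.51.100.4 alice LOGIN_FAIL
2022-08-15T10:03:45 198.51.100.4 alice LOGIN_OK
2022-08-15T11:30:00 192.0.2.9 mallory LOGIN_OK
"""


class LoginEvent(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one line of the assumed log format into a LoginEvent."""
    ts, ip, user, result = line.split()
    return LoginEvent(datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK")


def detect_credential_stuffing(
    log_text: str,
    window: timedelta = timedelta(minutes=5),
    min_users: int = 5,
    min_fail_ratio: float = 0.5,
) -> Dict[str, dict]:
    """Flag source IPs that try many distinct usernames in a short window.

    A source is flagged when, within any sliding window of `window` length,
    it attempts at least `min_users` distinct usernames and at least
    `min_fail_ratio` of those attempts fail. Successful logins inside a
    flagged window are the attacker's 'hits': accounts to lock and reset.
    A single user retrying their own password is not flagged, because the
    distinct-username count stays at one.
    """
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_ip[ev.ip].append(ev)

    findings: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(events)):
            # Advance the window start so the window never exceeds `window`.
            while events[end].ts - events[start].ts > window:
                start += 1
            win = events[start:end + 1]
            users = {e.user for e in win}
            fails = sum(1 for e in win if not e.ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                prev = findings.get(ip)
                # Keep the largest qualifying window seen for this source.
                if prev is None or len(win) > prev["attempts"]:
                    findings[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "failures": fails,
                        "compromised": sorted(e.user for e in win if e.ok),
                        "first_seen": win[0].ts,
                        "last_seen": win[-1].ts,
                    }
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {f['distinct_users']} usernames, {f['failures']}/{f['attempts']} "
              f"failed, compromised={f['compromised']}")
```

The key signal is the count of distinct usernames per source, not the raw failure count: a user fumbling their own password produces many failures against one username, whereas a stuffing run produces roughly one attempt per username. The accounts listed under `compromised` correspond to the 'hits' the article describes being sold; on a real platform the response would be to invalidate those sessions and force a password reset, and to rate-limit or challenge the source address. Real attackers spread attempts across many proxies, so a production detector would also key on other stable features such as client fingerprint, which this illustration omits.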