Skip to content

A Coordinated Takedown Targets ‘OGUser’ Account Thieves

Since 2017, the online marketplace OGUsers has fueled a community focused on buying and selling access to short or flashy social media and gaming handles, like @xx or @drug. Last year, hackers affiliated with OGUsers allegedly launched a massive attack on Twitter, temporarily taking over dozens of accounts with short or prominent handles, like @Apple, @JeffBezos, and @Uber. Today, as part of ongoing efforts to address OGUsers account takeovers, Instagram, Twitter, TikTok, and other platforms are reclaiming swaths of those stolen accounts and sending cease and desist letters to known OG-handle hackers.

Instagram is taking action against hundreds of accounts as part of Thursday’s action. While it’s done this kind of enforcement for years, it’s speaking publicly about it for the first time to raise awareness about the extent of the threat. Skilled OGUsers hackers not only target individual account owners to get credentials, but have launched sophisticated phishing attacks and even extortion attempts against customer service and IT technicians at big companies—as in the Twitter hack—to get bulk access to more accounts. OGUsers are notorious for using this type of access to pull off SIM-swapping attacks, in which hackers take control of victims’ phone numbers and the online accounts attached to them.

WIRED spoke with two senior officials at Instagram parent company Facebook, but agreed not to use their names; OGUsers forum members have “swatted” tech company employees, including some at Facebook and Instagram, in an effort to intimidate them. Swatting attacks are false calls to 911 about made up emergencies at a target’s address with the goal of having police storm the residence.

“We want to make it clear both to the OG members we’re enforcing against here and anyone else who’s contemplating similar techniques that we’re not going to permit them to commercialize this type of deception, harassment, and abuse,” one Facebook official told WIRED. “And we want to raise awareness among people who might try to buy these accounts that the way the individuals get access to the accounts involves hacking, blackmail, and swatting that can cause real harm to innocent people.”

Twitter says it permanently suspended a number of accounts related to OGUsers activity in recent days, including some with high follower counts and short or otherwise unique handles. The company conducted its investigation in tandem with Facebook.

“As part of our ongoing work to find and stop inauthentic behavior, we recently reclaimed a number of TikTok usernames that were being used for account squatting,” a TikTok spokesperson told WIRED in a statement. The company also said it has been cooperating with other industry organizations to combat the problem. 

“The challenge that I pose to these high-value companies, social media sites, or cryptocurrency platforms is if you take a look at your password reset flow and you can reset the password by owning the phone number, you’ve got yourself a problem,” says Rachel Tobac, CEO of SocialProof Security, which focuses on social engineering. “You can take punitive action against cybercriminals, but you also need to minimize the value of the attack methodology of SIM swaps.”

Multifactor authentication using code-generating apps or physical authentication tokens can prevent hackers from stealing two-factor codes sent via SMS. Instagram introduced third-party app authentication in 2018, and encourages all of its users to add that extra layer of protection. Facebook is also in the process of expanding its “Facebook Protect” security program for prominent accounts, which offers support on multifactor authentication and additional monitoring. 

While OGUsers hackers often rely on SIM-swapping, researchers emphasize that it isn’t the only type of attack companies need to guard their users against. Many of the actors are talented social engineers and phishers. Some go beyond stealing credentials, and use those techniques to install malware inside customer service departments or even on individuals’ devices. This means the response needs to be even more comprehensive.