Ukrainian Hackers Who Stole 100 Million Instagram Accounts Face 15 Years in Prison

Ukrainian Cyber Police have apprehended three suspected members of an organized crime ring that specialized in hacking Instagram accounts for resale on the dark web.

“The cyber police of Kharkiv region, together with the investigators of the State Police of the region, under the procedural guidance of the Kharkiv regional prosecutor's office, identified three criminals aged between 20 and 40 who stole the e-mail accounts and accounts of the Instagram social network of Internet users,” reads a machine translation of the Ukrainian-language press release published by the Cyber Police of Ukraine.

Over the course of a year, the suspects allegedly used brute-force techniques to guess the passwords to some 100 million Instagram accounts – presumably accounts lacking multi-factor authentication.

Police conducted 7 searches at various residences in Kyiv, Odesa, Vinnytsia, Ivano-Frankivsk, Donetsk, and Kirovohrad, and seized more than 70 computers, 14 phones, bank cards, and around $3,000 in cash. Three suspects were arrested.

“The organizer distributed responsibilities among the performers, and the latter formed databases of hacked accounts and put them up for sale on the darknet,” according to the press release.

Most of the operation focused on selling compromised accounts to fraudsters on the dark web. Buyers would typically impersonate the account holders engaging in fraudulent schemes like “Friend Asks for a Loan.”

Fraudsters would reach out to the account holders’ contacts and fabricate an emergency then ask for a loan. However, at least some compromised accounts were also allegedly used to “conduct IPSO in the interests of the Russian Federation,” according to the Ukrainian Cyber Police.

The culprits are charged with several counts of illicit cyber activities and face up to 15 years in prison each.

Instagram now enforces multi-factor authentication. This important security layer was presumably off for the users of the compromised accounts at the time this hacking campaign took place.

At Bitdefender, we not only recommend you use multi-factor authentication with every service that offers it, but we also recommend you move away from SMS-based multi-factor authentication and instead adopt a trusted authenticator app, which makes it much harder for bad actors to intercept one-time authentication codes to your accounts. For peace of mind, consider also deploying a dedicated security solution on all your personal devices, including your phone.