“Your Instagram has been hacked,” the message sent to various high profile Instagrammers reads. If the victim doesn’t pay up a Bitcoin ransom, “we will have to delete your account within 3 hours,” the hackers’ message continues.
Kevin Kreider, a fitness-focused Instagrammer from Los Angeles, told Motherboard that paying $100 in cryptocurrency didn’t save his account. The hackers still deleted it, and Kreider lost more than 100,000 followers and an important part of his social media focused business.
Kreider eventually got his account back—it’s not clear how though, Instagram didn’t say—but Kreider is not the only person to fall victim to these hackers this month. The hackers have hijacked multiple targets’ accounts, with an apparent focus on ‘lifestyle’ accounts and other people who use Instagram for business. Instagram has not acted on requests for help from some of the victims. A second victim wrote on her personal website, “Instagram doesn’t care.”
Kreider shared a slew of emails, screenshots, and receipts with Motherboard that detail the hacking and extortion episode. At first, someone identifying themselves as ‘Lana’ emailed Kreider under the pretence of being a press relations staffer from fashion company French Connection. They offered a sponsorship deal, and provided a link to their own Instagram account.
That link, despite looking legitimate on the face of it, did not actually go to a real Instagram page. Instead, it redirected to a fake Instagram login portal designed to steal a target’s credentials. According to online records kept by Bit.ly, a link shortening service the hackers used, the link has been clicked 65 times at the time of writing, although it’s not clear if those are all victims.
“I was at the gym going through my emails and thought it was an opportunity with a brand I respected and thought I could put on my Instagram, and when I saw that my Instagram [@kevin.kreider] disappeared from my app, my heart dropped to my stomach,” Kreider told Motherboard.
The hackers were in. Shortly after using that fake Instagram login page, the hackers contacted Kreider demanding their ransom. Kreider paid the hackers just over $110 in Bitcoin, according to a receipt from Bitcoin exchange Coinbase Kreider shared with Motherboard. The hackers, it appears, still deleted his account, as it became unavailable.
Lindsey Simon, another Instagram user and hacking victim, told Motherboard in an email she “kept in contact with the hacker while also getting help from a computer-savvy friend of mine. I ended up paying, but less than they were asking for. I stalled and sent small increments until my friend recovered my password.”
Cassie Gallegos, a third apparent victim also focused on providing lifestyle content on Instagram, wrote in a blog post that she “had 57k followers that I had work tirelessly for, posting my own photography (that I was very proud of, and was my LIFE) along with my stories and adventures on traveling, living your best life, and being financially savvy.” Gallegos says she negotiated the hackers down to a “measly” $122, and she paid in bitcoin. The hackers still have control over her account, Gallegos wrote.
Instagram’s response to the hacks and extortion campaigns has been mixed. All three victims said they contacted Instagram multiple times, resulting in either generic or seemingly automated responses. Simon only regained access through her friend’s help, and Gallegos’ account is still unavailable.
After Motherboard contacted Instagram asking for comment on the hack of Kreider’s account, Kreider said he “got it back” although at the time of writing his account is not appearing in Instagram search results. It is not entirely clear if the events are connected, as Instagram has not responded to Motherboard’s requests for comment. A fourth victim wrote on her blog that Instagram did provide her access once again, but only after her fans and others pressured Instagram to do so in their own posts and messages.
“I never heard from Instagram. Not one word. I don’t know how they fixed it,” that fourth victim, lifestyle blogger Anna Wood, wrote.
A previous Motherboard investigation found, in a separate set of attacks, so-called SIM jackers have targeted peoples’ phone numbers to hijack valuable Instagram accounts. These attacks relied on tricking a telco into porting a victim’s number over to the hackers SIM card, so they can then intercept any two-factor authentication tokens.
Instagram is doing more to help with account security though. Instagram recently introduced app-based two-factor authentication, which can stop a hacker from accessing an account even if they do manage to obtain a target’s passwords, and does not rely on using a mobile phone number. There is no indication that any of these victims had two-factor authentication enabled.
An email sent to the hacker’s address went undelivered, with an error message saying no such address existed. However, Motherboard confirmed that the username “pumpams,” which the hacker used on a particular email service, was indeed in use. According to a screenshot a security researcher shared on Twitter, the scammer may be based in Ukraine.
“I had an emotional breakdown. I had worked so hard to become an influencer, to make the life I wanted to be living, I had partnerships with Hotels.com, PierHouse Key West, Dick’s Sporting Goods, Living Proof lined up to name a few. GONE. ALL OF MY WORK WAS GONE,” Gallegos adds in her blog post.