Two account-takeover stories: dark web markets are selling compromised X Gold accounts for up to $2,000 each — one hijacked account drained $691,000 in crypto assets in 20 minutes — while a Google OAuth vulnerability allows info-stealer malware to maintain account access even after a password reset by preserving stolen session tokens.
Stories Covered
Compromised X Gold Accounts Sold on Dark Web: $691,000 Drained in 20 Minutes via One Hijacked Celebrity Account
CloudSec researchers documented a dark web marketplace flood of compromised X (formerly Twitter) Gold verified accounts, listed at prices ranging from $35 for basic accounts to $2,000 for accounts with large followings. Gold verification is attached to organizations and public figures, giving the accounts a layer of perceived legitimacy that makes them effective for scam operations. Attackers obtain these accounts primarily through credential theft — either brute-force password attacks or info-stealer malware that harvests login credentials from infected machines — and then either use them directly for fraud or resell them on criminal marketplaces. The threat is not theoretical: in September 2023, attackers who compromised the X account of Vitalik Buterin, co-founder of Ethereum, used it to tweet a link to a fraudulent NFT giveaway. The malicious link directed followers to a fake site that drained cryptocurrency from connected wallets. The fraudulent post was live for approximately 20 minutes before being removed; in that window, $691,000 in digital assets was stolen from accounts that clicked the link and connected their wallets.
The mechanics of this attack class are straightforward and the trend is accelerating. Social media accounts with large followings function as trust amplifiers: followers are conditioned to treat posts from an account they follow as credible. When an attacker takes over that account, they inherit the trust relationship between the account and its audience. The more prominent the account, the more people will click without verifying. Crypto giveaway scams are the dominant use case because the payout is immediate, irreversible, and difficult to trace — a victim who connects a wallet to a malicious site and signs a transaction has no recourse after the fact. For organizations and public figures with significant followings, the security posture of their social accounts requires the same attention as any other high-value credential: unique strong passwords, app-based multi-factor authentication (not SMS), and awareness that credential-stealing malware targeting connected devices is the primary attack vector. For followers, the defensive heuristic is simple: no legitimate person or organization will offer free cryptocurrency through a social media link. No exceptions.
Google OAuth Session Token Exploit: Changing Your Password Is Not Enough
CloudSec researchers identified a zero-day exploitation technique targeting an undocumented Google OAuth endpoint called “MultiLogin,” first publicly surfaced by a threat actor known as Prisma in October 2023. The vulnerability allows info-stealer malware to steal Google account session tokens in a way that persists even after the account owner changes their password. Six info-stealer malware families had already incorporated the technique by the time of reporting, including Lumma and Rhadamanthys, with Eternity Stealer actively developing an implementation for a future update. The technical mechanism centers on session tokens: when a user authenticates to a Google account, the server issues a session cookie that allows subsequent requests to be made without re-entering credentials. Standard security advice tells compromised users to change their password, which invalidates the stolen username-and-password pair. However, if the malware has stolen a valid session token rather than (or in addition to) the password, the session remains valid until it expires or is explicitly revoked — and session expiration windows can be days or weeks. Changing the password does not automatically invalidate existing sessions.
Google confirmed the vulnerability and clarified the correct remediation: changing your password is insufficient if session tokens have been compromised. The correct response is to log out of all active sessions (which invalidates the session cookies) and revoke access on any compromised devices, then reauthenticate to establish new sessions. This forces the server to issue new session tokens, rendering any previously stolen tokens worthless. Google noted that this style of attack — stealing session tokens to maintain persistent access — is known but not frequently seen at scale. The exploitation through the MultiLogin endpoint is the novel element that gives attackers a reliable path to maintaining access across password changes. The practical takeaway for users: if you have reason to believe your Google account was accessed by malware or unauthorized parties, a password change alone is not the complete remediation. Log out of all sessions, revoke device access, and then re-establish access from a clean device. For organizations, this finding reinforces why session management and anomalous login detection matter — a session token stolen by malware can persist across the password reset that most users assume closes the door.
Leave a Reply