DisinformationFraud

Account Trafficking Websites in December 2024

This report examines the illicit online trade of aged and verified accounts for platforms like social media, email, and Google Ads. These accounts, often obtained through hacking or phishing, are valuable for bypassing security and leveraging established trust. They fuel a range of activities, from grey-area marketing tactics to serious crimes like fraud and disinformation, highlighting a significant security risk and a growing challenge in the digital landscape.

Details

In December, 2024, over 100 newly registered domains were observed hosting websites alleging to sell pre-verified and aged accounts. These additions to the burgeoning illicit online market for aged and verified accounts alleged to sell accounts across a range of platforms including social media, email providers, cloud services, and advertising networks like Google Ads. These underground marketplaces cater to a demand for pre-existing, reputable digital identities, often acquired through illicit means such as data breaches, phishing scams, or account takeovers.

Buyers are drawn to these accounts for a variety of reasons, primarily the ability to bypass security measures and leverage the established trust associated with older or verified profiles. While some may employ these accounts for seemingly innocuous purposes like gaining an edge in social media marketing or accessing region-locked content, a significant portion fuels malicious activities, including spam campaigns, fraud, disinformation dissemination, and even more nefarious operations. 

This investigation will delve into recently configured domains and websites in the ecosystem of these account markets, examining the types of accounts traded and techniques employed to drive traffic to their sites.

Cloud and BHW Accounts

Based on domain registration overlaps, the following 3 domains were likely created by the same actor. The websites advertise the sale of cloud accounts from top providers as well as ads accounts, Apple developer accounts, Google Voice accounts, and payment gateway accounts such as Amazon Pay and Cash App accounts. The site alleges the accounts are pre-verified and customers are granted full access to the accounts.

  • IP ISP: Hostinger International Limited
  • IP Country: US
  • Website Title contains all: buy, account
topcloudacc[.]com
acctrusted[.]com
buybhwaccounts[.]xyz

Domain `topcloudacc[.]com` purports to sell AWS, Cloud, Ads, and other accounts.

Website Title: “Buy AWS Account | Best 32-vCPU & Credit Account – 2025”

Domain `acctrusted[.]com` purports to sell cloud accounts for AWS, Azure, Vultr, DigitalOcean and others for sale. 

Website Title: “Buy AWS Accounts | Best Vcpu & Credit Account For Sale 2024”

Domain `buybhwaccounts[.]xyz` purports to sell AWS, Google Cloud, Oracle, Digital Ocean, Ads Accounts, and BHW accounts.

Website Title: “Buy BHW Accounts – BHW Accounts For Sale – buybhwaccounts[.]xyz”

Domain `isp-rebellion[.]com` purports to sell Apple 2FA Accounts.

Website Title: “Apple 2FA Accounts for Sale”

Social Media Accounts for Sale

Domain `regularpva[.]com` purports to sell a variety of social media, email and dating accounts such as Facebook, Instagram, Gmail, Outlook, Twitter, and Yahoo. 

Website Title: “Buy Social Media Accounts – Social Media Pages for Sale – SecurePVA”

Domain `shiftxchange[.]biz` purports to be a marketplace for buying and selling social media accounts among other alleged service offerings.

Website Title: “Social Media Accounts for Sale”

Domains twitterxarena[.]com and redditarena[.]com both redirect to discordarena[.]com and purport to sell premium aged social media accounts including Discord and Reddit.

Website Title: “Premium Aged Discord Accounts for Sale | Discord Arena”

Domain `redditaccsbuy[.]com` purports to sell aged reddit accounts

Website Title: “Reddit Accounts with Karma for Sale | Buy Verified, Aged Reddit Accounts Instantly | Affordable Reddit Account Marketplace”

Examining One Such Network: Aged Google Ads Accounts for Sale

Over 100 identical websites were created in December, 2024 purporting to sell aged Google Ads accounts and invite codes to illicit marketplaces. For awareness, selling or buying Google Ads accounts is a violation of Google’s terms of service. Aged accounts might be perceived as having more authority or being less likely to be flagged for suspicious activity, making them attractive to those trying to game the system. 

Registration Overlaps:

  • Registrar: Dynadot LLC
  • Name Server: cloudFlare.com
  • Server Type: CloudFlare
  • ISP IP: CloudFlare Inc.
  • Domain Name or Website Title contains: google ads or adwords

During December 2024, 128 domains were identified with nearly identical domain registration details. All domains were configured with nearly identical website content. The websites contain links to illicit marketplaces such as credit card number verification and acquisition services, and illicit Russian markets. The websites also contain multiple links with the other 128 domains such that all 128 domains have websites directing traffic to each other. 

This configuration of interconnected website links is characteristic of search engine optimization (SEO) manipulation techniques. Specifically, in also considering the illicit content of these websites, this activity may be created solely to build backlinks to a main “money site” to manipulate search engine rankings typically referred to as a Private Blog Networks (PBN). PBNs can be a particularly effective SEO manipulation technique as search engines like Google consider backlinks as a signal of authority. The more backlinks, the higher the ranking. PBNs attempt to artificially inflate these rankings to drive traffic to their main sites. As such, search engine providers may penalize these networks and main sites by dropping their search rankings or completely removing them from search results. 

Example Google search query results for Google Ad accounts for sale:

Conclusion

In conclusion, the illicit market for aged and verified accounts across social media, email, and advertising platforms represents a persistent and evolving threat. Resold accounts are often acquired through illegitimate means and through account farming and reselling. Aged and pre-verified accounts provide a foundation for a spectrum of illicit and grey-area activities, ranging from spam campaigns, fraud, obfuscated ownership of hosting malicious resources on cloud providers, to manipulating online discourse. 

This activity underscores the critical need for enhanced security measures and robust verification processes by platform providers. Detecting and mitigating account handoff behaviors, such as suspicious login patterns or unusual activity spikes, is crucial to prevent the reselling and abuse of verified accounts. Furthermore, marketing and sales teams must exercise heightened vigilance when encountering accounts with seemingly high engagement or suspicious activity. Aged or re-verified accounts may appear more legitimate, but their origins should be carefully scrutinized. 

Proactive threat intelligence, increased awareness among users and businesses, and collaborative efforts between platforms, law enforcement, and cybersecurity researchers are essential to combat the acquisition and exploitation of these compromised accounts, which continue to undermine the integrity and trustworthiness of the digital landscape.

Appendix

Google Ad Account domains related by overlapping registration and hosting detailsadwordsad[.]cv
adgoogle[.]cv
googlead[.]cv
adgoogle[.]my
googlead[.]my
googleadwords[.]biz
adgoogle[.]shop
adsgoogle[.]tube
googleadwords[.]tube
googlead[.]best
adgoogle[.]blog
googlead[.]shop
adgoogle[.]best
adgoogle[.]cyou
googlead[.]co
googleadwords[.]bond
adgoogle[.]qpon
adgoogle[.]sbs
adgoogle[.]pro
googleadwords[.]lol
googlead[.]cheap
adgoogle[.]me
googlead[.]asia
googlead[.]vip
adsgoogle[.]lat
adgoogle[.]help
googlead[.]pro
googleadwords[.]help
googlead[.]lat
adgoogle[.]click
googlead[.]info
googlead[.]click
adgoogle[.]one
googleadwords[.]top
adgoogle[.]lat
adsgoogle[.]lol
adgoogle[.]tube
adgoogle[.]bet
googlead[.]bet
googlead[.]lol
googlead[.]me
adgoogle[.]vip
adgoogle[.]top
googlead[.]bid
googlead[.]cc
adgoogle[.]bid
googlead[.]one
adgoogle[.]cc
adsgoogle[.]bond
adgoogle[.]info
googleadwords[.]beauty
googlead[.]beauty
adsgoogle[.]pics
adgoogle[.]xyz
adwordsad[.]me
adwordsad[.]sbs
adwordsad[.]shop
adwordsad[.]co
adwordsad[.]blog
adwordsad[.]biz
adwordsad[.]best
adwordsad[.]my
adwordsad[.]cyou
adwordsad[.]org
adwordsad[.]art
adwordsad[.]one
adwordsad[.]click
adwordsad[.]pro
adwordsad[.]asia
adwordsad[.]vip
adwordsad[.]bet
adwordsad[.]tube
adwordsad[.]bid
adwordsad[.]cc
adwordsad[.]icu
adwordsad[.]lol
adwordsad[.]pw
adwordsad[.]info
googleadwords[.]cv
adsgoogle[.]cv
adsgoogle[.]sbs
adsgoogle[.]best
adsgoogle[.]blog
adsgoogle[.]cyou
adsgoogle[.]pro
adsgoogle[.]icu
adsgoogle[.]click
adsgoogle[.]one
adsgoogle[.]bid
googleadwords[.]icu
googleadwords[.]shop
googleadwords[.]my
googleadwords[.]lat
googleadwords[.]club
googleadwords[.]info
googleadwords[.]cheap
googleadwords[.]me
googleadwords[.]bid
googleadwords[.]org
googleadwords[.]click
googleadwords[.]vip
googleadwords[.]best
googleadwords[.]blog
googleadwords[.]cloud
googleadwords[.]cc
googleadwords[.]buzz
googleadwords[.]cfd
googleadwords[.]cyou
googleadwords[.]pro
googleadwords[.]sbs
buyadwords[.]cv
buyadwords[.]bid
buyadwords[.]org
buyadwords[.]vip
buyadwords[.]click
buyadwords[.]one
buyadwords[.]my
selladwords[.]cv
selladwords[.]click
selladwords[.]co
buyadwords[.]sbs
buyadwords[.]icu
selladwords[.]xyz
selladwords[.]com
selladwords[.]shop

Social Media Accounts
redditaccsbuy[.]com
user-sale[.]com
regularpva[.]com
shiftxchange[.]biz
twitterxarena[.]com
redditarena[.]com
discordarena[.]com
Game Accountsatshopr[.]com
nonlethalweaponsbook[.]com
mysticmisery[.]com
roadaccounts[.]com
fndrop[.]com
fortniteaccs[.]com
accountshubs[.]com
bootybay[.]gg
totalbattleaccounts[.]com
Apple 2FA Accountsisp-rebellion[.]com

Cloud and BHW Accounts
buybhwaccounts[.]xyz
acctrusted[.]com
topcloudacc[.]com
Retail Accountsinstantaccountshop[.]com