In early October, a publicist received an irresistible message via email. The publicist's client is a top "influencer"—someone who leverages a social-media following to exert influence and, usually, make money, often by selling sponsored posts. "We would be extremely interested in a business partnership," a man calling himself "Joshua Brooks" wrote. His pitch was eye-popping: He was offering "80 Thousand US Dollars" for a single picture.
The publicist hastily agreed. Brooks, who claimed to have worked with other internet stars including Bella Thorne, Amanda Cerny, and Jake Paul, said that to get started, the influencer would simply need to log in to a third-party Instagram analytics tool, Iconosquare—a common request; many brands use tools such as Iconosquare to track the success of their influencer campaigns.
But the link Brooks sent wasn't to iconosquare.com—it was to lconosquare.biz, a cloned version of the site set up for phishing, at an address that begins with a lowercase "L" in place of the "i" and ends in .biz rather than .com. Once the influencer logged in with the Instagram username and password, Brooks seized control of the account. Within minutes, he was spamming the influencer's millions of followers with offers for a free iPhone.
Brooks has targeted several YouTubers, Instagram stars, and meme pages and used the stolen pages to promote scammy-looking apps and fake offers for free products. In the past month alone, he has seized @Fact, with 7.2 million followers; @Chorus, with 10.1 million; and @SnoopSlimes, with 1.9 million. After the accounts are seized, the hackers update the account's bio to say "managed by SCL Media" and begin reaching out to brands via direct message, telling them to negotiate sponsored-content deals with SCL, not with the previous account holder, going forward.