Technique Spotlight: Compromise Legitimate Accounts (T0011)

Compromise Legitimate Accounts (T0011) is a technique used by threat actors to Establish Legitimacy (TA16) while Preparing for an influence operation.

When somebody receives a new piece of information, they need to decide whether to believe it. One way to do this is to check whether they trust the source: is the person giving me the information usually authentic? A threat actor can hijack someone’s credibility by accessing their social media accounts (for example, by using stolen passwords) and posting as them.


Real World Examples

Twitter Accounts of European Politicians Hijacked to Spread CCP Propaganda

ISD has identified a small network of 33 Twitter accounts that appear to have been hijacked and used to spread pro-CCP (Chinese Communist Party) narratives. The network includes the verified account of the French MP Bernard Reynès and the account of Liliana Pérez Pazo, a local politician in Spain.

By ISD on 22 Apr 2022

Major US Twitter accounts hacked in Bitcoin scam

Billionaires Elon Musk, Jeff Bezos and Bill Gates are among many prominent US figures targeted by hackers on Twitter in an apparent Bitcoin scam.

[…]

“Everyone is asking me to give back,” a tweet from Mr Gates’ account said. “You send $1,000, I send you back $2,000.”

[…]

By Joe Tidy on 16 Jul 2020

Coronavirus: Inside the pro-China network targeting the US, Hong Kong and an exiled tycoon

The BBC found evidence that at least some of the Facebook pages and accounts originally belonged to users from Bangladesh before they were either hijacked or sold and repurposed to post in Chinese. These accounts had multiple personal pictures on their timelines, listed users predominantly from Bangladesh among their Facebook friends and sometimes even exchanged comments in Bengali on their timelines, before abruptly changing their language and identity overnight.

By Benjamin Strick, Olga Robinson and Shayan Sardarizadeh on 28 May 2020
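
The BBC excerpt above describes accounts that abruptly changed their language and identity overnight. As an added example (not from the original page or the cited reports), the following Python flags that pattern in an account's post timeline. The Unicode-range script detector, the function names and the sample timelines are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date

# Coarse script detector by Unicode block (assumption: enough to tell Bengali,
# Han and Latin apart; a real pipeline would use a language-ID model).
SCRIPTS = {"bengali": (0x0980, 0x09FF), "han": (0x4E00, 0x9FFF), "latin": (0x0041, 0x024F)}

def dominant_script(text):
    """Return the script holding most letters of `text`, or None if none match."""
    counts = Counter()
    for ch in text:
        if ch.isalpha():
            for name, (lo, hi) in SCRIPTS.items():
                if lo <= ord(ch) <= hi:
                    counts[name] += 1
                    break
    return counts.most_common(1)[0][0] if counts else None

def find_script_shift(posts, window=3):
    """Return (date, old_script, new_script) for the first abrupt change, else None.

    `posts` is a date-sorted list of (date, text). A shift means `window`
    consecutive posts in one script directly followed by `window` posts in
    another, so accounts that routinely mix languages are not flagged.
    """
    labelled = [(d, s) for d, s in ((d, dominant_script(t)) for d, t in posts) if s]
    for i in range(window, len(labelled) - window + 1):
        before = {s for _, s in labelled[i - window:i]}
        after = {s for _, s in labelled[i:i + window]}
        if len(before) == 1 and len(after) == 1 and before != after:
            return labelled[i][0], before.pop(), after.pop()
    return None

# Constructed timelines (not real accounts or posts).
REPURPOSED = [
    (date(2020, 3, 1), "শুভ সকাল"),
    (date(2020, 3, 2), "আমার বন্ধুদের সাথে"),
    (date(2020, 3, 3), "আজ আবহাওয়া ভালো"),
    (date(2020, 3, 4), "今天天气很好"),
    (date(2020, 3, 5), "早上好"),
    (date(2020, 3, 6), "我喜欢喝茶"),
]
BILINGUAL = [
    (date(2020, 3, d), t) for d, t in enumerate(
        ["শুভ সকাল", "Good morning everyone", "আমার বন্ধুদের সাথে",
         "Lunch with friends", "আজ আবহাওয়া ভালো", "Happy birthday"], start=1)
]

if __name__ == "__main__":
    print(find_script_shift(REPURPOSED), find_script_shift(BILINGUAL))
```

A flagged shift is a triage signal for analyst review alongside other indicators such as profile-name or avatar changes, not proof of compromise on its own.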
