I’m the owner of two small galleries which sell 20th-century ceramics and artworks. One of the ways we’ve become known is through Instagram. We’ve got almost 50,000 followers and sell a lot of work through there.
In May, I was away for the weekend with friends in Somerset in western England. On Saturday morning, I saw an email in our shared work account (purporting to be) from Instagram. It was congratulating us for getting a blue tick — verification that confirms the account is an ‘authentic presence’.
Thrilled, I clicked the link in the email to confirm. It took me to an official-looking Instagram page where I entered our login details. I was then met with a landing page thanking me for confirming our account’s status.
I thought nothing of it. But that evening, I received an email from Instagram saying someone had logged into our account from an unrecognized computer. Shortly afterwards, another email arrived saying the registered email address associated with the account had been changed. Then another appeared saying the username had been changed.
I tried logging into Instagram but couldn’t. Panicking, I started searching for our Instagram page. Nothing came up. I frantically messaged colleagues, hoping one of them might have done it. Slowly, however, it dawned on me that the account’s disappearance was related to the blue tick email.
Then a message appeared from a ‘Joh Courtney’. The subject line was explicit: ‘Instagram account hacked.’ The message read, ‘We have seized control of your Instagram account. It will be deleted within two hours if you do not reply to this email. We require $1,000 to grant you your account back.’
After trying — and failing — to contact Instagram, I decided we couldn’t afford not to pay. My friend found a website where someone had written about something similar happening to them — and said their account had been returned after they paid the ransom.
I replied to ‘Joh’ asking how I could be sure they would return the account and also for proof they had access to it. The response was brief, but it included a screenshot of our page. The username and description, however, had been changed to Russian. Strange as it sounds, it felt reassuring to know the account still existed and that they had control of it.
I replied, offering $250. No, they said. They wanted $500 — paid in bitcoin. My heart sank. I know nothing about cryptocurrencies. By a stroke of luck, however, one of my friends revealed he owned some bitcoin. After we got the hackers’ details, he made the transaction.
I soon began to doubt the online testimonial. What if the hackers had written it themselves? Their English had been surprisingly good, after all. Suddenly an email appeared. ‘We need more,’ it said. They wanted the full $1,000. I replied that I could do another $250, so $750 in total. They agreed. We made the second bitcoin transfer. I was beginning to have real doubts.
Six minutes later, the hackers emailed, telling us to try logging in. It didn’t work. But they were still engaging; they hadn’t left the conversation, so that was something. They then sent another email with a new username and password for the account — which thankfully worked. The relief was overwhelming after what had been a mentally exhausting couple of hours.
Three days later, I got a message on Instagram from a bakery in Sydney. Their account had just been hacked by the same group and they’d been told to contact us for a TripAdvisor-style testimonial. Could we confirm that if they paid, they’d get their account back? I was sorry to say that yes, we could.