How TikTok and Instagram APIs are being exploited to validate stolen accounts

Find out how PyPI malware packages exploited TikTok and Instagram APIs to validate stolen credentials—fueling dark web sales and targeted attacks.


A disturbing new form of malware is exploiting the open-source software ecosystem by using Python packages hosted on the Python Package Index (PyPI) to covertly validate stolen email addresses against TikTok and Instagram user databases. In an original investigation published by Socket’s Threat Research Team and authored by Olivia Brown, three malicious checker tools—named checker-SaGaF, steinlurks, and sinnercore—were found live on PyPI, all actively abusing undocumented application programming interfaces (APIs) from TikTok and Instagram. The packages were flagged for unauthorized network access, covert account validation behavior, and evasion techniques consistent with credential verification frameworks used by threat actors. The reporting highlighted how these tools automate reconnaissance steps in credential-based cyberattacks, allowing actors to silently build verified user lists that are then weaponized in phishing, spamming, or dark web credential sales.

Malicious PyPI Packages Exploit TikTok and Instagram APIs to Validate Stolen Emails

These malicious utilities exemplify how open-source package repositories can become launchpads for exploit chains targeting both everyday users and developers. Once installed, the software operates behind the scenes, checking the validity of emails through private or deprecated API endpoints without triggering alarms or requiring user interaction. This silent validation process is the first link in a broader attack lifecycle, frequently leading to more damaging exploits like account takeover or identity theft.

What Are “Checker” Tools and Why Are They Dangerous?

Checker tools serve as the preliminary filters in data-driven cyberattacks. Rather than hacking into systems directly, they validate whether a given email or username is active on a particular platform. Their role is deceptively simple yet fundamentally dangerous: by confirming that an account exists, these tools set the stage for further exploitation via credential stuffing, phishing, or targeted social engineering. Because these tools operate silently through APIs, they are able to bypass conventional rate-limiting, multi-factor authentication challenges, and web interface protections.

The significance of such tools in the cybercrime economy is massive. Threat actors routinely collect large dumps of credentials from data breaches and use checkers to refine them into high-value lists. A verified Gmail address associated with a TikTok or Instagram account commands a premium on illicit markets compared to unverified data. These lists are often sold for fractions of a cent per entry, enabling low-cost, high-efficiency attack campaigns that can be scaled with minimal technical sophistication.

How Did checker-SaGaF Exploit TikTok and Instagram?

The checker-SaGaF package is structured to mimic legitimate mobile app behavior and access TikTok and Instagram APIs in a way that circumvents bot detection systems. The function targeting TikTok performs a POST request to an undocumented password recovery endpoint, faking the headers, device identifiers, user-agent strings, and cookies of a typical Android phone running the musical.ly app. This API endpoint, originally built for legitimate account recovery, responds with specific success or failure messages depending on whether the provided email is registered with TikTok. The malware interprets a “Sent successfully” message as confirmation that the email corresponds to a real account.


A similar strategy is employed for Instagram validation. The Insta() function in checker-SaGaF sends a login request using the target email and a dummy password. Instagram’s response error code is then used to deduce whether the email is valid. If the error returned is “bad password” rather than “invalid user,” the email is logged as an active account. The success of both strategies lies in subtle differences in server responses—differences that normal users never see, but threat actors exploit programmatically.
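The response asymmetry described above, an “invalid user” error for unknown accounts versus a “bad password” error for known ones, is what turns an ordinary login or recovery endpoint into an account-existence oracle. The following added example, written for this article and not taken from the packages or from Socket’s report, shows a minimal login and recovery handler in the leaky form beside a hardened form that returns the same message for unknown accounts and wrong passwords; the user store, salt, outbox and helper names are constructed for the illustration.

```python
"""Account-existence leak through error differences, and the hardened form.

Constructed illustration: the user store, salt, outbox and helper names are
hypothetical and stand in for a real platform's login and recovery handlers.
"""
import hashlib
import hmac

_SALT = b"constructed-demo-salt"   # a real system uses a per-user random salt and a slow KDF


def _hash(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


# Constructed user store: one registered account.
USERS = {"alice@example.com": _hash("correct horse")}
_DUMMY_HASH = _hash("dummy")       # compared against when the account is unknown

# Constructed outbox so the recovery flow can be checked without sending mail.
SENT_RESETS = []


def login_leaky(email: str, password: str) -> dict:
    """The leaky pattern: the error code tells the caller whether the email is registered."""
    stored = USERS.get(email)
    if stored is None:
        return {"ok": False, "error": "invalid_user"}
    if not hmac.compare_digest(stored, _hash(password)):
        return {"ok": False, "error": "bad_password"}
    return {"ok": True}


def login_hardened(email: str, password: str) -> dict:
    """Same response for an unknown email and for a wrong password.

    The hash comparison runs against a dummy value when the account does not
    exist, so the timing of the two failure paths is also similar.
    """
    stored = USERS.get(email)
    matched = hmac.compare_digest(stored if stored is not None else _DUMMY_HASH, _hash(password))
    if stored is None or not matched:
        return {"ok": False, "error": "invalid_credentials"}
    return {"ok": True}


def recovery_hardened(email: str) -> dict:
    """Password-recovery initiation that never reveals whether the email exists."""
    if email in USERS:
        SENT_RESETS.append(email)   # only registered addresses get mail
    return {"message": "If an account exists for this address, a reset link has been sent."}


def reveals_existence(handler, registered: str, unregistered: str, password: str = "wrong") -> bool:
    """True if a caller can tell a registered email from an unregistered one by the response alone."""
    return handler(registered, password) != handler(unregistered, password)


if __name__ == "__main__":
    print("leaky handler distinguishable:",
          reveals_existence(login_leaky, "alice@example.com", "bob@example.com"))
    print("hardened handler distinguishable:",
          reveals_existence(login_hardened, "alice@example.com", "bob@example.com"))
```

The `reveals_existence` check is the test a platform team can run against its own handlers: if two requests that differ only in whether the identifier is registered produce different bodies, status codes or error codes, the endpoint is usable as a checker.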

How Does steinlurks Use Multiple API Endpoints to Avoid Detection?

Where checker-SaGaF uses one method per platform, steinlurks is designed with five distinct functions to probe multiple Instagram API endpoints, each with unique request structures and headers. This layered design allows for redundancy. If one endpoint becomes restricted or patched, the tool can simply rotate to another. Additionally, steinlurks randomizes its user-agent strings using device simulation parameters such as screen resolution, CPU architecture, Android version, and even vendor branding like Samsung, Huawei, or Xiaomi. This method of API abuse makes it difficult for Instagram’s backend to fingerprint malicious activity based on traffic patterns.

The functions within steinlurks target various API flows. Some emulate the internal debugging search features, while others impersonate the signup email checker, password recovery initiator, or username lookup services. Each function injects the target email into an API request and interprets the server response to determine account validity. Importantly, all these actions occur in the background, often before any overt attack begins. The tool essentially builds a list of “live” Instagram emails that can later be targeted through phishing or further brute-force attempts. This stealth validation provides both operational value to attackers and a layer of protection against early detection.

What Did sinnercore Do Differently?

Sinnercore employs a different methodology centered around forced password reset requests. Its main function targets a legacy API endpoint used by older Instagram app versions. It forges a request using fabricated user-agents and session tokens to simulate an Android device and submits a reset request for a given username. A successful response indicates that the account is both real and accessible through Instagram’s recovery systems. This method not only verifies accounts but can also serve as a low-grade harassment tactic by spamming users with reset prompts.


Beyond Instagram validation, sinnercore contains OSINT-style functionality. It extracts Telegram user metadata including bios, IDs, and premium status indicators. It also queries Binance for real-time cryptocurrency pricing and performs deep scrapes of PyPI package data, possibly to construct convincing developer profiles or impersonate legitimate contributors. These expanded capabilities suggest that the malware authors are targeting a broad spectrum of users—from average social media consumers to cryptocurrency holders and Python developers.

What Are the Implications for Credential Security and Dark Web Trade?

The confirmed presence of these malicious packages on PyPI signals a growing professionalization in cybercrime tactics. By verifying stolen emails against major platforms before launching an attack, threat actors ensure a higher success rate and a cleaner, more valuable data set. Once emails are verified, they can be used in password-spraying attacks, phishing campaigns, impersonation schemes, or even account suspension attacks. Verified lists of TikTok and Instagram users are already being sold in dark web forums, sometimes for just a few hundred dollars per 100,000 entries. These lists become the bedrock of many low-cost cybercrime operations, and the barrier to entry for threat actors is shrinking.

This has downstream implications for individuals, platforms, and enterprises. For users, having their emails silently validated means that they are being added to threat databases without consent or notification. For platforms, it means that internal API structures are being exploited outside of intended usage patterns, weakening overall security posture.

What Can Developers and Users Do to Mitigate the Risks?

End users can begin by embracing sound credential management practices. This includes not reusing passwords across platforms, using a password manager to generate unique credentials, and enabling two-factor authentication wherever possible. Awareness tools like breach alert services can also provide an early warning if one’s email appears in a leaked dataset.

For developers and security teams, the attack vectors presented by these packages reinforce the urgency of securing the software supply chain. PyPI and other public repositories need stricter vetting mechanisms, while downstream users must adopt tools that provide automated static and dynamic analysis of package behaviors. Socket’s suite of tools, including its GitHub app, command-line interface, and browser extension, was cited as an effective resource for identifying these malicious patterns during installation or code review.
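To make the “automated static analysis of package behaviors” concrete, here is an added example of a small triage scanner; it is written for this article and is not Socket’s tooling or any code from the packages. It parses a module with Python’s `ast` and flags the three signals the checkers combine: a network library import, a hard-coded API host, and client headers (user-agent, cookie) set by hand to impersonate an app. The two source snippets it scans are constructed stand-ins for package files, and the `.test` host is a reserved example domain.

```python
"""Static triage of a Python package for credential-checker behaviour.

Added illustration, not Socket's tooling: flags network imports, hard-coded
API hosts and forged client headers, the combination seen in the checkers the
article describes. The two source snippets are constructed and stand in for
package files; the ".test" host is a reserved example domain.
"""
import ast
import re

NET_MODULES = {"requests", "httpx", "urllib", "urllib3", "http", "aiohttp", "socket"}
FORGED_HEADERS = {"user-agent", "cookie"}   # headers a checker sets to look like a real app
URL_RE = re.compile(r"https?://([\w.-]+)")

SUSPECT_SRC = '''
import requests

def check(email):
    headers = {"User-Agent": "fake-android-client", "Cookie": "sessionid=abc"}
    r = requests.post("https://api.social-example.test/recover", headers=headers, data={"email": email})
    return "Sent successfully" in r.text
'''

BENIGN_SRC = '''
import json

def load(path):
    with open(path) as f:
        return json.load(f)
'''


def scan_source(src: str) -> list:
    """Return (finding_kind, detail) pairs for one module's source text."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            if name.split(".")[0] in NET_MODULES:
                findings.append(("network_import", name))
        # String literals: dict keys, call arguments and bare constants all land here.
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            match = URL_RE.search(node.value)
            if match:
                findings.append(("hardcoded_url", match.group(1)))
            if node.value.lower() in FORGED_HEADERS:
                findings.append(("header_forgery", node.value))
    return findings


def verdict(findings) -> str:
    """All three signals together is the checker pattern; any one alone is only a note."""
    kinds = {kind for kind, _ in findings}
    if {"network_import", "hardcoded_url", "header_forgery"} <= kinds:
        return "review-before-install"
    return "note" if kinds else "clean"


def scan_file(path: str) -> list:
    """Convenience wrapper for running the same check over a file on disk."""
    with open(path, encoding="utf-8") as fh:
        return scan_source(fh.read())


if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_SRC), ("benign", BENIGN_SRC)):
        found = scan_source(src)
        print(label, verdict(found), found)
```

A scanner like this is a pre-install gate, not a verdict: a legitimate API client also imports `requests` and names a host, so the point of `verdict` is to escalate only the combination, and to route it to a human reviewer rather than block on it.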


Furthermore, API design must evolve to mitigate such abuses. Sensitive endpoints should provide generic responses that do not reveal account status, and anti-bot mechanisms should extend beyond UI-level protections. Platforms must also monitor traffic for behavioral anomalies, not just volume, especially for backend flows like password recovery and signup validation.
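The call to monitor recovery and signup flows for behavioral anomalies rather than raw volume can be made concrete with a small detector. The following added example, written for this article and not derived from the packages or from Socket’s analysis, runs over constructed JSON log lines from a password-recovery endpoint and flags a source that touches many distinct target identifiers with many distinct device fingerprints inside one sliding window, the pattern the rotating user-agents and device parameters described above would produce. The log format, field names, addresses (RFC 5737 documentation ranges) and thresholds are all hypothetical.

```python
"""Behavioural detection for account-probing against a password-recovery endpoint.

Constructed illustration: the log format, field names, addresses and
thresholds are hypothetical; the sliding-window logic is what matters.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PROBE_SRC = "203.0.113.10"    # RFC 5737 documentation addresses, constructed
NORMAL_SRC = "198.51.100.7"
# Constructed user-agents standing in for the rotated device profiles the article describes.
UAS = [
    "MobileApp/1.0 (Android 10; samsung; 1080x2340)",
    "MobileApp/1.0 (Android 9; HUAWEI; 1080x2280)",
    "MobileApp/1.0 (Android 11; Xiaomi; 1080x2400)",
]


def _constructed_log() -> list:
    """One JSON line per recovery request. A real log would hash the target field."""
    base = datetime(2024, 5, 20, 10, 0, 0)
    lines = []
    # Probing client: 8 different target emails in under two minutes, a fresh
    # device id on every request and a rotating user-agent.
    for i in range(8):
        lines.append(json.dumps({
            "ts": (base + timedelta(seconds=15 * i)).isoformat(),
            "src": PROBE_SRC, "ua": UAS[i % len(UAS)], "device_id": f"dev-{i:04d}",
            "target": f"user{i}@example.com", "result": "sent",
        }))
    # Ordinary client: one person retrying their own address once.
    for i in range(2):
        lines.append(json.dumps({
            "ts": (base + timedelta(seconds=40 * i)).isoformat(),
            "src": NORMAL_SRC, "ua": UAS[0], "device_id": "dev-real-1",
            "target": "alice@example.com", "result": "sent",
        }))
    return lines


LOG_LINES = _constructed_log()


def detect_probing(lines, window=timedelta(minutes=5), min_targets=5, min_fingerprints=3) -> dict:
    """Flag sources that hit many distinct targets with many distinct device
    fingerprints inside one sliding time window. Volume alone is not the signal:
    a single user retrying one address never trips the target threshold."""
    by_src = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(events):
            while ev["ts"] - events[start]["ts"] > window:   # slide the window forward
                start += 1
            win = events[start:end + 1]
            targets = {e["target"] for e in win}
            fingerprints = {(e["ua"], e["device_id"]) for e in win}
            if len(targets) >= min_targets and len(fingerprints) >= min_fingerprints:
                alerts[src] = {"requests": len(win), "targets": len(targets),
                               "fingerprints": len(fingerprints)}
    return alerts


if __name__ == "__main__":
    for src, stats in detect_probing(LOG_LINES).items():
        print(f"ALERT {src}: {stats}")
```

Keying on distinct targets per source, and on how many device identities one source claims, is what separates a checker from a busy but honest client; a single IP is only one possible key, and the same window logic applies per device id, per session token or per ASN when the probing is spread across addresses.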

Why This Case Reflects a Larger Supply Chain Security Crisis

This incident underscores a broader vulnerability in the global software development pipeline. As developers increasingly rely on third-party packages to accelerate builds, threat actors are leveraging this trust to infiltrate systems at their origin. The checker packages demonstrate that malware can be introduced not through phishing or browser exploits, but through the very dependencies developers install in good faith.

By blending API abuse with supply chain compromise, these packages offer a roadmap for how future attacks may evolve. The ability to conduct credential reconnaissance at scale using legitimate cloud infrastructure represents a paradigm shift in attack methodology. It illustrates how low-profile reconnaissance tools are now indistinguishable from benign scripts—until it’s too late.

MITRE ATT&CK Mapping and Observed Infrastructure

Security researchers associated the behavior of these packages with several MITRE ATT&CK techniques, including masquerading as legitimate tools, using Python as a command interpreter, and performing credential validation through passive information gathering. The infrastructure exploited by the packages includes internal TikTok and Instagram APIs that were never intended for public use. The packages were uploaded under usernames and email aliases that follow identifiable patterns, but their technical execution reflects a high level of operational discipline.

These findings, as first documented by Socket’s Olivia Brown, serve as a critical case study in modern threat modeling. They demonstrate that API misuse, when combined with open-source dependency hijacking, presents a serious and growing risk to digital ecosystems.
