This report analyzes Kopeechka, a service that automates social-media account creation to support mass-scale cybercrime operations. It explains how Kopeechka works, its pricing and ecosystem (including ZennoPoster and CAPTCHA/phone-verification bypass), and how criminals use it for spamming, misinformation, and anonymity.
#Kopeechka #ZennoPoster #RuCaptcha #Mastodon
#Kopeechka #ZennoPoster #RuCaptcha #Mastodon
Keypoints
- Kopeechka provides easy account registering services for popular social platforms (Instagram, Telegram, Facebook, X) and even chat sites for minors.
- Cybercriminals can bypass verification steps (email, phone, CAPTCHA) and bypass IP reputation checks using automated scripts and proxies.
- The service offers two email types (own domains or hosted on popular providers) and does not grant access to actual mailboxes, allowing reuse of email references across accounts.
- Kopeechka supports both a web interface and an API, enabling fully automated mass account creation in seconds.
- It markets through underground forums, maintains active Telegram channels, and collaborates with ZennoLab, Bitrix24, and affiliate programs.
- Customers can use Kopeechka to create accounts for various purposes (spam, Mastodon campaigns, Discord/Telegram/Roblox bots) and gain anonymity.
- Defenders are urged to enhance email-verification and AI-based detection to counter automated registrations.
MITRE Techniques
- [T1136] Create Account – Kopeechka enables mass registration of social media accounts via API and web interface, potentially creating hundreds of accounts in seconds. ‘All these processes can be fully automated, which could allow cybercriminals to create potentially hundreds of accounts or more in just a few seconds.’
- [T1090] Proxy – Cyb ercriminals can bypass IP address reputation checks by using residential proxies. ‘cybercriminals can use residential proxies to bypass these measures.’
- [T1562.001] Impair Defenses – CAPTCHA bypass and other verification can be automated, bypassing platform protections. ‘different services now exist that allow malicious actors to bypass CAPTCHAs in an automated way.’
- [T1059] Command and Scripting Interpreter – ZennoPoster automates browser actions as a scripting-like process to register accounts. ‘ZennoPoster allows users to automatically execute browser actions by working like a script that performs one action after another on a browser.’
Indicators of Compromise
- [Domains] Kopeechka-related domains involved in its operations – abynelil.wiki, aturos.ink, and 28 more domains