Secrets of Privacy


Two Men Just Pled Guilty to Hijacking Nearly 900 Women's Accounts. The Method Was Embarrassingly Simple.

Recovery codes have become a new way into your social media accounts. Two federal cases show exactly how it works.

Secrets of Privacy
Mar 25, 2026

In February 2024, we wrote a post (provocatively) titled “Avoiding Digital STDs” about a colleague whose Facebook account was hijacked to run a crypto scam.

That post created a hypothetical scenario about a woman we called “Tina” whose Instagram account gets taken over by a bad actor who then uses her real photos for exploitation.

We wrote that as a warning of where things were heading. As it turns out, a federal court case proved us right almost detail for detail.

In late February, a 22-year-old Alabama man named Jamarcus Mosley pled guilty to computer fraud, extortion, and cyberstalking after hijacking the social media accounts of hundreds of young women, including minors, over a three-year period.

And shortly before that, a 27-year-old Illinois man named Kyle Svara pled guilty to hacking nearly 600 women’s Snapchat accounts. He sold and traded their stolen private photos online and even offered his hacking services on Reddit.

Two men. Two guilty pleas. Nearly 900 victims combined. And neither one used any sophisticated hacking tools.

The Back Door to Your Account

Both of these cases relied on the same basic approach, and it’s worth understanding because it does not require technical skill. It’s social engineering, which means manipulating people into giving up information they shouldn’t.

Think of it this way.

Your social media account has two doors. The front door is your password.

Most people have gotten reasonably good at locking that one (or at least they know they should). The back door is your account recovery system, the process platforms use to help you get back in when you’re locked out. That back door is now a huge target.

In both federal cases, the attackers didn’t crack passwords. They tricked victims into handing over the keys to the back door.


Two Cases, One Playbook

The Mosley Case

According to the U.S. Attorney’s Office for the Northern District of Georgia, Mosley ran his scheme from April 2022 through May 2025. His method was straightforward. He would use an already-compromised account belonging to a victim’s actual friend to reach out on Instagram or Snapchat. Because the message appeared to come from someone the victim knew and trusted, the request seemed legitimate.

In one case, Mosley used an Instagram account belonging to a 20-year-old Georgia woman’s high school friend. Pretending to be that friend, he asked the woman to help him recover “his” Snapchat account. She provided a recovery passcode, not realizing it was for her own account. Mosley used it to take full control, accessed her private images and videos, and then threatened to post them unless she complied with his demands.

When an 18-year-old Florida woman refused his demands for additional explicit photos, Mosley followed through on his threat and posted her stolen private photos publicly. He also targeted a 17-year-old in Illinois, tricking her into sharing her Snapchat “My Eyes Only” passcode. He then used her compromised account to contact her 13-year-old sister, sending a Snapchat map screenshot to show he knew where the younger girl lived.

The case was investigated by the Kennesaw Police Department and the U.S. Secret Service.

(Sources: BleepingComputer, WSB-TV, FOX 5 Atlanta, Marietta Daily Journal)

The Svara Case

Svara’s operation ran from May 2020 through February 2021. He took a slightly different approach.

Instead of impersonating friends, he posed as a Snapchat support representative. When his unauthorized login attempts triggered Snapchat’s security system to send verification codes to victims’ phones, he would text the victims using a free VoIP service and ask them to share those codes. He contacted over 4,500 women. Roughly 570 provided the codes, and he accessed at least 59 of their accounts to download private images.

Svara then sold or traded the stolen photos on internet forums and advertised on Reddit that he could hack Snapchat accounts on demand. One of his paying clients was Steve Waithe, a former Northeastern University track and field coach who hired Svara to hack the accounts of student athletes he had coached. Waithe was sentenced to five years in federal prison in 2024 for cyberstalking and sextortion.

(Sources: The Record, CBS Chicago, Reuters via U.S. News, BleepingComputer)

This Is a Pattern, Not an Anomaly

These two cases are not outliers. They are part of a well-documented surge.

The FBI has reported a significant increase in sextortion cases involving minors in recent years. In fact, we wrote a heartbreaking post earlier in the year about a teen boy who took his own life because of a sextortion scam. See here:

How Scammers Studied a 15-Year-Old's Public Profile (Then Destroyed His Life in 3 Hours)


Between October 2021 and March 2023 alone, the FBI and Homeland Security Investigations received over 13,000 reports of online financial sextortion of minors, involving at least 12,600 victims. At least 20 of those victims died by suicide. The FBI observed a 20% increase in financially motivated sextortion reports involving minors in a six-month period compared to the prior year.

The National Center for Missing & Exploited Children (NCMEC) reported that online enticement reports increased by more than 300% between 2021 and 2023. Research published by Thorn in late 2025 found that one in five teens reported experiencing sextortion.

And on Safer Internet Day in February 2026, just weeks before the Mosley plea, the FBI issued yet another public warning about the growing threat.

(Sources: FBI Nashville, FBI Kansas City / Safer Internet Day 2026, NCMEC via Our Rescue, Thorn)

Recovery Codes Are the New Passwords

What stands out about these two cases is not that they happened. We know sextortion is a rapidly growing criminal activity. Rather, it’s how these cases happened.

Neither Mosley nor Svara needed to write a single line of code. They didn’t exploit a software vulnerability. They didn’t deploy malware. They used the platform’s own account recovery process as a weapon. Mosley impersonated friends. Svara impersonated Snapchat support. Both convinced real people to hand over recovery codes voluntarily.

This is the evolution we flagged in the 2024 article. Back then, the dominant threat was credential stuffing, where attackers take stolen username/password combos from data breaches and try them on other platforms. That’s still a problem, and password managers remain essential protection against it.

But attackers have adapted.

As more people adopt stronger passwords and two-factor authentication, the attack surface has shifted to the recovery process itself. Recovery codes bypass your password entirely. They bypass your two-factor authentication. They are designed to be the override, and that makes them the most valuable target.

The reality is that platform security features designed to help you regain access are now being turned against you. And the platforms have done very little to address this. Snapchat’s recovery process was exploited in both of these cases across a span of five years, from 2020 to 2025.

If these cases involved one isolated attacker, you could dismiss it. Two separate federal cases with nearly 900 combined victims should make it clear that this is a pattern, not an anomaly. And while these cases targeted young women, the underlying technique works on anyone. It only requires trust and a recovery code.

Most of the advice you’ll find about protecting yourself online still focuses on passwords. Use a strong one, don’t reuse them, get a password manager.

That’s all still true and it’s necessary. But it’s not sufficient anymore. The attack vector in these cases bypasses all of it.

There are specific steps you can take to protect yourself and your family against recovery code attacks. Some are settings you can change today in about five minutes. Others require a shift in how you think about account security altogether.

What You Can Do About It
