Deter Account Takeover Attacks on Social Media Platforms with Arkose Protect™

How Much Money is Made by Attacking Social Media Accounts?

The Economics of Account Takeover Attacks, explains the factors that affect the monetization of compromised social media accounts. In fact, potential returns from an account takeover attack on social media accounts depends on these factors:

Hit rate

This defines the number of valid sets of credentials that can be harvested from a credential stuffing attack. For social media accounts, the estimated hit rate is about 15% because consumers usually use email addresses as user IDs. Also, it is relatively easy to find combo lists with email addresses and passwords. Assuming an average quality combo list with 1 million credentials, attackers can harvest nearly 150,000 credentials at 15% hit rate.

Reputation of the attacker

Like any marketplace or auction site, a reseller’s reputation directly affects how much of their inventory they can sell. For example, new sellers with no/low reputation may sell up to 20% of their inventories, while more experienced resellers with a medium reputation may sell up to 40% of their inventory. Long-term proven resellers with a very good reputation may sell at least 60% of their inventory.

Market value of the compromised accounts

The market price of a user’s credential varies by industry. For social media accounts, average revenue per credential is $0.10 which can amount to $9,000 for an attacker with good reputation, $6,000 and $3000 for attackers with medium and low reputations, respectively.

A website’s level of protection

Less-protected or unprotected websites are easy targets for attackers; they don’t need to have superior technical skills, and they don't need to create an attack infrastructure. On the other hand, highly protected websites may block or challenge close to 100% of the attack traffic, increasing the need for the attacker to resubmit requests, extending the timeline to completion, and raising the cost of the attack. Less-patient or skilled attackers are likely to give up an attack before it completes and move on to an easier target.

How Much Does It Cost to Attack a Social Media Account?

The Economics of Account Takeover Attacks reveals the monthly and annual costs of attacking a single and multiple (5) websites with various levels of protection namely: with a WAF, a bot management solution, and an advanced bot solution such as Arkose Protect™.

The revenue potential for attackers of varying reputations for websites protected with various levels of security solutions are described in the table below:

Website protected with WAF

Number of sites attacked 1 2 3 4 5
Total cost (yearly) $624 $624 $624 $624 $624
Potential Income:
Low reputation $2,376 $5,376 $8,376 $11,376 $14,376
Medium reputation $5,376 $11,376 $17,376 $23,376 $29,376
High reputation $8,376 $17,376 $26,376 $35,376 $44,376

Website protected with a bot management solution

Number of sites attacked 1 2 3 4 5
Total cost (yearly) $9,000 $9,600 $10,200 $10,800 $11,400
Potential Income:
Low reputation -$6,000 -$3,600 -$1,200 $1,200 $3,600
Medium reputation -$3,000 $2,400 $7,800 $13,200 $18,600
High reputation $0 $8,400 $16,800 $25,200 $33,600

Websites protected with Arkose Protect™

Number of sites attacked 1 2 3 4 5
Total cost (yearly) $18,080 $27,760 $37,440 $47,120 $56,800
Potential Income:
Low reputation -$15,080 -$21,760 -$28,440 -$35,120 -$41,800
Medium reputation -$12,080 -$15,760 -$19,440 -$23,120 -$26,800
High reputation -$9,080 -$9,760 -$10,440 -$11,120 -$11,800

Increasing Costs, Decreasing ROI, Force Attackers to Give Up

Social media platforms using Arkose Protect™ can deter account takeover attempts by making them costlier and increasing the time to complete. Attackers will need to create an elaborate infrastructure, possibly consisting of a laptop orchestrating a set of virtual machines (VM) deployed in a cloud infrastructure generating the attack traffic load balanced through a large set of residential and mobile proxies. The software running on the VM may be an advanced script written in Python or similar languages, or run a full-blown headless browser able to execute JavaScript and mimic more advanced behavior like mouse movement or key presses.

In addition, attackers must invest in a costly proxy service leveraging mobile and residential ISP IP addresses, as a basic proxy service would no longer suffice. Their hosting costs will double (about $100 per month) per site they attack to manage the more complex workflow of solving the Arkose Protect™ challenges. Further, they must integrate the botnet with a CAPTCHA-solving service, which costs about $2.12 per 1,000 requests. 

Attackers will spend significantly more time to complete a credential stuffing attack, making the attack more noticeable and prone to mitigation, which increases the number of retries required. Considering that the CAPTCHA solving service requires four tries for every successful validation, a million credentials would need four million requests to validate, costing about $8,480. Therefore, the total annual cost to attack a single website protected with Arkose Protect™ is more than $18,000.

To avoid detection, attackers must revisit and devise a more-sophisticated attack strategy to ensure:

The traffic is spread through a large number of nodes, seeing a botnet consisting of over 10,000 nodes spanning several continents is common;

The traffic looks like it is coming from residential and mobile ISP, since traffic coming from data centers is generally considered more suspicious;

The attack traffic mimics the legitimate traffic as much as possible. For example, if users are expected to follow a specific path before reaching a resource, such as first visiting the site’s home page, then accessing the login page, and eventually logging in, the attack traffic must follow a similar workflow;

The expected data is sent with some variety in the fingerprint, yet guaranteeing that the fingerprint is valid to avoid being detected. This is because bot or fraud detection products typically collect a fingerprint client-side consisting of device and browser characteristics and user preferences, which is then evaluated to differentiate bots from humans or uniquely identify devices.

Failed attempts are resubmitted as a large majority of the attack traffic will be successfully detected and blocked or challenged. This increases the time to complete the attack.


Arkose Labs helps leading social media platforms protect their platforms and consumers’ digital accounts with its future-ready bot management solution, while preserving the user experience. The smart bot management solution increases the cost of attacks and diminishes potential returns, forcing bad actors to abandon the attack or look for an unprotected target.

Book a Meeting

Meet with a fraud and account security expert

Request a customized demo to learn more.