Trend Micro -
If the user unwittingly hands over their real credentials, the cybercriminals proceed to change the account’s password so that the original owner loses access to the account. They then mine the account by downloading all images and messages either manually or through Instagram’s data backup feature. The hackers might even modify the account bio, share content via the Stories feature, or reach out to the victim’s contacts.
At the same time, the hackers start to negotiate with the victim. They usually operate the hacked account while the victim talks with them using a different account. They then demand payment in the form of bitcoin, prepaid credit cards, or vouchers in exchange for the restoration of access. Based on the activity spotted in some of the bitcoin wallets related to this campaign, it seems that some targets might have paid up.
However, the negotiation is merely a ruse. They do this only so that the victim will not be compelled to report the incident via the proper channels, and so that they can buy some time, as downloading all the data from the account can take up to two days. After the victim pays up, the hackers will not give back