Cyber Incident Victim: Schauwerk Sindelfingen
Date: Feb 2022
Location: Germany
Summary
Multiple German museums, including Schauwerk Sindelfingen, experienced Instagram account takeovers via phishing attacks impersonating platform verification requests. Attackers gained access through fraudulent links in messages, subsequently posting malicious "Link in Bio" prompts and WhatsApp contact instructions while disseminating further phishing content to followers. Compromised accounts disappeared entirely in some cases, severing critical communication channels and erasing years of digital engagement. The affected institutions struggled to regain control due to unresponsive support from Meta, though Schauwerk Sindelfingen briefly recovered access before losing its account permanently. Investigations indicated alignment with widespread phishing patterns targeting authentication credentials through integrated messaging systems.
Description
In early February 2022, multiple German cultural institutions including Schauwerk Sindelfingen, Kunstmuseum Stuttgart, Kunstmuseum Ulm, and Hamburger Kunstverein fell victim to coordinated Instagram account takeovers. Attackers initiated the compromise by sending phishing messages impersonating Instagram's verification system, exploiting the museums' prior applications for official blue verification badges. These fraudulent communications contained malicious links that harvested login credentials when clicked, granting attackers full control over the accounts. Upon gaining access, the hackers altered profile information to display a "Link in Bio" directing to suspicious destinations and replaced legitimate contact details with WhatsApp numbers potentially intended for ransom demands. The Kunstmuseum Stuttgart's account disappeared entirely after initial compromise, while Schauwerk Sindelfingen briefly regained access before permanently losing their profile. By February 7, the Hamburger Kunstverein had lost access to its 20,000-follower account, with attackers similarly modifying its contact information. Compromised accounts automatically distributed phishing messages to followers, propagating the attack cycle.

The incidents caused significant operational disruption, with Schauwerk Sindelfingen and Kunstmuseum Ulm losing all access to profiles containing years of curated content and audience engagement. Affected institutions immediately published warnings on their websites urging followers not to interact with suspicious links or messages sent from their accounts. Multiple museums attempted to contact Meta through official reporting channels but encountered unresponsive support systems, describing the process as frustrating and ineffective. The State Criminal Police Office of Baden-Württemberg confirmed the attacks followed established phishing patterns targeting authentication credentials, noting criminals increasingly exploited built-in messaging functions across social platforms. While Berlin's C/O photography center successfully recovered its 94,000-follower account earlier in 2022 through persistent legal and corporate outreach, most affected museums faced permanent profile losses. The incidents highlighted institutional vulnerabilities stemming from reliance on third-party platforms, with compromised accounts severing primary digital communication channels cultivated especially during COVID-19 lockdowns when online engagement became critical.
