• TTP found more than 100 Facebook groups where users buy and sell Facebook business manager accounts that can run multiple pages and ad campaigns.
• Facebook is allowing this activity despite the fact that its policies prohibit the buying and selling of accounts as well as misrepresentation and inauthentic behavior.
• Many of the accounts come linked to someone’s credit card, indicating they were hacked or stolen. They are often sold in bulk quantities.
• Some sellers tout the fact that accounts have been approved to run ads on social, political, and election issues, raising concerns they could be used for election interference.
• Accounts are offered in specific countries, including the U.S., India, and Brazil.

Facebook is allowing users to buy and sell Facebook business manager accounts that can run multiple pages and ad campaigns, creating new opportunities for online scams, disinformation, and election interference, according to a Tech Transparency Project (TTP) investigation.

TTP found more than 100 Facebook groups, some with tens of thousands of members, where users openly buy and sell these accounts in violation of Facebook policy.

Business manager accounts allow social media managers and marketers to direct a collection of Facebook ad accounts, Facebook pages, and Instagram accounts from one dashboard. Facebook parent company Meta promotes them as a “one-stop shop” for advertising and marketing on its platforms.

These accounts are particularly valuable to scammers, given that business managers can run a series of ad campaigns—and easily add new users and ad accounts to expand their reach.

In the Facebook groups examined by TTP, users frequently sell these accounts in bulk quantities, and many of the accounts come linked to someone’s credit card, indicating they were hacked or stolen. In some cases, sellers offer accounts approved to advertise on political, election, and social issues.

This black market raises some troubling questions for Meta, since these ad-enabled accounts clearly have the potential to be used for fraud and coordinated inauthentic behavior, including election interference.

Given Facebook’s longstanding scam ad problem and its history with Russian election interference, it’s not clear why Meta isn’t doing more to combat this illicit trade.

For this investigation, TTP searched Facebook for phrases like “ad approved account,” “buy and sell business accounts,” and “verified ad account.” The platform surfaced a total of 110 groups trading in Meta business manager accounts, or “BM” accounts, as sellers call them.

Some of the groups have been active for years, while others were created as recently as September. Collectively, the groups identified by TTP have over 531,000 members. Some are Facebook “buy and sell” groups designed specifically for commercial transactions.

Many of the groups make no secret of their activity. For example, the largest group identified by TTP, with over 75,000 members, is explicitly named “Verified Business Manager Buy&Sell Trusted Group.” Other groups are called “Verified Business Manager | Verified Ads Manager Buy Sell,” and “Verified bm trusted market.”

Members of these groups often sell accounts in bulk, require payment in cryptocurrency, and ask interested parties to contact them on WhatsApp, Meta’s encrypted messaging platform. They frequently sell accounts for specific countries, including the U.S., India, and Brazil.

The accounts trafficked in these Facebook groups are frequently offered with a prepaid ad balance or linked to someone’s credit card, indicating they were hacked or stolen.

This Facebook black market is so well established that sellers have their own lingo.

For example, sellers frequently describe business manager accounts as including “two line” accounts, which have been approved by Facebook to advertise, or “three line” accounts, which were previously restricted from advertising but have since had their ad privileges restored. (The “lines” appear to refer to the amount of text in Facebook verification messages).

Sellers also offer “no limit” accounts that they claim have no upper limit on ad spending, as well as “immortal” accounts (also known as “zombie” or “everlasting” accounts) that they claim can run ads indefinitely.

The idea behind immortal accounts is that even if a business manager account is restricted or disabled, it can still add user accounts that have the ability to advertise. TTP was not able to independently confirm this, but Facebook’s rules state that “if a user account is restricted from advertising on a Business Account or ad account, other members of those accounts may still be able to advertise.”

This trading activity violates multiple layers of Meta’s platform policies. Facebook explicitly bans buying, selling, or exchanging digital accounts as well as misrepresentation and inauthentic behavior. The company also says groups on its platforms “must not incentivize people to misuse Facebook features or functionality.”

Facebook has had a longstanding problem with hackers taking over accounts to run scam ads using people’s credit card information, and it’s easy to see how business manager accounts could be useful to scammers, given their ability to run multiple ad campaigns at the same time.

In fact, owners of business manager accounts have frequently recounted how hackers commandeered their accounts, raising their billing threshold to rack up thousands of dollars in spending on scam ads that direct people to questionable ecommerce websites.

TTP’s investigation also found sellers offering accounts that can run ads on social issues, elections, or politics, raising concerns they could be used for coordinated inauthentic activity and election interference—issues that have plagued Facebook for years.

For example, in a Facebook group called “Verified bm trusted market,” one post offered an account approved for running election ads in Germany. The seller even offered the documents used in the approval process as part of the sale.

A similar offer of an election ad-approved account in Germany popped up in a Facebook group called “Verified Business Manager – VBM.” The group admin selling the account posted a screenshot of Facebook’s verification.

TTP did not interact with these dealers and was unable to confirm the status of the accounts, but they clearly believe the ability to run political and election ads is a selling point.

Facebook has a history of allowing foreign state actors to use its platforms to sow political discord—mostly famously during the 2016 U.S. election, when the Kremlin-linked Internet Research Agency used Facebook and Instagram to stir up divisions over race and religion, spread negative messages about Hillary Clinton and boost Donald Trump. The IRA ran nearly 3,400 ads across the two platforms, a Senate Intelligence Committee investigation found.

Since then, Meta has made a show of being more vigilant about rooting out coordinated inauthentic behavior, including by Russia and China. But TTP’s findings show the company is allowing the infrastructure for future election interference campaigns to be bought and sold right under its nose—at a time when U.S. officials are ratcheting up warnings about foreign efforts to manipulate American voters.

Many of the business manager accounts for sale in the groups examined by TTP indicate they have either never run ads before or were previously restricted from running ads but have since had their ad privileges restored. The sellers often share before and after screenshots showing that previously restricted accounts have been approved by Facebook to run ads again—and they frequently display the documentation used to obtain that approval and offer it to buyers as part of a package deal.

In some cases, packages of documents are offered separately, evidently for people who want to do their own Facebook verification. The documents include government ID cards, passports, U.S. Social Security cards, business documents, and utility bills.

Some of the documents appear to be for fake businesses, which sellers claim were used to get business verification from Facebook, TTP found. (Facebook says it verification process involves establishing that businesses are “legitimate” and a “legal entity.”)

For example, on Oct. 5, the admin of one Facebook group posted that he had a “USA verified business manager available” and included a screenshot of an account registered to a business called “IUAA LLC” in Fort Smith, Arkansas.

However, there’s no business by that name in the Arkansas Secretary of State’s database. The web address used to register the account—iuaallc.com—leads to a dead link. Searches on the domain lookup sites ICANN and Whois show that nobody ever registered the domain.

In another Facebook group, a member whose profile listed their location as Bangladesh offered “REALL DOCUMENT VERIFIED BM AVAILABLE FOR SELL NOW.” The seller included a screenshot listing the business as “TLCRT PRO INC” based in the United States, with a website giving an address in Portland, Oregon. Google Maps shows the address listed on the website is for a toy shop, and TLCRT PRO INC. is not registered as a business in Oregon.

This black market—with so many accounts and documents for sale—raises new questions about how much of Meta’s advertising revenue comes from hacked, stolen, and fake accounts.

It’s an issue that has dogged Facebook for years. Meta is facing a class action lawsuit from small ad buyers who accuse the company’s senior executives of knowing for years that its audience reach metric was inflated by fake and duplicate accounts. (The buyers say they overpaid for ads based on the flawed metrics.)

When Facebook revealed that it took down 1.3 billion fake accounts at the end of last year, critics noted the company didn’t say how much ad revenue it had gained from the fake accounts or if the accounts were included in its total user numbers.

BuzzFeed News reported in 2020 that a manager at Facebook’s outsourced content moderation service told moderators to ignore hacked accounts and other violations as long as “Facebook gets paid” for the ads. (A Facebook spokesperson told the publication that a separate team is responsible for investigating hacked accounts.)

TTP’s investigation found that Facebook groups also traded in Google and Amazon accounts.

These included Google AdSense accounts, Google Merchant accounts, and Amazon seller accounts. As with the Facebook business manager accounts, sellers often produced screenshots as proof the accounts had been officially verified.

In some cases, sellers offered to facilitate mail-in PIN notifications, a required security step for Google AdSense accounts and Facebook accounts that want to run political ads.

For more than a decade, people sold hacked or stolen Facebook accounts in illicit online marketplaces. But these sellers no longer have to go to underground sites to do business. In fact, as TTP’s investigation shows, they don’t even have to leave Facebook.

Facebook is allowing this black market to thrive right under its nose. And the kind of accounts that are being sold—business manager accounts capable of running multiple assets and ad campaigns—are well suited to operations of coordinated inauthentic behavior that Meta claims it’s determined to purge from its platforms.

Until Meta takes steps to curb this activity—and enforce its own policies—the problem of spam, scams, and election interference will likely persist.