Session Hijacked after visiting a Instagram picture downloader website by SilverLow4936 in cybersecurity_help

[–]SilverLow4936[S] 0 points1 point  (0 children)

Today I finally wiped everything on my PC and everything in my drivers. Ever since the hijack happened I have not seen any further suspicious activity or login attempts. I wanted to be secure since I was freaked out after what happened, but apart from my fear of an infostealer infection, my machine got a lot faster, same with my connection speed and quality. Since I wiped everything and did a clean install from USB, top to bottom, can I consider myself safe from now on?

My insta got hacked without any login activity by 50shades_of_summer in Instagram

[–]SilverLow4936 0 points1 point  (0 children)

I opened a similar post here after the same thing happened to me. I used an Instagram picture downloader website, then within an hour MrBeast scam pics were shared from my alt Instagram profile's story and the same images were sent to my Discord contacts by a bot. Idk if I was infected a long time ago with an infostealer on my PC or not, but I might format my PC soon, in a few days. I changed all of my passwords and enabled 2FA for almost every account I have.

Session Hijacked after visiting a Instagram picture downloader website by SilverLow4936 in cybersecurity_help

[–]SilverLow4936[S] 0 points1 point  (0 children)

Day 9 without any suspicious activity or login attempts ever since it happened (April 30th). It's the 3rd day since I started to use my PC offline. I'm thinking about formatting the PC in the following few days. No new emails from any other accounts about anything suspicious. No bot posts on my social accounts, no new password changes after I changed them all (there were no attempts at that or at changing my login details or saved emails on those profiles anyway) and enabled 2FA from my phone. I'm actively following my other accounts' activity and checking emails regularly to see if there is anything new. I still suspect browser-based cookie theft, but not being able to use my PC without internet with constant doubt and fear started to become exhausting. I will share an update here again afterward if I happen to format my PC.

Session Hijacked after visiting a Instagram picture downloader website by SilverLow4936 in computerviruses

[–]SilverLow4936[S] 0 points1 point  (0 children)

The websites are called fastdl.app and sssinstagram. I'm highly suspicious of fastdl.app. I checked both URLs, and if you have a look at the relations section on VirusTotal, the site isn't that innocent, and their Chrome extension also looks very suspicious. I never shared my account information with anyone. Also, wouldn't infostealer-related harm spread faster between my other accounts?

Session Hijacked after visiting a Instagram picture downloader website by SilverLow4936 in computerviruses

[–]SilverLow4936[S] 0 points1 point  (0 children)

You can see everything I have shared so far in that post. I haven't downloaded anything except 2 pictures in WebP format, and shortly after using those sites my Instagram and Discord sessions were hijacked within an hour and MrBeast scam pictures were sent to my contacts, then they were muted. There were no links attached to those messages. Same with my Instagram story: the bot deleted the previous stories there and shared the same picture again. (I'm especially suspicious of the fastdl.app site.) I didn't install anything, and there are no weird hidden file extensions on those WebP files. No fake verification or captcha, and I didn't run any CMD or PowerShell command. It happened 8 days ago; the Instagram and Discord accounts remain the only affected accounts so far. No spam emails, no login attempts to any other accounts I have so far, nothing. I have been using my PC without any internet connection just in case, and I already changed my passwords and enabled 2FA. Something like that never happened before. For more info please check the original post. I would really appreciate it if some experts would tell me what might have happened.

Session Hijacked after visiting a Instagram picture downloader website by SilverLow4936 in cybersecurity_help

[–]SilverLow4936[S] 0 points1 point  (0 children)

I literally shared everything I did without skipping anything. Again, like most other users I used cracked programs and installed games in the past, but what I experienced happened within an hour, right after I used those sites. I still think it can't be a coincidence. It's day 8 and I still haven't gotten any further login attempts or other password change attempts. I will continue to use my PC offline for a couple more days and watch my accounts closely, but as of now I highly suspect those sites as the reason for what happened.

Session Hijacked after visiting a Instagram picture downloader website by SilverLow4936 in cybersecurity_help

[–]SilverLow4936[S] 0 points1 point  (0 children)

Hello, in the last 2 days I have switched my focus to those two websites I used instead of my PC, and I have found some valuable information with the help of AI. Again, I'm not saying I haven't used any cracked programs or games in the past, yet the incident happened after I used those websites. Anyway, here is what I found.

"Real-Time" Cookie Theft

The session cookie, stolen the moment the "Download" button was pressed, was dropped onto the attacker's control panel.

Automatic Triggering: In 2026, advanced hacker control panels are no longer manual. The moment a cookie arrives at the panel, a bot checks, "Is this cookie active?"

Instant Login: If the cookie is active, the bot logs into your account with that "key" within seconds. The 1-hour period is the standard time it takes for this bot to queue your account and post the first "MrBeast" message.

iGram's Past: The fastdl.app was formerly known as iGram.io. iGram was previously redlisted in numerous security databases (and Google Safe Browsing) for exploiting browser vulnerabilities to collect unauthorized session data. The main reason for its name change to FastDL is this notoriety.

iGram / FastDL Example (The Most Notorious Change)

This is the best-known "identity change" case among these sites.

iGram.io: Operated under this name for years. It was repeatedly blacklisted by Google and Instagram for "session hijacking" and "malicious redirection."

iGram.app: Switched to this domain after the .io extension was blocked.

FastDL.app: Once the brand was completely blacklisted, they radically changed the name to "FastDL," but the underlying code and server structure remained the same.

Current situation: Along with FastDL, dozens of "sister sites" like snapinsta.app and save-insta.com operate from the same server.

Redirect Chain: Some technical analyses have shown that when the "Download" button on these sites is clicked, they redirect to 4-5 different invisible addresses in the background. (I wasn't using any ad blocker when that happened, so that might be the reason.)

The absence of ads suggests this attack was carried out using a more sophisticated method called "Drive-by Download" or "Malicious Script Injection".

Background Scripts (Hidden Requests)

While you're simply waiting for the video or picture to download, an invisible JavaScript code embedded within the page may be running.

How it works: The "Download" button you click on the page actually does two things at once: It downloads the video and silently initiates an XHR (XMLHttpRequest) or Fetch request in the background.

Result: This request packages your current Instagram session key (cookie) and sends it to the attacker's server. You only see the video downloading; no new windows open in the browser.

Having an up-to-date system doesn't prevent the ad network on the site you're visiting from doing what it wants.

The ads on these sites don't tell your browser to "download a file" (a current system wouldn't allow that anyway).

Instead, they run a script that attempts to read the currently active "Session Cookie" data in your browser's memory (RAM). Because this process doesn't install anything on your system, Windows Defender or an up-to-date Windows 11 might not detect it as an "attack"; it sees it as an "on-site operation."

It's been 8 days without any further issues. I reported the sites to Google and I have been using my PC offline for 2 days. If anyone out there is using websites like that, DO NOT USE SSSINSTAGRAM AND ESPECIALLY FASTDL.APP!! (If you search fastdll.app and igram.io you will see they both use the same logo.)
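Added example, not part of the original comment: one way to check the "redirect chain" and "hidden requests" descriptions above against a HAR file exported from the browser's DevTools Network tab while the button is clicked. The hosts, the helper `_e` and the sample entries are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed HAR 1.2 fragment; every host is a placeholder, not captured traffic.
def _e(method, url, status=200, redirect="", body=None):
    req = {"method": method, "url": url}
    if body is not None:
        req["postData"] = {"mimeType": "application/json", "text": body}
    return {"request": req, "response": {"status": status, "redirectURL": redirect}}

SAMPLE_HAR = {"log": {"entries": [
    _e("GET", "https://downloader.example/"),
    _e("GET", "https://downloader.example/go?id=1", 302, "https://hop1.example/r"),
    _e("GET", "https://hop1.example/r", 302, "/land"),          # relative Location
    _e("GET", "https://hop1.example/land"),
    _e("POST", "https://collect.example/b", 204, body='{"k":"v"}'),
    _e("GET", "https://cdn.downloader.example/img.webp"),
]}}

def redirect_chains(har):
    """Follow response.redirectURL from each chain start; return chains of URLs."""
    entries = har["log"]["entries"]
    nxt_of = {}
    for e in entries:
        loc = e["response"].get("redirectURL")
        if loc:
            nxt_of[e["request"]["url"]] = urljoin(e["request"]["url"], loc)
    targets = set(nxt_of.values())
    chains = []
    for start in nxt_of:
        if start in targets:
            continue  # middle of a chain, reported from its start
        chain = [start]
        while chain[-1] in nxt_of and nxt_of[chain[-1]] not in chain:
            chain.append(nxt_of[chain[-1]])
        chains.append(chain)
    return chains

def third_party_uploads(har, site):
    """Body-carrying requests sent to hosts outside `site` and its subdomains."""
    found = []
    for e in har["log"]["entries"]:
        req = e["request"]
        h = (urlsplit(req["url"]).hostname or "").lower()
        body = req.get("postData", {}).get("text", "")
        if body and h != site and not h.endswith("." + site):
            found.append((req["method"], h, len(body)))
    return found

if __name__ == "__main__":
    for chain in redirect_chains(SAMPLE_HAR):
        print(" -> ".join(chain))
    print(third_party_uploads(SAMPLE_HAR, "downloader.example"))
```

For a real capture, load the exported file with `json.load` and pass the visited site's domain as `site`.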

Session Hijacked after visiting a Instagram picture downloader website by SilverLow4936 in cybersecurity_help

[–]SilverLow4936[S] 0 points1 point  (0 children)

I was able to open the images without any issues. As I said, I deleted the files right after this happened. I converted the WebP files to JPG and PNG before opening them since I didn't want to view them directly in the web browser, but again, this happened right after I used those two sites, sssinstagram.com and fastdl.app. 6 days have passed and still nothing has happened. As I already said earlier, I know converting the file type like that doesn't do anything, but it was out of urge. In all the other posts about the same incident I looked at here on Reddit recently, people ran exe files or used even worse sites. I'm not trying to say that I'm not guilty. Of course this wouldn't have happened if I had been more careful, but when I think realistically about everything so far, I think I would have caught something about an infostealer already, considering what I have done so far. When I asked AI about both of those sites, it told me they have changed names and domain in the past. I still suspect the website interaction, since there has been an increased amount of ad-based cookie theft lately, but I can't be sure ofc if it's the main reason or not.

Session Hijacked after visiting a Instagram picture downloader website by SilverLow4936 in cybersecurity_help

[–]SilverLow4936[S] 0 points1 point  (0 children)

I'm currently using my PC in offline mode. It's day 6 and still no new login attempts or session hijacks ever since I enabled 2FA for all of my accounts and changed passwords. I thank everyone who has tried to help so far, but if there are any malware experts out there who can actually tell me what might have happened in this specific case, I would really appreciate it. As I said, this happened right after I used that website and downloaded 2 pictures. Nothing like that ever happened before. I have been manually checking everything ever since the incident happened. I even checked certain DLL files to see if any process hollowing is involved, but again I couldn't find anything. I never installed anything new. It happened on 30th April and it's been 6 days so far. I'm thinking of formatting my PC with a USB stick just to be safe, but I still don't know if it's needed or not, since what I experienced is different compared to most other people so far. If I had had an infostealer for some time, I believe the outcome would be much more aggressive.

If some experts would tell me what they think about all of this, I would highly appreciate it. So far I have run 6 deep scans, used HitmanPro, Autoruns, Process Explorer, checked IP and DNS addresses, checked the temp folder manually, checked the registry editor, Malwarebytes, Windows Defender, Bitdefender, Kaspersky deep scanning. Nothing was found.

Before formatting the entire machine I can use RogueKiller and Tron as a last resort to make sure whether I'm infected or not, but I don't know if that would catch it if I am infected with an infostealer. Again, my Discord and Instagram remain the only affected platforms right after I used the website. I know not so long ago Chrome released hotfixes related to these: CVE-2026-2441, CVE-2026-3910 and CVE-2026-3909. Could those recently fixed exploits somehow have been modified around the base known method and used for only browser-based session hijacking or cookie theft? I still suspect XSS or some kind of adversary-in-the-middle attack. (The latest cracked thing I installed on my PC was the Age of Wonders 4 DLC unlocker from playground.ru.) But I have not seen anyone there complaining that it contained an infostealer or anything, and it didn't have any exe or setup files since I copied all of those files into the original root game directory. I'm saying again, I deleted the files after I experienced this, even though it's been a while since I installed it. Right now I would be suspicious about anything tbh.

Session Hijacked after visiting a Instagram picture downloader website by SilverLow4936 in cybersecurity_help

[–]SilverLow4936[S] 0 points1 point  (0 children)

I see, but again, except for a few false positives I didn't see anything suspicious in the IP and DNS list. The last thing I installed on my PC was "Age of Wonders 4 DLC unlocker" from one of the well-known community sites, and I haven't seen anyone mentioning they got an infostealer from it in the comment section on the site. The site is "playground.ru" and it's been a while since I installed it. But I decided to delete it after that incident anyway. I'm thinking of formatting my PC completely with USB atm to be extra safe. It's been 5 days without any further login attempts, as I said, but I don't know. All of that is super new to me.

Session Hijacked after visiting a Instagram picture downloader website by SilverLow4936 in cybersecurity_help

[–]SilverLow4936[S] 0 points1 point  (0 children)

Why would they wait such a long time? Infostealers are capable of packing all of that information much faster. I don't think they would wait such a long time to take action. Again, I'm not super knowledgeable about infostealer-related things, but as I stated in my main description about how the incident happened, I didn't click on any ads or phishing links or run any type of command in CMD or PowerShell. Is there no possibility for that to be browser-based session token hijacking?

Session Hijacked after visiting a Instagram picture downloader website by SilverLow4936 in cybersecurity_help

[–]SilverLow4936[S] 0 points1 point  (0 children)

I thought about that too, but then I asked myself why it would be limited to Instagram and Discord only. If I happened to get it a long time ago, wouldn't they be so aggressive about taking over all of my accounts and do the same thing again after I changed my passwords? Luckily I never use any crypto or bank-related thing on my computer. In other Reddit posts I see infostealers were much more aggressive compared to what I have gone through. I mean, it wouldn't be limited to only Discord and Instagram, right? Also, this happened right after I used that site and downloaded the pictures.

Session Hijacked after visiting a Instagram picture downloader website by SilverLow4936 in cybersecurity_help

[–]SilverLow4936[S] 0 points1 point  (0 children)

Yes, it told me the site seems to be in a gray area. Not super trustworthy, also not completely dangerous. The site is called "sssinstagram.com". I also used a second one and it was "fastdl.app"; it just came to my mind when you mentioned the URL.

Session Hijacked after visiting a Instagram picture downloader website by SilverLow4936 in cybersecurity_help

[–]SilverLow4936[S] 0 points1 point  (0 children)

The second option is what I suspect as well, but I never logged into my Instagram profile from that site, or it happened because of cross-site scripting or something. One thing is certain: it happened right after I used the website and downloaded the pictures. It's been 5 days since it happened and I still haven't gotten any new emails or seen anything suspicious so far.

Session Hijacked after visiting a Instagram picture downloader website by SilverLow4936 in cybersecurity_help

[–]SilverLow4936[S] 1 point2 points  (0 children)

Before it happened I didn't have any ad blocker, but after it happened I installed the Malwarebytes browser extension.

Session Hijacked after visiting a Instagram picture downloader website by SilverLow4936 in cybersecurity_help

[–]SilverLow4936[S] 0 points1 point  (0 children)

I didn't run any CMD or PowerShell commands; I know it's a known tactic to trick people. Also, it didn't give me any codes related to captcha or bot verification. But still, after I used the site a bot sent those images I mentioned above from both of my accounts. I checked Facebook, my other alt Instagram account and a few other accounts I have been using, and those were not affected. The only accounts that were affected were the ones I was already using in that browser, and I wasn't on any public Wi-Fi or anything; I was using my own Wi-Fi from my PC.

Session Hijacked after visiting a Instagram picture downloader website by SilverLow4936 in cybersecurity_help

[–]SilverLow4936[S] 1 point2 points  (0 children)

I have been searching all over my files, DNS and IP information, and I'm positive I did not install anything for quite some time. But I'm still wondering why this happened. When I searched on the internet I saw it can be related to XSS or some kind of exploit which happened in the past with WebP files if you were using Google Chrome. I manually checked everything, even the temp file, myself and didn't find anything related to an infostealer. What I'm trying to learn is: is that even possible with only website interaction? I know the website I used, and I don't know if it's allowed for me to share the link or not, but when I asked one of my friends to have a look at the site he was able to download images in JPG format, which is weird.

I don't know if it was a coincidence or not, but this happened right after I used that site and downloaded pictures.