The short version.
A scammer compromises one teen's Instagram or Snapchat account, then DMs every contact saying 'I need help getting my account back — can you send me the 6-digit code Instagram is about to text you?' The code that arrives is the recovery code for the contact's own account, generated by the scammer entering the contact's username into a password-reset flow. The teen, trying to help a friend, sends it. Within minutes their account is gone too, and the same script radiates outward.
The platforms and contexts.
Instagram, Snapchat, and increasingly Discord DMs. The script is identical because the same automated tooling drives most of the scams.
The timeline.
This particular scam variant has been running at industrial scale since around 2020. Platforms have added warnings to the code-delivery SMS but the visual urgency of the friend's request usually overrides them.
The core facts a parent needs.
- Real platforms never need your contact to send a code to recover their account. The 6-digit code is always for the account it was sent to.
- The compromised friend's account is often controlled by someone who's lived inside it for weeks reading DMs — the impersonation is convincing because they know how the friend actually talks.
- Once a teen's account is gone, ransom demands sometimes follow: 'Pay $200 in crypto or I post your DMs.' Paying never works.
What's actually at stake.
- Loss of years of saved content, contacts, and the social value of the account.
- DM exposure: every private message ever exchanged is now in the scammer's hands.
- Downstream sextortion: any sensitive image or message in DMs becomes leverage for follow-on extortion.
Concrete next steps.
- Set the family rule, today: 'We never share any code we receive by text or email, with anyone, even friends. Real platforms never ask for it.'
- Turn on hardware 2FA (an authenticator app or security key) on every social account. Then text-message codes can't be the attack vector.
- If an account has been taken, use the platform's compromised-account recovery flow immediately — and warn every contact via a different channel that the DMs are not from you.
See it for yourself.
Platform compromised-account recovery flows · FBI ic3.gov · NCMEC if any minor's intimate image is at risk.