The blueprint of the world's largest social graph, turned into a weapon. SPECTER META is the world-first commercial Meta/Facebook ecosystem exploitation engine. Graph API v19.0 enumeration across pages, groups, ad accounts, businesses, and pixel installations. Meta Pixel JavaScript supply chain poisoning via the Marketing API. Messenger worm propagation through the internal GraphQL interface. BizMassacre cascade deletion of campaigns, creatives, audiences, and funding sources. 2FA-Snatch removes all second factors and enrolls the attacker's phone. Account destruction via the DESTROY gate: email change, password change, deactivation, deletion. 8 subsystems. 280 tests.
SPECTER META operates across the full Meta ecosystem: Facebook consumer platform, Instagram, Messenger, WhatsApp Business API, and the Meta Business Suite. The Graph API v19.0 exposes a unified attack surface across all products. Ad accounts, pixel installations, business assets, and user data are all accessible from a single access token with sufficient scope.
Primary attack interface. Single access token with ads_management + pages_manage_ads + business_management scopes exposes the full business asset graph: pages, groups, ad accounts, pixels, businesses, funding sources. SURVEY maps the entire asset graph. GROUP-SEIZE hijacks admin control. HARVEST exfiltrates profile PII, photos, and Messenger conversation history.
PIXEL-POISON injects attacker-controlled JavaScript into Meta Pixel tracking code via the Marketing API. Every visitor to every website running the poisoned pixel executes attacker JS. LOOKALIKE-ARMY creates full campaign chains targeting cloned custom audiences: campaign → adset → creative → ad. Full ad spend control under UNLEASHED gate.
MESSENGER-WORM targets the internal Facebook GraphQL API at /api/graphql/ using doc_id 6234680946573087 — the Messenger send-message mutation. Propagates flood payloads to the full contact list of the compromised account with randomised per-message delay (1–2.5s) to evade rate limiting. Requires harvested c_user + xs + datr session cookies.
TWO-FA-SNATCH targets the account security surface: removes authenticator app 2FA, SMS 2FA, and recovery codes via the /security/two_factor/remove/ endpoint, then enrolls the attacker's phone number as the new trusted device. ACCOUNT-DESTROY chains email change → password change → account deactivation → permanent deletion. DESTROY gate. Irreversible.
Full asset graph enumeration via Graph API v19.0. Pages, groups, ad accounts, businesses, pixel installations. Builds a complete target intelligence package: asset IDs, permission levels, pixel coverage, business relationships. Generates attack surface score. OPEN gate — no write operations, no account interaction.
PII and credential exfiltration. /me?fields=email,birthday,hometown,location,political,religion for profile data. /me/photos for image harvest. /me/conversations?fields=messages,attachments for full Messenger conversation history including file attachments. Linked credential discovery from app permissions and OAuth tokens. INJECT gate.
Facebook Group admin takeover. Enumerates all current admins via /{group_id}/members?fields=administrator. Attempts role manipulation to add attacker account as admin via /{group_id}/members. Removes original admins once control is established. Generates group seize report with member count and page count. INJECT gate.
Meta Pixel JavaScript supply chain attack. Enumerates all pixels owned by the business via /{business_id}/owned_pixels. For each pixel, injects attacker-controlled JavaScript via POST /{pixel_id} with code= parameter — the same Marketing API endpoint used for legitimate pixel configuration. Poisoned JS executes on every website running the pixel. INJECT gate.
Full ad campaign chain deployment targeting cloned custom audiences. Creates: custom audience from uploaded customer list → lookalike audience → campaign → ad set → ad creative → ad. Dry-run mode returns DRY_ prefixed IDs for scoping without live deployment. Live execution requires UNLEASHED gate. WMD: facebook_ad_supply_chain_poison.
Messenger flood propagation via internal GraphQL interface. Posts to /api/graphql/ using doc_id 6234680946573087 (Messenger send-message mutation). Propagates to every contact in the compromised account's contact list. Randomised delay of 1–2.5s per message for rate limit evasion. Requires session cookies: c_user, xs, datr. UNLEASHED gate. WMD: facebook_messenger_worm.
Cascade business asset deletion. Ordered destruction sequence: ad campaigns → ad creatives → custom audiences → funding sources → business asset groups → business pages. Each resource type fully enumerated before deletion. Ed25519-signed MET-{hex12} report records every deleted resource ID. DESTROY gate + --confirm-account-destruction required. WMD: meta_business_destruction.
Second-factor removal and attacker enrollment. CSRF token extracted from xs cookie (xs.split(":")[0]). Removes: authenticator app 2FA via /security/two_factor/remove/ with type=app, SMS 2FA with type=sms, recovery codes with type=recovery_codes. Enrolls attacker phone number as trusted device. DESTROY gate + --confirm-account-destruction. Irreversible.
Full account destruction chain. Four-step irreversible sequence: (1) email change to attacker-controlled address via /settings/contact/, (2) password change to 32-character random string, (3) account deactivation via /deactivate/, (4) permanent deletion via /delete/. Ed25519-signed MET-{hex12} report. DESTROY gate + --confirm-account-destruction. WMD: meta_ecosystem_annihilation.
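From the defender's side, the two ordered sequences described above (second-factor removal followed by enrollment of a new phone, and email change → password change → deactivation → deletion) show up as tight bursts in an account-security audit trail. The following is an added example, not part of the original page or of the product it describes; the event names, the log layout and the 15-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed audit events: (ISO timestamp, account, action). Hypothetical schema,
# not a real Meta log format.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "acct-1", "two_factor_removed"),
    ("2024-05-01T10:00:40", "acct-1", "trusted_phone_added"),
    ("2024-05-01T10:01:10", "acct-1", "email_changed"),
    ("2024-05-01T10:01:30", "acct-1", "password_changed"),
    ("2024-05-01T10:02:00", "acct-1", "account_deactivated"),
    ("2024-05-01T10:02:20", "acct-1", "deletion_requested"),
    ("2024-05-01T09:00:00", "acct-2", "password_changed"),   # wrong order, days apart
    ("2024-05-03T12:00:00", "acct-2", "email_changed"),
    ("2024-05-01T11:00:00", "acct-3", "two_factor_removed"),  # phone added a day later
    ("2024-05-02T11:00:00", "acct-3", "trusted_phone_added"),
]

# Ordered chains, taken from the sequences the page describes.
CHAINS = {
    "second_factor_swap": ["two_factor_removed", "trusted_phone_added"],
    "account_destruction": ["email_changed", "password_changed",
                            "account_deactivated", "deletion_requested"],
}

def detect_chains(events, window=timedelta(minutes=15), min_steps=2):
    """Return {account: {chain_name: steps_matched}} for in-order matches inside window."""
    by_account = {}
    for ts, account, action in sorted(events):
        by_account.setdefault(account, []).append((datetime.fromisoformat(ts), action))
    findings = {}
    for account, timeline in by_account.items():
        for name, chain in CHAINS.items():
            best = 0
            for i, (start, action) in enumerate(timeline):
                if action != chain[0]:
                    continue
                matched = 1
                for ts, later in timeline[i + 1:]:
                    if ts - start > window:
                        break  # later events fall outside the correlation window
                    if matched < len(chain) and later == chain[matched]:
                        matched += 1
                best = max(best, matched)
            if best >= min_steps:
                findings.setdefault(account, {})[name] = best
    return findings
```

With `min_steps=2` the destruction chain alerts as soon as an email change is followed by a password change, which leaves time to lock the account before the deactivation and deletion steps.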
Ed25519-signed MET-{hex12} reports. MITRE ATLAS AML.T0043/T0051/T0054. OWASP LLM01/LLM06/LLM08. Financial blast radius: ad spend hijacked (USD), pixel poisoning reach (site count × daily visitors), Messenger worm propagation count, business asset destruction cost. JSON + Markdown output.
SPECTER META implements a four-gate authorisation system. OPEN performs passive enumeration. INJECT activates read/write operations. UNLEASHED fires live campaigns and worm propagation. DESTROY enables irreversible business and account destruction — the only Meta exploitation engine with a cryptographically-enforced destruction gate.
SURVEY subsystem only. Full asset graph enumeration via Graph API v19.0. No write operations. Pages, groups, ad accounts, businesses, pixel installations mapped and scored. Safe for pre-engagement scoping and authorised penetration testing. Access token required but no write scopes exercised.
HARVEST, GROUP-SEIZE, PIXEL-POISON. PII exfiltration, Messenger conversation harvest, group admin takeover, Meta Pixel JavaScript injection. Requires operator key. Operations are logged and Ed25519-signed. Pixel injection is reversible; group-seize admin changes may be reversible depending on platform state.
LOOKALIKE-ARMY, MESSENGER-WORM. Live ad campaign deployment consuming real ad budget. Messenger worm propagation to full contact list. Both operations interact with live Meta infrastructure and produce real, observable effects. Requires --i-understand-this-is-live-fire flag. Irreversible ad spend.
BIZ-MASSACRE, TWO-FA-SNATCH, ACCOUNT-DESTROY. Cascade deletion of business assets. 2FA removal and attacker phone enrollment. Account destruction chain (email → password → deactivate → delete). All operations are irreversible. Requires: Ed25519 operator key + ROE file containing "account destruction authorised" + --confirm-account-destruction flag.
Full account destruction confirmed: email changed, password changed, account deactivated, permanent deletion initiated. Original account owner has no recovery path. All linked business assets, pages, and ad accounts are inaccessible. DESTROY gate required. Irreversible. Ed25519-signed evidence in MET-{hex12} report.
Meta Pixel JavaScript injection confirmed. Attacker-controlled code is executing on every visitor to every website running the poisoned pixel. LOOKALIKE-ARMY ad campaign is live, consuming real ad budget and targeting cloned custom audiences. The entire ad supply chain from pixel data collection through audience targeting is compromised.
Messenger worm propagation confirmed. Flood payload delivered to full contact list via internal GraphQL doc_id 6234680946573087. Every contact has received the worm message. If the worm message contains a payload that harvests recipient credentials, the infection is self-propagating. UNLEASHED gate required. Rate limit evasion via randomised delay.
BizMassacre confirmed: all ad campaigns, creatives, custom audiences, funding sources, and business asset groups deleted. Business pages detached. Destruction is ordered to avoid dependency conflicts. Financial impact: full ad spend pipeline destroyed, pixel data collection terminated, audience data permanently lost. DESTROY gate required.