Attackers can use the l.instagram.com subdomain to redirect users to an external URL. Although Instagram scans the URL (which can be bypassed by using a URL shortening service) and includes a time-based token to reduce the chances of abuse.
Command and Control
The Instagram API can be used to make Instagram a C&C server. An open source tool "Social-media-c2" uses the like functionality on Instagram to send commands to infected machines.