We left this ID-based profile harvesting process running after posting this thread, and checked on it today to find that we've accumulated profile information for 184 million accounts created in 2011 and 2012. Can we pull out some botnets? #ThursdayThoughts

cc: @ZellaQuixote
We wanted to find bot/sockpuppet networks made up of long-ago created accounts that are still active today (or have recently reactivated). To this end, we narrowed our search to groups of accounts with identical biographies where at least 2/3 of the accounts had tweeted in 2020.
The first botnet we looked at strikes us as relatively benign. It consists of 120 automated accounts (118 created in bulk) that tweet daily weather reports for various locations in Canada once a day via an app called "Canada Weather." Moving on...
The second botnet we examined consists of 140 Turkish accounts tweeting porn spam (no tweet screenshots included because NSFW) via Twitter Web App. (The fact that all 140 accounts are tweeting via the website and none via the phone is itself a potential sign of automation.)
This network has a couple of other behaviors that indicate automation despite the accounts theoretically tweeting via the Twitter website. Firstly, they repeat tweets, both within and across accounts...
Secondly, the network tweets in a very mechanical fashion, continually cycling between accounts and tweeting (usually) nine times on each. It's possible this is a human doing a very boring job, but we're inclined to think it's automated as this behavior would be easy to script.
One final observation on the Turkish pornbot network: these accounts were dormant for years before their present spam campaign, and the accounts involved appear to have been not only repurposed (old content mostly doesn't look like porn) but also renamed.
The third network we looked at is a group of 104 accounts tweeting in Korean with identical profile pics that claim to be a "hack and ddos expert red team" and appear to be advertising various hacking services.
Much like the Turkish pornbots, this network currently tweets almost exclusively via Twitter Web App (again, organic large-scale activity generally involves the phone apps too). The content is repetitive but duplicate tweets are rare as the list of services gets shuffled.
Also like the Turkish porn botnet, the Korean "hack and ddos expert red team" botnet appears to have emerged from a period of dormancy. We didn't see any signs of renames with this group, however.
We'll stop there for now, but will be looking at more of the botnets surfaced by this technique and may add those which we find sufficiently interesting.
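The filter described at the top of the thread (identical biographies, at least 2/3 of the group tweeting in 2020), plus the single-client signal noted for the second and third networks, as an added example that is not the authors' code. The record field names, the minimum group size of 3, the whitespace trimming, the skipping of empty bios and the sample records are all assumptions.

```python
from collections import defaultdict
from fractions import Fraction

def _p(i, bio, year, source):
    # Field names are assumptions about how harvested profiles are stored.
    return {"id": i, "bio": bio, "last_tweet_year": year, "source": source}

# Constructed sample records, not real accounts.
SAMPLE = [
    _p(1, "city weather daily", 2020, "WeatherPoster"),
    _p(2, "city weather daily", 2020, "WeatherPoster"),
    _p(3, "city weather daily ", 2020, "WeatherPoster"),  # trailing space
    _p(4, "best deals here", 2020, "Web"),
    _p(5, "best deals here", 2020, "Phone"),
    _p(6, "best deals here", 2014, "Web"),    # dormant: group is exactly 2/3 active
    _p(7, "old fan club", 2020, "Web"),
    _p(8, "old fan club", 2012, "Web"),
    _p(9, "old fan club", 2013, "Web"),       # only 1/3 active: group is dropped
    _p(10, "", 2020, "Web"), _p(11, "", 2020, "Web"), _p(12, "", 2020, "Web"),
    _p(13, "just me", 2020, "Phone"),
]

def shared_bio_groups(profiles, min_size=3, min_active=Fraction(2, 3), year=2020):
    """Group accounts by identical bio and keep groups that are still active."""
    groups = defaultdict(list)
    for p in profiles:
        bio = (p.get("bio") or "").strip()  # trimming is an assumption
        if bio:  # an empty bio is shared by many unrelated accounts, so skip it
            groups[bio].append(p)
    results = []
    for bio, members in groups.items():
        if len(members) < min_size:
            continue
        active = [m for m in members if m["last_tweet_year"] == year]
        # Fraction avoids float rounding when a group sits exactly on 2/3.
        if Fraction(len(active), len(members)) < min_active:
            continue
        results.append({
            "bio": bio,
            "size": len(members),
            "active": len(active),
            # Every active account posting via one client is a possible automation sign.
            "single_source": len({m["source"] for m in active}) == 1,
            "ids": sorted(m["id"] for m in members),
        })
    return sorted(results, key=lambda r: (-r["size"], r["bio"]))

if __name__ == "__main__":
    for group in shared_bio_groups(SAMPLE):
        print(group)
```

A group surfaced this way is only a candidate; the thread's own first result, the weather accounts, shows that a shared bio and bulk creation can be benign.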