An army of Chinese & Russian-named bots is attacking a Chinese businessman who has been critical of China's response to #COVID19
Over 48hrs I captured tweets on tags #郭文贵 & #milesguo. This THREAD is an #OSINT analysis of how the network operates 🤖👇🤖
cc: @TwitterSafety
Over 48hrs I captured tweets on tags #郭文贵 & #milesguo. This THREAD is an #OSINT analysis of how the network operates 🤖👇🤖
cc: @TwitterSafety
You will have noticed I outlined a cluster in red above, let's zoom in on that.
What we see is a perfect example of how a network works. An account in the middle posts content, and the surrounding accounts interact.
But upon closer inspection, there's something off 🔍
What we see is a perfect example of how a network works. An account in the middle posts content, and the surrounding accounts interact.
But upon closer inspection, there's something off 🔍
Let's start with the centre account @lucanto_crystal. 0 followers, 0 following, 1 post with a lot of activity. So let's look at WHO is supporting this one post.
First thing, notice a pattern? Many of the comments are the same, made by English or Cyrillic names (odd considering the comments are in Chinese).
Images using Yandex image reverse search show they're taken from elsewhere on the web.
But things get more interesting 🤓
Images using Yandex image reverse search show they're taken from elsewhere on the web.
But things get more interesting 🤓
Let's take a look at when those accounts commenting were created...
Almost all were born on:
- April 28, 2020
- or April 27, 2020
Those two dates also show that a whole heap of other accounts were made on that day.
Almost all were born on:
- April 28, 2020
- or April 27, 2020
Those two dates also show that a whole heap of other accounts were made on that day.
Just out of that 48hours of captured data from those two tags, I've found that:
71 accounts were made on 29 April 2020
81 accounts made on 28 April 2020
34 accounts made on 27 April 2020
All with the purpose of furthering the content posted by these main 'feeder' accounts
71 accounts were made on 29 April 2020
81 accounts made on 28 April 2020
34 accounts made on 27 April 2020
All with the purpose of furthering the content posted by these main 'feeder' accounts
For further clarification of the dataset, I took a mix of the new accounts as well as the older accounts to run them through the sniffer dog of bots: botometer.iuni.iu.edu
The findings were no surprise 🤖🤖🤖
The findings were no surprise 🤖🤖🤖
So what have we found so far?
Well there's a concentrated inauthentic use of @Twitter by creating a large number of accounts (again, the sample data is only from 48hrs) to promote an agenda and maintain an information operation.
Oh, and they smell of botlike activity.
Well there's a concentrated inauthentic use of @Twitter by creating a large number of accounts (again, the sample data is only from 48hrs) to promote an agenda and maintain an information operation.
Oh, and they smell of botlike activity.
Some of you might be wondering why those two network clusters from @lucanto_crystal & @key_temperance
look 'linked'. Take a look at the relationship between the two posts, it shows the same style of post, comments, and almost the exact same accounts commenting.
look 'linked'. Take a look at the relationship between the two posts, it shows the same style of post, comments, and almost the exact same accounts commenting.
So back to our 48hr dataset, what about this big messy heap in the middle? It's definitely no orb spider that made that messy web 🕸️
Just for a brief explanation as those node sizes, the bigger ones represent the more 'incoming' edges. So let's take a look at what they are.
Just for a brief explanation as those node sizes, the bigger ones represent the more 'incoming' edges. So let's take a look at what they are.
There's four main nodes (accounts) here that I chose to look at, they are:
@yansiyushui
@wangnianxi
@dzkpxy
@xiyankong
@yansiyushui
@wangnianxi
@dzkpxy
@xiyankong
Notice the traction @yansiyushui's one post got? Bot analysis = not too good. Profile image = not original
What's also quite strange is that the retweets were predominantly by Russian-themed accounts.
You're about to see that this is a really common trait with these tweets.
You're about to see that this is a really common trait with these tweets.
Here is @wangnianxi who only posts about Guo. The bot analysis gave a better score, likely based on the follower count, but when we run a bot check on the followers that doesn't look good. Also profile image = not original
And again, the accounts retweeting appear to hold the same pattern of using Russian/Cyrillic alphabet names.
For @dzkpxy who had one of the highest traction posts, also had retweets predominantly from names only spelt with Cyrillic letters yet targeted other languages. (example: @9RoplWXvKNYtsHY, @jYa4DoZbeGHAuCD, @Ca6BltreJKOg7gd, @uflxBpqWrzoCCEo)
For @xiyankong, another large post for such an account, predominantly retweeted and liked by accounts with Cyrillic names.
WHY is this happening? Well, it's not the first time Guo Wengui has been the target of an info operation. @ASPI_org & @elisethoma5 published a report in September 2019 about a significant & sustained campaign against him. It's likely a continuance of that: aspi.org.au/report/tweetin…
Oh yeah, and just about those retweeter accounts identified using Cyrillic alphabet names. It's likely they're part of an alternative fake network service as they're also retweeting issues across a whole range of languages, but all in the same patterns... (see below)
Here's a better visualisation of their retweets as of 6pm, 29 April 2020.
The only cool thing about this is one of them uses Batman as a profile pic.
Otherwise, it's a coordinated attempt to target certain issues. @TwitterSafety
The only cool thing about this is one of them uses Batman as a profile pic.
Otherwise, it's a coordinated attempt to target certain issues. @TwitterSafety
In the transparency of #OSINT and to assist researchers in studying these networks for early identification techniques to improve @TwitterSafety, I am happy to share more findings in the dataset with specific investigators ✌️
Today indicates divergence in identified network.
Between 1000 & 1500 today (April 30) 50+ accounts were created in network.
Accounts now retweet VERIFIED account pretending to be Elon Musk (@jeffreyzurofsky - likely hacked), calling for end to US to re-open
@TwitterSafety
Between 1000 & 1500 today (April 30) 50+ accounts were created in network.
Accounts now retweet VERIFIED account pretending to be Elon Musk (@jeffreyzurofsky - likely hacked), calling for end to US to re-open
@TwitterSafety
Over four days, the following numbers of accounts were created on @twitter and joined the network:
April 27, 2020: 52 accounts
April 28, 2020: 97 accounts
April 29, 2020: 109 accounts
April 30, 2020: 151 accounts
These can viewed in screenshots of the dataset I made below.
April 27, 2020: 52 accounts
April 28, 2020: 97 accounts
April 29, 2020: 109 accounts
April 30, 2020: 151 accounts
These can viewed in screenshots of the dataset I made below.
It is evident by looking at the data in spreadsheet format that there is a tendency to use Russian names in newly created accounts used for retweeting content in the network.
Odd for this seemingly pro-Chinese govt information operation.
Odd for this seemingly pro-Chinese govt information operation.
That same network of Russian-named Twitter accounts has been also amplifying posts critical of the Hong Kong independence movement and supportive of Hong Kong police.
No surprise there.
No surprise there.
Also quite interesting to find other topics in the network, not just #MilesGuo or #HongKongProtests, but also effort to amplify Elon Musk #cryptocurrency content.
Post below is an example. I linked it to show how same amplifiers of one MilesGuo post amplified crypto content.
Post below is an example. I linked it to show how same amplifiers of one MilesGuo post amplified crypto content.
These are just a few of the indicators of HOW the network operates as well as identifying WHAT and possibly WHO might be behind ‘the great retweet’.
For a more detailed report, please refer to analysis on @bellingcat bellingcat.com/news/2020/05/0…
For a more detailed report, please refer to analysis on @bellingcat bellingcat.com/news/2020/05/0…
