What's up with all these accounts with AI-generated profile pics linking the same article on cointelegraph(dot)com at the same time using the same hashtags? #SaturdayShenaniGANs
We found a total of 47 accounts spamming links to cointelegraph(dot)com via automation service dlvr(dot)it, all created in September or October 2020. The volume of this botnet has increased as more accounts were added.
The cointelegraph(dot)com website promoted by this botnet is a cryptocurrency "news" site registered in the Cayman Islands, according to WHOIS records. Almost all of this botnet's tweets (1222 of 1295, 94.3%) contain links to this website.
All 47 of the accounts in this botnet use GAN-generated profile pics (similar to those produced by thispersondoesnotexist.com). These images have the telltale sign that the eyes, nose, and mouth line up almost perfectly when overlaid/blended.
Animated visualization of blending the profile images of all 47 accounts in the botnet, demonstrating the pattern in facial feature placement. (GAN-generated face pics have other artifacts as well: nonsensical backgrounds/clothing/jewelry, for example.)
• • •
Missing some Tweet in this thread? You can try to
force a refresh
We've repeatedly noted that @ARTEM_KLYUSHIN is both followed and retweeted by large bot networks. He also follows nearly one million accounts. Is there anything interesting going on there? (Spoiler: yes.)
We downloaded all of the accounts followed by @ARTEM_KLUYSHIN and plotted the order he followed them by the creation dates of the accounts followed. There are several streaks where he followed thousands of accounts in (mostly) reverse order of creation date. What's going on?
Answer: @ARTEM_KLYUSHIN on multiple occasions followed large swaths of the followers of large accounts in most-recent-follower-first order. For example, @ARTEM_KLYUSHIN followed @history_RF's first ~52K followers in the opposite order that those accounts followed @history_RF.
Just for fun, we started digging through the accounts followed by 60 popular verified #MAGA accounts to see what there is to see. We found one weird thing that stuck out like a sore thumb (and will add more if/when we find more). . .
Meet @ScottIngwers. This account has never tweeted, never liked any tweets, has no bio, and uses a default profile pic. Despite this, its 342 followers include @DonaldJTrumpJr, @IvankaTrump, and @EricTrump.
Since the account has no content, there's not really much about @ScottIngwers to analyze, but we did notice that despite the account being totally empty, it's picked up followers in a variety of languages.
Answer: they're part of a spam network of unknown purposes, consisting of 23 accounts that tweet on remarkably similar schedules via "Mobile Web (M2)" (early tweets were sent via "Twitter Web App"). 98.9% of the tweets posted by these accounts are replies.
Although these accounts reply mostly in English, a significant minority of their content is in a variety of other languages. The content is all over the map, ranging from random feel-good replies to coupon codes to comments on the present Armenia/Azerbaijan conflict.
If you're looking for Twitter accounts promoting an ad-infested website with a deceptively similar name to UK news agency Sky News, then this botnet's for you. #MondayMotivation#Scamalicious
The real website for Sky News is sky(dot)com (and various subdomains, such as news(dot)sky(dot)com). The fake site is sky-news(dot)co(dot)uk, with a hyphen.
This botnet consists of six accounts, all created on October 11th, 2020. These accounts tweet via automation service IFTTT. All use female profile pics and have bitly links on their profiles that lead to sky-news(dot)co(dot)uk, which is not actually Sky News.
Meet @bmjisoo, a self-described Events & Program Manager, Adventurous Foodie, Global Trotter, and National Park Explorer. Based on its flurry of recent pro-Trump and anti-Biden retweets, it would at first glance appear to be a #MAGA account.
The full story is a bit more complicated. @bmjisoo began its Twitter life as a Korean-language account back in 2014, took a five-year hiatus, and then woke back up in 2020, first retweeting a bunch of Indonesian follower farming spam before assuming its current #MAGA persona.
The account presently known as @bmjisoo also changed names at least once: when it was tweeting in Korean back in 2014, it was named @blbml08t6e. (Its permanent ID is 2287181347, just in case it swaps names again.)
Twitter accounts being sold on dodgy websites frequently have fake followers, and @nokilllogwtmp (permanent ID 529412597) is no exception, with several thousand batch-created accounts following it. We decided to further explore this bulk follow network.
To find more accounts that are part of this bulk follow network, we downloaded the followers of accounts followed by the bogus-looking followers of @nokilllogwtmp, and repeated the process until we hit diminishing returns.
We found 23794 accounts we believe to be part of this bulk follow network. Most were created in batches between 2012 and 2014. Some were not, but we suspect they're part of the network anyway due to the order in which they followed the accounts they follow (among other things).