We took a closer look at this Arabic-language fake engagement botnet that we found promoting blue-check shady social media services vendor @sendthetrend. It consists of more accounts than we originally noticed (240 accounts rather than 188).

cc: @ZellaQuixote
The 240 accounts in this botnet were created in batches between November 28th, 2016 and January 5th, 2017, with the majority created on January 5th, 2017. Almost all of their tweets are retweets (99.5%) and almost all were sent via Mobile Web (M2) (99.9%).
These accounts retweet a variety of Arabic-language accounts, with the most frequent flier being @dk_alsabah. Since we don't speak Arabic (and don't trust the accuracy of machine translation tools), we're unsure if there's a theme to the accounts/content amplified.
As with the accounts retweeted by the bots in this network, the accounts they follow are mostly Arabic-language accounts. Some aren't, however, and there's a bit of a twist. . .
Although the accounts in this botnet mostly follow Arabic-language accounts, the first ~20 accounts followed by many of the bots have different primary languages (usually English or Russian). We don't have a good explanation for this, and are interested in theories/speculation.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Conspirador Norteño

Conspirador Norteño Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @conspirator0

25 Oct
One of the accounts that this reply spam botnet we recently documented replied to (@oliverzok) began its Twitter life with an infusion of over 1000 batch-created bogus followers. We decided to explore the rest of the network. #SundaySpam

cc: @ZellaQuixote
To find the rest of the network, we downloaded the followers of other accounts followed by the batch-created followers of @oliverzok, and repeated the process for the accounts they follow, and so on.
We found 1835 accounts that we believe to be part of this fake engagement network. All were created between January and March 2017, have been dormant since late 2017, and tweeted exclusively via the Twitter Android app back when they were active. All their tweets are retweets.
Read 6 tweets
25 Oct
Move over, thispersondoesnotexist(dot)com, because deepfake face pics are so 2019. The good folks over on 4chan have made us aware of thiswaifudoesnotexist(dot)net, a site that serves up GAN-generated anime pics. #SaturdayShenaniGANs #ASeriesOfUn4chanateEvents.

cc: @ZellaQuixote
The thiswaifudoesnotexist(dot)net website offers the real anime images used to train the GAN for download (we downloaded via Tor because opsec). We used this along with a set of images it produced to come up with a simple technique for detecting the GAN-generated anime pics.
The GAN-generated anime pics contain a variety of anomalies that aren't present in most of the real ones, but the most obvious (and the one we focused on) is the presence of blotches/very slight random variance in color in areas that would be solid colors on real anime pics.
Read 7 tweets
23 Oct
Oh My God! This botnet is really Enormous Graceful Frame!

(We don't actually know what this means, but since it was repeated by seven different accounts, it's clearly important.)

cc: @ZellaQuixote
This botnet consists of 35 accounts, all created on either October 19th or October 20th, 2020. Thus far all of this network's content is replies (no retweets or original tweets), almost all posted via "Mobile Web (M2)". Some of the account biographies are duplicates.
This botnet is very repetitive, with 77 replies sent at least twice and the most frequent reply ("Oh My God! Your tweet is really Enormous Graceful Frame") used seven times by seven different accounts. (Table includes all replies that were repeated at least three times.)
Read 6 tweets
20 Oct
We took a look at nine days' worth of recent replies to @JoeBiden. Unsurprisingly, the Democratic nominee's account gets a lot of attention - 613039 replies from 266655 accounts between October 11th and 19th, 2020. Very little of the traffic looks automated.

cc: @ZellaQuixote
Although @JoeBiden consistently receives tens of thousands of replies per day, few contained links to news sites before Oct 14, when the New York Post published its story about Hunter Biden's alleged laptop. Links are mostly a mix of NY Post and various right-wing sites.
In keeping with the theme of the NY post story, Hunter Biden and various allegations that Joe Biden is corrupt are a recurring them of recent replies to @JoeBiden, especially the hashtags used. Two of the top four are #CrookedJoeBiden and #BidenCrimeFamily.
Read 5 tweets
19 Oct
If you're looking for a Twitter account that spews a mix of conspiracy theories about Joe Biden and dubious claims that COVID-19 is a Chinese bioweapon, Steve Bannon's @WarRoomPandemic just might be your thing. Who's retweeting it?

cc: @ZellaQuixote
As it turns out, roughly 18% of the accounts (4909 of 27204 accounts) amplifying @WarRoomPandemic's tweets are Chinese-language accoutns, despite @WarRoomPandemic's content being in English.

(Results based on retweets of available via the Twitter API as of 2020-10-18.)
Retweet network for the accounts that recently amplified @WarRoomPandemic. The main cluster is a mix of right-wing English-language accounts and various Chinese accounts. The Chinese accounts are more densely clustered, as they retweet each other frequently.
Read 6 tweets
17 Oct
What's up with all these accounts with AI-generated profile pics linking the same article on cointelegraph(dot)com at the same time using the same hashtags? #SaturdayShenaniGANs

cc: @ZellaQuixote
We found a total of 47 accounts spamming links to cointelegraph(dot)com via automation service dlvr(dot)it, all created in September or October 2020. The volume of this botnet has increased as more accounts were added.
The cointelegraph(dot)com website promoted by this botnet is a cryptocurrency "news" site registered in the Cayman Islands, according to WHOIS records. Almost all of this botnet's tweets (1222 of 1295, 94.3%) contain links to this website.
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!