In an interesting coincidence, this tweet linking what appears to be an unauthorized livestream of a sporting event was retweeted by a bunch of similarly-named accounts created in May 2013. #SundaySpam
These accounts are part of a botnet promoting what we believe to be pirated livestreams of a variety of sporting events. (Among other things, many of the accounts have had tweets removed for copyright violations.)
This botnet consists of two types of accounts: 206 accounts that link the pirated streams in their tweets, and 16 accounts that retweet them.
The 16 accounts retweeting the streams were all created on May 15th or May 16th, 2013. All have lowercase usernames ending in three digits, and display names that don't match the usernames (@martingyc509's display name is "Wendell Thelina", for example).
Nearly all of their retweets are allegedly sent via "Twitter Web Client" (the old version of the Twitter website). These 16 accounts operate on very similar schedules, although not all have participated every time the network has activated.
The 16 retweeters in turn amplify 206 accounts that actually link the pirated livestreams in question. Unlike the retweeters, these accounts were created over a period of several years, but every single one tweets almost exclusively via TweetDeck.
We weren't able to find out much about the websites these bots link, although they do look virtually identical. Either no streams were live when we visited, or the streaming does not work over Tor, which we used for opsec reasons (always be careful when visiting dodgy websites).
One more interesting property of this botnet: both the retweeters and the accounts being retweeted (222 accounts in all) have all their tweets processed by the same Twitter datacenter, which is consistent with them originating from the same portion of the Internet.
(previous thread discussing Twitter datacenter IDs and a right-wing conspiracy theory account)
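The traits shared by the 16 retweeters (lowercase handle ending in three digits, display name unrelated to the handle, same client, creation dates a day apart) can be combined into a simple batch-creation check. This is an added example, not code from the original thread; the account records are constructed and the `window_days` and `min_size` cutoffs are assumptions.

```python
import re
from collections import defaultdict, namedtuple
from datetime import date

Account = namedtuple("Account", "handle name created client")

# Constructed sample records, not real accounts.
ACCOUNTS = [
    Account("samplebot101", "Ada Quill", date(2013, 5, 15), "Twitter Web Client"),
    Account("samplebot202", "Rex Moor", date(2013, 5, 15), "Twitter Web Client"),
    Account("fillerxyz303", "Una Vale", date(2013, 5, 16), "Twitter Web Client"),
    Account("fillerxyz404", "Ode Finch", date(2013, 5, 16), "Twitter Web Client"),
    Account("marysmith555", "Mary Smith", date(2013, 5, 15), "Twitter Web Client"),
    Account("lonelyacct606", "Ivo Park", date(2016, 2, 1), "Twitter Web Client"),
    Account("RealPerson", "Real Person", date(2013, 5, 16), "Twitter for iPhone"),
]

# Lowercase letters followed by exactly three digits.
HANDLE_RE = re.compile(r"[a-z]+\d{3}")

def name_matches_handle(handle, name):
    """True if any word (3+ letters) of the display name appears in the handle."""
    return any(w in handle.lower() for w in re.findall(r"[a-z]{3,}", name.lower()))

def find_batches(accounts, window_days=2, min_size=3):
    """Return handle lists for trait-matching accounts that share a client
    and were created within window_days of the first account in the run."""
    by_client = defaultdict(list)
    for a in accounts:
        if HANDLE_RE.fullmatch(a.handle) and not name_matches_handle(a.handle, a.name):
            by_client[a.client].append(a)
    batches = []
    for group in by_client.values():
        group.sort(key=lambda a: a.created)
        run = []
        for a in group:
            # Close the current run once this account falls outside its window.
            if run and (a.created - run[0].created).days >= window_days:
                if len(run) >= min_size:
                    batches.append([r.handle for r in run])
                run = []
            run.append(a)
        if len(run) >= min_size:
            batches.append([r.handle for r in run])
    return batches
```

No single trait is conclusive on its own; in the sample, the account with a matching display name and the one created years later are both excluded even though their handles fit the pattern.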
We explored the followers of the accounts followed by @JaMaalBuster's batch-created followers to see if we could find more accounts that were part of the same botnet, and did not return empty-handed. #TuesdayThoughts
We found a total of 36698 accounts, all created in July or August 2013. None of these accounts has ever tweeted or liked a tweet, and the first name and last name in their display names do not match their @-names (@Gerlach_Dianna9 is "Estella Fritsch", for example).
Who do the accounts in this botnet follow? As is often the case with bulk follow botnets, there's a lot of variety. One account, @Wolfvee11, is followed by all 200 of the accounts in our sample (and 36510 of 36698 of the bots in the network, 99.5%).
What's up with all these accounts who are getting divorced and moving to <insert place name here> following the revelation that their wives voted for Joe Biden? (Spoiler: they're not bots.)
We downloaded tweets (excluding retweets) containing "my wife told me", "she voted for Joe Biden", and "divorced", yielding 1119 tweets from 604 accounts. A grand total of 2 of those accounts (@CrapAmericaSays and @tsbcomng) appear to be automated, so bots aren't the story here.
Here are the first 15 accounts to tweet "my wife told me (that) she voted for Joe Biden" and mention getting divorced. Almost all of them, including the first account (@wernerstarCEO), are UK football fan accounts rather than politically-themed accounts.
If you're looking for tweets discussing half of a wanderer or spider and don't mind the utter absence of coherent sentences, this botnet will be right up your alley. #SundaySentenceFragments
This botnet consists of 25 accounts, all created in October or November 2020. All of their biographies are lengthy resumes of seemingly random occupations, and all tweet exclusively via "Twitter Web Client" (the old and hypothetically unavailable version of the Twitter website).
Each account in this botnet has thus far activated exactly once, firing off 4-6 tweets over the span of a minute or two, and then going silent. The tweets themselves are (likely randomly generated) mashups of words, phrases, and sentence fragments rather than complete sentences.
Meet @SRRRJ, @Srm1n, @DemiLovatoTH, @banci__, and @gdibarry, a quintet of automated accounts that tweet CNN articles accompanied by partial headlines and tag @null (a suspended account) in each tweet.
These five accounts presently send all of their tweets via automation service twittbot(dot)net. There are two distinct schedule patterns, so it's possible this is two separate botnets, but since the accounts are otherwise similar we analyzed them as a single network.
What does this botnet tweet? It's quite single-minded: all recent tweets (the last ~3200 from each account) contain links to CNN, accompanied by the beginning of the title of whatever article/video is being linked.
We've seen some glitchy GAN-generated images used as Twitter profile pics before, but @jtatejtate1 kinda takes the cake with the utterly surreal "clothing" and "hat". #SaturdayShenanigans
Here's a video showing @jtatejtate1's profile pic blended with a bunch of other GAN-generated images. The major facial features (eyes, nose, and mouth) are in the same location on each image.
(more on GAN-generated face pics and the usage thereof on Twitter accounts)
We've analyzed a variety of bot/sock networks using coordinated retweeting to make content look more popular than it actually is (astroturfing). For a change of pace, here's a look at a network from 2018 that used quote tweets for artificial amplification.
This June 2018 tweet from @OrigoNetworks received more than 3 times as many quote tweets as retweets (quote tweet/retweet ratio of ~0.05 appears to be average). Furthermore, the accounts that quote tweeted it were disproportionately created in June/July 2018. What happened?
To explore further, we looked at other tweets with lopsided quote tweet/retweet ratios quote tweeted by the bulk-created accounts that quote tweeted the @OrigoNetworks tweet, and indeed found more accounts created in June/July 2018 that quote tweeted a lot of the same tweets.
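The two steps described above (flagging tweets whose quote tweet/retweet ratio is far above the ~0.05 baseline and whose quoters cluster in a narrow creation window, then pivoting to accounts that quote tweeted several flagged tweets) can be sketched as follows. This is an added example, not the authors' code; the tweet data is constructed and the `MIN_RATIO`, `MIN_COHORT_SHARE` and `min_hits` cutoffs are assumptions.

```python
from collections import Counter

BASELINE_RATIO = 0.05   # typical quote tweet/retweet ratio cited in the thread
MIN_RATIO = 1.0         # assumed cutoff: 20x baseline, as many quotes as retweets
MIN_COHORT_SHARE = 0.6  # assumed cutoff for creation-date concentration

def _bulk(n):
    # Constructed handles with creation months alternating June/July 2018.
    return [(f"bulk{i}", "2018-06" if i % 2 else "2018-07") for i in range(n)]

# Constructed older accounts with scattered creation months.
OLD = [("old1", "2011-03"), ("old2", "2015-09"), ("old3", "2009-01"),
       ("old4", "2016-11"), ("old5", "2012-06"), ("old6", "2014-02"),
       ("old7", "2019-04")]

# Constructed sample: tweet id -> retweet count and (handle, creation month) per quoter.
TWEETS = {
    "t1": {"retweets": 2, "quoters": _bulk(8)},
    "t2": {"retweets": 3, "quoters": _bulk(6) + OLD[:1]},
    "t3": {"retweets": 200, "quoters": _bulk(1) + OLD},   # ordinary ratio
    "t4": {"retweets": 2, "quoters": OLD[:6]},            # lopsided but organic
}

def qt_ratio(tweet):
    """Quote tweets per retweet (retweet count floored at 1)."""
    return len(tweet["quoters"]) / max(tweet["retweets"], 1)

def cohort_share(tweet):
    """Fraction of quoters created in the two most common creation months."""
    if not tweet["quoters"]:
        return 0.0
    months = Counter(month for _, month in tweet["quoters"])
    return sum(n for _, n in months.most_common(2)) / len(tweet["quoters"])

def flag_tweets(tweets):
    """Tweets with a lopsided ratio AND quoters concentrated by creation date."""
    return sorted(tid for tid, t in tweets.items()
                  if qt_ratio(t) >= MIN_RATIO and cohort_share(t) >= MIN_COHORT_SHARE)

def pivot_accounts(tweets, flagged, min_hits=2):
    """Accounts that quote tweeted at least min_hits of the flagged tweets."""
    hits = Counter(h for tid in flagged for h, _ in tweets[tid]["quoters"])
    return sorted(h for h, n in hits.items() if n >= min_hits)
```

Requiring both conditions keeps an organically "ratioed" tweet such as `t4` out of the flagged set, since its quoters were created across many unrelated months.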