Answer: they're from a reply spam botnet we didn't know quite what to make of when we first saw it. It is now on a mission to promote forex trading/cryptocurrency content. ("Nicholas Shawn" appears to be a reference to the "Nick Shawn" Youtube channel.)
This botnet consists of 48 accounts, all created in September or October 2020. (We found 35 accounts when we first looked at it). Almost all tweets are replies sent via "Mobile Web (M2)".
Who does this network reply to in a spammy fashion? Mostly cryptocurrency and forex trading accounts, but there are a few political accounts in the mix too: @NYCMayor, @Cernovich, @IlhanMN, and @ChuckGrassley are among the 30 accounts it most frequently replied to.
This botnet's replies are quite repetitive. Most are promoting crypto/forex trading, with many claiming to have earned sizable sums of money. Supposedly 19 of them attended a conference in Birmingham (in the middle of a pandemic) and wrote identical tweets about the experience.
This botnet also (very, very occasionally) posts tweets that aren't replies. These tweets are almost all in Portuguese, and unlike the replies, they don't seem to be promoting anything.
As we noted in our previous thread, this network uses stolen profile pics (almost all female). We'll continue to keep an eye on this botnet here and there in case its behavior evolves further.
We took a look at the follower of popular right-wing Twitter account @ColumbiaBugle. The vast majority of its followers look like run-of-the-mill #MAGA accounts, but we found an interesting group of batch-created accounts lurking among its earliest followers.
We searched the followers of the other accounts followed by @ColumbiaBugle's early batch-created followers to see if we could find more, but came up empty handed. Interestingly, @ColumbiaBugle is the *only* account followed by all 154 accounts.
The accounts in this fake follower network were created in batches in late 2015 and early 2016. None have tweeted or liked a tweet. Several have names that are takeoffs on 2016 GOP presidential candidates (@MRubioooooo, @TedCruzzinn, @cruzin_teddy). All have default profile pics.
This seems like an excellent day to look at a (mostly) Russian-language follower/retweet botnet that uses GAN-generated pics (presumably created using thispersondoesnotexist.com or a similar tool). #FridayShenanigans
This botnet consists of 53 accounts created between August 12th and August 16th, 2020. All have randomly generated usernames consisting of digits and lowercase letters and Cyrillic display names.
Here are the profile pics of all 53 accounts in the botnet, as well as the result of blending them together. The eyes align perfectly (as do the mouth and ears other than slight variations in angle and position), a trait common to all unmodified face pics generated with StyleGAN.
Oh hey, it's a post on blackhatworld(dot)com offering 50 free Twitter followers to whomever replies. Let's see what they look like. #SeemsLegit#ThursdayThoughts
We downloaded the followers of six of the accounts that replied to the blackhatworld(dot)com post offering free followers, and indeed each has a streak of batch-created followers from summer 2020, most of which have never liked a tweet.
These batch-created followers are part of a fake engagement botnet consisting of 96 accounts, all created between June and August 2020. They supposedly tweet via the Twitter website, but due to frequent 24/7 activity (among other things), we believe them to be automated.
Cryptocurrency content is an ever-popular target for spammy Twitter botnets. Here's a look at a group of accounts that all quote tweet the same cryptocurrency tweets. #WednesdayWisdom
This cryptocurrency network consists of 34 accounts, all created on March 3rd, 2019. Despite cramming their profiles with abundant #followback hashtags, they haven't had much success in gaining followers.
These 34 accounts all operate on very similar schedules (which isn't surprising as they all amplify the same tweets), and allegedly tweet via the Twitter website ("Twitter Web App"), although we have our doubts that the tweets are actually organic.
We explored the followers of the accounts followed by @JaMaalBuster's batch-created followers to see if we could find more accounts that were part of the same botnet, and did not return empty-handed. #TuesdayThoughts
We found a total of 36698 accounts, all created in July or August 2013. None of these accounts has ever tweeted or liked a tweet, and the first name and last name in their display names do not match their @-names (@Gerlach_Dianna9 is "Estella Fritsch", for example).
Who do the accounts in this botnet follow? As is often the case with bulk follow botnets, there's a lot of variety. One account, @Wolfvee11, is followed by all 200 of the accounts in our sample (and 36510 of 36698 of the bots in the network, 99.5%).
What's up with all these accounts who are getting divorced and moving to <insert place name here> following the revelation that their wives voted for Joe Biden? (Spoiler: they're not bots.)
We downloaded tweets (excluding retweets) containing "my wife told me", "she voted for Joe Biden", and "divorced", yielding 1119 tweets from 604 accounts. A grand total of 2 of those accounts (@CrapAmericaSays and @tsbcomng) appear to be automated, so bots aren't the story here.
Here are the first 15 accounts to tweet "my wife told me (that) she voted for Joe Biden" and mentioning getting divorced. Almost all of them, including the first account (@wernerstarCEO) are UK football fan accounts rather than politically-themed accounts.