Share this page!

Conspirador Norteño Profile picture
Twitter logo
15 Dec, 5 tweets, 4 min read
What's up with all these accounts tweeting links to K-Pop news site soompi(dot)com and tagging @null (a suspended account)? #TuesdayThoughts

cc: @ZellaQuixote
We found a group of 22 accounts sending automated tweets linking to soompi(dot)com, created between 2010 and 2014. Although some have older organic tweets, all recent content was posted via automation service twittbot(dot)net.
What does this botnet do? It links soompi(dot)com, and does literally nothing else (or at least hasn't in the most recent ~3200 tweets from each account, every single one of which contains a link to soompi(dot)com).
The accounts in this network operate on identical schedules, which isn't surprising as they appear to be posting the exact same content. Most tweets are repeated across all 22 accounts, and consist of partial headlines accompanied by article links and tagging @null.
We've seen this behavior before, in a twittbot(dot)net botnet that spammed CNN links. We suspect that @null isn't an attempt to tag the suspended account in question and is instead a bug resulting from an unassigned variable.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Conspirador Norteño

Conspirador Norteño Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @conspirator0

Conspirador Norteño Profile picture
16 Dec
What's up with these accounts with German biographies retweeting "election fraud" conspiracy theories from Trump and his supporting cast? #Spamtastic

cc: @ZellaQuixote Image
Answer: they're part of a botnet, consisting of 12 accounts automated via a custom app called "TweetFoxx". Although they do have occasional organic tweets, the vast majority of their content (19802 of 20233 tweets since September 1st, 2020, or 97.9%) is automated. ImageImage
The majority of accounts in this botnet operate on very similar schedules. The exception is @TaioSchmid , which is active for fewer hours a day and skips out on retweeting some of the tweets amplified by its compatriots. Image
Read 6 tweets
Conspirador Norteño Profile picture
14 Dec
While looking at something mostly unrelated, we ran across @coinkit_, a tool that allows one to pay cryptocurrency to the first N accounts that retweet/quote tweet one's tweets. We can't help but notice that this appears to be a TOS violation.

cc: @ZellaQuixote Image
The get-paid-cryptocurrency-to-retweet feature of CoinKit is triggered by adding to one's tweets the phrase "@coinkit_ mon" followed by information about how much one intends to pay for the astroturfing assistance. Are folks using multiple accounts to game the payouts? Image
Answer: yes. We downloaded recent tweets containing "@coinkit_ mon" and found a number of spikes in account creation dates indicating batch creation of accounts. We looked at the largest six spikes, which correspond to five distinct bot/sock networks. Image
Read 8 tweets
Conspirador Norteño Profile picture
13 Dec
Earlier tonight, a Twitter account named @Fauci sent out a tweet impersonating Dr. Anthony Fauci and was quickly suspended. We did some research on it before the ban, and decided to present our findings as a tutorial of sorts on detecting impostor accounts.

cc: @ZellaQuixote
First off, the (subsequently suspended) @Fauci account sent what it claimed was its first tweet in December 2020, despite being created in 2009. It's also potentially odd that Fauci would retweet the Biden transition team while still working for the Trump administration.
Secondly, we looked at old tweets tagging @Fauci, and most of them don't appear to have much to do with virology or any other medical topic. Some are in Indonesian, which as far as we have been able to discern, the real Dr. Fauci does not speak.
Read 4 tweets
Conspirador Norteño Profile picture
13 Dec
We've done a few analyses lately of anomalies lurking in the followers of various large #MAGA accounts. Here's a thread linking all of them. First up: the account presently known as @Wizard_Predicts (although it's had at least a dozen other names thus far).

cc: @ZellaQuixote
Next we have @ColumbiaBugle, recently retweeted by Trump. It began its existence with an infusion of empty accounts that seem to have been created exclusively to follow @ColumbiaBugle.
We found multiple anomalies in @SidneyPowell1's followers, one of which (a recent infusion of Japanese accounts) also turns up in the followers of fellow #Kraken tentacles @LLinWood and @RudyGiuliani.
Read 4 tweets
Conspirador Norteño Profile picture
11 Dec
Meet @AppSame, a Conservative SuperPAC with 338418 followers, most of whom don't seem to be interested in retweeting its tweets. Since it attacks the legitimacy of other people's followers, its own follower growth is surely beyond reproach, right?

cc: @ZellaQuixote
Although @AppSame's last ~50K accounts look largely organic, the story is quite different early on, with lengthy streaks where it was followed by thousands or tens of thousands of accounts with zero likes or which follow more than 50 times as many accounts as they have followers.
200448 of @AppSame's 338418 followers (59.2%) followed it during these periods of inorganic growth. Helpfully, @AppSame was running a follower-tracking app back in its early days, confirming that it repeatedly gained tens of thousands of followers in a single day.
Read 6 tweets
Conspirador Norteño Profile picture
11 Dec
It's a Thursday, and a bevy of identical tweets in Indonesian have been tweeted via TweetDeck. We took a gander. #Spamalicious

cc: @ZellaQuixote Image
The identical tweets were posted by a newly-created botnet, consisting of 10 accounts created over the span of 10 minutes on December 9th, 2020. All 10 accounts have female profile pics, and none has ever liked a tweet or followed another account. Image
As is often the case with spammy botnets, the profile pics are stolen, generally from stock photo sites. We found Google reverse image search effective for tracking them down (although we didn't try any other search site, as we didn't need to with this group). Image
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @conspirator0 has new unrolls!

Check out other threads from @conspirator0!

Read all threads by @conspirator0