Share this page!

Conspirador Norteño Profile picture
Twitter logo
20 Dec, 4 tweets, 4 min read
What's up with these identical replies to a @gabry1090 coupon code tweet? #SaturdaySpam

cc: @ZellaQuixote
Answer: unsurprisingly, a botnet. We found 19 accounts that we believe are part of the network, created over the course of a little over an hour on December 7th, 2020. All their tweets thus far are replies sent via either "Mobile Web (M2)" or "Twitter Web Client".
The 19 accounts in this reply spam botnet operate on nearly identical schedules, and often send the same replies. Most replies are in Arabic, with the occasional English reply thrown in for good measure. (As always, take the Google translations with a grain of salt.)
Who and what do these accounts reply to? Mostly coupon/discount code tweets from Arabic-language accounts, but there are some exceptions, including @eduofans, a Chinese-language account that (if the translation is correct) appears to be selling social media engagement.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Conspirador Norteño

Conspirador Norteño Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @conspirator0

Conspirador Norteño Profile picture
20 Dec
We took a quick look at a small online casino botnet that uses GAN-generated profile pics (similar to those produced by thispersondoesnotexist.com). #HolidayShenaninGANs

cc: @ZellaQuixote
This botnet consists of six accounts with GAN-generated profile pics, all created on August 11th, 2020. As is the case with all StyleGAN-generated face pics, the major facial features (particularly the eyes) line up when the images are blended/overlaid. ImageImage
These six accounts tweet on nearly identical schedules and (allegedly) post all of their tweets via the Twitter Web App. Thus far, each accounts has sent exactly 10 tweets; with the exception of their first tweet, they always tweet within an hour of one another. ImageImage
Read 6 tweets
Conspirador Norteño Profile picture
19 Dec
In a bizarre coincidence, this hashtag-crammed @SorabNY tweet was retweeted by a bunch of accounts created in May 2014 with random-looking names. #FridayFeeling

cc: @ZellaQuixote
These accounts are part of a 29-account retweet botnet created on May 25th, 2014. All the accounts have names consisting of 11 or 12 lowercase letters, beginning with a consonant and followed by alternating vowels and consonants. We suspect the names were generated randomly.
The accounts in this botnet have thus far posted all of their tweets (allegedly) via "Twitter Web App". Despite being created back in 2014, we found no evidence any of them tweeted prior to September 2020, with most accounts activating for the first time on December 9th, 2020.
Read 5 tweets
Conspirador Norteño Profile picture
17 Dec
We've seen @justinsuntron turn up occasionally in our research on fake engagement networks, so we started perusing his followers to see what there is to see, and found an interesting little group of batch-created accounts.

cc: @ZellaQuixote
The botnet we found following @justinsuntron consists of 886 accounts created on September 24th and October 1st, 2020. Their initial wave of tweets was set via TweetDeck, and subsequent tweets were (allegedly) sent via the Twitter Web App. All have female names.
These accounts do four things:

• quote tweet cryptocurrency giveaway tweets (mostly from @justinsuntron)
• retweet cryptocurrency tweets
• reply "good" to a tweet from @OneSwap
• post original tweets composed of random nonsense
Read 6 tweets
Conspirador Norteño Profile picture
16 Dec
What's up with these accounts with German biographies retweeting "election fraud" conspiracy theories from Trump and his supporting cast? #Spamtastic

cc: @ZellaQuixote
Answer: they're part of a botnet, consisting of 12 accounts automated via a custom app called "TweetFoxx". Although they do have occasional organic tweets, the vast majority of their content (19802 of 20233 tweets since September 1st, 2020, or 97.9%) is automated.
The majority of accounts in this botnet operate on very similar schedules. The exception is @TaioSchmid , which is active for fewer hours a day and skips out on retweeting some of the tweets amplified by its compatriots.
Read 6 tweets
Conspirador Norteño Profile picture
15 Dec
What's up with all these accounts tweeting links to K-Pop news site soompi(dot)com and tagging @null (a suspended account)? #TuesdayThoughts

cc: @ZellaQuixote
We found a group of 22 accounts sending automated tweets linking to soompi(dot)com, created between 2010 and 2014. Although some have older organic tweets, all recent content was posted via automation service twittbot(dot)net.
What does this botnet do? It links soompi(dot)com, and does literally nothing else (or at least hasn't in the most recent ~3200 tweets from each account, every single one of which contains a link to soompi(dot)com).
Read 5 tweets
Conspirador Norteño Profile picture
14 Dec
While looking at something mostly unrelated, we ran across @coinkit_, a tool that allows one to pay cryptocurrency to the first N accounts that retweet/quote tweet one's tweets. We can't help but notice that this appears to be a TOS violation.

cc: @ZellaQuixote Image
The get-paid-cryptocurrency-to-retweet feature of CoinKit is triggered by adding to one's tweets the phrase "@coinkit_ mon" followed by information about how much one intends to pay for the astroturfing assistance. Are folks using multiple accounts to game the payouts? Image
Answer: yes. We downloaded recent tweets containing "@coinkit_ mon" and found a number of spikes in account creation dates indicating batch creation of accounts. We looked at the largest six spikes, which correspond to five distinct bot/sock networks. Image
Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @conspirator0 has new unrolls!

Check out other threads from @conspirator0!

Read all threads by @conspirator0