GAN-generated profile pics (such as those produced by thispersondoesnotexist.com) have become quite popular among botnets promoting cryptocurrency blogs/websites. Here's a look at one such botnet that was mostly made just before Christmas. #HolidayShenaniGANs
We found a group of 12 accounts with GAN-generated profile pics linking cryptocurrency-themed websites and blog posts. All but one of these accounts was created between December 22nd and 25th, 2020.
Here are the profile pics of all 12 bots in the network. When overlaid, one can see that the major facial features (particularly the eyes) are in the same location on each image. The images contain other artifacts too: the metallic droplet on @SwiftAlene's forehead, for example.
These accounts link to a variety of cryptocurrency/blockchain-themed websites and blogs, with the most common being blockgeeks(dot)com. Their tweets are repetitive (which isn't surprising, since they're mostly verbatim copies of article titles).
The majority of the tweets posted by these bots are sent via an app called Socialchief. The tweet schedule is quite regular: 6 batches of tweets per day, with the first posted at 1 AM Pacific time and subsequent batches posted at 2-hour intervals.
We enlisted @DrunkAlexJones to find out more about the Socialchief app. The app is a social media scheduling service for Twitter, Facebook, and LinkedIn. Its default behavior is to post six times a day at two hour intervals, which explains the botnet's schedule.
Unlike most free tweet scheduling apps we've experimented with, Socialchief allows bulk scheduling of tweets via CSV import, which might be part of its appeal to the operators of the botnet we found. We had @DrunkAlexJones schedule a few tweets via CSV (results shown in collage).
• • •
Missing some Tweet in this thread? You can try to
force a refresh
If you're looking for a "news feed" account whose website consists entirely of news stories harvested from other websites (many of them less than reliable themselves), then @1BUV_News just might be right up your alley.
Where does the content on 1buv(dot)com, the website promoted by @1BUV_News come from? The present lineup includes 20 different websites, the most common being Sputnik, Breitbart, and ZeroHedge. Antivax/conspiracy site Natural News is another interesting inclusion.
The majority of @1BUV_News's content is automated, posted round-the-clock by a custom app with no name. (We've seen a few bots that post via nameless apps before, but without a visible name, it's hard to tell if they're the *same* no-name automation app.)
This botnet is made up of 241 accounts, created in batches between February 28th and March 3rd, 2011. All have names consisting of a first and last name followed by 2 or 4 digits, follow similar numbers of accounts, and have never liked a tweet.
The accounts in this botnet don't just follow similar numbers of accounts - they follow a lot of the same accounts, with 543 accounts followed by all 241 members of the network. The accounts they follow are mostly promotional accounts, many of which followed the bots back.
It's a day that ends in "Y", and a posse of pornbots is prolifically posting tweets advertising a group of websites, with the novel twist that the websites are included in images rather than linked directly from their tweets. #SundaySpam
These bots were created in batches, and their image tweets contain hashtags and were (allegedly) sent via the Twitter Web App. We found 2147 batch-created accounts that fit this pattern, but how do we eliminate the ones without website names emblazoned on their image tweets?
Answer: we used OCR (optical character recognition), specifically the pytessaract library. It couldn't make much sense of the raw images, which use gray text on colored backgrounds, but tweaking the brightness/contrast on grayscale negatives resulted in machine-readable text.
In the aftermath of the Nashville bombing, a wide variety of rumors and conspiracy theories about motives/affiliation of the bomber(s) began circulating on Twitter. Trump supporters, antifa, and Dominion voting machines were some of the most common themes.
The themes of the rumors varied somewhat over time. Antifa was a common topic shortly after the bombing, tweets about Dominion spiked twice after popular tweets, and Trump supporters were a common theme throughout, increasing slightly after CBS named a person of interest.
Here are some examples of tweets containing terms from each group. Some of the tweets fit into multiple groups - for example, some of the tweets about Dominion voting systems also reference the AT&T building.
TFW you're a four-month old #MAGA Twitter account who "works around Intel specialist" and the Congressman you claimed was in FBI custody inconveniently tweets less than half an hour later.
The @MelaniasRhonda account has doubled down on its dubious claim that Adam Schiff has been arrested. This appears to be false, as Schiff continues to post on social media, but that hasn't stopped folks from running with the bogus narrative and causing Schiff's name to trend.
Several of the tweets claiming Adam Schiff was arrested include a screenshot from lacountyarrestrecords(dot)org, which is extremely unlikely to be accurate given that it also contains "LA county arrest records" for multiple former British prime ministers.
We found a network of 16 accounts tweeting links to latestdatabase(dot)com, all but two of which were created in 2020. These accounts tweet on extremely similar schedules and (allegedly) posted all of their recents tweets via the Twitter web app.
Although other sites turn up occasionally, the majority of the network's content is tweets linking latestdatabase(dot)com, a website that supposedly sells lists of people's email addresses and cell phone numbers. (As always, be wary of clicking links to unknown websites.)