Ben Nimmo Profile picture
29 Jan, 23 tweets, 12 min read
Great report by @satariano on a fake network that @Graphika_NYC (and others) found in December.

Twitter accounts with GAN faces, boosting Huawei, boosted by Huawei execs, and attacking Belgium's 5G policies.

Not enough evidence to prove who ran them.…
We found this network when it was boosted by Spamouflage, a pro-China operation.

Independently, @mvanhulten of @TI_EU and @ArbiterOfTweets of @Knack found it with different methods.

It's not a friendly environment for fake campaigns, folks.…
This was the first account we found.

"Alexandre, PhD", apparently a CEO.

But no surname, no indication of what he's a CEO of, and a GAN-generated profile pic.
Alexandre's had a bit of an obsession with Belgium and #5G recently.

Especially, Belgium's security limitations on 5G providers, which are reportedly mainly about Huawei and ZTE.

Alexandre didn't like the Belgian approach much.
The account was created in 2017. It only started tweeting in early December, 2020, but its first posts were retweets of tweets from November 2017-18.

They were meant to be about VR, as in virtual reality. Oddly, one was actually about Victorian Railways in Australia. Awkward.
Pivoting off that account, we found 13 more that were behaving the same way, created around the same time, and all had GAN faces and similar bios - including a "best-selling author" who, um, didn't name any of his actual books.
Handy rule-of-thumb way to check for obvious GAN faces on multiple accounts: reduce them all to 35% opacity and superimpose them.

Not infallible, and the GAN will get better fast, but... see how the eyeballs align?
They all retweeted posts on #5G and #telcos. Character building.

Each posted 8-10 authored tweets, each a share of a web article plus a comment (usually in English), about #Belgium, #5G, #Huawei or #ZTE.
A couple of the articles were sponsored by Huawei, and labelled as such.

@satariano has some great insights into this one.
Looks like @ArbiterOfTweets has something interesting coming out soon, too.

"New and relatively explosive."

Watch this space.

Other articles appeared independent and ran on multiple (but connected) websites.

When that happened, different fake accounts tweeted the same article from different sources - an attempt to make it harder to spot them all with a URL search?

12 assets, one article, 3 URLs.
The two most aggressively anti-Belgium articles were different, though.

They were attributed to the fake personas themselves.

Looks like the operation was going for the direct approach.
We don't have enough evidence to prove who was running the campaign. But its most important amplification (in terms of follower numbers and frequency of amplification) came from Huawei staff, including the Huawei Europe verified Twitter account.
For example, here's Huawei Europe retweeting four fake accounts that tweeted the article on Belgium being corrupt.

As far as we can tell, the article was planted on a website by one of the fake accounts.
Here are Twitter accounts attributed to Huawei Europe figures, including two verified ones, retweeting the fake accounts, which were tweeting the operation's articles.
And here.
Searching for all mentions of all 14 fake accounts over the past year, and sorting the mentioners by following using @Meltwater, these are the top amplifiers.

Note the number of times each one mentioned one of the fake accounts (red box).
Per @satariano, Huawei is investigating.

Looking forward to the results of that one.
A couple of things stand out about this campaign.

One was the theme. This looked like an exercise in dark lobbying: try and raise the heat on the Belgian government on an issue that's of interest to a corporate titan.

Business, not party politics.
That's not unexpected, but it's important.

Most of the influence ops we've tracked so far have been in the political or geopolitical space.

Dark lobbying like this will be something to watch for more.
Second thing, though, is how many people identified this.

We found it via Spamouflage. @mvanhulten and @ArbiterOfTweets spotted sponsored posts that led there.

There's a growing community of people who can spot this stuff, explain it and expose it.
That's important too.

Running influence ops may seem like an attractive option, but they're going to have to be a lot less dumb than this one was to avoid getting exposed.
These fake Twitter accounts never had much impact while active.

But their exposure landed them in @nytimes and @knack, and not in a good way.

Was the operation worth the blowback? Let's keep watching to find out.…

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Ben Nimmo

Ben Nimmo Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @benimmo

29 Jan
And this, just out from @MsHannahMurphy and @SVR13: questions about the hundreds of thousands of followers that the same Huawei Western Europe execs have.…
I'll leave it to others to analyse the 800k+ accounts involved in these followings, but one anecdotal sidelight on the fake network of accounts that attacked Belgium: some of its other amplification came from glambots from a network that also boosted Huawei Europe.
Glambots = automated accounts that use profile pictures taken from glamour shoots and similar sources.
Read 7 tweets
23 Jan
One sidelight on the Russian protests today: #Navalny is probably the single most consistent target of Russian disinfo and influence operations.

He's been a target for at least 8 years, by ops including the Internet Research Agency, Secondary Infektion, and the Kremlin.
Way back in September 2013, @Soshnikoff investigated the then newly founded Internet Research Agency, and reported that it had been trolling Navalny when he ran for Mayor of Moscow.
January 2014: op Secondary Infektion set up its most prolific persona, with a pic of Navalny’s face painted blue. It started out by attacking the Russian opposition.

The username, bloger_nasralny, is a toilet pun on his name.
Read 11 tweets
23 Jan
Question for the #OSINT community: can anyone else find TikTok videos about protests for Navalny that become unavailable if you watch via a Russian server?

I’ve got 8 so far on #свободунавальному and #23января2021.

Nearly 2 million likes between them.

#DigitalSherlocks Image
Background: the Russian telecoms authority, Roskomnadzor, said it’s got platforms to take down calls for minors to join the protests.…
If you check TikTok for key hashtags about Navalny and the protests, some of the most popular videos don’t show up when browsing through a Russian VPN.

Four of the nine most popular on #свободунавальному, for example. Image
Read 9 tweets
12 Jan
Just out: @Facebook's latest update on influence op (IO) takedowns. Fourteen new ones in this report, from nine countries. @Graphika_NYC did a write-up on one of them, from separatist-held Ukraine.

Never a dull week on the IO front...…
Here's the Graphika report.

A cluster of inauthentic assets on FB, boosting a network of fake websites focused on Europe and the former USSR: pro-Kremlin, anti-Ukraine, anti-Navalny, anti-EU.

Also, interestingly, anti-China in Central Asia.…
H/t @alexejhock and @DanielLaufer for the first reporting on parts of this network, based around a fake outlet called Abendlich Hamburg ("evening Hamburg").

A couple other sites had "evening" in their names, others had "echo of [country]".…
Read 11 tweets
17 Dec 20
Fun read here from @conspirator0 on a botnet that uses clips from Dracula, for that authentic "I'm a human so I write text" look.

Presumably designed to fool algorithms, as it wouldn't fool a human.

At @Graphika_NYC, we call it "Dracula's botnet".…
We came across part this botnet in the summer, when it was boosting the pro-Chinese network "Spamouflage."

This, from @conspirator0, is a typical profile. Note the broken sentence and word in the bio. No human typed that... at least not on that Twitter account.
Now compare the bio with the version of Dracula that's online at Tallinn Technical University:…

Read 9 tweets
15 Dec 20
BREAKING: @Facebook just took down two foreign influence ops that it discovered going head to head in the Central African Republic, as well as targeting other countries.

More-troll Kombat, you might say.

Report by @Graphika_NYC and @stanfordio:…
There have been other times when multiple foreign ops have targeted the same country.

But this is the first time we’ve had the chance to watch two foreign operations focused on the same country target *each other*.
In the red corner, individuals associated w/ past activity by the Internet Research Agency & previous ops attributed to entities associated w/ Prigozhin.

In the blue corner, individuals associated w/ the French military.

@Facebook report here:…
Read 23 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!