It's either the second day of spring or fall (depending on where you are), so here's a look at a botnet following the official Twitter account of right wing think tank @Heritage Foundation. #SundaySpam
This botnet consists of 28971 accounts, created Nov 2013 - Jan 2014. All their tweets were sent via "Twitter Web Client", and none has tweeted since 2014. None has liked a tweet, and all have the same display name as @-name (including lack of space between first and last name).
Who does this botnet follow? The majority of the beneficiaries of its bogus follows are the official accounts of businesses (including some fairly large companies such as @Citibank and @WhiteCastle). The @Heritage Foundation (followed by 2845 of the bots) is a notable outlier.
Here are follower plots for nine of the accounts followed by portions of the botnet, with the portion containing the bots zoomed. In most cases, the botnet seems to have followed the accounts in multiple batches over time, with brief periods of organic follower growth in between.
Unlike many of the astroturfy botnets we've studied, this one doesn't retweet the accounts it follows (or any others). All of its content is brief tweets (generally generic comments on personal relationships) that are frequently duplicated by thousands of the bots in the network.
Some Twitter botnets do all sorts of elaborate things, but this is not one of them. The accounts in this botnet have thus far all followed exactly two accounts (@polkastarter and @ConvergenceFin) and done nothing else - no tweets, no likes, no other follows.
This botnet consists of 1004 accounts created on February 25th and February 26th, 2021. In addition to the similarities already noted (no tweets, no likes, following the same two accounts), none has a biography or header image and all have female names.
Almost all of the accounts in this botnet do have profile pics, and (big shock) they appear to be stolen, with many of them having previously been used on other Twitter accounts, most of which are now suspended.
It's a day ending in "y", and a bunch of similar-looking accounts are attaching four letter codes to their otherwise identical tweets denying genocide and downplaying human rights abuses in Xinjiang. #TuesdayAstroturf
We found a network of 113 accounts posting duplicate tweets about Xinjiang with random four letter codes appended. All were created between December 2020 and February 2021, generally in batches of accounts with similar naming schemes. Most use photos of scenery as profile pics.
These 113 accounts (allegedly) post all of their tweets via the Twitter Web App, generally in brief tweetstorms where most/all of the accounts tweet within an hour or so of each other. Most tweets are in English or Chinese, but the network has tweeted in 31 languages thus far.
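One way to surface the pattern described above (identical tweets with a random four letter code appended) is to strip a trailing four-letter token and group by the remaining text. This is an added example, not the thread authors' tooling; the function names, thresholds and sample tweets are constructed, and it assumes the code is separated from the tweet body by whitespace.

```python
import re
from collections import defaultdict

# Trailing token of exactly four ASCII letters (assumed whitespace-separated).
SUFFIX = re.compile(r"\s+[A-Za-z]{4}\s*$")

def normalize(text):
    """Drop one trailing four-letter token, collapse whitespace, ignore case."""
    body = SUFFIX.sub("", text)
    return " ".join(body.split()).casefold()

def find_clusters(tweets, min_accounts=3, min_codes=3):
    """Return {body: accounts} for bodies shared by several accounts that each
    append a different suffix. Requiring distinct suffixes avoids flagging
    ordinary identical tweets that simply end in a four-letter word."""
    groups = defaultdict(list)
    for account, text in tweets:
        match = SUFFIX.search(text)
        if match:  # tweets without a four-letter tail are ignored
            groups[normalize(text)].append((account, match.group().strip()))
    clusters = {}
    for body, hits in groups.items():
        accounts = {acct for acct, _ in hits}
        codes = {code.casefold() for _, code in hits}
        if len(accounts) >= min_accounts and len(codes) >= min_codes:
            clusters[body] = sorted(accounts)
    return clusters

# Constructed sample data, not real tweets or real account names.
SAMPLE = [
    ("acct_a1", "Constructed talking point number one qkzt"),
    ("acct_a2", "Constructed talking point number one WMPL"),
    ("acct_a3", "constructed talking point  number one hvbn"),
    ("acct_b1", "Good morning, have a nice week"),   # same tail every time
    ("acct_b2", "Good morning, have a nice week"),
    ("acct_b3", "Good morning, have a nice week"),
    ("acct_c1", "Unrelated tweet about lunch today"),  # five-letter tail
]

if __name__ == "__main__":
    for body, accounts in find_clusters(SAMPLE).items():
        print(f"{len(accounts)} accounts share: {body!r} -> {accounts}")
```

In practice the flagged clusters are a starting point for the other checks the thread mentions, such as creation dates and naming schemes.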
Most of the Twitter account listings on accs-market(dot)com include the account's @-name, but in this case the seller has hidden it. The account's display name, profile pic, and follower count are included, and it is apparently verified (blue check), so maybe we can find it.
Sure enough, a verified account named @DakotaPrukop (ID 310045063) exists and has roughly the same number of followers as the account advertised as for sale. It appears to have changed its profile pic, but a recent archive of its feed shows the same pic featured in the listing.
Daylight savings time has begun (in the USA, at least), and what better way to mark the occasion than by looking at a quote tweet astroturf botnet? #SundaySpam
This network consists of 4399 accounts, created between January 23rd and January 25th 2021. The 4399 bots all follow the same 13 cryptocurrency/blockchain-themed accounts (or a subset thereof) and no other accounts.
The accounts in this network send all of their tweets via the Twitter Web App (allegedly). All of their content is either retweets or quote tweets - no original tweets or replies.
As it turns out, the @BlockchainCutie account amplified by the botnet described in this previous thread has a bunch of fake followers. We took a closer look at the largest network following it.
3117 of @BlockchainCutie's followers are batch-created accounts created in late 2020 that we believe to be part of a single botnet. To find the rest of the botnet, we explored the followers of the other accounts these 3117 bots follow.
This botnet consists of 9640 accounts, created in batches between October 15th and December 18th 2020. All of these accounts tweet exclusively via the Twitter Web App - no tweets sent via Android or iPhone, which is itself anomalous.