Is astroturfing with HootSuite still a thing in April 2021? It sure looks that way - we found a network (or possibly two networks) using HootSuite for synchronized retweets, which the accounts then undo after a few hours. #Lobsterfest
First, here's a thread with some background on tweetdecking, the form of astroturfing this network engages in, which involves groups of accounts that retweet the same tweets at the same time, and then undo their retweets after the tweets go viral.
We found 28 accounts that appear to be using the Hootsuite app for astroturfing. We found two separate groups (each amplifying its own lineup of tweets), one consisting of 18 accounts and one consisting of 10 accounts. The larger group appears to undo their retweets more quickly.
Retweet network for the Hootsuite astroturfing network(s). The network consists of two clusters, matching the two groups of accounts we previously identified. (There is some crossover where accounts from one cluster amplify accounts from the other.)
How much reach does the amplification from these networks provide? These 28 accounts have a total of 333891 distinct followers, so coordinated retweets from them do provide a substantial audience despite the relatively small number of accounts involved in the operation.
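One way to surface groups like the two described above from retweet data, as an added example that is not the thread author's tooling. The 60-second window, the three-shared-tweet threshold, the function names and the sample events are all assumptions, and the sketch covers only the synchronized retweets, not the later undo step.

```python
from collections import defaultdict
from itertools import combinations

def co_retweet_groups(events, window=60, min_shared=3):
    """Group accounts that retweet the same tweets within `window` seconds
    of each other on at least `min_shared` distinct tweets.
    events: iterable of (account, tweet_id, unix_ts). Thresholds are assumed."""
    by_tweet = defaultdict(list)
    for account, tweet_id, ts in events:
        by_tweet[tweet_id].append((ts, account))
    shared = defaultdict(set)  # (acct_a, acct_b) -> tweets retweeted together
    for tweet_id, rts in by_tweet.items():
        rts.sort()
        for (t1, a), (t2, b) in combinations(rts, 2):
            if a != b and t2 - t1 <= window:
                shared[tuple(sorted((a, b)))].add(tweet_id)
    parent = {}  # union-find over accounts linked by a strong pair
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for (a, b), tweets in shared.items():
        if len(tweets) >= min_shared:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for acct in list(parent):
        groups[find(acct)].add(acct)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

def sample_events():
    """Constructed data: two coordinated groups plus two unrelated accounts."""
    ev = []
    for i, tid in enumerate((101, 102, 103)):
        base = 1_000_000 + i * 3600
        ev += [("a1", tid, base), ("a2", tid, base + 5), ("a3", tid, base + 12)]
    for i, tid in enumerate((201, 202, 203)):
        base = 2_000_000 + i * 3600
        ev += [("b1", tid, base), ("b2", tid, base + 8)]
    # o1 lands inside the window once (coincidence); o2 retweets much later
    ev += [("o1", 101, 1_000_030), ("o2", 102, 1_008_600)]
    return ev

if __name__ == "__main__":
    for group in co_retweet_groups(sample_events()):
        print(len(group), group)
```

Requiring several shared tweets per pair is what keeps a single coincidental retweet (the constructed `o1` account) out of a group.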
Meet @BlancaMatos13, a four-week-old Twitter account with a penchant for using stolen photos and a distaste for Ecuadorian presidential candidate Andrés Arauz. Unsurprisingly, this account is not a solo act.
The @BlancaMatos13 account is part of a network of (at least) 63 accounts created in batches in March 2021 that all tweet almost exclusively via TweetDeck and have Ecuador as their profile location. Most operate on very similar schedules.
This network is likely using TweetDeck's scheduling feature, which disproportionately posts its tweets during the first second of the minute for which they are scheduled. (It's also possible that TweetDeck is being automated using other software with similar scheduling behavior.)
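The first-second-of-the-minute signal can be checked per account with a simple tail test, shown here as an added example that is not the thread author's code. It assumes that unscheduled tweets land on each second of the minute with equal probability (1/60); the function names, thresholds and sample accounts are constructed for illustration.

```python
import math
from datetime import datetime, timezone

def second_zero_stats(timestamps):
    """Return (n, k, share, p_value): k of n tweets were posted at second :00,
    p_value is the exact chance of seeing >= k under a uniform 1/60 baseline."""
    n = len(timestamps)
    k = sum(1 for ts in timestamps if ts.second == 0)
    p0 = 1 / 60
    tail = sum(math.comb(n, i) * p0**i * (1 - p0)**(n - i)
               for i in range(k, n + 1))
    return n, k, (k / n if n else 0.0), tail

def flag_scheduled(accounts, alpha=1e-6, min_tweets=20):
    """Names of accounts whose second-:00 share is implausible by chance.
    alpha and min_tweets are assumed thresholds; very small samples are skipped."""
    flagged = []
    for name, stamps in accounts.items():
        n, _, _, p = second_zero_stats(stamps)
        if n >= min_tweets and p < alpha:
            flagged.append(name)
    return sorted(flagged)

def sample_accounts():
    """Constructed timestamps, not real account data."""
    def at(minute, second):
        return datetime(2021, 3, 20, 12, minute, second, tzinfo=timezone.utc)
    return {
        # 30 of 40 tweets on second :00, the rest spread out
        "sched_acct": [at(i, 0 if i < 30 else (i * 7) % 60) for i in range(40)],
        # seconds spread across the minute; only the first falls on :00
        "organic_acct": [at(i, (i * 7) % 60) for i in range(40)],
        # all on :00 but too few tweets to judge
        "tiny_acct": [at(i, 0) for i in range(5)],
    }

if __name__ == "__main__":
    for name, stamps in sample_accounts().items():
        print(name, second_zero_stats(stamps))
    print("flagged:", flag_scheduled(sample_accounts()))
```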
What's with all these recently-created accounts with variations on "Selected Items. Deals. Product Information. Daily Updated. (eBay Links)" in their profiles?
Answer: these accounts are part of a spam botnet consisting of 73 accounts created between October 2020 and March 2021 (most of them in February or March 2021). All the accounts in this botnet are named after various products (automotive supplies are a frequent theme).
The bots in this network do all of their tweeting via automation service dlvr(dot)it, with most of the accounts being active round-the-clock. The network has tweeted 123037 times thus far, with almost all of the volume in February and March 2020.
Meet @coshdisme10853 (and its thirty thousand automated siblings). Back in 2015 and 2016, this account was tweeting in Spanish, but it went to sleep for a few years and recently woke up and started retweeting English cryptocurrency tweets. #SundaySpam
The @coshdisme10853 account is part of a botnet consisting of 31014 accounts created back in May 2014. Accounts were created in batches and followed the big accounts they follow en masse. (Each bot follows 20-30 or so of the other bots in the network.)
Who does this botnet follow? Primarily Spanish-language accounts (mostly Mexican public figures and brand accounts), with @Chertorivski, @MaruchanRamenMx and @MaruchanMx at the top of the list. (We believe that this is the first botnet we've found following a ramen company.)
By reverse image searching a GAN-generated face pic (i.e. the "faces" produced by thispersondoesnotexist.com), one can often find Twitter accounts with GAN-generated profile pics. Today's search led to a massive botnet with a bit of everything. #ThursdayShenaniGANs
This botnet consists of 16512 accounts, created in batches between February 18th and March 21st, 2021. All either follow or are followed by dozens or hundreds of other members of the botnet (and by very few accounts that are not part of the botnet).
The bots in this network are grouped into clusters of a few hundred accounts each that follow or are followed by many other accounts within their cluster. The accounts mostly don't follow accounts in other clusters, but do reply to them.
In the aftermath of the Boulder shooting, a variety of speculation about the attack made the rounds on Twitter. We categorized the tweets based on keywords used. The most common categories:
• apprehended + white
• Muslim, Syria(n), or ISIS
• Boebert
The themes of the tweets changed over time. Tweets mentioning vaccines were common early on, but were quickly eclipsed by the apprehended+white and Boebert categories. The Muslim/Syria and Washington Post/anti-Trump categories took off after the shooter's name was released.
Retweet network for tweets prior to the announcement of the shooter's name containing "Boulder" or "Table Mesa" and one or more of the keywords we analyzed. It's almost all left-wing accounts, mostly focused on the apprehended+white and assault rifle ban/overturn categories.
It's either the second day of spring or fall (depending on where you are), so here's a look at a botnet following the official Twitter account of right wing think tank @Heritage Foundation. #SundaySpam
This botnet consists of 28971 accounts, created Nov 2013 - Jan 2014. All their tweets were sent via "Twitter Web Client", and none has tweeted since 2014. None has liked a tweet, and all have the same display name as @-name (including lack of space between first and last name).
Who does this botnet follow? The majority of the beneficiaries of its bogus follows are the official accounts of businesses (including some fairly large companies such as @Citibank and @WhiteCastle). The @Heritage Foundation (followed by 2845 of the bots) is a notable outlier.