This botnet consists of 99 accounts created between 2010 and 2015 (mostly 2013). All have some variant of "p o r n" as their display name, and all were mostly dormant until mid-April 2021.
This pornbot network tweets prolifically via TweetDeck (223566 tweets from 99 accounts over the span of just two weeks). The majority of the accounts tweet round-the-clock, with some ceasing operation after a few hours or days of activity.
Is this botnet using TweetDeck's scheduling feature to accomplish its 24/7 presence? Almost all scheduled TweetDeck tweets are posted within the first second of the minute for which they are scheduled, which isn't true of this botnet's tweets.
The botnet's tweets do have a timing anomaly, however. It began by posting its tweets shortly before the start of each minute, but it is slowly falling behind: on 4/20, it was tweeting ~10 seconds into each minute, and today (4/25) it is tweeting ~23 seconds into each minute.
What would explain this behavior? A likely explanation is that the botnet operators wrote their own scheduling software that fails to account for some form of latency, and thus slowly falls behind schedule when run for a long period of time.
What does this botnet actually tweet? The tweets are extremely repetitive and consist of single words such as "XXX" or "video" followed by four tags of one of two porn accounts (@/porn_sex_linkkk and @/sex_porn_linkk), followed by a random number.
The two tagged porn accounts in turn have what appear to be blogspot links that actually redirect to endless signup pages for an obscure "dating site" in multiple languages. The site is likely unsafe and we recommend neither visiting it nor providing it any information.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Why did this @serdaribrahimke tweet objecting to Biden's acknowledgement of the #ArmenianGenocide mostly get retweeted by accounts created this month with names ending in 4 digits? #SaturdaySpam
Answer: a retweet botnet, consisting of 45 accounts made between April 22nd and April 24th, 2021. All have names ending in four digits, and all (allegedly) send most of their tweets via Twitter for iPad with occasional use of Twitter for Android.
This botnet has thus far posted no original content whatsoever. All of its 3016 tweets are retweets, almost all of which are of Turkish-language content.
This network consists of 24 accounts created between May 2019 and December 2020. All have GAN-generated face images as their profile pics. Presently, all 24 (allegedly) tweet via the Twitter Web App.
The current generation of GAN-generated face pics have the anomaly that the major facial features (particularly the eyes) are in the same pixel position on each image. This trait becomes easy to see when we blend the images together, as in this video:
This video shows the process of blending @JaredLCarter's profile pic with 9 pictures generated by thispersondoesnotexist.com, demonstrating that the major facial features (particularly the eyes) are in the exact same place, a fingerprint of unmodified GAN-generated face pics.
(more threads on the use of GAN-generated images and how to detect them here:
One of the accounts that @DrunkAlexJones was forced to follow by the "Round Year Fun" app is @drago1171, an account created in 2009 with a GAN-generated face pic that follows several other old accounts with GAN-generated face pics. #SaturdayShenaniGANs
By recursively exploring the followers/followees of these accounts, we found a network of 54 accounts created in 2009 or 2010 with GAN-generated faces. All were dormant from late 2012 until April 2021, when all 54 began tweeting via the Twitter Web App.
Here's an animated visualization of blending all 54 profile pics together, showing the identical facial feature placement that is a fingerprint of GAN-generated pics such as those created by thispersondoesnotexist.com. (GAN = "generative adversarial network", the AI technique used.)
PSA: These "fun" apps from roundyear(dot)fun ("My Twitter Family" etc) have a downside: they gain near-total control of your account and (at the very least) use it to follow other accounts without your knowledge. #FunAllYearRoundUntilYourAccountGetsCompromised
We had @DrunkAlexJones test some of the Round Year Fun apps. The list of permissions the apps request is extensive and encompasses pretty much every action one could possibly take with one's Twitter account. The apps produced the expected "My Twitter Crush" etc tweets.
These eight accounts were all created on either February 18th or February 21st, 2021. Thus far, they have tweeted very little (only 58 tweets), and have sent all their tweets via the Twitter Android app. Two of them (@An_mal12 and @An_mal14) currently have identical biographies.
The majority of these accounts' tweets so far are extremely brief replies to each other (and sometimes replies to each other's replies to each other, and so on). They have also posted a few follower growth tweets, including retweets of a tweet that contains a likely malware link.