Share this page!

Maybe Scrolly?
Conspirador Norteño Profile picture
Twitter logo
30 Apr, 8 tweets, 4 min read
How does one find bot/sock networks? One technique that sometimes bears fruit is to gather a bunch of tweets with some common characteristic (in this example, Turkish tweet sent with TweetDeck), plot the account creation dates, and look for spikes.

cc: @ZellaQuixote
Two of the creation date spikes (Jan 1 and Mar 15, 2021) are batches of accounts that are part of the same botnet: a 32-account porn network whose members tweet at the same times each day via TweetDeck and occasionally via the Twitter Web App. Most were created in 2020 or 2021.
The botnet also contains three accounts created in 2009. It is possible that these were purchased/hacked/otherwise repurposed, as all three have changed their display name significantly and one has changed its @-name as well.
This network posts two types of tweets: original tweets sent mostly via TweetDeck, and retweets sent via the Twitter Web App. The original tweets are repetitive porn tweets with images, while the retweets are mostly of other accounts in the network.
The scheduling features of both TweetDeck and the Twitter website (usually) post scheduled tweets in the first second of the minute for which they are scheduled. Based on this, this pornbot network's TweetDeck tweets appear to be scheduled, while its web tweets do not.
(thread with more background on the timing of scheduled TweetDeck tweets)
Every account in this botnet follows or is followed by every other account in the botnet. (Some follows are mutual, some are not.) The bots follow very few accounts outside the network, mostly large Turkish accounts and porn accounts.
As is popular with pornbot networks, these accounts use stolen profile pics. TinEye proved to be more effective than Google or Yandex at finding other uses of these images on the internet. Most are cropped versions of larger photographs.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Conspirador Norteño

Conspirador Norteño Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @conspirator0

Conspirador Norteño Profile picture
1 May
What's up with all these recently created accounts with identical biographies and a fondness for using UNNECESSARY CAPITAL LETTERS in their display names? #SundaySpam

cc: @ZellaQuixote Image
Answer: they're part of a botnet, consisting of (at least) 568 accounts, all but three of which were created between October 2020 and April 2021. All have identical biographies and links to a telegram channel called "TRADING NATION" on their profiles. ImageImageImage
All of this network's recent tweets were (allegedly) sent via the Twitter Web App. The three accounts that have older tweets have periods where they used IFTTT and Twitter Web Client (the old version of the Twitter website) as well. ImageImage
Read 8 tweets
Conspirador Norteño Profile picture
29 Apr
Are these spammy replies from accounts with cat avatars some mysterious form of feline communication? Nope, it's another botnet, and the cats are fake (GAN-generated, similar to those produced by thiscatdoesnotexist.com).

cc: @ZellaQuixote
The reply spammers with the GAN-generated cat pics follow a bunch of other accounts with GAN-generated cat avatars, as well as GAN-generated human face pics and anime pics (and some other things), all with similar follow stats and all created in April 2021.
By recursively exploring the follow relationships of the initial group of accounts, we found 5007 accounts that we believe to be part of the botnet, created in batches between April 2nd and April 27th, 2021.
Read 10 tweets
Conspirador Norteño Profile picture
25 Apr
It's a great day to look at an incredibly repetitive pornbot network that tags its tweets with random numbers. #SundaySpam

cc: @ZellaQuixote
This botnet consists of 99 accounts created between 2010 and 2015 (mostly 2013). All have some variant of "p o r n" as their display name, and all were mostly dormant until mid-April 2021.
This pornbot network tweets prolifically via TweetDeck (223566 tweets from 99 accounts over the span of just two weeks). The majority of the accounts tweet round-the-clock, with some ceasing operation after a few hours or days of activity.
Read 8 tweets
Conspirador Norteño Profile picture
24 Apr
Why did this @serdaribrahimke tweet objecting to Biden's acknowledgement of the #ArmenianGenocide mostly get retweeted by accounts created this month with names ending in 4 digits? #SaturdaySpam

cc: @ZellaQuixote
Answer: a retweet botnet, consisting of 45 accounts made between April 22nd and April 24th, 2021. All have names ending in four digits, and all (allegedly) send most of their tweets via Twitter for iPad with occasional use of Twitter for Android.
This botnet has thus far posted no original content whatsoever. All of its 3016 tweets are retweets, almost all of which are of Turkish-language content.
Read 6 tweets
Conspirador Norteño Profile picture
23 Apr
It's a great day to look at a network of #SEO/#DigitalMarketing spam accounts with GAN-generated profile pics. #SEOShenaniGAN

(GAN = "generative adversarial network, the AI technique behind the fake faces generated by thispersondoesnotexist.com and similar tools)

cc: @ZellaQuixote
This network consists of 24 accounts created between May 2019 and December 2020. All have GAN-generated face images as their profile pics. Presently, all 24 (allegedly) tweet via the Twitter Web App.
The current generation of GAN-generated face pics have the anomaly that the major facial features (particularly the eyes) are in the same pixel position on each image. This trait becomes easy to see when we blend the images together, as in this video:
Read 6 tweets
Conspirador Norteño Profile picture
19 Apr
Meet @JaredLCarter (permanent ID 150677979), a "Cyber Security PhD" with a GAN-generated profile pic and a blue verification checkmark.

(GAN = "generative adversarial network", the AI technology behind the fake face pics generated by thispersondoesnotexist.com)

cc: @ZellaQuixote
This video shows the process of blending @JaredLCarter's profile pic with 9 pictures generated by thispersondoesnotexist.com, demonstrating that the major facial features (particularly the eyes) are in the exact same place, a fingerprint of unmodified GAN-generated face pics.
(more threads on the use of GAN-generated images and how to detect them here: )
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @conspirator0 has new unrolls!

Check out other threads from @conspirator0!

Read all threads by @conspirator0