It's not often that the majority of the tweets containing a given hashtag turn out to have been posted with TweetDeck, but so it goes with #UnSoloPaís. 627 of 667 tweets (94%) posted over the last week containing this hashtag were sent via TweetDeck.
Most of these tweets came from a network of 107 Spanish-language accounts that tweet almost exclusively via TweetDeck. These accounts were created between August 2020 and April 2021, mostly in batches of multiple accounts.
These accounts tweet a variety of hashtags, with #UnSoloPais (the unaccented form of #UnSoloPaís) being the most frequent, and various hashtags supporting President-elect of Ecuador Guillermo Lasso and attacking his opponent Andrés Arauz turning up frequently.
The content the network retweets is similar: pro-Lasso and anti-Arauz tweets. 3158 of 19822 of tweets retweeted by the botnet are of other accounts in the network, with the remainder mostly being larger political/media accounts.
In addition to the political content, most of the accounts in this network tweet repetitive Spanish greetings/pleasantries. (Some of these are obviously common phrases that are also tweeted by accounts that aren't bots/socks, but some of the repeated tweets are more distinctive.)
Finally, as is often the case with bot/sock networks, these accounts use stolen profile pics. TinEye was more effective at dealing with this bunch of images than either Google or Yandex reverse image searches.
Footnote: this network is similar to another (now suspended) Ecuador-focused TweetDeck network we looked at back in March:
Each of the five accounts in this botnet tweets via its own custom automation app, all of which have names beginning with "test" or "testing" and ending in long strings of digits.
The vast majority (90.9%) of this botnet's content is retweets, with replies rounding out the remainder. It mostly retweets and replies to giveaway tweets, generally from cryptocurrency or gaming accounts.
What's up with all these recently created accounts with identical biographies and a fondness for using UNNECESSARY CAPITAL LETTERS in their display names? #SundaySpam
Answer: they're part of a botnet, consisting of (at least) 568 accounts, all but three of which were created between October 2020 and April 2021. All have identical biographies and links to a telegram channel called "TRADING NATION" on their profiles.
All of this network's recent tweets were (allegedly) sent via the Twitter Web App. The three accounts that have older tweets have periods where they used IFTTT and Twitter Web Client (the old version of the Twitter website) as well.
How does one find bot/sock networks? One technique that sometimes bears fruit is to gather a bunch of tweets with some common characteristic (in this example, Turkish tweet sent with TweetDeck), plot the account creation dates, and look for spikes.
Two of the creation date spikes (Jan 1 and Mar 15, 2021) are batches of accounts that are part of the same botnet: a 32-account porn network whose members tweet at the same times each day via TweetDeck and occasionally via the Twitter Web App. Most were created in 2020 or 2021.
The botnet also contains three accounts created in 2009. It is possible that these were purchased/hacked/otherwise repurposed, as all three have changed their display name significantly and one has changed its @-name as well.
Are these spammy replies from accounts with cat avatars some mysterious form of feline communication? Nope, it's another botnet, and the cats are fake (GAN-generated, similar to those produced by thiscatdoesnotexist.com).
The reply spammers with the GAN-generated cat pics follow a bunch of other accounts with GAN-generated cat avatars, as well as GAN-generated human face pics and anime pics (and some other things), all with similar follow stats and all created in April 2021.
By recursively exploring the follow relationships of the initial group of accounts, we found 5007 accounts that we believe to be part of the botnet, created in batches between April 2nd and April 27th, 2021.
This botnet consists of 99 accounts created between 2010 and 2015 (mostly 2013). All have some variant of "p o r n" as their display name, and all were mostly dormant until mid-April 2021.
This pornbot network tweets prolifically via TweetDeck (223566 tweets from 99 accounts over the span of just two weeks). The majority of the accounts tweet round-the-clock, with some ceasing operation after a few hours or days of activity.
Why did this @serdaribrahimke tweet objecting to Biden's acknowledgement of the #ArmenianGenocide mostly get retweeted by accounts created this month with names ending in 4 digits? #SaturdaySpam
Answer: a retweet botnet, consisting of 45 accounts made between April 22nd and April 24th, 2021. All have names ending in four digits, and all (allegedly) send most of their tweets via Twitter for iPad with occasional use of Twitter for Android.
This botnet has thus far posted no original content whatsoever. All of its 3016 tweets are retweets, almost all of which are of Turkish-language content.