A May 3rd 2021 tweet from @SpokespersonCHN about a boy with serious arm injuries being flown to Xinjiang for medical treatment attracted a flurry of retweets and repetitive replies in multiple languages from accounts with default profile pics.
These replies are from a network of 479 accounts created in batches between January and April 2021. All accounts have English first and last names (first names are almost all female). These accounts have thus far posted all of their tweets via the Twitter Web App (allegedly).
This network's content is (mostly) a mix of replies and retweets. The replies are repeated verbatim across multiple accounts. Despite all of the accounts having English-looking names, the accounts are quite multilingual, having replied in 37 different languages thus far.
The bulk of this network's amplification thus far is of two recent tweets about the injured boy's surgery in Xinjiang, which were retweeted and replied to by hundreds of members of the network. Previously, part of the network boosted tweets about COVID conspiracist Li-Meng Yan.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Here's an interesting account: @Right_n_Aware. Almost all of this account's tweets (177 of 193) have the curious property that they are duplicated verbatim on other accounts. #SpamTastic
We found a total of 78 accounts (including @Right_n_Aware) that frequently tweet the same tweets verbatim. Almost all were created in 2020 or 2021, and almost all have more tweets than likes. They post the majority of their tweets via "Twitter for Android".
This network's duplicate tweets are almost all political in nature, with criticism of the governments of China and Pakistan as the primary themes. Most of the duplicated tweets were tweeted first by either @Right_n_Aware or @ProwessSilent.
All twelve of these accounts have the same anomalous pattern in their followers: long spans of time post-2019 where nearly all their new followers are accounts created prior to mid-November 2018. What's up with that? #WednesdayWisdom
The twelve accounts don't have the same anomalous followers, however, and the anomalous followers in question by and large don't look like batch-created accounts or obvious bots. The twelve accounts do have something in common, however. . .
All twelve accounts are being promoted in Twitter's "who to follow" section. We're not precisely sure why, but there appears to be a correlation between this form of Twitter promotion and accounts mostly gaining followers created before November 2018.
Each of the five accounts in this botnet tweets via its own custom automation app, all of which have names beginning with "test" or "testing" and ending in long strings of digits.
The vast majority (90.9%) of this botnet's content is retweets, with replies rounding out the remainder. It mostly retweets and replies to giveaway tweets, generally from cryptocurrency or gaming accounts.
It's not often that the majority of the tweets containing a given hashtag turn out to have been posted with TweetDeck, but so it goes with #UnSoloPaís. 627 of 667 tweets (94%) posted over the last week containing this hashtag were sent via TweetDeck.
Most of these tweets came from a network of 107 Spanish-language accounts that tweet almost exclusively via TweetDeck. These accounts were created between August 2020 and April 2021, mostly in batches of multiple accounts.
These accounts tweet a variety of hashtags, with #UnSoloPais (the unaccented form of #UnSoloPaís) being the most frequent, and various hashtags supporting President-elect of Ecuador Guillermo Lasso and attacking his opponent Andrés Arauz turning up frequently.
What's up with all these recently created accounts with identical biographies and a fondness for using UNNECESSARY CAPITAL LETTERS in their display names? #SundaySpam
Answer: they're part of a botnet, consisting of (at least) 568 accounts, all but three of which were created between October 2020 and April 2021. All have identical biographies and links to a telegram channel called "TRADING NATION" on their profiles.
All of this network's recent tweets were (allegedly) sent via the Twitter Web App. The three accounts that have older tweets have periods where they used IFTTT and Twitter Web Client (the old version of the Twitter website) as well.
How does one find bot/sock networks? One technique that sometimes bears fruit is to gather a bunch of tweets with some common characteristic (in this example, Turkish tweet sent with TweetDeck), plot the account creation dates, and look for spikes.
Two of the creation date spikes (Jan 1 and Mar 15, 2021) are batches of accounts that are part of the same botnet: a 32-account porn network whose members tweet at the same times each day via TweetDeck and occasionally via the Twitter Web App. Most were created in 2020 or 2021.
The botnet also contains three accounts created in 2009. It is possible that these were purchased/hacked/otherwise repurposed, as all three have changed their display name significantly and one has changed its @-name as well.