August 30, 2017

I awoke this morning to find my account on Twitter (@briankrebs) had attracted almost 12,000 new followers overnight. Then I noticed I’d gained almost as many followers as the number of re-tweets (RTs) earned for a tweet I published on Tuesday. The tweet stated how every time I tweet something related to Russian President Vladimir Putin I get a predictable stream of replies that are in support of President Trump — even in cases when neither Trump nor the 2016 U.S. presidential campaign were mentioned.

This tweet about Putin generated more than 12,000 retweets and likes in a few hours.

This tweet about Putin generated more than 12,000 retweets and likes in a few hours.

Upon further examination, it appears that almost all of my new followers were compliments of a social media botnet that is being used to amplify fake news and to intimidate journalists, activists and researchers. The botnet or botnets appear to be targeting people who are exposing the extent to which sock puppet and bot accounts on social media platforms can be used to influence public opinion.

After tweeting about my new bounty of suspicious-looking Twitter friends I learned from my legitimate followers on Twitter that @briankrebs wasn’t alone and that several journalists and nonprofit groups that have written recently about bot-like activity on Twitter experienced something similar over the past few days.

These tweet and follow storms seem capable of tripping some kind of mechanism at Twitter that seeks to detect when accounts are suspected of artificially beefing up their follower counts by purchasing followers (for more on that dodgy industry, check out this post).

Earlier today, Daily Beast cybersecurity reporter Joseph Cox had his Twitter account suspended temporarily after the account was the beneficiary of hundreds of bot followers over a brief period on Tuesday. This likely was the goal in the campaign against my site as well.

Cox observed the same likely bot accounts that followed him following me and a short list of other users in the same order.

Cox observed the same likely bot accounts that followed him following me and a short list of other users in the same order.

“Right after my Daily Beast story about suspicious activity by pro-Kremlin bots went live, my own account came under attack,” Cox wrote.

Let that sink in for a moment: A huge collection of botted accounts — the vast majority of which should be easily detectable as such — may be able to abuse Twitter’s anti-abuse tools to temporarily shutter the accounts of real people suspected of being bots!

Overnight between Aug. 28 and 29, a large Twitter botnet took aim at the account for the Digital Forensic Research Lab, a project run by the Atlantic Council, a political think-tank based in Washington, D.C. In a post about the incident, DFRLab said the attack used fake accounts to impersonate and attack its members.

Those personal attacks — which included tweets and images lamenting the supposed death of DFR senior fellow Ben Nimmo — were then amplified and re-tweeted by tens of thousands of apparently automated accounts, according to a blost post published today by DFRLab.

Suspecting that DFRLab was now being followed by many more botted accounts that might retweet or otherwise react to any further tweets mentioning bot attacks, Nimmo cleverly composed another tweet about the bot attack — only this time CC’ing the @Twitter and @Twittersupport accounts. Sure enough, that sly tweet was retweeted by bots more than 73,000 times before the tweet storm died down.


“We considered that the bots had probably been programmed to react to a relatively simple set of triggers, most likely the words ‘bot attack’ and the @DFRLab handle,” Nimmo wrote. “To test the hypothesis, we posted a tweet mentioning the same words, and were retweeted over 500 times in nine minutes — something which, admittedly, does not occur regularly with our human followers.” Read more about the DFRLab episode here.

This week’s Twitter bot drama follows similar attacks on public interest groups earlier this month. On Aug. 19, the award-winning investigative journalism site published the story, Leading Tech Companies Help Extremist Sites Monetize Hate.

On the morning of Tuesday, Aug. 22, several ProPublica reporters began receiving email bombs — email list subscription attacks that can inundate a targeted inbox with dozens or even hundreds of email list subscription confirmation requests per minute. These attacks are designed to deluge the victim’s inbox with so many subscription confirmation requests that it becomes extremely time-consuming to fish out the legitimate messages amid the dross.

On Wednesday ProPublica author Jeff Larson saw a tweet he sent about the email attacks get re-tweeted 1,200 times. Later that evening, senior reporting fellow Lauren Kirchner noticed a similar sized response to her tweet about how the subscription attack was affecting her ability to respond to messages.

On top of that, several ProPublica staffers suddenly gained about 500 new followers. On Thursday, ProPublica’s managing editor Eric Umansky noticed that a tweet accusing ProPublica of being an “alt-left #HateGroup and #FakeNews site funded by Soros” had received more than 23,000 re-tweets.

Today, the 500 or so bot accounts that had followed the ProPublica employees unfollowed them. Interestingly, a little more than 24 hours after the tweet that got my account 12,000+ new followers, all of those followers are no longer following @briankrebs.

I thought at first perhaps Twitter had suspended the accounts, but a random check of the 11,500+ accounts that I was able to catalog today as new followers shows that most of them remain active.

Asked to respond to criticism that it isn’t doing enough to find and ban bot accounts on its network, Twitter declined to comment, directing me instead to this post in June from Twitter Vice President of Public Policy Colin Crowell, which stated in part:

While bots can be a positive and vital tool, from customer support to public safety, we strictly prohibit the use of bots and other networks of manipulation to undermine the core functionality of our service. We’ve been doubling down on our efforts here, expanding our team and resources, and building new tools and processes. We’ll continue to iterate, learn, and make improvements on a rolling basis to ensure our tech is effective in the face of new challenges.

We’re working hard to detect spammy behaviors at source, such as the mass distribution of Tweets or attempts to manipulate trending topics. We also reduce the visibility of potentially spammy Tweets or accounts while we investigate whether a policy violation has occurred. When we do detect duplicative, or suspicious activity, we suspend accounts. We also frequently take action against applications that abuse the public API to automate activity on Twitter, stopping potentially manipulative bots at the source.

It’s worth noting that in order to respond to this challenge efficiently and to ensure people cannot circumvent these safeguards, we’re unable to share the details of these internal signals in our public API. While this means research conducted by third parties about the impact of bots on Twitter is often inaccurate and methodologically flawed, we must protect the future effectiveness of our work.

It is possible that someone or some organization is simply purchasing botted accounts from shadowy sellers who peddle these sorts of things. If that’s the case, however, whoever built the botnet that retweeted my tweet 12,000 times certainly selected a diverse range of accounts.

Ed Summers, a software developer at the Maryland Institute for Technology in the Humanities, graciously offered to grab some basic information about the more than 11,500 suspected new bot followers that were still following my account earlier this morning. An analysis of that data indicates that more than 75 percent of the accounts (8,836) were created before 2013 — with the largest group of accounts (3,366) created six years ago.

Summers has published the entire list of suspected bot accounts at his Github page. He’s also published a list of the 20,000 or so suspected bot accounts that re-tweeted Nimmo’s fake death, and found an overlap of at least 1,865 accounts with the 11,500+ suspected bot accounts that targeted my account this week.

I mentioned earlier that most of these bot accounts should have been easy to detect as such: The vast majority of bot accounts that hit my account this week had very few followers: More than 2,700 have zero followers, and more than half of the accounts have fewer than five followers.

Finally, I’ve noticed that most of them appear to be artificially boosting the popularity of a broad variety of businesses and entertainers around the globe, often using tweets from multiple languages. When these bots are not intimidating or otherwise harassing reporters and researchers, they appear to be part of a business that can be hired to do promotional tweets.

An analysis of the data by @ChiefKleck

Further reading:

Twitter Bots Drown Out Anti-Kremlin Tweets

Buying Battles in the War on Twitter Spam Tracking Russian Influence Operations on Twitter

Update: 9:52 a.m. ET: Corrected spelling of name for managing editor of ProPublica.

86 thoughts on “Twitter Bots Use Likes, RTs for Intimidation

  1. Will

    Bots still count towards daily active users, still probably view advertisements that Twitter makes money on etc, so no wonder they are okay with them.

  2. Chris

    I defeated this problem by not participating. I do not tweet, going nor coming. I do not care enough about celebrities to get their tweets. They are all twits, as far as I am concerned.

  3. MowGreen

    Henceforth the “Moronials” who accept tweets at face value shall be known as ” Twidiots ” !

  4. Brian Fags

    Twitter is for fags and empty headed journalists like Brian here.

    1. Tonic

      Um, a lot of those in the LGBT community I know don’t use Twitter at all. In what way is it for them?

      1. Sam

        Being confused about your gender belies bigger personal problems than merely using a stupid social networking service.

  5. J

    It’s getting to the point that Twitter needs to either stop the bots or shut itself down. It’s seriously damaging democracy. Evil people leverage it much more than decent people because the latter won’t break rules (i.e., create fake accounts, especially with bots) to magnify their voices.

    PS Ole chap, I don’t understand another poster who claims Twitter is primarily for cigarettes and empty headed journalists. It seems the poster is a 12-year old boy lobbyist for Phillip Morris — diabolically clever. Just another guerilla campaign promoting cigarettes to children by having a junior high commenter completely humiliate himself in order to evoke adults’ painful memories of their own difficult time going through puberty. We’re on to you, big tobacco.

    1. Eric

      There are times that I would tend to agree, but there are certain things (news alerts from reputable news sources, updates from National Hurricane Center, etc), that it is quite useful.

      Shutting down all of the bot accounts would likely result in them being re-registered under different credentials. If Twitter simply fixed it so that other users never saw any tweets from the bot accounts it would be a big step forward.

      1. PattiM

        It’s a lot more complicated than Brian lets on (if he knows) – try googling Vox POL and watching some of the research going on. Social media is already known to be strongly tied to violence and a big headache for CONUS intelligence.

    2. CorruptCroniz

      You were just trolled by the Alt-Left. Reach out to a liberal cybersecurity blogger with your bot network for hire services. ala russia, ala trump. Get lots of free PR for more fake news. The Russia connection to Trump have been a hilarious farce

  6. William Smith

    Credit where credit is due. Using fake bots to manipulate the public is well American. Search for online persona management contract that was posted by the US military in 2011.

    L’arroseur arrosé.

  7. Peter

    The Putin and Trump bots have become so tiresome lately – hope we come up with a way to expose and ban these accounts!

    1. PattiM

      It would be useful to look at “big data” researchers and the big polling agencies. These use data such as twitter – but you can’t do valid scientific research without validating your data sources. So I’m sure there is research going on as to how to filter out bot action (which is useless for sociemetric big data analysis).

  8. Dee

    This stuff astounds me: when 300 obviously-bot users follow another user, that user’s account gets deactivated. So, the follow-up question: if they were obviously bot users, why weren’t they shut down before that? Reminds me of an old joke about a man who lost his watches in a dark alley and was looking for them under a street lantern, because it’s lighter there.

  9. Dee

    This stuff astounds me: when 300 obviously-bot users follow another user, that user’s account gets deactivated. So, the follow-up question: if they were obviously bot users, why weren’t they shut down before that? Reminds me of an old joke about a man who lost his watches in a dark alley and was looking for them under a street lantern, because it’s lighter there.

  10. Davidc

    I use Twitter and when I get followed because of a bot I simply go to the profile and block. No big deal. Its very rare though. And the people I follow are real people. I don’t understand what the big deal is. If you look into the pit of hell then ya they are gonna look back.

    1. Howard

      “I simply go to the profile and block. No big deal.”

      That may work for one or two bot accounts following you every few days, but does that scale to 800 or 14,500 in a day? That’s what this article is about. A handful of bots by definition doesn’t have a lot of power, and the risk of letting that bot network continue on is fairly low. A bot network of thousands can probably start to sway people on the edges when they try and shift a narrative or get some topic trending.

      1. Candace

        The only tweeters that have these issues are the ones who need numbers in followers. They don’t check each person’s page. I don’t care about have a gazillion followers so each time I get one I vet them. 6 bots last nite.

  11. Steve

    The goal of using the bots is to disrupt communication. Normal people who choose to no longer use social media validate the efforts of those who use the botnets.

  12. Dan

    Surely the target of such attacks is informative by itself? Letting such bots run for a while and observing their topics of concern might clue-in to the agenda behind the targeting.

  13. Robbie

    So. If a “malicious” actor wanted to DDos these bots, all they have to do is register a bunch of fake twitter accounts and send out a few thousand tweets using keywords that trigger them.

  14. HillComeyLynchElizabethCarlisle

    Brian you were just >>trolled<< by the Alt-Left. You should be smarter than that

    1. bill

      Yes the left as right is controlled from the very same source.
      as russia and usa and even north korea is controlled from the same group of people.even mafia mob all organised crime is controlled 100% from those elite group. neeedless to say all this antifa and etc. Allright we know but the question is what you can do about it? Answr is ; nothing !! And those who need to undestood this things will never undestood. Even you undestood,you got nothing to do with that knowledge. But thats how everything run by in this nice world 🙂

    2. John

      Wow, I thought it is just another weird thing I heard from the US, but you dildos actually adopted the word ‘Alt-Left’ instantly like well trained monkeys from your wizard of neologisms. It never seizes to amaze me how people love being spoonfed by their favorite idiot.

  15. PattiM

    Perhaps someone more technically advanced can answer this, but we normal folks have routers provided by our ISP’s and in my experience these are very insecure (the v#ri&on router I had had the password on a web-facing server). Having my own LAN behind a second router does not help prevent the ISP’s router from being botted – so what to do?

  16. Gavin

    Good Article. Twitter is definitely a hot mess of problems right now with bots. FB just admitted to 100K in ads in 2016. I see no end to it without giving up some anonymous freedoms.

  17. MikeM

    I see a new book opportunity here… it used to be they hacked systems and now it is hacking and manipulating public facing services and applications on a global and public, instantaneous way… this means that trad. anti-virus is useless and the public applications need to have enough flexibility and inherent security to prevent abuse. Not an easy task.

  18. SB

    I’ve noticed the same when reading comments on popular sites such as Yahoo. Some news stories will have a comment with an astronomical amount of upvotes while the next comment(s) will have porportionally fewer votes. An example would be an article with 100 comments, yet the top comment will have 5,000 “likes”, the next comment will have 500 likes, and the next comment will have 50 likes, etc. All comments will be in the same vein (either all favorable, or disfavorable regarding the article). It’s so obvious that there is some form of manipulation going on, and I am amazed that the likes of Yahoo, Twitter and Facebook don’t put a stop to it.

Comments are closed.