August 30, 2017

I awoke this morning to find my account on Twitter (@briankrebs) had attracted almost 12,000 new followers overnight. Then I noticed I’d gained almost as many followers as the number of re-tweets (RTs) earned for a tweet I published on Tuesday. The tweet stated how every time I tweet something related to Russian President Vladimir Putin I get a predictable stream of replies that are in support of President Trump — even in cases when neither Trump nor the 2016 U.S. presidential campaign were mentioned.

This tweet about Putin generated more than 12,000 retweets and likes in a few hours.

This tweet about Putin generated more than 12,000 retweets and likes in a few hours.

Upon further examination, it appears that almost all of my new followers were compliments of a social media botnet that is being used to amplify fake news and to intimidate journalists, activists and researchers. The botnet or botnets appear to be targeting people who are exposing the extent to which sock puppet and bot accounts on social media platforms can be used to influence public opinion.

After tweeting about my new bounty of suspicious-looking Twitter friends I learned from my legitimate followers on Twitter that @briankrebs wasn’t alone and that several journalists and nonprofit groups that have written recently about bot-like activity on Twitter experienced something similar over the past few days.

These tweet and follow storms seem capable of tripping some kind of mechanism at Twitter that seeks to detect when accounts are suspected of artificially beefing up their follower counts by purchasing followers (for more on that dodgy industry, check out this post).

Earlier today, Daily Beast cybersecurity reporter Joseph Cox had his Twitter account suspended temporarily after the account was the beneficiary of hundreds of bot followers over a brief period on Tuesday. This likely was the goal in the campaign against my site as well.

Cox observed the same likely bot accounts that followed him following me and a short list of other users in the same order.

Cox observed the same likely bot accounts that followed him following me and a short list of other users in the same order.

“Right after my Daily Beast story about suspicious activity by pro-Kremlin bots went live, my own account came under attack,” Cox wrote.

Let that sink in for a moment: A huge collection of botted accounts — the vast majority of which should be easily detectable as such — may be able to abuse Twitter’s anti-abuse tools to temporarily shutter the accounts of real people suspected of being bots!

Overnight between Aug. 28 and 29, a large Twitter botnet took aim at the account for the Digital Forensic Research Lab, a project run by the Atlantic Council, a political think-tank based in Washington, D.C. In a post about the incident, DFRLab said the attack used fake accounts to impersonate and attack its members.

Those personal attacks — which included tweets and images lamenting the supposed death of DFR senior fellow Ben Nimmo — were then amplified and re-tweeted by tens of thousands of apparently automated accounts, according to a blost post published today by DFRLab.

Suspecting that DFRLab was now being followed by many more botted accounts that might retweet or otherwise react to any further tweets mentioning bot attacks, Nimmo cleverly composed another tweet about the bot attack — only this time CC’ing the @Twitter and @Twittersupport accounts. Sure enough, that sly tweet was retweeted by bots more than 73,000 times before the tweet storm died down.


“We considered that the bots had probably been programmed to react to a relatively simple set of triggers, most likely the words ‘bot attack’ and the @DFRLab handle,” Nimmo wrote. “To test the hypothesis, we posted a tweet mentioning the same words, and were retweeted over 500 times in nine minutes — something which, admittedly, does not occur regularly with our human followers.” Read more about the DFRLab episode here.

This week’s Twitter bot drama follows similar attacks on public interest groups earlier this month. On Aug. 19, the award-winning investigative journalism site published the story, Leading Tech Companies Help Extremist Sites Monetize Hate.

On the morning of Tuesday, Aug. 22, several ProPublica reporters began receiving email bombs — email list subscription attacks that can inundate a targeted inbox with dozens or even hundreds of email list subscription confirmation requests per minute. These attacks are designed to deluge the victim’s inbox with so many subscription confirmation requests that it becomes extremely time-consuming to fish out the legitimate messages amid the dross.

On Wednesday ProPublica author Jeff Larson saw a tweet he sent about the email attacks get re-tweeted 1,200 times. Later that evening, senior reporting fellow Lauren Kirchner noticed a similar sized response to her tweet about how the subscription attack was affecting her ability to respond to messages.

On top of that, several ProPublica staffers suddenly gained about 500 new followers. On Thursday, ProPublica’s managing editor Eric Umansky noticed that a tweet accusing ProPublica of being an “alt-left #HateGroup and #FakeNews site funded by Soros” had received more than 23,000 re-tweets.

Today, the 500 or so bot accounts that had followed the ProPublica employees unfollowed them. Interestingly, a little more than 24 hours after the tweet that got my account 12,000+ new followers, all of those followers are no longer following @briankrebs.

I thought at first perhaps Twitter had suspended the accounts, but a random check of the 11,500+ accounts that I was able to catalog today as new followers shows that most of them remain active.

Asked to respond to criticism that it isn’t doing enough to find and ban bot accounts on its network, Twitter declined to comment, directing me instead to this post in June from Twitter Vice President of Public Policy Colin Crowell, which stated in part:

While bots can be a positive and vital tool, from customer support to public safety, we strictly prohibit the use of bots and other networks of manipulation to undermine the core functionality of our service. We’ve been doubling down on our efforts here, expanding our team and resources, and building new tools and processes. We’ll continue to iterate, learn, and make improvements on a rolling basis to ensure our tech is effective in the face of new challenges.

We’re working hard to detect spammy behaviors at source, such as the mass distribution of Tweets or attempts to manipulate trending topics. We also reduce the visibility of potentially spammy Tweets or accounts while we investigate whether a policy violation has occurred. When we do detect duplicative, or suspicious activity, we suspend accounts. We also frequently take action against applications that abuse the public API to automate activity on Twitter, stopping potentially manipulative bots at the source.

It’s worth noting that in order to respond to this challenge efficiently and to ensure people cannot circumvent these safeguards, we’re unable to share the details of these internal signals in our public API. While this means research conducted by third parties about the impact of bots on Twitter is often inaccurate and methodologically flawed, we must protect the future effectiveness of our work.

It is possible that someone or some organization is simply purchasing botted accounts from shadowy sellers who peddle these sorts of things. If that’s the case, however, whoever built the botnet that retweeted my tweet 12,000 times certainly selected a diverse range of accounts.

Ed Summers, a software developer at the Maryland Institute for Technology in the Humanities, graciously offered to grab some basic information about the more than 11,500 suspected new bot followers that were still following my account earlier this morning. An analysis of that data indicates that more than 75 percent of the accounts (8,836) were created before 2013 — with the largest group of accounts (3,366) created six years ago.

Summers has published the entire list of suspected bot accounts at his Github page. He’s also published a list of the 20,000 or so suspected bot accounts that re-tweeted Nimmo’s fake death, and found an overlap of at least 1,865 accounts with the 11,500+ suspected bot accounts that targeted my account this week.

I mentioned earlier that most of these bot accounts should have been easy to detect as such: The vast majority of bot accounts that hit my account this week had very few followers: More than 2,700 have zero followers, and more than half of the accounts have fewer than five followers.

Finally, I’ve noticed that most of them appear to be artificially boosting the popularity of a broad variety of businesses and entertainers around the globe, often using tweets from multiple languages. When these bots are not intimidating or otherwise harassing reporters and researchers, they appear to be part of a business that can be hired to do promotional tweets.

An analysis of the data by @ChiefKleck

Further reading:

Twitter Bots Drown Out Anti-Kremlin Tweets

Buying Battles in the War on Twitter Spam Tracking Russian Influence Operations on Twitter

Update: 9:52 a.m. ET: Corrected spelling of name for managing editor of ProPublica.

86 thoughts on “Twitter Bots Use Likes, RTs for Intimidation

  1. bill

    Get rid of the bots and twitter probably has about 5000 users 🙂

  2. John

    “to ensure people cannot circumvent these safeguards, we’re unable to share the details of these internal signals in our public API” my ass.

    Twitter criticizes researchers’ work as “often inaccurate and methodologically flawed”, meanwhile, these botnets are abusing everything in sight, and their accounts are OBVIOUS, and Twitter’s anti-abuse team is nowhere in sight. These botnet accounts are YEARS old.

    Twitter is a sham. Their billions of dollars in valuation is probably a sham too. When they can’t deal with the most basic and easily dealt with abuse on their platform, they aren’t a platform worth doing business on. All of this abuse is clearly visible evidence of Twitter’s rot at the corporate level.

    1. SeymourB

      They’re probably years old because they’re accounts that were created with lax passwords that were “acquired” by other individuals.

      That being said, I have no twitter followers because I don’t use it for anything. The lack of twitter followers alone shouldn’t be viewed as suspicious, not all of us have swallowed the social media is wonderful pill.

      I think the last time I used it was to request support from some place that refused to offer support except on social media. And, of course, they failed to answer. Guess I need more followers to be worthy of support?

  3. Metalrat

    I guess a lot of the accounts might be unused accounts that were ‘hacked’ by reuse of passwords skimmed from the many dumps over the last couple of years.

    Thanks for letting us know that something that has been thought about actually is really occurring.


  4. realman

    Its all show left side and the right side both controlled from the same organisation. Russia and Usa are both controlled from same organisation!! Once you guys undestood this then all good

    1. Tom

      Why is that? I don’t really see the connection between right and left here …

      1. Mahhn

        It’s either Lizard people, Israel, or Rothschilds.

        1. JimV

          Don’t forget the Bilderbergs, the Rosicrucians and the Snakeheads…

          1. Cris E

            Stuart Mackenzie: Well, it’s a well known fact, Sonny Jim, that there’s a secret society of the five wealthiest people in the world, known as The Pentavirate, who run everything in the world, including the newspapers, and meet tri-annually at a secret country mansion in Colorado, known as The Meadows.

            Tony Giardino: So who’s in this Pentavirate?

            Stuart Mackenzie: The Queen, The Vatican, The Gettys, The Rothschilds, *and* Colonel Sanders before he went tits up. Oh, I hated the Colonel with is wee *beady* eyes, and that smug look on his face. “Oh, you’re gonna buy my chicken! Ohhhhh!”

            Charlie Mackenzie: Dad, how can you hate “The Colonel”?

            Stuart Mackenzie: Because he puts an addictive chemical in his chicken that makes ya crave it fortnightly, smartass!

  5. TJACK

    Hm, looks like an excellent way to call out (and identify) a bunch of bot accounts. Most bots are so badly made, they are easy to identify as such – and can be eliminated. Good ones pass the Turing test 🙂
    P.S.: I am not a bot and been following you for a long time! Keep up the good work! @exowarfare

  6. Mark

    Be sure the botnet is originally Kremlin’s. Proofs based on @NatashaBertrand’s screen shot:
    1. Bot @kalmarkalmar1’s follower’s list (consisting of only four followers) contains @leon_elk aka Leonid Degtyarev, a Russian botnet spammer and close friend and deputy (at a state-owned Innovation Technologies’ Development Agency) to a top Russian/pro-Kremlin botmaster Artem Klyushin @ARTEM_KLYUSHIN. Both hail from Voronezh city.
    2. Bot @dudkina1992 (as well as many others on the screen shot) follows only Russian accounts.
    3. Bot @denisova_lida (2nd from the top, now deleted) has a peculiar phrase in it’s profile: “Болею за ЦСКА” (“I’m a fan of CSKA”) [a Russian football club]. This profile phrase, and even more often, “Болею за Спартак” (another football club) can often be seen among the Russian Twitter bots
    Sorry for the long comment.

  7. Anonymous Supporter

    Great job Brian, well done!

    Keep up the (very) good work!

  8. Ollie Jones

    All sorts of personal media are infested with “undesired content”. Telephones, email, blog comments, twitter, fb, etc. You name it, it’s infested. It’s out of hand. This undesired content is called “junk calls,” “spam,” “bots activity” and so forth.

    Junk calls have been an existential threat to the landline phone business for more than a decade, but the phone companies don’t care. The sooner that business completely collapses, the sooner they can cash in all that valuable downtown central-office real estate.

    Mobile phone companies have the same infestation now. They don’t care either; people mostly have to take voice service to get the other services.

    The big email companies are doing a decent, but not amazing, job coping with spam. They do care about this problem.

    WordPress is doing a decent job of spam-trapping undesired comments. Other blog systems, not so much. This is a big reason for WordPress’s dominance.

    Social media (Twitter, FB, etc). Fail. Infestations need to become an existential threat before they’ll deal with them.

    It’s not clear we users have the clout to make it an existential threat. It’s a free service. We ARE the product.

    It wouldn’t be hard for Twitter to take responsibility. Make people pay, with real payment cards, for immediate delivery of tweets to more than, say, 100 followers. For nonpaying customers, meter the delivery so it can take up to 24 hours. Either an originator or a recipient can subscribe for rapid delivery.

    Do the same with “follow” operations — offer a human-scale quota.

    And charge a nominal fee for each account creation.

  9. Winston

    Don’t trust the apparent political bent and source of these attacks. To carry out such attacks with such an easily discernible and attributable botnet -absolutely stinks- of false flags to reinforce a dying narrative. Such attacks would be counterproductive for the cause of actual Trump supporters which is what I believe is the intent of the attacks.

    1. Tom

      Winston – Thanks for a good laugh! Made my morning! I suspect a lot of people may not have realized you were joking though.

  10. Doc

    Brian wrote: “I mentioned earlier that most of these bot accounts should have been easy to detect as such: The vast majority of bot accounts that hit my account this week had very few followers: More than 2,700 have zero followers, and more than half of the accounts have fewer than five followers.” Not so fast. There are a lot of people out there who signed up for twitter only to be able to follow certain others, and who never post anything. I would be among those. I am not a bot, and I have (as far as I know) no followers and don’t want any. So the logic you described may be flawed…

    1. BrianKrebs Post author

      Nobody is suggesting that all accounts with only a few followers are bots, but it’s a great starting point. Also, note from the screenshot at the end of the story that virtually all of these bots that RT’d my tweet about Putin were registered using Twitter for iPhone. That would be another great place to start.

      1. Harry R

        Not really. Those sorts of first-level indicators are trivially avoided. You just have a bunch of the fake accounts follow each other and tweet from different devices.

        Need to do second-tier analysis. Sure account X has 27 followers, but what does the social _web_ of those followers have in common? Do they follow each other? Do they tend to tweet content with common themes? And that’s the sort of thing machine learning excels at.

      2. Bill

        Only a few followers by itself is not a sign. I just recently joined so I see what I was missing(not much!) and have no followers. I have only followed you.

        Perhaps a better test would be few followers, and with lots of tweets, retweets or whatever.

    2. JCitizen

      I doubt I have even one follower – I joined Twitter to follow my hero Buzz Aldrin, The other subject I attempted to follow was a near earth asteroid and comet watch organization. I notice they disappeared off Twitter despite being legitimate. Apparently NASA started their own, and may have bullied them to drop it. I miss it, because it had some pretty cool calculation tools to check on news reports, and verify orbits of known near earth objects. Who knows? Not me!!

    3. Wayne

      Just piling-here… I have zero followers, close to zero posts. Just a lurker. Would need to identify good criteria to avoid filtering out true human fans and supporters.

    4. timeless

      My fairly young account has a number of spammy followers. I’m not sure what to do about them. I’ve started taking the approach of reporting them, but for a service I barely use, that’s a pretty expensive operation–like changing your password weekly on an account you use quarterly…

  11. EJ

    The US spends billions on high-tech weapons systems, and the Russians invest in social media attacks. Guess which one is winning?

  12. Kay

    Two comments: This has been going on for a while. I’ve noticed that every time I post a comment with hashtag #Russia #RussianTrumpTrolls, etc. I get followed by what are clearly bots.

    Second, this would be a great post to tweet directly on Twitter – so there news image links associated with the story, instead of just copying and pasting a blue link that people rarely click on. Why isn’t there a twitter/FB link button on the blog page?

  13. Harry R

    Looks like Twitter has some really rudimentary anti-bot processes. Banning accounts who get a lot of followers/activity in a short time can be easily exploited, as we’ve seen.

    What they NEED to do is look at the _behavior_ of these bot accounts, training machine learning. Even simple bayesian learning should be enough to point out likely fake/bot accounts. And then the accounts that pass a confidence threshold should go to moderation tea inside Twitter that make the final decision on whether the account is fake.

    This will obviously spark a neverending arms race and require ongoing attention and investment from Twitter. But I don’t see how that’s avoidable.

    The usual answer is user-generated moderation and reputation systems, but given that these botnets have tens of thousands of accounts, they could game those systems too.

    1. timeless

      I’d be shocked if Twitter wasn’t at least passively collecting this information.

      The problem with deploying any automated response is that it’s gameable c.f. the DFRlab tweet.

      While we’d like Twitter to kill these bots, we already suspect these bots are abusing one of Twitter’s automated responses.

      I think of these things like arms races, specifically the kind in Star Trek with the Borg, each response can only be used once, after which it becomes totally ineffective. Except, it’s actually worse, each response Twitter deploys will end up being a landline that the human owned accounts may be pulled into/over.

  14. Patrick

    The bigger issues here seem to be a major conflict of interest between Twitter removing account and hurting their “growth numbers” and trying to sanitize their feed to keep regular humans happy. I would imagine as long as Twitter has a bottom line to manage bots will continue growing in numbers and usage since it pumps up potential advertising dollar spends.

  15. parabarbarian

    I doubt that Twitter (or Facebook) will do much to eliminate bot accounts. High subscription numbers is an important factor in keeping stock prices up and if half the accounts disappeared overnight the stock prices would tumble.

  16. James Schumaker

    Kremlin-sponsored bots often have no direct purpose other than to sow confusion and spread fake news. They are designed primarily to distract people from real news. If bots like the ones that attached themselves to Brian’s account cause that account to be suspended, or make life more difficult from an administrative standpoint, that is more a side benefit than a principal objective. I am wondering why the U.S. Government tolerates this and has not already cracked down on bots originating from Russia and other adversary countries. Bots are pretty easy to trace individually and entire domains can be blocked, if necessary. I’m not advocating an environment like that created by the Chinese, where a “Great Wall” effectively blocks out unsanctioned internet traffic, but a more active perimeter defense than we have now would be a welcome relief to the chaos the Internet is currently experiencing. I would be interested in any comments Brian might have on this, and on the legal issues that might be involved.

  17. vb

    Twitter has no financial incentive to delete bot accounts. Bot accounts cost Twitter nothing. Deleting bot accounts saves Twitter nothing.

    Until the economics changes, don’t look to Twitter to do anything other than Corporate-Speak.

    1. Eric

      Shutting the bot accounts down does cost Twitter something. It reduces the number of ‘users’, which might destroy the illusion that they are continually growing.

      Investors would be unhappy and start selling the stock.

  18. Ron Micjan

    Putting a $10 price tag on each new twitter account would put a stop to this nonsense pretty fast. Simple enough to follow the money at that point (if they chose to continue) to shut these bot builders down overnight. Even if it was only a dollar to open an account, the user would have to tie the account to a payment system which should identify the user.
    I had wondered about the captcha challenge and whether there were groups or sweatshops that were filling in the blanks. Thanks for the confirmation.

  19. Chris Nielsen

    I re-tweeted the tweet that got you so many followers. I only have two so having a lot of bot followers would be better than what I have now. I know it might risk an account shutdown, but that’s ok. After all, I only have two followers at the moment. 🙂

    I had to smile at the @Twitter tweet to make Twitter aware of the problem. We need more smart people working on this stuff to combat it.

    I have not decided if I will start selling tweets once I get 12k followers. It’s tempting…

  20. Blue Critter

    Thanks, Brian! A much better topic than the “he said, she said” stuff.

  21. William Smith

    On public money, USA is running public commissions for investigating who in government is the best friend of Putin / agent of FSB. And now this Donald “Yeltsin” Trump and war with monuments and your own history.

    No one thought that ukrainianism is so contagious. The whole planet is laughing at you.

    1. SeymourB

      Hello comrade! Nice weather we’re having in Olgino today. I suggest you read the latest directive, lest you end up being sent to the front lines.

  22. Andrew J Conway

    Twitter could detect and shut down all the bot accounts if they wanted to. I believe the problem is that if they did their number of users and tweets per month would shrink and their growth rate would look anemic. For a company that is not making money their value to shareholders is based on the perception of rapid growth and engagement, so I don’t think they want to damage that.

  23. JCitizen

    So begins the social media wars! Maybe Twitter ought to hire IBM’s WATSON to clean out the mess? I shudder to think of an AI becoming a bot on its own volition!!

  24. Drone

    Meh, I don’t use Twitter. I’m not self-obsessed.

    I AM thankful for the existence of Twitter though. It keeps the self-obsessed away from the rest of us. Think of Twitter as a black-hole, made up entirely of ego.

Comments are closed.