Recently there has been an uproar about vote manipulation attacks in the /r/Bitcoin subreddit. It was alleged that this attack originated from a competing Reddit community, found at /r/btc.

This post will not attempt to prove whether or not someone from the /r/btc community did indeed manipulate votes on the Bitcoin subreddit, but instead will show how easy and cheap it is to maliciously manipulate Reddit posts and comments for personal/monetary gains. In general, there are two ways to manipulate Reddit votes:

1. There are services which sell Reddit upvotes. For a fee, these services upvote your posts and comments on Reddit using their network of Reddit accounts, though it is unclear whether these accounts are simply bots or are actually stolen.

A price list of Reddit services found online.

We managed to get into contact with one of many vendors selling these Reddit services, who wishes to remain anonymous, and convinced this person to allow us to make a small ‘test’ purchase in order to see whether or not the service was actually working. We took a random comment from a post in the /r/bitcoin subreddit and asked the vendor to add 20 upvotes to this comment.

The random comment pre-upvoting

Approximately 2 minutes after we requested the upvotes, the upvotes were added to the comment.

The random comment post-upvoting

We then asked the vendor whether or not it was possible to downvote posts in a similar fashion, and were told that it was indeed possible. When asked whether or not users were actively using the vendor’s services to manipulate certain subreddits, the vendor said, “I have clients who make thousands by upvoting, downvoting posts+comments to artificially pump altcoins.”

There are certain downsides to using paid services such as the one above. The prices are hefty if you want to manipulate multiple posts and comments, and you cannot be certain when exactly the vendor will fulfill your purchase.

2. Stolen accounts and custom-made scripts are readily available to solve the issues of price and timing. For a one-time fee, less than $500, anyone can purchase custom-made scripts and receive a list of ‘cracked’ (stolen) Reddit accounts with which to upvote/downvote any post or comment on Reddit. The vendor who sold us the test upvotes referred us to a business partner who would be able to tell us more about these scripts and provide us with a demo. We refrained from actually purchasing any stolen accounts or scripts.

The business partner, who also wished to remain anonymous, explained to us that it is relatively easy to crack Reddit accounts due to the fact that there are no extra login security measures such as 2FA on Reddit. This makes it very easy for anyone to run a list of names and passwords through the Reddit login page (known as cracking) and collect the working accounts. Once users obtain these details, they can then use the list of cracked accounts in conjunction with freely-available proxies to upvote and downvote posts and comments.
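
Seen from the platform's side, the pattern described above (taken-over accounts voting through proxies in a short burst) leaves a trace that can be checked for. The following is an added example, not part of the original post and not Reddit's own logic: the event fields, thresholds and function names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque

WINDOW_S = 120      # assumption: burst window, matching the ~2 minutes reported in this post
MIN_VOTERS = 10     # assumption: distinct voters inside the window before a burst is scored
NEW_IP_RATIO = 0.8  # assumption: share of voters arriving from an IP never seen for them

def find_suspicious_bursts(history, votes):
    """history: {account: set of previously seen IPs}; votes: (ts, target, account, ip)."""
    windows = defaultdict(deque)  # target -> recent (ts, account, voted_from_new_ip)
    flagged = {}
    for ts, target, account, ip in sorted(votes):
        is_new = ip not in history.get(account, set())
        win = windows[target]
        win.append((ts, account, is_new))
        while win and ts - win[0][0] > WINDOW_S:  # drop votes older than the window
            win.popleft()
        voters = {acct: new for _, acct, new in win}  # count each account once
        if len(voters) < MIN_VOTERS or target in flagged:
            continue
        ratio = sum(voters.values()) / len(voters)
        if ratio >= NEW_IP_RATIO:
            flagged[target] = {"window_start": win[0][0],
                               "voters": len(voters),
                               "new_ip_ratio": round(ratio, 2)}
    return flagged

def build_sample():
    """Constructed data: one burst, one busy but organic thread, one slow trickle."""
    history, votes = {}, []
    for i in range(20):  # burst: 20 accounts on unfamiliar IPs within 100 seconds
        history[f"acct_a{i}"] = {f"198.51.100.{i}"}
        votes.append((1000 + 5 * i, "comment_A", f"acct_a{i}", f"203.0.113.{i}"))
    for i in range(12):  # organic: many quick votes, all from the voters' usual IPs
        history[f"acct_b{i}"] = {f"192.0.2.{i}"}
        votes.append((1000 + 9 * i, "comment_B", f"acct_b{i}", f"192.0.2.{i}"))
    for i in range(20):  # trickle: unfamiliar IPs, but ten minutes apart
        history[f"acct_c{i}"] = {f"198.51.100.{100 + i}"}
        votes.append((1000 + 600 * i, "comment_C", f"acct_c{i}", f"203.0.113.{100 + i}"))
    return history, votes

if __name__ == "__main__":
    print(find_suspicious_bursts(*build_sample()))
```

Only the burst is flagged: the busy thread fails the new-IP test and the trickle never fills the window, which is why the two signals are combined rather than used alone.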

A screenshot we received from the business partner, displaying a list of ‘cracked’ Reddit accounts.

We asked the business partner to show us whether or not the accounts actually worked, to which he agreed. Again, we chose a random comment, but this time in the /r/btc subreddit.

Random comment pre-upvote

A couple of minutes after we requested the upvotes, the business partner sent us a screenshot of his running program.

The business partner sends us a screenshot of how his program works.

We checked the comment and the upvotes indeed appeared.

Random comment post-upvote

In addition to that, the upvoted comment started receiving replies due to it being higher up in the comment list and thus more visible.

To conclude, we have shown you how simple and easy it is to manipulate posts and comments on Reddit for any reason. There are, of course, additional methods to manipulate Reddit discussions, such as the use of comment bots or botnets. We hope Reddit notices this post and starts to roll out 2FA as soon as possible, and expect a dramatic decrease in vote manipulation on Reddit once 2FA has indeed been implemented. This problem is not limited to Reddit: other social media platforms such as Twitter, Facebook, Instagram and even LinkedIn are prone to vote manipulation.

- The CoinMall Team