Spammers started showing up on Keybase as soon as Stellar announced a giant airdrop on the encryption app. They went away as soon as word went out that the free money era was over.

Or so Max Krohn, CEO of Keybase, told CoinDesk in an interview on Wednesday.

There’s been discussion lately of a serious uptick in spam on the chat side of Keybase. The explanation for that apparently lies almost entirely in Keybase’s partnership with the Stellar Development Foundation to airdrop 2 billion XLM to users of the app over a 20-month period.

“It was really an interesting experiment,” Krohn said. “In the end, it definitely achieved the goal of getting more numbers onto Keybase and more people onto Stellar.”

The trouble is, at a certain point the costs started to outweigh the benefits, as Keybase admitted when it announced the program was coming to an abrupt end. The third and final XLM airdrop began today, Dec. 13.

What was advertised to be a 2 billion XLM giveaway will now be much less. “The total giveaway amount will have been 300 million Lumens (approximately $16,000,000 USD),” Keybase wrote.

An airdrop in crypto occurs when a protocol or company distributes its tokens to some set of internet users that it believes will advance the brand. Since cryptocurrency is fungible and easily exchangeable, this is effectively the same thing as handing out money. There was a big move into airdrops in early 2018 until regulatory concerns slowed the practice, especially in the U.S.

Stellar has run a few airdrops, most recently to users of Blockchain wallets.

For the partnership with Stellar, Keybase users could receive tens of dollars in XLM with each airdrop. Malicious usage started right away but it accelerated, Krohn said, and by the November airdrop it was already a serious problem. Eventually, the airdrop on Keybase attracted so many spammers that it was no longer worth trying to continue.

“These airdrops are very hard to get right and in a way that is not overcome by fraud,” Jed McCaleb, Stellar’s founder, told CoinDesk at the Meridian Conference, a Mexico City gathering in early November.

As Keybase’s Krohn put it, the amount of crypto offered was too little for some to bother with, but for someone with the ability to write scripts to run a bot farm, it was potentially very lucrative. If a scammer could get hundreds or even thousands of bots through Keybase’s checks for human-like behavior, it certainly became worth their while.

Stellar Development Foundation CEO Denelle Dixon told CoinDesk that the goal for both companies was to interest new people, and it did that well. Further, Keybase did a good job making XLM useable in the app, she said, which Stellar looks for in distribution partners.

“They had developed a lot of interesting activities for users,” she said, such as easily sharing XLM within a chat. “We were really excited about it because we liked what Keybase stands for.”

'Immense operational strain'

Keybase went through several levels of checks before allowing accounts to join the airdrop.

On the first pass, any account that existed before the airdrop was announced was assumed to be real.

This worked well, but the whole purpose for both Stellar and Keybase was to bring new people in. So the next pass opened it slightly further. The partners said that any new account verified on Hacker News or GitHub would also be permitted to join the airdrop.

Stepping back, Keybase is an app that makes encryption via PGP easier. Most people use it for chat but it also has collaboration and developer tools built in, among other things. Encrypted communication is more reliable if the identity of users is verified, so Keybase uses various forms of social proofs to increase confidence that accounts represent the people they claim to be.

For example, Keybase has users cryptographically sign statements on other services to prove to Keybase that they are real.

This works across many websites, but Keybase and Stellar chose to start with Hacker News and GitHub because they both have high-quality communities that were not attractive to bots.

However, this led to spammers pouncing on these two services and looking to see if they could access dormant accounts. Bot farms have access to the millions of user IDs and passwords that have been compromised over the years. It’s a simple matter to write a script to check a site to see if any of those credentials work for old, unused accounts.

In short, if bot farms could activate a long-forgotten GitHub account, then they could pass Keybase’s filter. Both GitHub and Hacker News contacted Keybase to say the onslaught “was causing immense operational strain,” according to Krohn.

“In our mind, we thought it would be advantageous to all partners,” Krohn said. After all, it seemed to be an added benefit for users of Hacker News and GitHub. “The second they asked us to turn it off we said, ‘Sure.’”

Final phase

For the November airdrop, Keybase decided to use a combination of SMS verification and its own filters to demonstrate human-like behavior.

Krohn said about 150,000 new signups made it through.

“The bots are this adaptive adversary,” Krohn said. Different bot shops deploy different strategies to get through. Keybase can’t really know how many beat its system.

One additional challenge was the footprint of Stellar.

“They have a lot of initiatives going on in Latin America and Nigeria, but those are also some of the hardest countries from which to combat bot signups,” Krohn said. Limited internet infrastructure in those places gives fewer distinct signals from which to analyze behaviors of new accounts.

Krohn said they continued to be in contact with Stellar but at a certain point the benefits were no longer “growing as fast as the abuse,” Krohn said. And that’s why the airdrop is no more.

Prior to this writing, Keybase had already quit accepting new signups to receive the airdrop and recently added a strong blocking feature to its app.

For her part, Stellar’s Dixon hopes that more talented people continue to take on spam blocking. Prior to Keybase, she served at Mozilla, advancing the cause of the World Wide Web. She was philosophical about spammers ending their airdrop early.