Security Researchers Discover Sophisticated Twitter Crypto Botnet

On August 6, 2018, two security researchers at Duo Security who were studying Twitter automation patterns stumbled upon a vast network of Twitter bot accounts promoting crypto fraud. The botnet turned up as a byproduct of that work: the researchers were developing a methodology for accurately identifying Twitter bots at scale, not hunting for a specific scam.

Vitalik “Non-Giver of Ether”

BTCManager has reported in the recent past on a large cryptocurrency scam operation running on Twitter via an array of bot accounts configured to look just like the accounts of prominent crypto industry figures such as Elon Musk and Vitalik Buterin. In the latter case the scam achieved enough success that Buterin edited his Twitter display name and bio to warn potential marks that the real Vitalik Buterin is not involved in any purported crypto giveaway.

For the first time, the team's findings make it possible to identify and track where the scam tweets originate and how they achieve such prominence. Using machine learning, the team discovered a network of more than 15,000 bot accounts involved in the "crypto giveaway scam".

They say this is merely the tip of the iceberg, with the actual number of bot accounts involved estimated to be far higher. The purpose of the scam is to extract funds from Twitter users. Its methods go beyond imitating well-known or famous accounts: they can also involve hijacking verified accounts to trade on the trust of those accounts' followers.

Twitter Gets Played

According to the team, even Twitter's internal quality-control algorithms are being gamed by the botnet, with some of the bot accounts showing up under Twitter's recommendations in the "Who To Follow" section. For its part, Twitter maintains that such accounts and activity are automatically detected and hidden by its anti-spam systems, though the system is not foolproof.

Twitter told TechCrunch that it is aware of the ongoing manipulation and that its team is working on a detection mechanism for this kind of activity. Twitter's existing mechanism already hides spammy content from users viewing the site, but those restrictions are not yet applied on the API side, so automated tools that query the API still see the accounts and their tweets. Twitter also claimed that less than five percent of accounts on the platform are spam-related.

New Type of Botnet

The paper the researchers released describes the botnet as unlike any they have encountered before. Rather than the flat structure typical of a Twitter botnet, this crypto scam botnet is described as having a "unique three-tiered hierarchical structure." Speaking to TechCrunch, Duo Principal Security Engineer Jordan Wright described how this works:

“This botnet was unique because whenever we started mapping out the social connections between different bots — figuring out who they followed and who follows them — we were able to enumerate a really clear structure showing bots that are connected in one particular way and an entire other cluster that were connected in a separate way.”

According to him, the ultimate goal of the botnet is to artificially inflate the popularity of the scam tweets: a tweet with many likes and retweets looks legitimate, which makes it more likely that people will fall victim to it.
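The two ideas above, enumerating structure from who follows whom and measuring how much of a scam tweet's engagement comes from inside the network, can be illustrated with a small graph exercise. The following is an added example written for this article; it is not code from Duo Security's research or from the paper discussed above. The accounts, follow edges, tweets and likes are constructed, and the tier names it assigns (hub, publisher, amplifier) are this example's own labels for the clusters it finds, not terminology taken from the paper.

```python
"""Cluster accounts by how they are connected, then measure engagement inflation.

Added example, not part of the original article or the Duo Security paper.
All account names, follow edges, tweets and likes below are constructed.
"""
from collections import defaultdict

# --- Constructed sample data (illustrative only, not real Twitter accounts) ---
# Follow edges as (follower, followed) pairs.
FOLLOWS = [
    ("pub_01", "hub_a"), ("pub_01", "hub_b"),
    ("pub_02", "hub_a"), ("pub_02", "hub_b"),
    ("pub_03", "hub_a"),
    ("pub_04", "hub_b"),
    ("bystander", "hub_a"),        # an ordinary user who follows one hub
]
# Scam tweets: tweet id -> author account.
TWEETS = {"t1": "pub_01", "t2": "pub_02", "t3": "pub_03", "t4": "pub_04"}
# Likes as (account, tweet id) pairs.
LIKES = [
    ("amp_01", "t1"), ("amp_01", "t2"), ("amp_01", "t3"),
    ("amp_02", "t1"), ("amp_02", "t2"), ("amp_02", "t4"),
    ("amp_03", "t1"), ("amp_03", "t3"), ("amp_03", "t4"),
    ("amp_04", "t2"), ("amp_04", "t3"), ("amp_04", "t4"),
    ("amp_05", "t1"), ("amp_05", "t2"),
    ("amp_06", "t3"), ("amp_06", "t4"),
    ("bystander", "t1"),           # one organic like mixed in
]

# Assumed labels for the connection patterns this example expects to see.
SIGNATURE_LABELS = {
    (False, False, True, False): "hub",        # followed by others, does nothing else
    (True, True, False, False): "publisher",   # posts scam tweets, follows the hubs
    (False, False, False, True): "amplifier",  # only likes scam tweets
}


def connection_signature(account, following, followers, authors, liked):
    """Describe an account purely by how it connects to the rest of the set."""
    return (
        account in authors,                 # authored a scam tweet
        len(following[account]) > 0,        # follows someone in the set
        len(followers[account]) > 0,        # is followed by someone in the set
        len(liked[account]) > 0,            # liked a scam tweet
    )


def cluster_by_connections(follows, tweets, likes):
    """Group accounts whose connection patterns are identical."""
    following, followers, liked = defaultdict(set), defaultdict(set), defaultdict(set)
    for src, dst in follows:
        following[src].add(dst)
        followers[dst].add(src)
    for acct, tid in likes:
        liked[acct].add(tid)
    authors = set(tweets.values())
    accounts = set(following) | set(followers) | set(liked) | authors
    clusters = defaultdict(set)
    for acct in accounts:
        sig = connection_signature(acct, following, followers, authors, liked)
        clusters[sig].add(acct)
    return dict(clusters)


def label_clusters(clusters):
    """Attach the assumed tier names; unrecognised patterns land in 'other'."""
    labeled = defaultdict(set)
    for sig, members in clusters.items():
        labeled[SIGNATURE_LABELS.get(sig, "other")] |= members
    return dict(labeled)


def amplification_ratio(tweet_id, likes, amplifiers):
    """Fraction of a tweet's likes that come from the amplifier cluster."""
    likers = {acct for acct, tid in likes if tid == tweet_id}
    if not likers:
        return 0.0
    return len(likers & amplifiers) / len(likers)


if __name__ == "__main__":
    tiers = label_clusters(cluster_by_connections(FOLLOWS, TWEETS, LIKES))
    for name, members in sorted(tiers.items()):
        print(f"{name:10s} ({len(members):2d}): {sorted(members)}")
    for tid in TWEETS:
        ratio = amplification_ratio(tid, LIKES, tiers.get("amplifier", set()))
        print(f"{tid}: {ratio:.0%} of likes from amplifier accounts")
```

On the constructed data the single "other" account is the bystander, whose pattern (follows a hub and liked one tweet) matches none of the bot tiers; on real data, tiny leftover clusters like that are the noise to inspect by hand, while the large clusters with identical signatures are the tiers. The amplification ratio is the number a fraud investigator actually wants: a tweet whose likes are almost entirely from accounts that never post and never follow anyone is popular only on paper.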