A thousand followers and none
The ongoing evolution of a fake Twitter account creation and sales operation
Businesses that sell fake social media accounts and fake social media followers all face the problem that, sooner or later, the inauthentic nature of their merchandise is discovered and the accounts/followers they’ve sold get banned. In light of this, it’s not surprising that long-running account/follower sales operations continually evolve their techniques to confound detection and replace inventory lost to bans. Here’s a tale of one such operation, originally known as “Thousand Followers” and later as “Thousand Bytes”, whose operator(s) have helpfully left a trail documenting some of their activities on SEO forum BlackHatWorld.
The story begins back in July 2020, when posts advertising a new follower sales website by the name of thousandfollowers.com started popping up on BlackHatWorld. These posts, from a user presently named “Thousand Bytes” (previously named “jova” per some of the replies archived here), offered batches of 1000 “high quality” Twitter followers for the low price of $2. The posts also mention an API (application programming interface) that operators of other illicit follower sales services can use to automate purchases from the site. The Twitter account @thou_followers (now suspended) was provided in one of the BlackHatWorld posts as an example of an account with followers from the service.
In August 2020, researcher @ZellaQuixote and I ran across the @thou_followers account and the associated thousandfollowers.com website. Almost all of this account’s followers were relatively new accounts with zero likes, presumably thousandfollowers.com’s merchandise. These followers were created in batches of roughly 1000, with a new batch popping into existence every few days. The newly-created accounts invariably followed @thou_followers in the exact same order that they were created. The mass-created followers all had some things in common:
display names ending in one or more emoji
zero followers of their own
few or no tweets (tweets, if present, were repeated across multiple accounts)
the followers in any given batch all followed the same number — and the same set — of accounts (mostly Turkish-language accounts)
One of the most interesting aspects of the fake followers sold by thousandfollowers.com was the set of profile images they used. These images fell into a few basic categories:
GAN-generated human faces similar to those produced by https://thispersondoesnotexist.com
GAN-generated cats similar to those produced by https://thiscatdoesnotexist.com
GAN-generated anime images similar to those produced by https://thiswaifudoesnotexist.net
random plagiarized photos of objects and scenery (with frequent duplicates)
On August 16th, 2020, one day after this Twitter thread describing the workings of thousandfollowers.com, Twitter suspended the @thou_followers account along with all of the fake followers. “Thousand Bytes”, the operator(s) of thousandfollowers.com posted on BlackHatWorld about the incident on August 17th, notifying customers that the site would be going offline temporarily, and offering refunds to those who had lost their purchased (fake) followers. Three months later, “Thousand Bytes” posted another update, announcing that they would no longer be offering their services directly to the public, and would instead be selling followers privately to resellers and bulk buyers henceforth.
The “Thousand Bytes” BlackHatWorld account was mostly quiet in 2021, but on Twitter evidence of their ongoing involvement in astroturfing surfaced here and there. Throughout the first half of 2021, spam networks consisting of accounts with the same four categories of images as the thousandfollowers.com fake followers (GAN-generated human faces, GAN-generated cats, GAN-generated anime pics, and plagiarized photos) were created on a regular basis, with occasional tweaks in behavior:
A network of 3204 accounts created in January/February 2021. The source of the GAN-generated faces was switched to https://generated.photos (which offers a curated set of synthetic faces with neutral backgrounds) for this network and most of its successors. The GAN-generated faces used by this network were almost all female. Almost all accounts in this and subsequent network had Turkish display names. This network tweeted sports betting and escort service spam.
a network of 16512 accounts created in February/March 2021. This incarnation added a new behavior: replying to each other with nonsensical strings of letters.
a network of 5007 accounts created in April 2021, with the same characteristics as the February/March 2021 network
The similarities between these networks and the original thousandfollowers.com network suggest that they were all created with variations on the same bulk Twitter account creation software, likely the work of the individual or individuals posting as “Thousand Bytes” on BlackHatWorld.
In June 2021 (back in the days before the $8 Twitter Blue verification was available), Twitter bestowed blue verification checkmarks on six newly-created inauthentic accounts with the text “Official Twitter Account” in their biographies. These accounts lacked any discernible connection to any notable people or organizations, and at least two of them were using plagiarized profile photos. Most interestingly, all six of them were followed by the same set of fake followers: 976 accounts created on June 19th or June 20th, 2021 with Turkish display names, zero tweets, zero likes, and zero followers of their own. Each of these fake followers followed the same group of 190 accounts (including the six fake verified accounts) and the profile images used by the fake followers fell into a familiar set of categories: GAN-generated human faces (all female with neutral backgrounds), GAN-generated cats, GAN-generated anime pics, and repetitive plagiarized images. It’s possible that the six fake blue-check accounts were intended as a new line of business manufacturing and selling verified accounts, but the accounts were shut down by Twitter shortly after being outed.
In January 2022, “Thousand Bytes” announced a new venture via the BlackHatWorld forums: an account sales website called twaccs.com offering software-generated Twitter accounts with anywhere between zero and 10000 followers. In its early days, this website helpfully offered the ability to view samples of the merchandise before making a purchase. One of the sample accounts shown in March 2022 was @KutsalKorhan (subsequently suspended). This account was listed in the “10K followers” category, but actually had more (11.9K), in a possible attempt to provide a buffer against some of the followers getting suspended. @KutsalKorhan’s followers were nearly all accounts created on January 7th 2022 with Turkish display names, zero followers, zero tweets, and zero likes that followed the same set of 225 accounts (presumably, part of twaccs.com’s inventory of accounts with “10K followers”). As with their followers, most of the accounts being sold also had Turkish display names.
Six of the accounts in the “10K followers” category were renamed on March 30th, 2022, likely indicating that the accounts were purchased. Several became cryptocurrency/NFT promotion accounts, and all were suspended within a few days of the apparent purchase.
ArnisaDurhan (ID 1501041231408742401) became @CryptoBabyDoge
Yelda88661855 (ID 1501041307342495750) became @CryptoCatSw (which was either renamed again or deleted prior to being suspended)
Ilgm33660623 (ID 1501041078031507460) became @cryptohabeer
ErbogaGuncicek (ID 1501035563490725888) became @ethmedya
Sezen30423606 (ID 1501041408630738948) became @hilal_00hilal
Tlay05714440 (ID 1501036842317144065) became @tulay333
After multiple social media researchers (@ZellaQuixote/myself as well as @EJGibney) posted analyses of twaccs.com in March 2022, the operators of the website disabled (and eventually entirely removed) the ability to view sample accounts. Although this does make detection of future incarnations of the network more difficult, it by no means prevents it entirely.
In a final intriguing twist (well, final for now), the popular Twitter “shadowban” test site shadowban.yuzurisa.com recently added a message promoting the purchase of fake accounts from twaccs.com as a solution to being shadowbanned on one’s existing Twitter account. Per Wayback Machine archives, this message was added sometime between September 1st and September 17th, 2022. Needless to say, buying a fake Twitter account with fake followers from a dodgy website such as twaccs.com is unlikely to result in you having a good time with Twitter’s spam detection filters and is therefore not in any way, shape, or form a good solution to being “shadowbanned”.