The curious case of user one134500 and the most obvious reply spam ever
Discover more from Conspirador Norteño
The curious case of user one134500 and the most obvious reply spam ever
I just met you and this is crazy, but here's a scammy crypto website so log in maybe?
Beginning on May 10th, 2023, a network of recently-created accounts started spamming Twitter users with repetitive replies containing what appeared to be login credentials for a mysterious website (uu55111.com). This activity kicked into high gear on May 12th, 2023, with hundreds of thousands of replies from thousands of spam accounts generated in the ensuing days. Although Twitter has removed some of the accounts, a majority remain active and continue to flood the site with spam more than a week later.
At the time of this writing, there are at least 13719 active accounts in this spam network, all of which were created in March or April 2023. None of these accounts has ever liked a tweet, and all of their tweets subsequent to May 10th, 2023 are replies. Although these accounts theoretically tweet via the Twitter Web App, automation seems likely due to the repetitive nature of the content and the sheer volume. Most of the accounts in the network were sporadically active prior to May 10th, 2023; this early content was generic-sounding tweets about daily activities rather than reply spam.
The website promoted in the network’s initial wave of reply spam, uu55111.com, describes itself as a “financial income platform” and purports to offer a variety of cryptocurrency-related financial services. Given that the website contains no details regarding licensing, associated financial institution(s), or indeed contact information of any kind other than a gmail address ending in random digits, this site (and others mentioned later in this article) should be approached with extreme skepticism and caution. The uu55111.com domain name was registered on May 9th, 2023, the day before the network’s first replies mentioning it.
Over the ensuing days, the spam accounts worked three additional websites into their spammy replies. Two of these sites (uu11551.com and uu14774u.com) appear to be identical to the uu55111.com site. The third, bobvip8.xyz, is different: instead of an alleged “financial income platform”, the site offers “$BOB tokens” and prominently features a button for connecting a cryptocurrency wallet, accompanied by a variation on the Pepe the Frog meme. The spam promoting bobvip8.xyz also differs from the spam promoting the other websites, as no login credentials are included.
The spam network replies to a wide variety of accounts, with the official Reuters Twitter account at the top of the list. Additional accounts that received large numbers of spam replies include additional news organizations (Bloomberg, Forbes), serial tech entrepreneur Elon Musk, multiple radio accounts (Hits 93 Toronto, Dirty South Radio), various social media marketing services, and others. Although the network does not appear to be choosing what to reply to based on the presence of specific keywords, it does have a language preference: 75.2% of the tweets replied to are in English, followed by Spanish at 5.6%. The accounts in this network tend to reply quickly; 70.9% of the spam replies were sent less than six minutes after the tweet being replied to was posted.
Given the high degree of repetition, this spam campaign should be relatively straightforward for Twitter to detect and shut down. Despite this, the spam has flowed largely unhindered for well over a week. Although some of the accounts that participated in the initial wave have been suspended, others have been activated to replace them, and the number of active accounts in the network has actually increased, from 9688 on May 13th to 13719 on May 20th. In the past (including post-Musk takeover), Twitter has generally been pretty good about detecting and removing extremely obvious spam such as this, so the apparent lack of action thus far is mildly surprising. This article will be updated should the situation develop further.
Update: as of 3 PM Pacific time on May 22nd, 99.5% of these spam accounts have been suspended by Twitter.
The curious case of user one134500 and the most obvious reply spam ever
Hi, was trying to contact about a reply i made about 'like bots' in one of your twitter threads. Seems it only likes (hearts) replies i make to other accounts, and of course it did it in your thread. Did you want me to cont. replying to myself to create a honeypot?
So a couple questions, (feel free to answer all or none, I won’t be offended, I know they're loaded questions)
1. Is 99.5% of the total accounts created or just of that initial batch? Have more accounts been created (related to the network) since the ban.
2. Any idea if these accounts follow each other? Is that something worth tracking? Or do networks like this know that is something that can be used to identify them?
2. 99.5% obviously covers the brunt of the problem, but do you have any idea why they couldn’t identify the other .5%? Based on what you said they seem like pretty straight forward bans. They use the same(ish) message most of the time, they reply to a lot of the same accounts, they have all been created in the last 90 days. Also, once you identify 100-1000 bad accounts referencing the same website (uu11551.com) could you not use that to identify others? I imagine they're trying to limit false positive account bans, but if you used a combo of automation and manual review, it seems like you could get a lot more accurate.
3. Do you think the timeline for this ban was acceptable (7-10 days). Are you surprised/disappointed it took this long? (I am)
4. Do you think the ban was automated on twitters side? That is, no manual intervention by twitter personnel. Based solely on twitters automation / community reporting. Or do you think someone on twitters team was prompted to make an action based on your post and/or others. I saw at least 4-6 people I follow mention these accounts/tweets.
5. Do you care that much about improving the platform? Or do you just like reporting on these issues? I don’t think you’re a huge fan of Elon (which is fair) and he made a lot of promises about reducing spam which doesn’t appear to be happening much at this point. I guess I’m asking if you’d prefer twitter would just fix their shit or if you’d prefer another platform sans Elon. If for example, twitter offered you a job fighting spam that was 2x your current income. Would you take it?
6. Outside of twitter fixing their automation algos, do you think they would benefit from better (mass) spam reporting features? If so what do you think that would look like?
Full disclosure.
1. I love your content
2. I'm a software engineer working in privacy (my name is Will Hieronymus I work for Relyance AI) I'm not affiliated with twitter or Elon, and I don't think I'm an Elon fan boy, although I'm sure I would be labeled by some people as such. I'm actually just really trying to figure out if Elon sucks or if he's at least competent (I suspect he's somewhat competent but not perfect but also way too arrogant).
3. I'm a complete noob to this bot stuff on twitter or any other platform, but I think I can pick it up pretty quickly. I'd love to learn more.
4. I'm VERY curious in how to combat this spam stuff. I think it's important. Not just for obvious crypto scams like this, but also, probably more importantly like disinformation in general.