Over the past 5-6 months, I’ve been noticing a lot of new accounts spinning up that look like this format:

  • https://instance.xyz/u/gmbpjtmt
  • https://instance.xyz/u/tjrwwiif
  • https://instance.xyz/u/xzowaikv

What are they doing?

They’re boosting and downvoting mostly, if not exclusively, US news and politics posts/comments to fit their agenda.

What do these have in common?

  1. Most are on instances that have open signup (I’m guessing the few that are on instances with registrations may be from before applications were enabled since those are several months old, but just a guess; they could have easily just applied and been approved.)
  2. Most are random 8-character usernames (occasionally 7 or 9 characters)
  3. Most have a common set of users they’re upvoting and/or downvoting consistently
  4. No posts/comments

What can you, as an instance admin, do?

Keep an eye on new registrations to your instance. If you see any that fit this pattern, pick a few (and a few off this list) and see if they’re voting along the same lines. You can also look in the login_token table to see if there is IP address overlap with other users on your instance and/or any other of these kinds of accounts.

You can also check the local_user table to see if the email addresses are from the same provider (not a guaranteed way to match them, but it can be a clue) or if they’re they same email address using plus-addressing (e.g. [email protected], [email protected], etc).

Why are they doing this?

Your guess is as good as mine, but US elections are in a few months, and I highly suspect some kind of interference campaign based on the volume of these that are being spun up and the content that’s being manipulated. That, or someone, possibly even an alien life form, really wants the impression of public opinion being on their side. Just because I don’t know exactly the purpose doesn’t mean something fishy isn’t happening that other admins should also look into.

Who are the known culprits?

These are ones fitting that pattern which have been identified. There are certainly more, but these have been positively identified. Some were omitted since they were more garden-variety “to win an argument” style manipulation.

These all seem to be part of a campaign. This list is by no means comprehensive, and if there are any false positives, I do apologize. I’ve tried to separate out the “garden variety” type from the ones suspected of being part of a campaign, but may have missed some.

https://lemy.lol/u/ihuklfle
https://lemy.lol/u/iltxlmlr
https://lemy.lol/u/szxabejt
https://lemy.lol/u/woyjtear
https://lemy.lol/u/jikuwwrq
https://lemy.lol/u/matkalla
https://lemmy.ca/u/vlnligvx
https://ttrpg.network/u/kmjsxpie
https://lemmings.world/u/ueosqnhy
https://lemmings.world/u/mx_myxlplyx
https://startrek.website/u/girlbpzj
https://startrek.website/u/iorxkrdu
https://lemy.lol/u/tjrwwiif
https://lemy.lol/u/gmbpjtmt
https://thelemmy.club/u/avlnfqko
https://lemmy.today/u/blmpaxlm
https://lemy.lol/u/xhivhquf
https://sh.itjust.works/u/ntiytakd
https://jlai.lu/u/rpxhldtm
https://sh.itjust.works/u/ynvzpcbn
https://lazysoci.al/u/sksgvypn
https://lemy.lol/u/xzowaikv
https://lemy.lol/u/yecwilqu
https://lemy.lol/u/hwbjkxly
https://lemy.lol/u/kafbmgsy
https://discuss.online/u/tcjqmgzd
https://thelemmy.club/u/vcnzovqk
https://lemy.lol/u/gqvnyvvz
https://lazysoci.al/u/shcimfi
https://lemy.lol/u/u0hc7r
https://startrek.website/u/uoisqaru
https://jlai.lu/u/dtxiuwdx
https://discuss.online/u/oxwquohe
https://thelemmy.club/u/iicnhcqx
https://lemmings.world/u/uzinumke
https://startrek.website/u/evuorban
https://thelemmy.club/u/dswaxohe
https://lemdro.id/u/efkntptt
https://lemy.lol/u/ozgaolvw
https://lemy.lol/u/knylgpdv
https://discuss.online/u/omnajmxc
https://lemmy.cafe/u/iankglbrdurvstw
https://lemmy.ca/u/awuochoj
https://leminal.space/u/tjrwwiif
https://lemy.lol/u/basjcgsz
https://lemy.lol/u/smkkzswd
https://lazysoci.al/u/qokpsqnw
https://lemy.lol/u/ncvahblj
https://ttrpg.network/u/hputoioz
https://lazysoci.al/u/lghikcpj
https://lemmy.ca/u/xnjaqbzs
https://lemy.lol/u/yonkz
  • TheObviousSolution@lemm.eeEnglish
    0·
    4 days ago

    Users could also be doing and reporting the checking up - if votes were transparent - and they would be able to do it on far wider scale. Oh those leopards, eating your faces, vote obfuscation proponents.

  • iso@lemy.lolEnglish
    0·
    5 days ago

    @[email protected] I have cleaned these and some other bot accounts from my instance. I was ok to open registrations to this point because we were able to get reports for almost every activity and we could easily manage them. But unfortunately Lemmy does not have a regulatory mechanism for votes, so I’ll keep it manual approval until then.

    Also it looks like they’re manually creating accounts since we had captcha + email approval in our instance from the beginning. So this means that even with manual approvals, a botnet can be created – just in a delayed manner.

    • Admiral Patrick@dubvee.orgOPEnglish
      0·
      5 days ago

      Thanks for the follow up.

      Yep, seems manual or at least only partially automated based on feedback from other admins.

      Also yeah, unfortunately, Lemmy doesn’t have the ability to report users to their home admins, just content they post. Not sure if that’s a moderation feature that’s in the pipeline or not (haven’t checked for a bit).

        • Admiral Patrick@dubvee.orgOPEnglish
          0·
          4 days ago

          Huh. I’ll have to check that out. Unless it’s new in 0.19.4 or 5,I wasn’t aware the API would let you report users (just their content).

          • JackbyDev@programming.devEnglish
            0·
            4 days ago

            It’s possible it’s non standard, I believe it is a Play Store policy to be able to report all forms of user generated content.

            • Admiral Patrick@dubvee.orgOPEnglish
              0·
              4 days ago

              Ah, okay. I haven’t really messed with Jerboa for a good while since it still seems to have issues with AOSP keyboard (last I checked in on that bug, anyway).

              I was thinking of implementing a non-standard way of doing it in Tesseract (basically it would lookup the user’s instance admins and send a DM). Perhaps that’s what Jerboa is doing?

              Shame, I was hoping there was an API feature for that now.

  • Linkerbaan@lemmy.worldEnglish
    0·
    5 days ago

    In case people are wondering these bots are advocating for Kamala Harris.

    Dessalines is the developer of Lemmy and occasionally notifies users their posts are being botted

    Dessalines notified me on two of my own posts that they were heavily downvoted by low /zero content accounts in the past as well.

    • el_abuelo@programming.devEnglish
      0·
      5 days ago

      Just beware the bias here. Only pointing this out for people working against their agenda doesn’t mean there isn’t the same going on for the other side…just that they aren’t going to point it out as it doesn’t help their agenda.

        • RememberTheApollo_@lemmy.worldEnglish
          0·
          5 days ago

          It isn’t trump’s people pushing the buttons. The people running around before Biden dropped out yelling “Genocide Joe” almost definitely weren’t under trump’s control, and were possibly paid foreign actors. The same was true 8 years ago.

          • SirDerpy@lemmy.worldEnglish
            0·
            5 days ago

            The USA kills lots of people: Native Americans, African Americans, Arabs, Asians. We’re still doing it, now even to whites in Ukraine. It’s all to feed the military industrial complex, just as Eisenhower warned. War is why capital reserves for banks have been raised and why the Fed speaks of lowering the borrow rate. Admitting it is the difference between a patriot and a nationalist.

      • Linkerbaan@lemmy.worldEnglish
        0·
        5 days ago

        If Left wing content was upbotted I’m quite sure the Lemmy.World admins would notice and point it out very quickly.

    • sunzu2@thebrainbin.org
      0·
      5 days ago

      I have been calling this shit since DNc did that switcheroo trick. For which I was needlessly down voted. I just blocked news and politics subs.

      Good to see some hard evidence that we got DNC komissars around.

      People can support kamala all they want but when somebody is spending money to set narratives, even supporters should raise an eye brow. What is this really about?

      • Linkerbaan@lemmy.worldEnglish
        0·
        5 days ago

        Their entire agenda hangs on people not jumping ship because everybody just loves Democrats so much and the alternatives are not popular enough.

        Nobody is even arguing that they like Democrats anymore, it’s just yapping about how Biden (and now Kamala) is the only viable option to win. If it turns out alternatives are actually popular enough that enough people are willing to jump ship the entire narrative sinks.

        • SirDerpy@lemmy.worldEnglish
          0·
          5 days ago

          Consider the alternative of putting the Green platform on every ballot in 2028, overcoming the first and largest obstacle maintaining duopoly. It takes only 5% of the GE popular. Then, watch as Democrats panic to maintain the “big tent” for four years.

          I’m a triple minority. I’ve suffered assholes my whole life. Things got worse under Trump. But, that damage is already done. In this facet nothing changes for me if it’s Trump once again. I’m not afraid. We must think in terms much greater than four years.

            • Linkerbaan@lemmy.worldEnglish
              0·
              5 days ago

              The Democrats dont have Ranked Choice voting on their agenda this is a red herring.

              The Greens have RCV though! 2 in 1!

              • rothaine@lemm.eeEnglish
                0·
                5 days ago

                And without something like RCV, the greens can never win.

                You’re presenting a safe with the key locked inside.

                • Linkerbaan@lemmy.worldEnglish
                  0·
                  5 days ago

                  Yes yes she can never win and Biden is the best candidate. We know the drill. Democrat voters know how politics work right

            • SirDerpy@lemmy.worldEnglish
              0·
              5 days ago

              You’re flat out wrong, likely rooted in ignorance of the system. Without choice on the ballot it can’t be voted for. The obstacles to access are far greater than winning a majority.

              • rothaine@lemm.eeEnglish
                0·
                5 days ago

                No, you are flat out wrong. Read the links I shared. Statistically, it is nearly impossible for a third party to win under FPTP; you may as well buy lottery tickets. The most a third party can do is create a spoiler effect. This is regardless of being on the ballot or campaigning a lot.

                The voting system must be changed. Neither the Democrats or the Republicans will advocate for this, however, since they both enjoy having roughly half the pie.

                • SirDerpy@lemmy.worldEnglish
                  0·
                  5 days ago

                  I need not read links to identify your false premise. The goal isn’t that a certain party win. The revolutionary isn’t loyal to party, only principle. It doesn’t matter which group of opportunistic assholes “win”.

  • dethada@lemmy.zipEnglish
    0·
    6 days ago

    Is there any existing opensource tool for manipulation detection for lemmy? If not we should create one to reduce the manual workload for instance admins

    • johannesvanderwhales@lemmy.worldEnglish
      0·
      5 days ago

      If there were, upbotters would use it to verify that new bottling methods weren’t detectable. There’s a reason why reddit has so much obfuscation around voting and bans.

      • dethada@lemmy.zipEnglish
        0·
        4 days ago

        Good point, but is it then possible to come up with detection algorithms that makes it hard for upbotters even if they know the algorithm? I think that would be more ideal than security through obfuscation but not sure how feasible that is

        • johannesvanderwhales@lemmy.worldEnglish
          0·
          2 days ago

          I don’t know honestly. Really, with AI it would be pretty difficult to be foolproof. I’m thinking of the MIT card counting group and how they played as archetypal players to obscure their activities. You could easily make an account that upvoted content in a way that looked plausible. I’m sure there are many real humans that upvote stories positive to one political party and downvote a different political party. Edit: I mean fuck, if you wanted to, you could create an instance just to train your model. Edit 2: For that matter, you could create an instance to bypass any screening for botters…

  • A Basil Plant@lemmy.worldEnglish
    0·
    6 days ago

    My bachelor’s thesis was about comment amplifying/deamplifying on reddit using Graph Neural Networks (PyTorch-Geometric).

    Essentially: there used to be commenters who would constantly agree / disagree with a particular sentiment, and these would be used to amplify / deamplify opinions, respectively. Using a set of metrics [1], I fed it into a Graph Neural Network (GNN) and it produced reasonably well results back in the day. Since Pytorch-Geomteric has been out, there’s been numerous advancements to GNN research as a whole, and I suspect it would be significantly more developed now.

    Since upvotes are known to the instance administrator (for brevity, not getting into the fediverse aspect of this), and since their email addresses are known too, I believe that these two pieces of information can be accounted for in order to detect patterns. This would lead to much better results.

    In the beginning, such a solution needs to look for patterns first and these patterns need to be flagged as true (bots) or false (users) by the instance administrator - maybe 200 manual flaggings. Afterwards, the GNN could possibly decide to act based on confidence of previous pattern matching.

    This may be an interesting bachelor’s / master’s thesis (or a side project in general) for anyone looking for one. Of course, there’s a lot of nuances I’ve missed. Plus, I haven’t kept up with GNNs in a very long time, so that should be accounted for too.

    Edit: perhaps IP addresses could be used too? That’s one way reddit would detect vote manipulation.

    [1] account age, comment time, comment time difference with parent comment, sentiment agreement/disgareement with parent commenters, number of child comments after an hour, post karma, comment karma, number of comments, number of subreddits participated in, number of posts, and more I can’t remember.

    • Admiral Patrick@dubvee.orgOPEnglish
      0·
      5 days ago

      That would definitely work for rooting out ones local to an instance, but not cross-instance. For example, none of these were local to my instance, so I don’t have email or IP data for those and had to identify them based on activity patterns.

      I worked with another instance admin who did have one of these on their instance, and they confirmed IP and email provider overlap of those accounts as well as a local alt of an active user on another instance. Unfortunately, there is no way to prove that the alt on that instance actually belongs to the “main” alt on another instance. Due to privacy policy conflicts, they couldn’t share the actual IP/email values but could confirm that there was overlap among the suspect accounts.

      Admins could share IP and email info and compare, but each instance has its own privacy policy which may or may not allow for that (even for moderation purposes). I’m throwing some ideas around with other admins to find a way to share that info that doesn’t violate the privacy of any instances’ users. My current thought was to share a hash of the IP address, IP subnet, email address, and email provider. That way those hashes could be compared without revealing the actual values. The only hiccup with that is that it would be incredibly easy to generate a rainbow table of all IPv4 addresses to de-anonymize the IP hashes, so I’m back to square one lol.

      • A Basil Plant@lemmy.worldEnglish
        0·
        5 days ago

        Yes, this would essentially be a detecting mechanism for local instances. However, a network trained on all available federated data could still yield favorable results. You may just end up not needing IP Addresses and emails. Just upvotes / downvotes across a set of existing comments would even help.

        The important point is figuring out all possible data you can extract and feed it to a “ML” black box. The black box can deal with things by itself.

  • ericbomb@lemmy.worldEnglish
    0·
    6 days ago

    But this is SOO tedious. The annoying bit is it could just be one person who set it up over a weekend, has a script that they plug into when wanting to be a troll, and now all admins/mods have to do more work.

    You’re fighting the good fight! So annoying that folks are doing it on freaking lemmy.

    • Buddahriffic@lemmy.worldEnglish
      0·
      5 days ago

      I wonder if there’s a way for admins to troll back. Like instead of banning the accounts, send them into a captcha loop with unsolvable or progressively harder captchas (or ones designed to poison captcha solving bots’ training).

  • DarkThoughts@fedia.io
    0·
    6 days ago

    Fedia hiding the activity is one of those things that I kinda dislike, as it was an easy way to detect certain trolls.

    • Admiral Patrick@dubvee.orgOPEnglish
      0·
      6 days ago

      yeah, i’m split on public votes.

      On one hand, yeah, there’s a certain type of troll that would be easy to detect. It would also put more eyes on the problem I’m describing here.

      On the other, you’d have people doing retaliatory downvotes for no reason other than revenge. That, or reporting everyone who downvoted them.

      It depends on the person to use that “power” responsibly, and there are clearly people out there who would not wield it responsibly lol.

      • DarkThoughts@fedia.io
        0·
        5 days ago

        I think retaliatory downvotes happen either way if you’re in an argument. Same with report abuse, which, if it happens to a high degree, would be the moderator’s responsibility to ban the perpetrator (reports here are not anonymous like they were on Reddit).

        Also, if there’s someone with an abusive mind, they can easily use another instance that shows Activity to identify downvoters. The vote is public either way for federation purposes, they’re just hidden from certain instances - at least on the user level, but they’re still there technically.

      • nondescripthandle@lemmy.dbzer0.comEnglish
        0·
        5 days ago

        Im fully against public down votes becaue I already see people calling out other users by their name in threads they’re not even part of. Theres no world where that behavior gets better when you give them more tools to witch hunt. Lemmy is as much an insular echo chamber as any social media and there are plenty of users dedicated to keeping it that way.

  • kersploosh@sh.itjust.worksEnglish
    0·
    6 days ago

    After digging into it, we banned the two sh.itjust.works accounts mentioned in this post. A quick search of the database did not reveal any similar accounts, though that doesn’t mean they aren’t there.

  • Otter@lemmy.caEnglish
    0·
    6 days ago

    I think what we need is an automated solution which flags groups of accounts for suspect vote manipulation.

    We appreciate the work you put into this, and I imagine it took some time to put together. That will only get harder to do if someone / some entity puts money into it.

    • SorteKanin@feddit.dkEnglish
      0·
      5 days ago

      automated solution

      On the other hand, any automated solution will be possible to work around. Such a system would be open source like the rest of Lemmy and you’d know exactly the criteria you need to live up to to avoid getting hit by the filter.

      • Otter@lemmy.caEnglish
        0·
        5 days ago

        I guess it could end up being an arms race.

        What if the tool was more of a toolbox, where each instance could configure it the way that they want (ex. Thresholds before something is flagged, etc.) Similar to how automod works, where the options are well known but it’s hard to tell what any particular space is running behind the scenes.

        At the very least, tools like this can make it harder for silent vote manipulation even if it doesn’t stop it entirely

    • Admiral Patrick@dubvee.orgOPEnglish
      0·
      6 days ago

      Yeah, this definitely seems more like script kiddie than adversarial nation-state. We’re not big enough here, yet anyway, that I think we’d be attracting that kind of attention and effort. However, it is a good practice run for identifying this kind of thing.

      • Starbuncle@lemmy.caEnglish
        0·
        6 days ago

        It’s easy on Reddit because they have their own username generator when you sign up, but the usernames being used here are very telling. Random letters is literally the absolute bare minimum effort for randomly generating usernames. A competent software engineer could make something substantially better in an afternoon and I feel like an adversarial nation-state would be using something like a small language model trained solely on large lists of scraped usernames.

  • XNX@slrpnk.netEnglish
    0·
    6 days ago

    How did you discover this? I wonder if private voting will make it too difficult to discover

    • Admiral Patrick@dubvee.orgOPEnglish
      0·
      6 days ago

      Try to summarize this as briefly as I can:

      I was replying to a comment in a big news community about 5 months ago. It took me probably 2 minutes, at most, to compose my reply. By the time I submitted the comment (which triggered the vote counts to update in the app), the comment I was replying to had received ~17 downvotes. This wasn’t a controversial comment or post, mind you.

      17 votes in under 2 minutes on a comment is a bit unusual, so I pulled up the vote viewer to see who all had downvoted it so quickly. Most of them were these random 8 character usernames like are shown in the post.

      From there, I went to the DB to look at the timestamps on those votes, and they were all rapid-fire, back to back. (e.g. someone put the comment AP ID into a script and sent their bot swarm after it)

      So that’s when I realized something fishy was happening and dug deeper. Have been keeping an eye out for those type of accounts since. They stopped registering for a while, but then they started coming up again within the last week or two.

    • Admiral Patrick@dubvee.orgOPEnglish
      0·
      6 days ago

      Ethically, I can’t (and won’t). I’m only comfortable and confident enough to share the list of sockpuppet accounts I’ve confirmed and provide the information necessary to detect them. I did list the topics I’m aware of (US news and politics), but I’m only able to see activity based on what my instance knows about. So they may be manipulating other communities, but if my instance doesn’t subscribe to them, I have no way of seeing it.

      That’s actually why I posted this. My visibility is limited, so once I identified the pattern, I’m passing that along to other admins for awareness.

        • Cadeillac@lemmy.worldEnglish
          0·
          6 days ago

          This Blue MAGA shit is so fucking funny to me. It is the laziest no u. It came out of nowhere, they provide absolutely nothing to back it up. They just show up screaming Blue MAGA. I kind of miss the days when trolls actually tried. It isn’t even fun anymore, and they just run away when you hit them with a factual rebuttal

          • thisbenzingring@lemmy.sdf.orgEnglish
            0·
            6 days ago

            I got banned from one of the politics communities for calling out someone using the “blue maga” phrase. I called them ambitious and then called called them weirdo and got my comment removed for “attack language”, when I quested the mod they banned me for a few days. I will avoid any communities that mod is a part of.

            • sunzu2@thebrainbin.org
              0·
              5 days ago

              Both news and politics subs are captured by brain dead DNC operatives.

              Just block both, feed looks much better.

            • Cadeillac@lemmy.worldEnglish
              0·
              6 days ago

              I’ve gotten a couple warnings on politics. I don’t worry too much about it. Makes me have to be more clever, and not just directly attack people

  • catloaf@lemm.eeEnglish
    0·
    6 days ago

    Lemmy should do something like make captcha and email verification the default in the next version, and reject federation from anyone with a lower version. If we accept federation from any instance where this was never turned on, banning accounts one by one is worse than Sisyphean. They’ll just keep finding more vulnerable instances that are already trusted and abuse them to spam the rest of the fediverse.

    If admins want to manually turn it off, then they should be prepared to manage that.

      • catloaf@lemm.eeEnglish
        0·
        6 days ago

        If instances are unmaintained, losing them is probably a good thing.

        • Draconic NEO@lemmy.worldEnglish
          0·
          10 hours ago

          I think it’s unreasonable to call every instance that doesn’t update immediately with every release “unmaintained” if anything a lot of these bleeding edge instances which update to the latest version immediately without waiting at all are kind of reckless.

          After all everyone remembers the Federation bugs that were present in one of the releases and ended up being very bad for a lot of the instances, it caused content to fail to be federated between the instances. Not good.

          So I’m really not into the idea of trying to force or incentivize updates to unstable and untested versions if admins are unwilling to do it. And I’m especially not into the idea of criticizing admins who prefer to hold off on updating until they are sure the versions are stable.

        • Blaze@feddit.orgEnglish
          0·
          5 days ago

          Not sure you want to lose Lemmy.world, sh.itjust.works and programming.dev, that would be around 40% of the active userbase

        • Snot Flickerman@lemmy.blahaj.zoneEnglish
          0·
          6 days ago

          Blahaj is not unmaintained but it only upgraded from 0.19.3 a few weeks ago. They are always a tad behind, and so I think calling them “unmaintained” is a bit much.