A Deadpool Of Bots

Yesterday in chat someone pointed out a small set of accounts that followed this Dirty Dozen of known harassment artists.

Dirty Dozen De Jure

The accounts all had the format <first name><last name><two digits>. We extracted two dozen from the followers of these twelve accounts, then ran their followers and found a total of 112 accessible accounts that had this same format. Suspecting a botnet, we created a mention map to see how they have been spending their time.

112 Bots & Mentions

This image is immediately telling for those used to examining mention maps. There are too many communities (denoted by different colors) present for such a small group and the isolated or nearly isolated islands just don’t look like a human interaction pattern.

ICObench Nexus

Switching node sizing from out-degree to eigenvector centrality made the focus of this group of accounts immediately clear. Zooming in on the names revealed two other cryptocurrency news sites and a leader in the field as the targets of these accounts.

Thinking that 112 was a small number, we extracted their 7,029 unique followers’ IDs and got their names. Nearly 600 matched the first/last/digits format, but there were other similarities as well. We placed all 7,029 in our “slow cooker”, set to capture all of their tweets.

6,897 Bots

We were expecting to find signs of a botnet, but it appears the entire set of accounts is part of the same effort. The 6,897 we managed to collect were all created in the same twelve week period. The gaps between creation times and the steady production of about eighty accounts per day suggest a small hand-run operation in a country with cheap labor.

Hashtags Used

The network is transparently focused on cryptocurrency over the long haul. Narrowing the timeframe to the last thirty days moved the keywords around a bit, but the word cloud is largely the same. The clue to how these accounts got into the mix is in the lower right quadrant: #followme and #followback indicate a willingness to engage anyone from the world at large, in addition to their siblings.

The reason we have pursued this so far, when it looks like just a cryptocurrency botnet, is the following clue.

The Big Clue

Here are five bad actors with two other accounts created right in between them time wise. This is the most striking example, but there are others like it. And understand the HUMINT that triggered this – a group of people who do nothing but take down racist hate talkers all day feel besieged by a group that manages to immediately regenerate after losing an account.
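As an added example, not code from the original post or from the group's own collection software: the two screens used above, the <first name><last name><two digits> handle template and the creation-time cadence, plus the "created right in between them" test from The Big Clue, done in Python over a constructed profile list. The regex is a heuristic (two capitalised alphabetic runs followed by exactly two digits), the sample handles and timestamps are made up, and the known-bad set stands in for the HUMINT input.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample profiles (screen_name, created_at in UTC); not real accounts.
SAMPLE_PROFILES = [
    ("JamesCarter17", "2018-04-02T08:15:00"),
    ("MariaLopez83", "2018-04-02T08:41:00"),
    ("crypto_signals_daily", "2018-04-02T09:05:00"),
    ("AlanReed42", "2018-04-03T10:20:00"),
    ("known_hater_one", "2018-04-03T11:00:00"),
    ("KarenBrooks09", "2018-04-03T11:12:00"),
    ("PaulMorgan55", "2018-04-03T11:30:00"),
    ("known_hater_two", "2018-04-03T12:05:00"),
    ("icobench", "2017-10-01T00:00:00"),
]
# Assumed set of previously identified harassment accounts (the HUMINT input).
KNOWN_BAD = {"known_hater_one", "known_hater_two"}

# Heuristic for <first name><last name><two digits>: two capitalised alphabetic
# runs followed by exactly two digits, inside Twitter's 15 character limit.
HANDLE_PATTERN = re.compile(r"^[A-Z][a-z]{1,13}[A-Z][a-z]{1,13}\d{2}$")


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def matches_pattern(handle):
    return len(handle) <= 15 and HANDLE_PATTERN.match(handle) is not None


def pattern_matches(profiles):
    """Handles that fit the naming template."""
    return [handle for handle, _ in profiles if matches_pattern(handle)]


def creation_cadence(profiles):
    """Per-day creation counts, span in days, mean accounts per day and the largest
    gap in minutes between consecutive creations. A tight, steady cadence with no
    long gaps is the batch-creation signature."""
    times = sorted(parse_ts(ts) for _, ts in profiles)
    if not times:
        return {}
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
    span_days = (times[-1].date() - times[0].date()).days + 1
    return {
        "per_day": dict(Counter(t.date().isoformat() for t in times)),
        "span_days": span_days,
        "mean_per_day": len(times) / span_days,
        "max_gap_minutes": max(gaps) if gaps else 0.0,
    }


def interleaved_with_known_bad(profiles, known_bad):
    """Accounts created between consecutive known-bad accounts, keyed by the pair
    they fall between: the 'created right in between them' pattern."""
    ordered = sorted(profiles, key=lambda p: parse_ts(p[1]))
    result = {}
    current_bad, between = None, []
    for handle, _ in ordered:
        if handle in known_bad:
            if current_bad is not None:
                result[(current_bad, handle)] = between
            current_bad, between = handle, []
        elif current_bad is not None:
            between.append(handle)
    return result
```

Run the cadence over the pattern matches only, not the whole follower set, otherwise long-lived legitimate accounts (the icobench entry in the sample) stretch the span and hide the burst.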

Our Working Theory

What we think we are seeing here is a pool of low end crypto pump and dump accounts that were either created for or later sold to a ringleader in this radicalized right wing group.

Now that we have roughly 7,000 of them on record, we have to decide what to do. This is just such a blatant example of automation that Twitter might immediately take it down if they notice. The 6.5 million tweets we collected are utterly dull – the prize here is the user profile dataset. We’d need some mods to our software, but maybe we need to collect all the followers for this group of 7,000 and figure out what the actual boundaries of this botnet truly are.

This has been a tiresome encounter for those who make it their business to drive hate speech from Twitter, but this may be the light at the end of the tunnel. If one group is using pools of purchased accounts to put their foot soldiers back in play the minute they get suspended, others are doing this, too. No effort was made to conceal this one from even moderate analysis efforts. If we demonstrate this is a pattern and Twitter is forced to act, we may well find that a lot of the heat will go out of political discourse on that platform.

Exploring Conversation Spaces

Earlier today we captured seventy one Twitter accounts that we classified into three groups. These are Durant’s Dullards (21), Team Pillow Forts (23), and TheShed (27). The first are associated with RowdyPolitics[.]com, the second group are associated with CitJourno[.]org and Patribotics[.]blog, while the last group are unified by being stable, long term personas who are often forced to replace accounts due to suspension.

Three Co-Traveler Groups

Visually, the Fortress of Pillowtude is on the left, the cluster of red accounts are the RowdyPolitics people, and The Shed’s frequent reincarnations leave them scattered around the perimeter on the right with fewer mentions.

This particular graphic has been filtered to remove 934 ‘CMP’ accounts – Celebrities, Media, and Politicians. The working theory behind this is that those accounts are ubiquitous, they cross group boundaries, and thus are not terribly useful for diagnostics. That thinly populated space in the middle holds less notable CMP figures that haven’t been removed yet … but more importantly, some of those are ‘weak ties’, as covered in Mark Granovetter’s 1973 classic social network analysis paper The Strength of Weak Ties.

Seeing The Whole Forest

While these groups lead in the creation, curation, and elevation of content, we want to be able to see them in the context of their operating environment. Graphs like this are useful for discerning structure, for identifying certain types of relationships, but those accounts generated over 262,000 mentions and over 12,000 others were mentioned twice or more. This is where we set aside Gephi and take up Elasticsearch.

Selecting the 2,739 accounts mentioned ten or more times is a good balance between getting what is important and not overrunning our available resources. Recent performance tuning means our collection system can now handle forty eight accounts in parallel. This run took 70 minutes to collect 6.48M tweets from the 2,235 accounts that were actually available, an average of 32 accounts/minute. The 504 missing accounts are mostly those from The Shed that have been banned.

We want to see both overall features as well as group specifics, so JSON filters were created for each group. Applying them, we can see the top hashtags in use by each group over the last week. The fourth cloud is the overall set of hashtags employed by every account they mentioned. Here we begin to see what each group’s contribution to the overall conversation may have been.

Durant’s Dullards Top 25 Hashtags
Team Pillow Forts Top 25 Tags
The Shed Top 25 Hashtags
Top 25 Hashtags From All Accounts Mentioned

Temporal Matters

6.5 million lines of text is a lot to digest. Kibana gives us powerful ways to search, filter, and abstract content, coupled with fine grained control of time. If we want to know the top hashtags over the prior seven days, limited to those that occurred alongside #MAGA or #Anonymous, and see how they compare by volume, that’s easily done.
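The per-group JSON filters described under Seeing The Whole Forest and the time-windowed, co-occurrence-limited hashtag query just described, as an added Python example rather than the group's own Kibana saved objects. The index layout is an assumption: one tweet per document, created_at mapped as a date, user.screen_name and entities.hashtags.text as keyword fields with hashtags lower-cased at index time. The query builder emits standard Elasticsearch query DSL; the local function beside it computes the same thing over constructed sample documents so the semantics can be checked offline.

```python
from collections import Counter
from datetime import datetime, timedelta


def group_filter(screen_names):
    """The per-group JSON filter: restrict to tweets from a named set of accounts."""
    return {"terms": {"user.screen_name": sorted(screen_names)}}


def top_hashtags_query(screen_names=None, days=7, cooccurring_with=None, size=25):
    """Query body for a top-N hashtag terms aggregation over the last `days` days,
    optionally limited to one group and to tweets that also carry an anchor tag.
    Note the anchor tags themselves will be counted, so #maga tops its own list."""
    filters = [{"range": {"created_at": {"gte": f"now-{days}d/d"}}}]
    if screen_names:
        filters.append(group_filter(screen_names))
    if cooccurring_with:
        anchors = [h.lstrip("#").lower() for h in cooccurring_with]
        filters.append({"terms": {"entities.hashtags.text": anchors}})
    return {
        "size": 0,  # aggregation only, no hits
        "query": {"bool": {"filter": filters}},
        "aggs": {"top_tags": {"terms": {"field": "entities.hashtags.text", "size": size}}},
    }


# Constructed sample documents in the assumed layout; not real tweets or accounts.
SAMPLE_TWEETS = [
    {"user": {"screen_name": "dullard1"}, "created_at": "2018-10-18T10:00:00",
     "entities": {"hashtags": [{"text": "MAGA"}, {"text": "QAnon"}]}},
    {"user": {"screen_name": "dullard2"}, "created_at": "2018-10-19T09:30:00",
     "entities": {"hashtags": [{"text": "MAGA"}, {"text": "WalkAway"}]}},
    {"user": {"screen_name": "pillow1"}, "created_at": "2018-10-19T12:00:00",
     "entities": {"hashtags": [{"text": "Resist"}]}},
    {"user": {"screen_name": "pillow2"}, "created_at": "2018-10-01T08:00:00",
     "entities": {"hashtags": [{"text": "MAGA"}, {"text": "Resist"}]}},  # outside a 7 day window
    {"user": {"screen_name": "shed1"}, "created_at": "2018-10-19T15:00:00",
     "entities": {"hashtags": [{"text": "WalkAway"}]}},
]
DULLARDS = {"dullard1", "dullard2"}
PILLOW_FORTS = {"pillow1", "pillow2"}
NOW = datetime(2018, 10, 20)  # constructed 'now' for the sample window


def top_hashtags_local(tweets, now, screen_names=None, days=7, cooccurring_with=None, size=25):
    """Reference implementation of what top_hashtags_query asks Elasticsearch for.
    (Elasticsearch rounds now-7d/d to the start of the day; this uses an exact cutoff.)"""
    since = now - timedelta(days=days)
    anchors = {h.lstrip("#").lower() for h in (cooccurring_with or [])}
    counts = Counter()
    for t in tweets:
        if datetime.strptime(t["created_at"], "%Y-%m-%dT%H:%M:%S") < since:
            continue
        if screen_names and t["user"]["screen_name"] not in screen_names:
            continue
        tags = [h["text"].lower() for h in t["entities"]["hashtags"]]
        if anchors and not anchors & set(tags):
            continue
        counts.update(tags)
    return counts.most_common(size)
```

Post the query body to `<index>/_search`; swapping the group filter for each of the three groups gives the three clouds, and leaving it out gives the fourth, overall cloud.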

Top Hashtags Prior Week

What if we want to see who first noticed the news of Elena Khusyaynova’s indictment on Friday? A few mouse clicks and we have the data from when the story broke. Long term observations are just as smooth – if we set the system up to spool content, it’ll just continuously capture the accounts that we decide are interesting.

Khusyaynova Indictment

Future Explorations

We are just getting started with the Kibana interface to Elasticsearch, using it as an advanced text search engine and doing some simple infographics in the spirit of descriptive statistics. There are complex, powerful tools out there, such as Timesketch and Wazuh, that are built on the Elasticsearch foundation. If we find just the right person, we may start branching in that direction.

An Old Investigation Worth Revisiting

There is something new brewing that we telegraphed on Twitter, but it’s going to take a bit to ripen. Between now and then let’s look over an unrelated event that is somewhat similar in spirit. Some of this originally appeared on Liberty STRATCOM as Russian Indictments, American Pinholes. The Internet Research Agency indictment revealed thirteen email addresses associated with Paypal accounts. It is believed that Ricky Pinedo had something to do with their procurement, but we were interested in what could be discerned from them.

Internet Research Agency Paypal Accounts

We checked these against RiskIQ and only the first one came back with an associated domain.

DigitalFaceLab registered by wemakeweather@gmail.com

The domain registration was proxied, but unluckily for IRA, I used to live about two miles from this address, which was easily checked. It is a vacant lot between two other homes, and the woman’s name is common.

DigitalFaceLab Bogus Registration

Don’t bother chasing DigitalFaceLab[.]com unless you have RiskIQ, it was moved to a Chinese IP after we started probing it, apparently a strategy to shift blame, and that’s not the real story in any event.

If you Googled the domain name when the indictment was released, there was one hit, in YourDigitalFace[.]com’s front page source code.

YourDigitalFace[.]com unitedvetsofamerica@gmail.com
And the unitedvetsofamerica@gmail.com account is one of the other Paypal accounts in the indictment. Now we might be on to something …

The domain YourDigitalFace[.]com was originally registered by Scott Orlosk in New Hampshire.

YourDigitalFace[.]com Original Registration
But it’s unclear what happened here. Did Orlosk lose control of the domain? It ends up tied to a Russian registrar, but not until May of 2017, which hardly makes sense given the overall time frame of events.

YourDigitalFace[.]com Expires
So what might be happening here?

  • RiskIQ is good, but not perfect, it misses things, it finds things later, it updates where and when it can get additional information. Maybe we are missing a key piece.
  • YDF expired, but Orlosk recovered it during a grace period, and may have been involved in developing and running DigitalFaceLab[.]com
  • Some exceedingly clever IRA person used DFL for the 2016 election and just happened to leave this subtle trail of clues to confound analysis.

But we know that IRA scrambled to clean up after the FBI made them – this is admitted in their indictment. Concealment at the theorized level is something we do in operations, we’ve run across similar things in other encounters with Russians, but this just … doesn’t feel like that. It doesn’t seem planned, it seems hasty, after the fact.

There are precisely three weeks to go till the 2018 midterm. This is a fine time to recall that Ricky Pinedo was just sentenced to six months in prison for what he took to be a crime below the threshold that would be pursued. His life will never be the same and everyone who had any transactions with those thirteen accounts has no doubt had some sleepless nights. Pinedo being sentenced means any cases based on his cooperation are going to quickly move to arrests, search warrants, and unsealed indictments becoming available.

Tools Of The Trade

Articles here are written by a single author (thus far) but represent the collective views of a loose group of two dozen collaborators, hence the use of the first person plural ‘we’. We take on civil investigations, criminal defense, penetration testing, and geopolitical/cybersecurity threat assessments.

Group members have native fluency in English, French, German, Spanish, and Romanian, and we do a fair job with Arabic when it is required. Several of us have corporate or ISP infrastructure backgrounds, and our tools, both chosen and created, reflect this internal integration capability.

This is an inventory of the major systems we currently employ.


Gephi

The Gephi data visualization package is a piece of free software which permits the handling of networks with tens of thousands of nodes and hundreds of thousands of links. We use this for macro scale examinations of Twitter and some types of financial data, coding import procedures to express complex metrics, when required. When you see colorful network maps, this is likely the source.


Maltego

The Maltego OSINT link analysis system began life as a penetration tester’s toolkit. It offers a rich set of entities, integration of many free and paid services, and local transform creation. There is a team collaboration feature for paid subscribers and the free Community Edition can read any graph we produce. This is used internally in the same way a financial audit firm would employ a spreadsheet – it is a de facto standard for recording and sharing investigation information.

Sentinel Visualizer

Sentinel Visualizer is a law enforcement/intel grade link analysis package that supports both geospatial and temporal analysis. This only comes out in the face of paying engagements with large volumes of data, as it has a somewhat intimidating learning curve.


Hunch.ly

Hunch.ly is a Google Chrome extension that preserves the trail of web sites one visits, applying a standing list of selectors to each page and permitting the addition of investigator’s notes. This tool supports the notion of multiple named investigations, preserves content statically, and can export in a variety of formats. Users are free to follow their noses without the burden of bookmarking and making screen shots while investigating, then later attempting to share their findings in a coherent fashion. The system recently began supporting local Maltego transforms.


RiskIQ

The RiskIQ service is an aggregator of a dozen passive threat data repositories in addition to its own native tracking of domain registrations, DNS, SSL certificates, and other threat assessment data. The service is delivered as a web based search engine and a companion set of Maltego transforms. This system is a panopticon for bad actor infrastructure which we use daily.


Elasticsearch

The Elasticsearch platform is used for many things, but for us it is a full text search engine with temporal analysis capabilities that will easily handle tens of thousands of Twitter accounts that have produced tens of millions of tweets. This is a construction kit for us, the right way to collate and correlate the work of teams of Actors, Collectors, and Directors. We currently curate 25 million tweets from ISIS accounts that were collected by TRAC, we support Liberty STRATCOM with collection and analysis, and the botnetsu.press system is in use by activists who track violent right wing groups in the west.

Negative Decisions

What not to do is just as important as the right stuff. Here are some things we avoided, that we tested but did not implement, or that we have used but later abandoned.

Analyst’s Notebook – nonstarter, 2x the cost of Sentinel Visualizer, and not nearly as open.

Windows – with the exception of Sentinel Visualizer, we don’t have anything that is Windows dependent. Generally speaking, things have to behave for Linux and OSX, with Windows support being nice, but not required.

Splunk – we tried to love it, truly we did. It just didn’t work out.

OSSIM – largely abandonware from what we hear. AlienVault’s Open Threat Exchange is doing fine though, and it all turns up in RiskIQ.

Aeon, Timeline, etc – we always jump at collaborative timeline tools, then later end up sitting back and being annoyed. SaaS solutions are out there, but we have confidentiality concerns that hold us back from using them.

Timesketch – very cool, an Elastic based tool, but more incident response focused than intel oriented.

SpiderFoot – very cool, but we settled on RiskIQ/Maltego installed on a remotely accessible workstation. This is one we should put back up and use enough to advise others.

There have been many more digressions over the years, these are some of the more formative ones.


Adversary Resistant Networking

Much like our thinking regarding Adversary Resistant Computing, we have some ideas on dealing with opponents who exhibit enough situational awareness to spot a visitor originating in a certain place, and then devise some way to cause trouble for them.

First, what hunts you?

Our taxonomy of threats from the ARC article is a bit much here. Any foe you might encounter will fall somewhere on this spectrum:

  • Simple detection via web site logging or documents seeded with some means of ‘phoning home’. Threats are doxing, civil discovery, or maybe an attempt to involve law enforcement.
  • Detection and fingerprinting for browser, OS, and the like. Threats as above, adding perhaps browser hijacking or spearphishing attempt.
  • Detection, fingerprinting, temporal analysis, and other corporate defense tactics. Threats as above, adding much more likely civil or criminal trouble.
  • Competent nation state or Five Eyes, curious and tracking large classes of anomalous behavior, watching (and interfering) in ways you can not quite imagine. Threats scale up with their perceived value of what interests you.

Second, what role does your organization play?

If you are noticed, what does your presence convey to the entity that has detected you? Are they about to get some negative press? A lawsuit? A raid by authorities? Are you a vanguard for a sanctioned intrusion or some sort of subversion of their systems? They will be doing a threat assessment on you, just as you should be doing on them.

Third, how much are you willing to give up?

You cannot interact with a remote system without leaving some sort of trace. There are a variety of ways to hide, from the Tor anonymizing network, to various VPNs, to physical travel away from your normal haunts. And if you have a budget, there is a realm beyond this one.

Some Real World™ scenarios:

The Tor network provides a multi-hop routing architecture, hundreds of global exits to the clearnet, and a private darknet of websites with onion addresses. Entry level opponents will be baffled by this, wary ones will simply use the Tor exit nodes list to block access, and nation states are in a position to attempt traffic correlation and other mischief.

There are many VPN providers out there. If they require you to use a binary bundle, you should turn and run. Free services that accept OpenVPN connections are profiling you, injecting ads, and likely trying to hijack your system. We trust ProtonVPN to not be doing this, and for certain other activities the very feral Cryptostorm is a good choice. The problem with each is that their exits are discoverable by anyone willing to spend $5 to $125 to explore, and once your pattern is recognized,

Tor will happily build its circuits from behind a VPN connection. Some VPN providers, like Cryptostorm, offer free low speed services, and they will accept TCP connections that arrive from the Tor network. The first arrangement is good discipline if you might be facing one of those nation state opponents; the latter is a technique used to circumvent Tor access bans while still enjoying its protection.

The real hazards here are forgetting some step, say turning on a VPN, or having a failure that in some way exposes your location. We are big fans of “fail closed networking” – if something isn’t right with your connection, it should behave in such a way that you must repair it before resuming your work.

There are tools that purport to do this for desktop operating systems; we find all of them to be less than comforting. Linux can be made to behave in this fashion, and Linux based firewalls can enforce such discipline for your entire network, including those devices which otherwise have no hope of operating safely.
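One way to get that fail closed behaviour on a Linux host, as an added example and not the group's own firewall configuration: a Python helper that renders an nftables ruleset allowing traffic out only through the tunnel interface or to the VPN endpoint itself, with everything else dropped and rejected. The endpoint must be given as an IP address, since resolving a hostname over the open network would otherwise have to be permitted before the tunnel exists. The tunnel interface names, addresses and ports below are assumptions (documentation ranges, not real servers).

```python
import ipaddress
import subprocess


def build_ruleset(vpn_endpoint, vpn_port, proto="udp", tun_iface="tun0", lan_cidr=None):
    """Render an nftables ruleset (inet family, so IPv4 and IPv6 are both covered)
    whose output chain defaults to drop. Only loopback, the tunnel interface and
    the VPN endpoint's own port are allowed out; an optional LAN exception can be
    added for printers and the like. Any other packet is rejected immediately so
    applications fail loudly instead of silently falling back to the clear path."""
    ip = ipaddress.ip_address(vpn_endpoint)  # raises ValueError for a hostname
    if proto not in ("udp", "tcp"):
        raise ValueError("proto must be udp or tcp")
    family = "ip" if ip.version == 4 else "ip6"
    lines = [
        "flush ruleset",
        "table inet killswitch {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iifname "lo" accept',
        "    ct state established,related accept",  # replies to the VPN handshake and tunnel traffic
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        '    oifname "lo" accept',
        f'    oifname "{tun_iface}" accept',
        f"    {family} daddr {ip} {proto} dport {int(vpn_port)} accept",
    ]
    if lan_cidr:
        net = ipaddress.ip_network(lan_cidr, strict=False)
        fam = "ip" if net.version == 4 else "ip6"
        lines.append(f"    {fam} daddr {net} accept")
    lines += ["    reject with icmpx type admin-prohibited", "  }", "}"]
    return "\n".join(lines) + "\n"


def apply_ruleset(ruleset, nft_binary="nft"):
    """Load the ruleset atomically with `nft -f -`; requires root."""
    subprocess.run([nft_binary, "-f", "-"], input=ruleset.encode(), check=True)


if __name__ == "__main__":
    # Assumed endpoint: documentation address 203.0.113.10, OpenVPN's usual UDP port.
    print(build_ruleset("203.0.113.10", 1194, lan_cidr="192.168.1.0/24"))
```

The DNS consequence is deliberate: once this is loaded, resolvers are only reachable through the tunnel, so the VPN client must push its own DNS servers. Test the failure mode by taking the tunnel down on purpose and confirming that a fetch to the outside is refused rather than routed.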



Adversary Resistant Computing

The very first question asked when one begins to awaken to the hazards in the world today will be “How do I keep my current phone and computer safe?” Serious practitioners ask themselves this each day, when they first rise in the morning, and then again when they close their eyes to sleep.

We answer this simple question with a number of others, to sharpen thinking.

First, what hunts you?

Your answer(s) to this conditions the required level of discipline, as there is a spectrum of threats:

  • Largely civilian OSINT practitioners, law abiding, usually lacking a budget.
  • Sanctioned civilian investigators, corporate security or private detectives, with some skills, some budget, and some degree of law enforcement support in their jurisdiction.
  • Cyber specific adversaries, specialty vendors with skills, tools, and the talent to properly pursue threats to their interests.
  • Violent action groups, able and willing to engage in extralegal activities, or operating in areas where there are no surviving authorities providing law and order.
  • Nation state actors, who have less talent and flexibility across the board than the other threats, but much larger budgets, and who bring a long term perspective.
  • Global intelligence players, such as the Five Eyes everywhere, China and Russia in their own territories, and the set of competent regional powers such as Iran or India.

Once you have a sense of your peak problem, and understand that it can and will employ the smaller fish, you have a starting point to understanding what is required.

Second, what role does your organization play?

If you are reading this you presumably fit into one of those six very general threat buckets we just named. Depending on the day, we fit into the first three, we might be working for the upper two, and we have been involved in the study of, but not direct conflict with violent extralegal actors.

Third, what role do you yourself play?

If you are reading our internal documentation you’ll find that we partition people into three types of roles:

  • Actors – those who travel, who may interact with an observation target in some fashion, who face the risks of identification, device intrusion, device seizure, and so forth.
  • Collectors – typically passive observers whose intent is to go unnoticed, and who largely succeed. One of the strengths of our system is the ability to capture cognitive surplus and the free time of motivated observers, who may be equipped with as little as a prepaid Android device.
  • Directors – those who can assess risk and advise Actors, who have overall situational awareness for group activity, who guide and motivate Collectors.

Having considered this, you now understand some of what we are thinking when we answer that first query about device safety.

What to NOT do …

If “Microsoft Windows” is ever meant to be a serious answer, the original question was poorly phrased. We just don’t use it unless there is a specific need to look like a Windows user, with the implication being that one is actively nosing around an adversary and wants to blend into the background noise.

NSA employees are known to use Apple products and many of us favor them, for the smooth blend of consumer software and Unix security features. Others prefer Linux.

If you mentally edit every mention of “cell phone”, replacing it with “small, stupid computer, too trusted, and far too easily lost or seized and searched”, you’ll be on the right track. They are a fact of life, but so is the common cold during fall and winter, and you know the steps you should take to avoid that.

There are decent Android products, albeit ZTE, in the second tier of such devices for prepaid services such as GoPhone or TracFone. $25 to $50 will net you a device which you do not need to fund for cell service in order to start using it for some purposes. A slightly dated phone you have retired is also a good choice here.

Some Specific Recommendations

You should be familiar with a type two hypervisor. The solid free one is VirtualBox. The paid solution is VMware Workstation on Linux/Windows, or Fusion on the Mac. Apple owners should avoid Parallels – the price is attractive, it’s a smooth OSX native, but power hungry and the ability to work with other platforms ranges from poor to nonexistent.

TAILS Linux is a live CD distro that defaults to using the Tor network. We like this on small laptops, but hardware support is variable, and they dropped the 32 bit version some time ago. This software works well under both VirtualBox and VMware.

We like the idea of Whonix, a dual VM gateway/workstation environment that will run under VirtualBox. Prior to this existing we rolled a solution of our own in this area, and we still use it, because Tor is not always the right answer when it comes to Adversary Resistant Networking.

The pinnacle for adversary resistance is Qubes, which runs multiple mutually exclusive security domains as virtual machines on the Xen type one hypervisor, with a Fedora based administrative domain. This system has some very specific hardware requirements and even an experienced Linux administrator is going to face challenges using it.

A minimum comfortable desktop for this sort of work will have an i7 processor, 16 gig of ram, and a solid state disk. Our group has several Dell M4600, which max out at 32 gig, which supports the latest Qubes, and which offers both a 2.5″ drive bay and an MSATA slot on the mainboard.

Leave Windows on the main drive if that is your current comfort zone, install VirtualBox to get started using a hypervisor, and a small MSATA drive will be fine for Qubes or Linux transition. A well appointed machine can be had on Amazon for $500.



NPC Bot Wave

Earlier today Josh Russell published a list of “NPC” accounts on Twitter. Nominally this seems to be tied to a “New Progressive Coalition”, but there are several humorous takes on the meaning of the acronym.

NPC Bots

While a deadly accurate send up of Progressive sensibilities this election cycle, there were 450+ very similar accounts on the list when we started the profiling process, so it might have begun as a human wave of image board kids, but there is some sort of automation at work here, which makes it interesting.

One of the strengths of our system is the ability to rapidly snapshot a group like this. We quickly collected 425 of them before they began to rename or self-suspend. We collect up to 3,200 tweets, up to 5,000 of those they follow as well as accounts following them, and we extract all mentions. Making a mention map with Gephi is typically our first step; social networks can be voluminous, while mentions are both bounded by the maximum tweet count as well as time stamped. This lets us see what activity the accounts are involved in, as well as slicing by time when appropriate.

425 NPC Bot Mentions

These 425 sources mentioned 7,687 other accounts – a network motif we refer to as a “monkey pile”. Filtering out accounts mentioned only once left 2,333 others, roughly a 70% reduction in complexity. Sizing names by eigenvector centrality lets us see who they are messaging.
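The mention-map pipeline described above, as an added Python example rather than the group's collection software or a Gephi export: pull @mentions out of tweet text, build a weighted source-to-target edge list, drop the singly-mentioned "monkey pile", and rank what is left by eigenvector centrality. The centrality is a plain power iteration on the undirected weighted graph; it iterates on A+I rather than A because a mention graph in which bots mention targets who never mention back is bipartite, and iteration on A alone would oscillate rather than converge. The sample tweets and handles are constructed.

```python
import re
from collections import Counter, defaultdict

# Twitter handle: 1 to 15 word characters; the lookbehind stops e-mail addresses matching.
MENTION_RE = re.compile(r"(?<![\w@])@([A-Za-z0-9_]{1,15})")

# Constructed sample tweets (source screen_name, text); not real accounts or tweets.
SAMPLE_TWEETS = [
    ("NPC101", "@bigtarget orange man bad @mediumtarget"),
    ("NPC102", "@bigtarget @once_a I am not a bot"),
    ("NPC103", "@bigtarget @mediumtarget @once_b reeee"),
    ("NPC104", "@bigtarget @once_c same"),
    ("NPC104", "@NPC101 nice meme"),
]


def extract_mentions(text):
    return [m.lower() for m in MENTION_RE.findall(text)]


def build_edges(tweets):
    """Weighted directed edge list: (source, target) -> number of mentions."""
    edges = Counter()
    for source, text in tweets:
        for target in extract_mentions(text):
            if target != source.lower():  # ignore self-mentions
                edges[(source.lower(), target)] += 1
    return edges


def drop_singletons(edges, min_mentions=2):
    """Remove targets mentioned fewer than min_mentions times in total."""
    in_weight = Counter()
    for (_, dst), w in edges.items():
        in_weight[dst] += w
    return Counter({e: w for e, w in edges.items() if in_weight[e[1]] >= min_mentions})


def eigenvector_centrality(edges, iterations=500, tol=1e-9):
    """Power iteration on the undirected weighted graph, scaled so the top node
    scores 1.0. Iterating on A+I keeps the bipartite bot/target structure from
    oscillating; the dominant eigenvector is the same as for A."""
    nbrs = defaultdict(Counter)
    for (u, v), w in edges.items():
        nbrs[u][v] += w
        nbrs[v][u] += w
    nodes = sorted(nbrs)
    x = {n: 1.0 for n in nodes}
    for _ in range(iterations):
        nxt = {n: x[n] + sum(w * x[m] for m, w in nbrs[n].items()) for n in nodes}
        norm = max(nxt.values())
        nxt = {n: v / norm for n, v in nxt.items()}
        converged = max(abs(nxt[n] - x[n]) for n in nodes) < tol
        x = nxt
        if converged:
            break
    return x


def ranked_targets(tweets, min_mentions=2):
    """End to end: who this set of sources is really messaging, most central first."""
    kept = drop_singletons(build_edges(tweets), min_mentions)
    sources = {src for src, _ in kept}
    cent = eigenvector_centrality(kept)
    return sorted(((n, round(c, 4)) for n, c in cent.items() if n not in sources),
                  key=lambda p: -p[1])
```

Feeding the edge list into Gephi instead is a matter of writing `kept` out as a weighted CSV; the filtering step is what makes the 425-source graph readable either way.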

NPC Bot Targets

The @NPC691 account is key in this network and examining its timeline we see they are an early adopter of this particular meme – 72 hours before it became this general outburst.

@NPC691's First Tweet

Collection on this took less than half an hour. If this were anything other than a harmless bit of fun, the 9,230 unique followers of these accounts are preserved, as are the 12,008 accounts they follow. We can see there are 4,793 accounts that are mutually following, so our 425 account sample may only be 10% of this total network.

Trying to do this by eye would be an impossible task. The ability to collect large amounts of information quickly and then rapidly analyze the take is key in an age of cyborgs and botnets mixing with a human operated account population.

Puzzling Over Boundaries

Much like the breakdown of Westphalian Sovereignty in the face of a well connected, easily traversed world, we are pondering just where the boundaries are on what we publish.

Best practices advice regarding Adversary Resistant Computing and Networking is broadly available, but highly variable in quality, and often not conditioned by real world experience. Communications Security advice is even more uneven. We might be educating bad actors by openly publishing, but the good guys are under the gun, and no white hat from inception thinks the way those of us who wear faded gray do. We’re going to put this content out there and count on the nonstop situational awareness required to truly excel keeping a lid on proliferation.

We publish studies on various groups, which can educate them in their failings, if they take the time to read. This is also conditioned on situational awareness and with information operations in particular, characterization is sterilizing sunlight. We use OSINT methods and release collected data in a form that facilitates others using it, but at this time the collection methods and software we use are not freely available.

Analytical Tradecraft is a matter of good systems and the right mindset to get teams using it effectively. There are guides out there, the CIA’s Psychology of Intelligence Analysis being a well known example. There is no substitute for real world experience when it comes to Sanctioned Irregulars, and that is where we are strongest.

And Field Operations Tradecraft seems to be a bridge too far – we’re not in the business of teaching bad actors how to caper.

There you have it. @NetwarSystem provides a feed of posts here, from LinkedIn, and selected content from other sources. The contact page has advice on who is qualified as a customer and how to reach us. We look forward to hearing from those of you who truly need what we do.