Researchers Discover Huge Crypto Scam Botnet on Twitter

Researchers have uncovered a large botnet that mimics legitimate accounts on Twitter to spread a cryptocurrency "giveaway" scam.

AccessTimeIconAug 7, 2018 at 2:42 p.m. UTC
Updated Aug 18, 2021 at 9:36 p.m. UTC

Presented By Icon

Election 2024 coverage presented by

Stand with crypto

Researchers have uncovered a huge botnet that mimics legitimate accounts on Twitter to spread a cryptocurrency "giveaway" scam.

As reported by ITPro, the discovery was made during a research effort by Duo Security that looked at 88 million Twitter accounts from May to July and used machine learning to identify bots, malicious or otherwise, on the social media platform.

  • Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
    13:18
    Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
  • Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
    05:10
    Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
  • The first video of the year 2024
    04:07
    The first video of the year 2024
  • The last regression video of the year 3.67.0
    40:07
    The last regression video of the year 3.67.0
  • The team notably found a single network of over 15,000 bots in a three-tiered structure that spread the fake cryptocurrency giveaway, and further evolved as time passed in order to avoid detection.

    The Duo team described how the botnet works in a paper to be presented at the 2018 Black Hat cybersecurity event on Wednesday.

    Typically, they write, bots first create a spoofed (or copycat) account for a genuine cryptocurrency-related account that would copy the name and profile picture of the legitimate account.

    To spread the fake giveaway scam, the bots would reply to tweets posted by the legitimate account, containing a link to entice Twitter users to the scam.

    Adding to the complexity, many spoof accounts followed what the researchers termed "hub accounts" and suspect are followed "in an effort to appear legitimate".

    The botnet also employed "amplification bots" – other fake accounts that are used to give "likes" to scam tweets to "to artificially inflate the tweet's popularity [and] make the cryptocurrency scam appear legitimate."

    The paper states:

    "[Searching for connected bots] resulted in a 3 tiered botnet structure consisting of the scam publishing bots, the hub accounts (if any) the bots were following, and the amplification bots that like each created tweet. The mapping shows that the amplification bots like tweets from both clusters, binding them together."

    Intriguingly, the team found that the discoveries allowed them to connect the bots in a way "that can result in the unraveling of the entire botnet."

    While Twitter has been making moves to clamp down on such cryptocurrency scams, Duo writes in its conclusion that the work shows that botnets are still active and can be discovered by "straightforward analysis."

    "We don't consider the problem solved," they said.

    Going forward, Duo plans to open source the techniques described in the paper in the hope that new techniques can be developed to identify malicious bots, and help "keep Twitter and other social networks a place for healthy online discussion and community."

    Network image via Shutterstock

    Disclosure

    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information have been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.


    Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.