Moldovan Memetics: A Botnet In Disguise

Mitch Chaiet
Jun 2, 2023


On Jun 1, 2023, Twitter user @E_Krenis noticed a series of possible bot accounts posting messaging regarding an unfolding situation in Moldova:

The accounts feature a common syntax for bot networks — each username follows a Name + Numbers (@JennaRay12345) combination. Unfortunately, it’s hard to prove that these accounts are genuinely linked without being on the backend at Twitter proper, where their Trust and Safety team would be able to determine what IP addresses each account logged in from. If there were any distinct matches, then they could prove that these accounts are controlled from the same source.

We don’t have access to these tools as outsiders. It can be tough for researchers to prove that certain social media accounts are controlled from the same source when all they can point to are broad similarities. These accounts appear to be posting similar messaging and imagery, have AI-generated profile pictures, and were created around the same time. However, none of these points is enough evidence on its own to prove they’re all controlled by the same entity.

Taking a look at some of the accounts in question, we see that one particular image of a jail cell with a white, bold “MOLDOVA TODAY” overlay is shared and repeatedly posted by them.

Notice that all of these posts are from different accounts:

Archive: https://web.archive.org/save/https://twitter.com/welch_huld44179/status/1664468624482893824
Archive: https://web.archive.org/web/20230602040828/https://twitter.com/AbbieGo76073805/status/1664483141099171840
Archive: https://web.archive.org/web/20230602041250/https://twitter.com/briggs_cor29355/status/1664451346496385024
Archive: https://web.archive.org/web/20230602041536/https://twitter.com/LouisaMorr36194/status/1664471702686842881

How can we prove that these four accounts are indeed part of the same coordinated bot network? Enter the SMOC-BRISQUEt method, a way to prove similar accounts are controlled from the same source. As digital images spread across the internet, they are subject to changes in compression, meaning they change subtly at the pixel level with each upload and download. If you’re a single person controlling multiple accounts from the same computer, then you’re posting the same imagery to those accounts, meaning we can measure for matches in compression.

The SMOC-BRISQUEt method analyzes the amount of image compression in a file as it gets posted to different places on the internet, down to the decimal level. This (broadly) means if two images from the internet have the exact same score, they originated from the same content source.

The more compressed an image, the higher the BRISQUEt score.

Using the BRISQUEt scoring tool, I collected each of these four images and analyzed the compression scores. Each version of the picture posted has the exact same score, meaning that all of these different accounts are posting from the same content source. They are a coordinated bot network.

Account         Filename             Score
welch_huld44179 FxlhYTfXwAERlLG.jpeg 36.56743115
LouisaMorr36194 FxlkK3MWYAAEIBa.jpeg 36.56743115
briggs_cor29355 FxlRqjTXwAEHdcL.jpeg 36.56743115
AbbieGo76073805 FxlulR5WcAAMqiN.jpeg 36.56743115
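
The comparison step described above, as an added example that is not part of the original post or of the SMOC-BRISQUEt tool: it groups accounts by exact score match and ignores both near misses and reposts by a single account. The CSV layout and function names are assumptions, and the last three sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# First four rows are the scores reported in the article's table; the last
# three rows are constructed for illustration (hypothetical accounts/files).
SAMPLE_CSV = """account,filename,score
welch_huld44179,FxlhYTfXwAERlLG.jpeg,36.56743115
LouisaMorr36194,FxlkK3MWYAAEIBa.jpeg,36.56743115
briggs_cor29355,FxlRqjTXwAEHdcL.jpeg,36.56743115
AbbieGo76073805,FxlulR5WcAAMqiN.jpeg,36.56743115
example_user_a,constructed_1.jpeg,36.56743200
example_user_b,constructed_2.jpeg,41.20817734
example_user_b,constructed_3.jpeg,41.20817734
"""

PRECISION = Decimal("0.00000001")  # 8 decimal places, as in the article's table


def load_rows(text):
    """Parse account/filename/score rows, keeping scores as exact decimals."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        # Decimal avoids binary float rounding when testing for exact equality.
        score = Decimal(rec["score"].strip()).quantize(PRECISION)
        rows.append((rec["account"].strip(), rec["filename"].strip(), score))
    return rows


def shared_score_clusters(rows, min_accounts=2):
    """Return {score: sorted accounts} for scores posted by at least
    min_accounts distinct accounts. Reposts by one account do not count."""
    by_score = defaultdict(set)
    for account, _filename, score in rows:
        by_score[score].add(account.lower())  # handles are case-insensitive
    return {
        score: sorted(accounts)
        for score, accounts in by_score.items()
        if len(accounts) >= min_accounts
    }


if __name__ == "__main__":
    for score, accounts in shared_score_clusters(load_rows(SAMPLE_CSV)).items():
        print(f"{score}: {len(accounts)} accounts -> {', '.join(accounts)}")
```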

We have successfully proved these accounts are part of a coordinated propaganda effort regarding Moldova. Use the data below to recreate this method with bot accounts you have found yourself, and prove they’re linked.

Many thanks to z3dster for the tip.

Data scraped via PhantomBuster and all media downloaded using cURL.

Download the data here:

https://github.com/mitchaiet/moldovan-bots-06-23

Download the SMOC BRISQUEt Visual Compression Score tool here:

https://github.com/mitchaiet/SMOC-BRISQUEt/releases/tag/1.0
