The Rise of Human-Based Botnets: Unconventional Threats in Cyberspace

Ever wished you had an army?

Root · 23 min read · Aug 7, 2023
Maybe now you can! Not the silver-helmet kind, but the online kind... Like famous people who have hundreds, thousands or more followers ready to do their bidding, you too can now enjoy the sheer pleasure of being at the head of a community!

But are you a star? Do you have a fan base that would do anything for you?

Most probably not… I don’t blame you. We can’t all be stars.

But good news: you can now create your own community and make them do whatever the f*ck you want without worrying about backlash!

I. The experiment

As a cybersecurity enthusiast, I saw great potential in generative artificial intelligence. And boy, was I right!

Now that we can access powerful image generation toys like Midjourney, DALL-E 2, etc., we can create any variety of images. And fake naked people are one of them! Making fake nude pictures of men and women has never been this easy! And do you know what gets the best engagement scores on the internet? Hmm? PORNOGRAPHY!

Nobody knows what this is

The plan

So let’s try something… We’ll make a completely fake account whose purpose is to sell nudes. We won’t sell anything for real, but it will be our cover story.

Our true purpose is to demonstrate that you can build a complete community based on fake images generated by AI and exchange them for real-life actions!

These actions will be less and less moral, and we’ll see how far we can push people in exchange for (fake) sexual acts.

Having an army

So there are three things you can do with an army:

  • First scenario: The show-off

Let’s make them artificially boost a piece of social media content.

Can the army push our social media stuff into the top tier?
  • Second scenario: The good guy path

Let’s give the army a greater purpose. Something they’ll want to do because it’s right. Let’s make them report an obvious fake account on Twitter to get it banned! (Not ours, lol)

Remember that “With great power comes great responsibility” (in case you hadn’t already heard).
  • Third scenario: The bad guy path

This is the real deal.

Can we use our army to do something wrong?

Let’s try to destroy someone’s reputation on a famous career-oriented professional networking platform. If the army can do this, then you can pretty much ask them anything! This is the true power we are looking for!

Let’s be evil; and bold! Not bold as in the font, I mean.

II. Creating our fake identity

To create our army, we’ll use Twitter. As moderation is nearly nonexistent and pornography already flourishes there (really, you didn’t know?), it’s perfect.

Meet Clara Walkers!

An 18-year-old girl who wants to sell nudes to make some money and gain more autonomy.

The “back story” around our character is very important! Why? Because we must deal with common AI generation issues.

FACES

I’m not using “prompt AIs” like Midjourney or DALL-E 2 anymore because I needed a lot of pictures, and fast! So I used an AI tool specialised in pornography! This way I could work quickly, but there’s a catch! I won’t get the same face twice…

Let’s say I would like to use this picture as an “official” representation of myself.

Now let’s generate more pictures and look at the faces.

More of “me” but my face changes 😱

She looks pretty much the same, but not exactly… And the more you mess around with the settings of the AI and generate more and more blonde girls, the worse it gets. Changing the scenery to create variety changes the whole image, which includes the face. If you want to generate Clara at the swimming pool, Clara in a bedroom, Clara in a shower or Clara at school, each one will get minor face updates too. And this is not acceptable!

The next generation of AI tools is starting to offer automatic face swaps, but for now we can’t access them freely. So we’ll have to use a trick!

Back to our cover story

So she’s a high school girl doing nasty business on the side. Then she mustn’t be recognised at school, or else her reputation will be destroyed! We can use this to our advantage!

By blurring parts of her face, we can hide the fact that it changes from one picture to another.

A side note on skin peculiarities

As we’ll generate lots of images, we must be careful not to send one with a distinctive feature like a birthmark or a mole. Also, we must always check for AI generation going wrong, like three hands or six fingers and whatnot.

Creating our pinned tweet to attract customers

Twitter allows you to pin a tweet to act as a presentation of yourself. The tweet will always appear at the top.

Let’s use this image:

Censored to avoid getting a strike 😁

If you have been paying attention, there are two things we need to do before tweeting!

  1. Removing moles
Moles on the upper right and left arm; painting them out is simple

  2. Blurring the face

The level of blur applied depends mostly on how much I need to camouflage her face.

Perfect! Now we’re good to go!

Let’s make our pinned tweet.

The pinned tweet acts as our bio

Looks great, and people seem to like what they see. Blurring the face doesn’t seem to pose any issues. Mostly because the focus is not on the face, I guess. Ahem…

Growth hacking

We can’t just wait for people to follow and DM. What we want is a fast-growing account, to build an army quickly, do our mischief, delete everything, and do it again. Maintaining a fake account for too long is too complicated and risky. So we need a quick way to get a lot of followers so that we can test our army.

I’ll settle for one hundred men before sending my troops to the battlefield!

The easiest way to get attention is by liking comments on other porn accounts.

It looks like this…

To protect the privacy of people, I had to blur pretty much everything, but you get the idea

I liked about 700 different comments and got the attention of a hundred people in only a few days. Meanwhile, I posted alluring tweets each day on the public feed to keep people entertained.

Don’t you want to RT? ^^

Or…

I sent Direct Messages to all one hundred people, and all of them got the Welcome Package, which consisted of two nudes as an incentive for when the real thing would start!

All of them were happy with what this fake account had to offer

Let me remind you that these are all fake photos, and they could be of men or women alike. It’s only pixels put side by side statistically. It represents nothing more than what you wish it to be.

III. First scenario: The show-off

We have one hundred followers! It’s time to see if our army works.

I made a fake article on a well-known blogging website that I’m sure you have been on at least once... I won’t give the name because I read their terms of service (CGU), and they wouldn’t like this experiment very much… I used ChatGPT to create 90% of the article.

Another boring ChatGPT content

It was pretty boring, but it didn’t give fake info or anything. It was simply of no interest to readers, as this graph clearly shows.

Epic reading time of 0 seconds; gives-a-fuck level: 100%

Let’s change this situation! The order I was about to give was a simple one, but it needed a backstory. You shouldn’t force people into doing something without a good reason to back it up, even if you have good nudes to send along. The story should consistently maintain a certain level of credibility.

The brother of “my” best friend (the one who takes pictures of “me”) wants to practise his journalistic style and started writing on a blog. Let’s give him a boost to encourage him by giving him 50 likes on his article!

Will fake Clara’s pixels be worth it to the army?

And this is how our army went marching in…

After day one:

Spiking after oblivion

Woohoo. This represents quite a few spikes in likes. Remember that each person must give 50 claps.

Over six hundred likes in one night. That’s better than what this current article will get! ^^

After day two:

It’s still going well, even though the peak has passed and it’s gradually declining.

The final clap !

We stabilise around 700 likes.

What’s funny is that by creating external views artificially, the algorithm boosted the article internally by about a quarter. I find this quite low, but it may be caused by the low reading time, which is near zero.

Let’s see the engagement score of our army:

Hmm. That’s not great overall… It’s 1/4; I guess it’s okay, but I was expecting a bit more! Don’t people want to help my fake friend? They have no heart. Speaking of heart…

The heart of the problem

I was expecting a bit more engagement. But I think I understand why it’s lower than I anticipated.

Problem 1: It’s too damn complicated for some of them. You see, they are not all brilliant souls… To be allowed to give “likes” to the article, they must create an account on the blog website, and if they don’t already have one, that’s a complicated step. Also, they don’t always find the “like” button. It’s at the top and bottom on PC but only at the bottom on mobile. And some just couldn’t find the damn icon. Even with guidance, some never managed to find the button, or liked random articles that weren’t mine… Yeah, I know, right… We have an army, but it’s not the cream of the crop.

It’s not like I didn’t guide them…

Problem 2: Cheaters! I only count people who give visual confirmation of their “likes” by uploading a screenshot of the like button. It turns grey when you like an article and stays white if you don’t. The issue is that it doesn’t tell me how many likes they gave.

They don’t all give the 50 claps

Problem 3: We’re not worth it yet. Creating an account, giving likes, etc. is hard work for someone who just wants nudes. Some people don’t trust us for now and won’t work THIS hard just yet. We need to change their minds about us and convince them that our nudes are top quality.

This scenario was maybe a tad complex for a first move. But it’s okay! Let’s get to the second scenario right away!

IV. Second scenario: The good guy path

I’m more interested in offensive security. But technically, you could use your army for benevolent actions.

For instance, there was this woman who shut down hundreds of fraudulent TikTok lives by posting banned words in the chat. This led the scammers to give up their operation, as all of their TikTok lives were getting banned. Near the end, the woman had about 70 people with her on this rampage, ready to comment whenever a new TikTok live started.

The video is in French. Sorry. Just activate subtitles, I guess…

You could do the same with your own army. Be the good guy and fight for something right. Even though giving nudes as treats is a bit strange, it’s working, so why not use it…?

Let’s see if we’re right and make the army report a fraudulent Twitter account.

The target is not a real Twitter account. It’s a fake one I made up for the experiment. It follows all the codes of the classic pyramid scam and looks as fake as Marvel’s CGI in 2010. Reporting this account is clearly a good action, and if you did, then you’re a good person participating in a safer experience on the platform. Good for you ^^.

Meet ZeBilionnaire

He reeks of fake crypto bullshit. Even his profile picture makes you want to slap him in the face.

As always, I used an image generator: DreamLike.art, which has a great free tier. I made up this guy with his sports car.

I had to insert a real licence plate between his legs because AI can’t generate text (for now, anyway)

Finally, I ran him through GFPGAN for face enhancement and tadaaaaa:

One moron to lead them all

Fun fact: As I randomly retweeted other stupid crypto morons to make my account more credible, I gained followers, and some even retweeted my RTs. This world makes no sense.

But who cares! Let’s be the good guy and destroy ZeBilionnaire’s fake account with our army!

And the results are in:

Almost 2/4! That’s good! I was aiming for 50%, but really, it’s quite good. That’s 43 people getting nudes. I had a lot of work to “thank” everyone! This is the moment when I regret being one lazy software engineer with no automation whatsoever. A Twitter bot that would DM users and send them their nudes would be so great…

Conclusion on the good guy scenario

With this engagement score, we really could have a positive impact on the internet. Clearly, we would need more than one hundred followers, but I need control over this experiment to get correct stats. Also, note that the target being on Twitter makes things easier, as they already have an account for sure. So if you wanted to do something on, I don’t know, Instagram or something else, you might want to create your army on the targeted platform directly!

In conclusion, remember that with 100 strangers, you can have almost half of them doing a good action on your behalf!

Getting back to the first scenario

We have proven to our army that we’re the real deal. The last round gave us a good engagement score. Maybe now that we have gained more trust, we could propose the first scenario again. Maybe this time, they will make the effort to create an account on the blog website and give the 50 likes on the article as required.

So, I proposed the first scenario once again!

We’re getting some more traction over time.

It’s working !

Passing one thousand likes !

We now have a better engagement score for scenario 1

It’s still lower than what I’d hope, but don’t forget that this is all based on 100 random strangers on the internet doing things for you just because you asked.

V. Third scenario: The bad guy path

Ahhh, finally, the interesting part! Can we use our army to take offensive actions? Will they do it?

I’ll create a fake account on a well-known website. It’s used to present featured profiles for professionals. As I’ll be breaking terms of service (CGU) again, I won’t give the real name. We’ll call it Linkerin.

So, I created a fake account on Linkerin of a CEO working at a technology startup. Imagine ruining someone’s life’s work! Wouldn’t it be marvellous? No? Well, if this works, we can expect this kind of attack to get more and more frequent!

Meet Donald Helms

Hello fake Donald

I made this guy up using DALL-E 2, with ChatGPT as a prompt generator. He needs a credible background story, so we’ll invent a life for him.

I had to make up all the company names. So our guy is now CEO at InnovaTek&Co!

Creating life from nothing

Unfortunately, we have a small issue! Linkerin uses a default image for company names that it doesn’t know.

The default company image

And that’s not great, as it would be kind of strange for a guy who is CEO of his own company not to have a company logo…
But it’s okay! We can create companies on Linkerin! Let’s make InnovaTek&Co real!

It’s in French, but it means: fuck off, you need more connections to create a company.

Well… That didn’t go as planned! We need more people connected to Donald. It’s some kind of silly security check to prevent spamming. I won’t be stopped by this stupid filtering system. So a bunch of friends and I connected to Donald temporarily.

And here we go:

We successfully created a company. In need of work?

We have a company and a logo! Now Donald’s profile looks better.

I also made him a wife but decided that I wouldn’t use it. Too much work. Remember that I’m lazy.

Destroying someone’s life

Nowadays, when it comes to destroying someone’s reputation, you don’t need much. Thanks to social media and serial morons who repost everything without any verification, anything can go viral and become the bad buzz of the year.

Though, to proceed with our evil plan, we can’t just order the army to rip this poor guy’s face off. I chose the Bad Guy Path, but the army won’t follow blindly. Well, some will, I’m sure, but if we want a good engagement score, we need to turn this Bad Guy Path into a Good Guy Path without the army noticing!

We need to find a way to make them deliver all the hatred they have to Donald’s doorstep, on my command exclusively.

To achieve that, we need a story. A story in which Donald is the bad guy, and he needs punishing! I want all my soldiers to become the Punisher and restore justice.

The Punisher, if you may.

What good story could we come up with? Could Donald be a rapist? Does he have wandering hands? Nahhh! The army could dismiss this with the usual rapist argument, “she probably deserved it”. Note that the army is a bunch of men asking for sexual favours, most of whom treat women like meat bags. So, no, we need something else.

First, it must not be about me, Clara, because they would ask too many questions. So this hideous story (which we still need to invent) will happen to my female friend (her again). The one who takes the pictures of Clara. They already kind of know her, as they gave 50 likes to her brother’s article. She is already part of the background story.

Can we use classic racism against Muslims or people of colour? Nahhh. Unfortunately, I think there are too many racists of too many kinds on this planet, so we should use something else. Something that everybody will recognise as evil…

Donald is a Nazi

And this is how Donald came to embody the dark side. Let’s make up a story where my friend is Jewish, and Donald said something along these lines:

Argh, those Jews! The planet would be better off without them!

He would also comment on her family name (Jewish too, then). That’s perfect! Few people like morons, and fewer still like Nazi morons! I think they’ll buy it.

I will have to build up expectations a little before going live:

Now that I have people’s attention, I can unleash the full story and get them mad at Donald.

Seems to be working. People find this outrageous.

Well, some, at least. I had hoped that it would clash a bit more, but you know... I kept the whole thing under wraps so that it wouldn’t get out of hand. This is only an experiment, after all.

The proposal

I propose the following plan! Be a saviour, as nobody will fight for my friend against the evil corporate CEO! Fight so that justice can be done! If you have balls (of steel), then DM me “I have balls!” and you will get the opportunity to fight the corporate Nazi oppressor!

Juuuuussstiiice to the peooooople!!

YOLO

Sorry, I’m getting a bit overwhelmed…

Let’s make our final move and set our plan in motion!

People can comment whatever they want on Donald’s Linkerin account, with the level of “threat” of their choosing.

Going into battle

The final results are in. And we clearly have two types of comments. The hardcore ones and the gentler ones.

The gentle ones

But there are also the less gentle ones, and that’s what we are looking for. Total annihilation!

The less gentle ones (and I’m being selective so that you sleep tonight)

And it goes on and on like this. There were a lot of “I know what you did”, “piece of crap”, “worthless scumbag” or “fat racist”, etc.

This is how Donald Helms ended. Utterly destroyed by random people who were misled. If Donald really existed, he probably wouldn’t have survived something like this. And even if this hadn’t been a fatal blow, I could come at him again. As long as the nudes keep flowing, I keep control over the people. Pornography is a drug that everyone is addicted to, and to get its fix, the army will do anything it takes.

Complete army statistics are the following:

That’s not overwhelming. But what did you expect?

You’re asking people to comment on another website rather than Twitter, where they must create a fake account and be mean to some guy they don’t even know.

All things considered, I find these very good results. Anyone with this kind of comment on their public posts is doomed for life. These comments were not written by bots. They are real humans. They carry a weight that bots don’t. Sure, there are fewer of them than in a fully automated attack. But here we wish to destroy someone’s reputation, and bots are not trustworthy. If a bot campaign were to be unmasked, the credibility of the whole operation would crumble. But no. Here, we have real people, and we could have done a second strike if we wanted to. It would be destructive and mostly untraceable, as the targeting only happens in DMs.

Crunching the numbers

Making stats using the whole army isn’t really meaningful, because a lot of the accounts didn’t do shit. They should be relieved of duty and leave our army.

Being part of our army means having done at least one of the three scenarios:

Those guys are the real deal! We would need to recruit more to fill the gap. Also, our fake account grows by itself. People now follow us on their own! And they make far better recruits than the random one hundred I got initially.

New people who want to join forces for the third scenario

Now that we know our army is, in reality, 45% of the global herd, how much does the third scenario really represent among the true believers?

See? Far better results! We would just need to grow our army with people who are really engaged, not randoms. Maybe targeting specific communities and making up the right story would stir things up a little more. Again, this experiment was done on one hundred randoms…

VI. BotNets or humanNets?

Choosing between bots and humans to do your bidding depends on your objective. In the old days, manipulating humans at scale was a tad complicated and required large-scale operations.

What’s better than having a huge statue of yourself? Stalin really knew how to do things right.

But with the birth of computing, a new threat came knocking! Bots! The aim of this article is to show you that we now might have another problem on our hands… After the golden age of bots, it seems we ourselves are becoming the instruments of other people’s demise.

What can you do with a botNet?

A botnet is a network of compromised devices running malware that lies dormant until it receives a command and then, most of the time, floods a web service on demand. We’re talking about hundreds of thousands, sometimes millions, of devices making requests to the same service simultaneously, again and again, in order to take it down. This is called a DDoS (Distributed Denial of Service) attack. The infected devices are, in general, badly secured IoT devices: stupid connected spoons, fridges, or even your damn connected pillow that tells you when you snore. All those devices are connected to the internet and have many security flaws (unpatched services, default passwords) that attackers find simply by scanning random IP ranges across the internet. An automated script then exploits the hole, installs the bot, and the device waits patiently for a command to arrive.

Even though botnets have still proven very effective these past few years, maintaining this kind of infrastructure costs more and more. With anti-DDoS solutions flourishing at every cloud provider, the number of hacked devices you need keeps growing for an attack to really be effective.

The biggest publicly reported attack at the time of writing was the one AWS (Amazon) said it mitigated in February 2020. At its peak, incoming traffic reached 2.3 terabits per second. Worth noting: that one was a CLDAP reflection attack, bouncing spoofed requests off misconfigured servers to amplify them, rather than a raw flood from a huge IoT botnet.

What can you do with a humanNet?

You just witnessed it. Even though we can’t reach the same number of simultaneous requests and take down web services, we can achieve a new kind of objective.

Human beings have the advantage over machines of being able to get through CAPTCHAs and anti-DDoS protections. A humanNet is composed of real, living, breathing people who will do whatever you want given the right triggers.

You have to rethink how attacks are done.

You don’t need to take down the website of an online election if you can ruin the reputation of all the other candidates! It’s more subtle and requires more work, but it can be equally or even more destructive than having 1 million bots. Just think of what I could have done with only 1,000 followers instead of 100. The third scenario, with its 38% of believers, would represent 380 people ready to destroy anyone’s life on my command.

VII. Doing man-in-the-middle (MITM) attacks

To send our army to the blog article and to the Linkerin page, you can see in some of the screenshots that I used bit.ly links. Well, it’s not quite what you think it is. If you don’t know what a bit.ly link is, let me explain briefly.

Bit.ly is a URL-shortening service: you give it a long URL and it gives you back a very short one. The short URL redirects to the original target you gave it.

i.e. “bit.ly/8P8flmw” redirects to “https://<your-very-long-URL>”

In theory, using the short URL or the long one sends you to the same destination. So why use URL shorteners? Well, on Twitter, for instance, you have a limited character count, so you don’t want to lose 70+ characters on a fat URL when you can have a bit.ly URL that is 10 characters long. (Twitter actually wraps every link in its own t.co shortener and counts it as a fixed 23 characters whatever its length, so the saving is illusory there. The real draw of a shortener is click tracking: whoever created the link gets statistics on who clicks it, and, as shown next, a self-hosted redirector gets far more than statistics.)

BUT… The destination I set for the bit.ly link was NOT the true destination. For example, the bit.ly used for the blog article did NOT point to the article at all. Instead, it pointed to a server of mine! 😁
This server logged every request it received and only then redirected the visitor to the real destination: the blog article. (Strictly speaking, this is a logging redirector rather than a true man-in-the-middle: the server sees the click, not the traffic that follows it.)

This means that every army member who clicked the links I gave was catalogued: their IP address, the time of the click and their user agent (operating system / browser name) were stored in a log file that I could consult.

It looks like this:

Logs example of people clicking the links I gave

On the left, you have the IP address, and on the right some information on the device that clicked the link. With the IP address alone, there isn’t much that can be done except basic geolocation of the user. You can get the country for sure, and maybe the nearest large city, using a GeoIP database, and the owning ISP or organisation from WHOIS. But that’s it… Mobile carriers in particular put many subscribers behind the same address (carrier-grade NAT), so there is not much more actionable knowledge you can get from the IP address of a phone or computer on its own.

BUT 😁. If you combine the time in the log entry with the time of the notification on the blog website (when a like was given), then you can work out who is who. Then, using the blog account, which generally comes with a profile picture, you can search for that image across multiple websites using reverse image search engines like TinEye. From there, you could come up with an old Google+ account with the same photo and use GHunt to get ALL the Google-related information on the guy in question. When you reach this level, you’re starting to get really close to the person’s private life. The only mistake he made was clicking the link…

How to protect against MITM?

Well, first, you shouldn’t click on any untrustworthy links at all. Fortunately, most URL-shortening services have a way to check the destination without clicking on the link itself.

Simply take the bit.ly URL and add the character “+” at the end.

i.e. “bit.ly/8P8flmw” becomes “bit.ly/8P8flmw+”

It takes you to a bit.ly preview page that shows the true destination, without your browser ever contacting that destination. Note that it only reveals the first hop: if the destination is itself a redirector, as it is here, you still don’t know where that one leads, and visiting it to find out would land you in its log.

The real destination is displayed in the red rectangle

Here, you can see that this bit.ly doesn’t point to the blog article directly but instead points to my server’s IP address. Oopsie 😁
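To make both halves of this concrete, here is an added example written for this edit (it is not the author’s Nginx setup, nor bit.ly’s code): a minimal logging redirector of the kind hidden behind the short link, and the client-side check of reading only the first hop instead of following it. The target URL, the short path “/8P8flmw”, the user-agent strings and the use of a loopback port so it runs offline are all assumptions for the demo.

```python
# Added example, not the article's own code: a minimal logging redirector of
# the kind the author hid behind a bit.ly link, plus the client-side check of
# reading the first hop without following it. TARGET_URL, the short path
# "/8P8flmw", the user-agent strings and the loopback port are assumptions.
import http.server
import socketserver
import threading
import urllib.error
import urllib.request
from datetime import datetime, timezone

# Where the short link claims to lead (assumed; .invalid never resolves).
TARGET_URL = "https://example.invalid/blog/some-article"

# In-memory stand-in for the access log the author's Nginx wrote to disk.
CLICK_LOG = []


class LoggingRedirect(http.server.BaseHTTPRequestHandler):
    """Record who clicked, then bounce them on to TARGET_URL with a 302."""

    def do_GET(self):
        CLICK_LOG.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "ip": self.client_address[0],
            "user_agent": self.headers.get("User-Agent", "-"),
            "path": self.path,
        })
        self.send_response(302)
        self.send_header("Location", TARGET_URL)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        """Silence the default per-request stderr line; CLICK_LOG is our log."""


def start_redirector():
    """Serve LoggingRedirect on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), LoggingRedirect)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at the first hop instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # None makes urllib raise HTTPError for the 3xx instead


def first_hop(url, user_agent="link-checker/1.0", timeout=5):
    """Return (status, Location header) of the first response for `url`.

    With NoRedirect installed, a 3xx surfaces as HTTPError; the Location
    header is read from it rather than letting urllib chase the chain.
    """
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def demo():
    """Run one click through the redirector; return what each side saw."""
    CLICK_LOG.clear()
    server, port = start_redirector()
    try:
        status, location = first_hop(f"http://127.0.0.1:{port}/8P8flmw",
                                     user_agent="army-member-phone/1.0")
    finally:
        server.shutdown()
        server.server_close()
    return status, location, list(CLICK_LOG)


if __name__ == "__main__":
    status, location, log = demo()
    print(f"first hop: {status} -> {location}")
    for entry in log:  # what the operator's log file would hold
        print(entry)
```

The point the demo makes: even the careful client that refuses to follow the redirect still leaves one entry in the operator’s log, with its IP address and user agent, because resolving the first hop means contacting the redirector. That is why the shortener’s own preview page (the “+” trick) is the safer check: bit.ly reveals the stored destination without your browser touching it. If you do need to resolve a hop yourself, run something like `first_hop` from a sandbox or through a proxy rather than from your own phone, and repeat it for every hop of the chain.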

A note on getting free servers

As I didn’t want to use my own server for this experiment, I needed a temporary one. As I didn’t feel like paying for another server (VPS), I used a free one. Yes, those exist!

Oracle Cloud offers an “Always Free” tier of small VMs. The hardware specs are very limited but more than enough to run a dockerised Nginx that redirects our users to the intended target after logging their IP address and whatnot ^^.

VIII. Conclusion on creating your army

Well… It works! It’s quite slow, though! But if you don’t need quick actions but long-term interference, then it’s perfect.

I have thereby shown you that AI can and will be used to control the masses. I did it. Me. A lonely man in his apartment… So what of governments, well-funded hacking groups and so on? Image generation is here to fool you! Text generation already does. So be careful! Never trust any pixels… Always do due diligence on any action you undertake based on internet “facts”. It was true before, but it is even more true now.

Remember this?

This photo of an old man getting wrecked by policemen during a protest in Paris went viral. It stirred up hatred towards the police.

Well… It’s fake. It was made with Midjourney and probably did a lot of damage. This is only the beginning. This one was untargeted but can still be considered an offensive action at the cyber-security level. As we speak, there probably are other offensive actions taking place. Very targeted. Very short bursts. But probably very effective!

And the next target may as well be you…

Every step of this experiment has been scrubbed clean. Both Twitter accounts have been wiped. The blog article deleted. The Linkerin account and the company deleted. Everything you saw in this article has been recreated to look like the original experiment. To protect everybody who fell for the scam, I made sure their privacy was kept safe by not using any original material. No harm was done, and all were happy with what they received in exchange for their unwilling participation.

Thx 4 reading me
