#BotSpot: Bots Boost NFL Divides

Identifying botnets amplifying #TakeAKnee and #BoycottNFL

On September 27, U.S. Senator James Lankford said Russian-linked internet trolls and bots were amplifying Twitter posts on both sides of the controversy surrounding the National Football League (NFL).

Lankford said trolls were amplifying the hashtags #TakeAKnee and #BoycottNFL, “taking both sides of the argument…to just raise the noise level in America and to make a big issue seem like an even bigger issue as they’re trying to push divisiveness in the country.”

@DFRLab and colleagues in the open-source community analyzed traffic on both hashtags, looking for indications of bot activity. We found a number of active botnets, but in most, no immediate link with Russia was visible.

The exception was a botnet which mainly posts commercial spam in a range of languages. This boosted a post on #TakeAKnee and had earlier been involved in a major bot attack on @DFRLab. That bot attack was itself triggered by a post linking the American far right with Russia.

Taking on #TakeAKnee

On September 23, the hashtag #TakeAKnee went viral as NFL players protested racial injustice and systematic inequality, which was put in the spotlight when U.S. President Donald Trump made comments disparaging the NFL players’ protest. The hashtag was not new, but it exploded from a few dozen tweets per day to over 770,000 in one day.

Traffic on #TakeAKnee, September 19–26, from machine scan.

Much of the traffic was organic. It accelerated between 10:00 and 12:00 UTC (06:00 and 08:00 EST), consistent with internet users on the U.S. East Coast coming online and beginning to comment, before levelling off at a rate of around 1,000 tweets per minute.

We conducted a machine scan of the first 100,000 tweets, to assess how the hashtag began to trend and noted a number of significant spikes in the traffic.

Timeline of tweets on #TakeAKnee from 01:00 to 13:00 UTC on September 24, as traffic on the hashtag accelerated. Note the upwards trend from 10:00, and the abrupt spikes around 06:00, 10:45, 12:00 and 13:00, indicative of bot activity.

Each spike was driven by the insertion of a separate, largely non-political botnet which retweeted a single post many times in a few seconds.

The most significant spike came at 12:02 UTC. This was triggered by a tweet from a user called @DianneLogic, with the text:

RT this tweet if you want the entire @nfl to #TakeAKnee this weekend in retaliation to #Dotard calling @Kaepernick7 a SOB‼️ LETS DO THIS.
Archived on September 29, 2017. (Source: Twitter)

The tweet was retweeted over 100 times in less than 30 seconds, despite the fact that @DianneLogic has under 500 followers.

Some of the accounts which retweeted @DianneLogic. Note the timestamp at right, showing that every one of these retweets was posted in the same second, a classic indicator of bot engagement.
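The same-second pattern described above can be checked mechanically. The following is an added example, not part of the original analysis or the tooling behind the machine scan: it groups retweets by post and reports clusters of distinct accounts that retweeted within a short window. The account names, post ids, timestamps and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

def _cluster(prefix, n, post_id, ts):
    """Build n constructed retweet records sharing one timestamp."""
    return [(f"{prefix}{k:02d}", post_id, ts) for k in range(n)]

# Constructed sample (handles, post ids and times are invented):
# tuples of (retweeting account, retweeted post id, UTC timestamp).
SAMPLE = (
    _cluster("acct_a", 6, "post-1", "2017-09-24 12:02:07")
    + _cluster("acct_b", 5, "post-1", "2017-09-24 12:02:15")
    + [("user_x", "post-1", "2017-09-24 12:05:41"),
       ("user_y", "post-1", "2017-09-24 12:19:05"),
       ("user_z", "post-2", "2017-09-24 12:02:07"),
       ("user_x", "post-2", "2017-09-24 12:40:30")]
)

def find_retweet_bursts(retweets, window_s=1, min_accounts=5):
    """Find groups of >= min_accounts distinct accounts that retweeted the
    same post within window_s seconds of the first retweet in the group."""
    by_post = defaultdict(list)
    for account, post_id, ts in retweets:
        by_post[post_id].append((datetime.strptime(ts, FMT), account))
    window = timedelta(seconds=window_s)
    bursts = []
    for post_id, events in sorted(by_post.items()):
        events.sort()
        i = 0
        while i < len(events):
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            accounts = sorted({a for _, a in events[i:j]})
            if len(accounts) >= min_accounts:
                bursts.append({"post": post_id,
                               "start": events[i][0].strftime(FMT),
                               "accounts": accounts})
                i = j          # skip past the burst just recorded
            else:
                i += 1         # slide the window start forward
    return bursts

if __name__ == "__main__":
    for b in find_retweet_bursts(SAMPLE):
        print(b["post"], b["start"], len(b["accounts"]), "accounts")
```

Organic retweets of the same post, spread over minutes, never reach the account threshold, so only the two synchronized clusters are reported.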

The accounts which shared this tweet all belong to a single botnet, which does not have a particular linguistic or political bias. For example, @NEafuak29, screen name “Austen Alexander”, retweets posts in Spanish…

Screenshot from the timeline of @NEafuak29. (Source: Twitter)

…Arabic…

Screenshot from the timeline of @NEafuak29. (Source: Twitter)

…English…

Screenshot from the timeline of @NEafuak29. (Source: Twitter)

…and Thai.

Screenshot from the timeline of @NEafuak29. (Source: Twitter)

This is classic behavior of a commercial botnet rented out to users who want to promote tweets or accounts, either their own, or on behalf of another.

However, these accounts were also involved in a bot attack on @DFRLab on August 30. Many of the bots were taken offline as a result of that incident, but a number clearly remained in operation.

Retweet by @NEafuak29 of a post responding to the August 30 bot incident. This post was retweeted by 86,000 bots, of which 70,000 were taken offline as a result. (Source: Twitter)

This is significant, because the attacks on @DFRLab were part of a broader pattern of bot activity which primarily targeted researchers into Russian disinformation.

Retweet of another tweet in the bot attack, posted by @moqolaq, another of the accounts in the same botnet which amplified the post on #TakeAKnee. (Source: Twitter)

Given the largely commercial nature of the botnet’s other posts, this is not conclusive: it could have been hired by a user who supported #TakeAKnee. However, the botnet’s prior political activity places it in the nexus of pro-Kremlin and far-right activity.

Other botnets also amplified #TakeAKnee, but they were largely non-political in nature, posting retweets in a wide range of languages on a wide range of themes. One particularly striking botnet was employed at 12:11 UTC, after a user called @joeyglenn_twt posted an attack on Trump.

Archived on September 30, 2017. (Source: @joeyglenn_twt / Twitter)

Our machine scan showed that this tweet was retweeted simultaneously by small clusters of bots whose usernames were linked by various themes, such as a scramble of the letters j, d, and f…

Screenshot of machine scan, showing the retweets by the “jdf” group, all posted at the same second, 12:11:02.

…the use of the screen name “red”, with various numbers in the handle…

Screenshot of machine scan, showing the retweets by the “red” group, all posted at 12:11:10.

…and references to diets.

Screenshot of machine scan, showing the retweets by the “diet” group, all posted at 12:11:10.

These are all groups of bots, posting the same content at the same time. However, the groups are not uniform. The “jdf” group posts a classic mixture of multi-lingual content.

Retweets from one of the “jdf” group in Spanish, English and Portuguese. (Source: Twitter)

The “diet” and “red” groups largely follow a similar pattern, but have also posted some more political or current-events content from Catalonia, where tensions are high in the buildup to a contested referendum.

Retweets from one of the “diet” group, showing cars and a political post from Spain.
Retweets from one of the “red” group, showing the match. (Source: Twitter)

Other tweets by Glenn have also been amplified by bots, such as this post also attacking Trump, whose retweets included another family of bots.

Screenshot of the retweets of another @joeyglenn_twt tweet. (Source: Twitter)

These bots, again, share a range of multilingual and commercial content, interspersed with Spanish references to the referendum.

Arabic and Spanish retweets from @rrrrtttt1. (Source: Twitter)

None of these groups and networks of bots appears political in origin. Their content is multi-lingual and multi-faceted, without a single uniting theme. The likelihood is therefore that they were hired by unknown users to amplify specific messages, including Catalan independence and the #TakeAKnee movement.

One or two of these bots had Russian personas, notably Аня Домницкая and Артём. However, bots in the same network had Korean, Chinese, and Spanish names. There was no concentration of Russian-language posts, and the accounts themselves were created in 2011 and 2013, suggesting that they have been repurposed for bot work. This need not, therefore, mean that the network itself has a larger Russian connection.

Profile pictures of two bots in one of the #TakeAKnee networks, Аня Домницкая and Артём. (Source: Twitter)
Profile pictures of two other bots in the same #TakeAKnee network, @ooookkkkkkk and @2hyungee. (Source: Twitter)

It should also be noted that these various botnets created relatively short-term spikes in traffic. Each consisted of a few dozen or a few hundred accounts, enough to boost the signal and to amplify individual posts, but not enough to fundamentally distort the traffic.

Overall, the first 100,000 tweets to use #TakeAKnee were generated by some 49,000 users, making an average of just over two tweets per user. This is consistent with organic Twitter traffic.

Far-right bots and #BoycottNFL

As the #TakeAKnee hashtag exploded, Trump supporters pushed their own hashtag, #BoycottNFL, to counter it and attack the protesting footballers.

This hashtag also went viral, but less successfully. From September 19–26, it generated a total of just over 550,000 tweets, with a peak of 214,000 on September 24. This is a high volume, but a fraction of the traffic on #TakeAKnee, which registered almost 1.5 million tweets on September 24 alone.

Traffic on #BoycottNFL, September 19–26, from machine scan.

The hashtag was also driven by fewer users. The first 100,000 tweets were posted by just under 36,000 accounts, indicating the hashtag was driven by a relatively smaller (although still significant) user group.

Part of that traffic was generated by accounts which seem largely automated. However, those accounts are not commercial bots, such as those which boosted #TakeAKnee; instead, they are politically-active accounts whose content is limited to the far-right agenda in the United States.

They also achieve their amplification effect through individual accounts tweeting very high volumes of posts, rather than groups of accounts retweeting fewer posts all together. These features are characteristic of many accounts used by the far right in the U.S.

For example, the account @immoralreport posted 315 tweets with the hashtag #BoycottNFL between 10:00 and 18:00 UTC on September 24. Every one was a retweet, primarily of pro-Trump or far-right accounts.

Profile page for @ImmoralReport, showing the creation date and number of posts. Archived on September 30, 2017. (Source: Twitter)

Created in July 2015, this account had posted over 572,000 tweets by September 30, 2017, at an average rate of over 680 per day. The account is functionally anonymous, giving no indication of who is behind it. This combination of activity and anonymity is a classic indicator of bot status.

A Twitter search for posts created by the account, as opposed to retweets, from September 16–30, found 36 authored posts. A machine scan of all posts, including retweets, over the same period, showed that it posted 15,866 times. This appears to be a cyborg: a largely-automated account which periodically posts authored tweets to avoid looking too much like a bot.

Machine scan preview of posts from @ImmoralReport, showing the volume of posts, including retweets, September 16–30.

Similarly, @PA4TAXPAYERS posted 220 times on #BoycottNFL between 10:00 and 18:00 on September 24. All were retweets. This is another hyperactive and anonymous account: it has no avatar or personal name and has posted 378,000 tweets and likes since its creation in March 2016, at an average rate of over 680 engagements a day.

Profile of @PA4TAXPAYERS. Archived on September 30, 2017. (Source: Twitter)

According to a Twitter search, this account tweeted 18 authored posts from September 16–30. Over the same fortnight, it posted 8,391 times. This, again, appears to be a cyborg, largely automated but, again, posting its own tweets.

Machine scan preview of posts from @PA4TAXPAYERS, showing the volume of posts, including retweets, September 16–10.

Accounts such as these drove a significant proportion of traffic. In total, the 50 most active accounts to tweet #BoycottNFL posted 4,495 times in the sample of 100,000 tweets. By contrast, the 50 most active posters on #TakeAKnee posted 3,368 times in a sample of the same size. This suggests that traffic on #BoycottNFL was driven by a smaller and more dedicated user group than #TakeAKnee — a group which made up for lower numbers by generating more posts each.
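The measures used in this section (posts per user, the share of traffic from the most active accounts, and the balance of authored posts against retweets) can be computed from a tweet sample as follows. This is an added example, not the tooling used for the machine scan; the sample records, account names and thresholds are constructed assumptions.

```python
from collections import Counter

# Constructed sample of (account, is_retweet) records for one hashtag.
# Account names are invented: two hyperactive accounts plus 20 light users.
SAMPLE = (
    [("heavy_a", True)] * 39 + [("heavy_a", False)]       # 1 authored post in 40
    + [("heavy_b", True)] * 30                             # retweets only
    + [(f"user_{k:02d}", False) for k in range(20)]        # one authored post each
    + [(f"user_{k:02d}", True) for k in range(0, 20, 2)]   # half also retweet once
)

def amplification_profile(records, top_n=2, min_posts=20, max_authored=0.05):
    """Summarise how concentrated a sample is and flag hyperactive accounts
    whose output is almost entirely retweets. Thresholds are assumptions."""
    total = Counter(acct for acct, _ in records)
    authored = Counter(acct for acct, is_rt in records if not is_rt)
    n_posts = sum(total.values())
    flagged = {}
    for acct, count in total.items():
        ratio = authored[acct] / count
        if count >= min_posts and ratio <= max_authored:
            # A few authored posts among the retweets is the "cyborg" pattern.
            flagged[acct] = "cyborg" if authored[acct] else "retweet-only"
    top_posts = sum(c for _, c in total.most_common(top_n))
    return {
        "users": len(total),
        "posts_per_user": round(n_posts / len(total), 2),
        "top_n_share": round(top_posts / n_posts, 3),
        "flagged": flagged,
    }

if __name__ == "__main__":
    print(amplification_profile(SAMPLE))
```

A high top-N share combined with flagged accounts indicates traffic driven by a small, hyperactive group rather than by many users posting once or twice.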

Conclusion

Taken together, all these factors suggest both #TakeAKnee and #BoycottNFL were genuinely viral movements, generating high volumes of traffic from large numbers of accounts, but both received an additional boost from bots.

The bots which amplified #TakeAKnee were primarily non-political; they appear to be bots for hire, repurposed to amplify specific posts. Of these, the most significant group is that which retweeted @DianneLogic, given its previous use in online harassment campaigns in the context of Russia and the far right. However, the evidence of its prior behavior is suggestive but not conclusive. It cannot be taken as proving Senator Lankford’s claim.

The accounts which amplified #BoycottNFL are a different breed. They are largely cyborgs, rather than bots, posting authored content in between slews of retweets. They are also political, rather than commercial. Their sole purpose appears to be boosting far-right American posts.

In both cases, the bots were functionally anonymous, providing no verifiable information on the identity of the user behind them. There is thus no independent information which would allow us to say definitively whether they were American, linked somehow to Russia, or managed from another country entirely.

The final point is that there is a major difference in the level of activity, and engagement, between #TakeAKnee and #BoycottNFL. The former generated five times more tweets than the latter; it attracted proportionately more users in its initial phase. This would suggest that, while both hashtags were genuinely or organically viral, and both saw some level of bot activity, the distortion caused by automated accounts was greater for #BoycottNFL than for #TakeAKnee.


Ben Nimmo is Senior Fellow for Information Defense at the Atlantic Council’s Digital Forensic Research Lab (@DFRLab).

Follow along for more in-depth analysis from our #DigitalSherlocks.
