#ElectionWatch: Italy’s Self-Made Bots

How the Lega’s followers automate themselves

Automated re-posts of tweets promoting Matteo Salvini. (Source: Twitter)

As Italy counts down to national elections in March, one party has taken a creative approach to spreading its message on Twitter: it enlisted supporters to turn themselves into bots.

Bots are automated accounts which post retweets or likes without human intervention. In politics, they are normally used to make small groups look bigger. Usually, bots are made by a bot herder or team, either by creating new accounts or repurposing hijacked ones. @DFRLab published a guide on how to #BotSpot, a primer on how bots are used, and some techniques botmakers use to disguise their product.

In the Italian case, some bots have been created by the account-holders themselves — what could be called “selfbots.”

This is not the first time this has been done (the Russian Embassy in the UK used the same tactic a year ago), but with the election approaching, it highlights how different actors are trying all possible tactics to give themselves an edge online.

Automatic posts

The story broke on January 23, after Matteo Salvini, leader of the nationalist Lega party, appeared on national television.

Italian blogger, web designer, and fact-checker David Puente was quick to point out that a suspicious number of accounts had tweeted the same message advertising Salvini’s appearance at exactly the same time.

Translated from Italian: “The automatic Lega Nord tweets on Twitter: ‘An EXTRAORDINARY Matteo #Salvini on LA7! Do you agree?’” (Source: DavidPuente.it)

@DFRLab conducted a machine scan of the phrase and confirmed that the identical text was posted by 154 accounts in the space of 74 seconds, from 21:45:11 UTC to 21:46:25 UTC.

The first accounts to tweet the pro-Salvini phrase, from machine scan. Note the timestamp on the right, running at a rate of two tweets per second. (Source: DFRLab)

This is typical bot behavior. Puente analyzed the data coming from two of the accounts and revealed that they came from an automator called “LegaNordIllustrator”, linked to the official Lega Twitter feed, @LegaSalvini, and to the URL SalviniPremier.it.

Image from Puente’s post, showing the LegaNordIllustrator. (Source: DavidPuente.it)

Both salvinipremier.it and Salvini’s other apparent websites, matteosalvini.eu and matteosalvini.com, redirect to Salvini’s official Facebook page. Puente identified this URL as the host of the automator: http://matteosalvini.com/seguimitw.asp.

The link leads to an advert for Salvini’s own Twitter account:

Translated from Italian: “FOLLOW MATTEO SALVINI ON TWITTER”. (Source: matteosalvini.com)

Bots, yet not bots

The behavior of these accounts was too similar and too synchronized to be anything other than automated. Analysis of the accounts involved confirmed this, demonstrating that they repeatedly posted the same Salvini messages (usually with his name hashtagged) in the same order.

Posts from @Flory1952, @HarrisonPala and @fabiokingrock, showing identical posts at the same time and in the same order. (Source: Twitter)

Scanning these tweets, in turn, revealed an identical pattern of simultaneous posts from the same accounts.

The first posts on two identical phrases promoting Salvini on January 23, from machine scans. Note the way the same accounts feature in almost the same order in both scans. In each case, all these tweets were posted within 3 seconds. (Source: DFRLab)

Some of the amplifiers were corporate accounts: Lega chapters across Italy, and Radio Padania Libera, a nationalist radio station whose name calls for a free republic of “Padania,” the northern part of Italy.

Shares of the identical message from Lega groups in Lombardy, Parma, Castrezzato, Giaveno and Montanaro, and Radio Padania Libera, from machine scan. All these were posted within 39 seconds. (Source: DFRLab)

Others appeared to be human users, but posted with machine-like regularity — too regular to be human. These accounts are all automated to post the same content at the same time. In that sense, they are a botnet.

However, different accounts in the botnet behave in different ways. For example, the last time @Flory1952 posted anything other than automated Salvini content was on August 6, 2017.

@Flory1952’s last authored post. A Twitter search for the identical text turned up no other results. (Source: Twitter / @Flory1952)

@HarrisonPala, by contrast, interspersed Salvini tweets with commercials for Xbox and a few authored posts. This tweet included a selfie showing a face which matches the profile picture. A reverse image search did not return other results for these pictures, indicating that this is a genuine user.

Left, @HarrisonPala’s selfie; right, his profile picture. (Source: Twitter / @HarrisonPala)

@Dumbo54 caught our eye because its profile picture is the flag of the so-called “Novorossiya,” the (largely discontinued) Russian-led separatist name for eastern Ukraine, and it is a highly active account with over 133,000 engagements since it was created in 2010.

@dumbo54’s profile page. (Source: Twitter / @Dumbo54)

The account posts long slews of Italian-language retweets, many from Lega member Claudio Borghi, in a botlike pattern of behavior.

Retweets by @dumbo54. (Source: Twitter / @Dumbo54)

However, it does not behave like a pure bot. It posts many replies, such as these, which appear to be authored.

(Source: Twitter / @dumbo54)

Despite its use of the separatist flag, it barely mentions Novorossiya or Ukraine in its tweets.

The only mentions of Novorossiya in @dumbo54’s tweets. The upper post, translated from Italian: “Before anyone asks, my profile is the flag of Novorossiya, where a whole people are fighting a desperate war.” (Source: Twitter / @Dumbo54)

@dumbo54 appears to be a genuine Italian account, partially automated to amplify pro-Lega messaging, but also used to post many replies.

How to be a selfbot

These accounts therefore constitute a botnet when it comes to posts about Salvini, but not necessarily when it comes to other topics.

The app exposed by Puente explains this dichotomy. The users in question appear to have signed up to it, and thus converted themselves into willing “selfbots”, effectively handing the keys of their accounts to Lega.

We can deduce a little about the way the app works by studying the posts it generated. It appears to hold its human users in a list, and run through them in a set order, second by second, with minimal variation.

Comparison of the first accounts to post three different texts about Salvini on January 23. In each case, these posts were all made in seven seconds. Note the almost-identical order, and the absolutely identical set of users in each case. (Source: DFRLab)

The corporate accounts appear to constitute a separate sub-list which displays a little more variation in the order and timing of posts.

Posts from corporate accounts on the two set phrases. Note that two of the users in the left-hand list do not feature in the right-hand list, and vice versa. (Source: DFRLab)

In each case, the official Lega account, @LegaSalvini, was the first corporate account to post, with the Salvini supporters’ group, @Noiconsalvini, and Radio Padania Libera following in short order.

However, these were always preceded by the first in the “humans” series of accounts, albeit only by one or two seconds.

First posts in the automated call before Salvini’s television appearance, from machine scan. (Source: DFRLab)
First posts in the automated praise after Salvini’s television appearance, from machine scan. (Source: DFRLab)

Thus, the @LegaSalvini account does not appear to act as a trigger for the human accounts, as might have been suspected; rather, it, like the others, is triggered by the automator, which then appears to run through its list of accounts with minimal variation.
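
The two signals described above (identical text from many accounts within seconds, and the same accounts recurring in almost the same order across different texts) can be checked mechanically. The sketch below is an added example, not DFRLab's or Puente's tooling; the account names, timestamps, texts and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample (account, UTC timestamp, text); not data from the DFRLab scans.
SAMPLE = [
    ("acct1", "2020-01-01T12:00:01", "Slogan A #tag"),
    ("acct2", "2020-01-01T12:00:01", "Slogan A #tag"),
    ("acct3", "2020-01-01T12:00:02", "Slogan A #tag"),
    ("acct4", "2020-01-01T12:00:02", "Slogan A #tag"),
    ("acct5", "2020-01-01T12:00:03", "Slogan A #tag"),
    ("acct2", "2020-01-01T15:00:00", "An authored post"),
    ("acct1", "2020-01-01T18:30:10", "Slogan B #tag"),
    ("acct3", "2020-01-01T18:30:10", "Slogan B #tag"),
    ("acct2", "2020-01-01T18:30:11", "Slogan B #tag"),
    ("acct4", "2020-01-01T18:30:11", "Slogan B #tag"),
    ("acct5", "2020-01-01T18:30:12", "Slogan B #tag"),
]

def find_bursts(records, min_accounts=3, max_span=120):
    """Identical text from >= min_accounts accounts within max_span seconds."""
    by_text = defaultdict(list)
    for account, ts, text in records:
        by_text[text].append((datetime.fromisoformat(ts), account))
    bursts = {}
    for text, posts in by_text.items():
        # Stable sort on time only: same-second ties keep the scan's order.
        posts.sort(key=lambda p: p[0])
        order = list(dict.fromkeys(acct for _, acct in posts))
        span = (posts[-1][0] - posts[0][0]).total_seconds()
        if len(order) >= min_accounts and span <= max_span:
            bursts[text] = {"order": order, "span": span}
    return bursts

def order_agreement(order_a, order_b):
    """Share of account pairs in both bursts that keep the same relative order."""
    pos_b = {acct: i for i, acct in enumerate(order_b)}
    shared = [acct for acct in order_a if acct in pos_b]
    pairs = list(combinations(shared, 2))
    same = sum(pos_b[x] < pos_b[y] for x, y in pairs)
    return same / len(pairs) if pairs else 0.0

def compare_bursts(bursts):
    """Account-set overlap (Jaccard) and order agreement for each pair of bursts."""
    out = []
    for (ta, a), (tb, b) in combinations(bursts.items(), 2):
        sa, sb = set(a["order"]), set(b["order"])
        agree = order_agreement(a["order"], b["order"])
        out.append((ta, tb, len(sa & sb) / len(sa | sb), agree))
    return out
```

On the constructed sample, the two slogans form bursts with a fully overlapping account set and an order agreement of 0.9, while the single authored post is ignored. An overlap and agreement both close to 1.0 across unrelated texts is the list-driven behavior the scans showed.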

This is not the first time Lega resorted to a selfbot strategy. On the matteosalvini.com home page, Salvini's supporters can still find the promotional pictures that invite them to join Lega's social campaign on Facebook and Twitter.

(Source: matteosalvini.com)

As Puente also pointed out in his article, the social media campaign was launched in 2014 before the elections for the European Parliament and was suspended. Lega invited supporters to subscribe to the app through their Facebook profile, their Twitter profile, or both, in order to become a "spokesperson" for Salvini. Lega also specifies that, upon registration, the supporters' profiles will automatically like, repost, and retweet Matteo Salvini's content.

The two pages on matteosalvini.com that invite Salvini's supporters to become his spokesperson through their Facebook (on the right) and Twitter (left) accounts. (Source: matteosalvini.com)

Another example of Lega's use of selfbots was the referendum announced by Renzi in December 2016. On the night before the referendum, between 10:04pm and 10:09pm, 156 Twitter accounts shared the same picture with the same message that invited Italian citizens to go and vote "no". In this case, we found some of the same people involved in the selfbots case two days ago.

Screenshots of the first 8 accounts to share the content at 10:04pm on December 3, 2016 (on the right) and of the entire picture (on the left). (Source: Twitter)

Conclusion

This network of “selfbots” is a variation on a well-known political theme. It created a dormant network of bots, which can operate autonomously but also be activated at will to amplify a political message.

The botnet was both obvious and small. It appeared to include just over 150 accounts, of which some are Lega corporate ones. Its main impact on the Italian Twittersphere appeared to have been to expose the Lega’s use of automation online, which was not necessarily the desired effect.

However, it is a point of vulnerability in the online debate. By blurring the distinction between human-run accounts and automated ones, it opens the door to larger-scale abuse. With apparently human users behaving like bots, at the same time as bot makers are trying to make their bots behave more like humans, “selfbots” like this further blur the distinction between human and algorithm, and render the online space more vulnerable still to abuse.


Ben Nimmo is Senior Fellow for Information Defense at the Atlantic Council’s Digital Forensic Research Lab (@DFRLab).

Anna Pellegatta is a Digital Forensic Research Assistant at the Atlantic Council’s Digital Forensic Research Lab (@DFRLab).

Our #ElectionWatch coverage for the upcoming Italian elections is in partnership with fanpage.it.
