On Sockpuppets, Nation States, Nigerian Blogs, and a Murder Victim

z3dster
Sep 14, 2020

On July 7th, 2020, Adam Rawnsley published a Daily Beast article about a series of fake people writing real articles, negative about Qatar, for primarily English-language right-wing sites. There is reason to suspect those fake accounts were run by a pro-U.A.E shop of some kind.

The fake authors used pictures generated with a service like “This Person Does Not Exist”, which uses artificial intelligence (A.I.) to generate fake faces. The fake faces often, but not always, have some telltale signs of being fake: teeth, glasses, ears and backgrounds often create problems for these AIs, but the technology is getting better and better. You can test the system and how well you spot the fake faces with this quiz.

The Daily Beast made this image to show the fake pictures used for the fake news articles:

Image Created by Daily Beast https://www.thedailybeast.com/right-wing-media-outlets-duped-by-a-middle-east-propaganda-campaign

These sorts of accounts are commonly called troll or bot accounts, but they are more accurately referred to as “sockpuppets”. A sockpuppet is a fake persona run by a real person, whereas a bot is an account that is automated, and a troll is simply someone trying to get a rise out of others. A commonly encountered example of sockpuppets is fake Amazon reviews; these are real people writing the reviews under fake personas. Bots can be anything automated, like a program to upvote those fake reviews. Finally, trolls! The easiest example of a troll is your younger sibling yelling “I’m not touching you” while sticking their finger a millimeter from your eye because they know it is annoying.

An example tactic using bots, sockpuppets, and trolls that has been seen with organizations like the Russian Internet Research Agency, or IRA, is to use two sockpuppets tweeting from opposite ends of the political spectrum to try to gin up real reactions from others. The two sockpuppets are in truth the same person or team acting out a planned script, a sort of internet WWE-style wrestling match. They then use a network of bots to amplify the tweets and “like” the most vitriol-filled tweets, often from trolls, to push them up in the thread.

The bots and sockpuppets play a game of cat and mouse with social media companies, and we can gain insight into how they operate from the data the social media companies have started to release after they shut down large numbers of suspect accounts. These data dumps from Facebook and Twitter give us insight into the modus operandi of these organizations and, more importantly, can help us find leftover accounts not yet shut down. A technique I have used after Twitter or others publish a list of blocked accounts is to go back through and search for other accounts that have made similar tweets, and often I find other accounts missed by the initial ban wave.

I did a Twitter thread a while back showing this technique at work.

I decided to do a similar search after reading The Daily Beast article by searching Twitter for users that had shared the fake articles the Daily Beast had found. I took the link for https://humanevents.com/2019/12/03/qatar-is-destabilizing-the-middle-east/ and ran it back through Twitter search with date windowing to before the Daily Beast article was published.

That search found this tweet by one “Dima Baruch” sharing the fake article.

“Dima’s” Twitter header:

Here is Dima’s account image

Notice the single eyeglass lens, distorted background, missing ear, and extra mini tooth; clearly a machine-generated image.

Dima’s profile claims he is an Ohio Jew from Acme, Ohio; Acme, Ohio appears to be as real as the Acme Corp. Wile E. Coyote frequents. Dima is clearly a sockpuppet. Whoever was behind the account, which has been silent since April 24, 2020, tried to give the persona a backstory. Here are some examples:

Trying to establish his Jewish background as a Soviet-born US Jew

Random posts to make it seem he wasn’t one dimensional

The operator wanting to endear Dima Baruch to US conservatives on Twitter

And then Dima tweeting on topic, attacking Turkey, Iran and Qatar while defending the U.A.E and Saudi Arabia

Looking at the Dima persona’s tweets, I found this one particularly interesting

Dima’s operator was attacking The New York Times and had a particular hate for Ken Vogel; this tweet had 3 likes and 3 retweets from the same 3 accounts

A quick analysis of those three accounts reveals that George and Dan used pictures of Spanish-speaking users stolen from LinkedIn and Yohan Bitt’s image is most likely a reversed image of a model.

I ran all 4 accounts, Dima plus the 3 above that retweeted him, through TweetBeaver, a Twitter analytics tool, and found a surprising result:

The three accounts that liked Dima’s tweet were all created on the same day. It seems unlikely 3 accounts created on the same day would all like the same tweet. Following those accounts and their networks I was able to find a few more suspicious accounts based on tweets and likes.

Teddy Speaks, who has another AI generated image

Notice the background warping and hairline

Shaun Anthony

Globetrotter, who has another machine-generated image

Notice the background warping again, eyes are off as well

Jenny M, again machine generated

Cropping the picture makes it harder, but there are no reverse image search results and the background is warped

Garfield Super-fan, machine-generated, Carissa Beth

Notice the extra human growth off to the left side and odd ears

Henry (who is still actively tweeting as of 9/10)

Soulsurfer, another machine-generated image

Sinbadthepirate, who likes to ask the deep important questions

Brandon, another AI image

Again warped background, other telltale signs are odd skin splotches and banding near the eyes

Alfred Zenk, who is using a stolen photo

RoseElise13, who uses a stock image

She has an interesting choice of what to retweet

Jestine

And finally a fairly egregious account, KlaymanMollie

Mollie’s avatar is a picture of murder victim Mollie Tibbetts

https://www.thegazette.com/subject/news/community/mollie-tibbetts-funeral-malcom-high-school-brooklyn-iowa-20180826

I ran all these accounts back through TweetBeaver

Take a look again at account created date

What are the chances I would choose that many accounts at random that have that many shared creation dates?
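The creation-date check described above, as an added example that is not part of the original post: it groups the accounts that engaged with each tweet by creation day and attaches a rough upper bound on the chance of that overlap. The handles, dates and tweet ids are constructed sample data, and the bound assumes creation days are independent and uniform over a ten-year window, which is a simplification.

```python
from collections import defaultdict
from datetime import date
from math import comb

# Constructed sample data: account handle -> creation date (not real accounts).
CREATED = {
    "seed_persona": date(2017, 3, 2),
    "liker_1": date(2018, 6, 11),
    "liker_2": date(2018, 6, 11),
    "liker_3": date(2018, 6, 11),
    "organic_1": date(2012, 9, 30),
    "organic_2": date(2015, 1, 17),
}
# Constructed sample data: tweet id -> accounts that liked or retweeted it.
ENGAGERS = {
    "tweet_A": ["liker_1", "liker_2", "liker_3"],
    "tweet_B": ["organic_1", "organic_2", "liker_1"],
}

def chance_bound(n, m, days):
    """Union bound on P(some m of n accounts share a creation day),
    assuming creation days are independent and uniform over `days` days."""
    return min(1.0, comb(n, m) * (1.0 / days) ** (m - 1))

def same_day_batches(handles, created, min_size=3):
    """Group handles by creation date; keep groups of at least min_size."""
    by_day = defaultdict(list)
    for h in handles:
        if h in created:  # accounts with no known creation date are skipped
            by_day[created[h]].append(h)
    return {d: sorted(hs) for d, hs in by_day.items() if len(hs) >= min_size}

def flag_tweets(engagers, created, days=3650, min_size=3):
    """Return {tweet: [(creation_date, handles, chance_bound), ...]}."""
    flagged = {}
    for tweet, handles in engagers.items():
        uniq = sorted(set(handles))
        hits = [(d, hs, chance_bound(len(uniq), len(hs), days))
                for d, hs in same_day_batches(uniq, created, min_size).items()]
        if hits:
            flagged[tweet] = hits
    return flagged

if __name__ == "__main__":
    for tweet, hits in flag_tweets(ENGAGERS, CREATED).items():
        for day, handles, p in hits:
            print(f"{tweet}: {handles} all created {day}, chance bound {p:.1e}")
```

A shared creation day is a lead for manual review rather than proof of coordination, since real sign-ups also spike around news events.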

Not all these accounts were active in tweeting about the U.A.E or Qatar, or at all; some just functioned as bots to like the sockpuppets’ tweets. I’ve had a theory that could explain why some tweeted and others just liked tweets: many of these accounts are created by a seller who spins up a lot of accounts at once using a site such as https://www.fakepersongenerator.com/

They use those fake accounts for SEO (search engine optimization): if those accounts tweet the same topic or site, they can push it up in the rankings. They also use them to sell likes or retweets to those trying to build their accounts through artificial means. Eventually, the seller sells these accounts to new operators. My guess is the older the account, the more it goes for, because people trust older accounts more than fresh ones.

In this case, the seller sold the operators that tweeted the pro-U.A.E, anti-Qatar and anti-Iran messages a batch of accounts from the same creation group instead of a mix of dates. This should make it easy for Twitter to go in and find more of them and harder to hide the network.

While looking through the likes of those accounts and those that liked their tweets, I was able to find newer accounts most likely created by the same seller but not sold yet.

I’m sure the seller is waiting to age these accounts in hopes Twitter doesn’t remove them before they can sell them as aged accounts.

Once I found these accounts and searched the tweets they had liked, I often ran into tweets with either a few likes or hundreds of likes that either way look like this: bots all the way down.

Now, back to Dima and the fake news stories. I found the following tweet from his account regarding a potential sale of Chinese-made J-10 fighters to Iran:

.NG is the country code top-level domain for Nigeria, which makes this blog an odd news source to choose when generally Dima’s operator chose more mainstream news sources.

I searched that headline and got a startling result

https://www.google.com/search?&q=Qatar+assists+Iran+in+buying+36+fighter+jets+J-10C+from+China

Multiple sites, I believe mostly Nigerian, all reporting the same story

Looking at some of the sites, you can submit guest posts and pay for sponsored posts

It is possible the operators behind these accounts hoped that, by posting the news article and retweeting it, they could get the story picked up by more mainstream media or trend it somehow. As far as I can tell they were unsuccessful with this particular effort.

Similar to the story this past month of the fake Russian blog site Peace Data, it seems other nations are trying to do the same thing: use either existing blog or news sites with loose editorial standards to spread planted stories, or run their own, and use their networks of sockpuppets and bots to accelerate the spread of those stories. The effort I documented above seems most likely to have been run for the benefit of the U.A.E, based on the articles The Daily Beast uncovered and the targets of their tweets. However, that doesn’t mean it was run by the U.A.E; for example, the Russian IRA farmed work out to Ghana and Nigeria. Given the odd choice of Nigerian blogs, I wouldn’t be surprised if whoever paid for the bots and sockpuppets had similarly farmed out their work to Nigerians, being a cheap source of native English speakers with easy and cheap access to the internet.

To find out how much of this I got right and who was actually behind these accounts, I look forward to Twitter hopefully taking them down, in which case I can read about them in a future transparency report.
