Identifying botnets amplifying #TakeAKnee and #BoycottNFL
On September 27, U.S. Senator James Lankford said Russian-linked internet trolls and bots were amplifying Twitter posts on both sides of the controversy surrounding the National Football League (NFL).
Lankford said trolls were amplifying the hashtags #TakeAKnee and #BoycottNFL, “taking both sides of the argument…to just raise the noise level in America and to make a big issue seem like an even bigger issue as they’re trying to push divisiveness in the country.”
@DFRLab and colleagues in the open-source community analyzed traffic on both hashtags, looking for indications of bot activity. We found a number of active botnets, but in most, no immediate link with Russia was visible.
The exception was a botnet which mainly posts commercial spam in a range of languages. This boosted a post on #TakeAKnee and had earlier been involved in a major bot attack on @DFRLab. That bot attack was itself triggered by a post linking the American far right with Russia.
Taking on #TakeAKnee
On September 23, the hashtag #TakeAKnee went viral as NFL players protested racial injustice and systematic inequality, which was put in the spotlight when U.S. President Donald Trump made comments disparaging the NFL players’ protest. The hashtag was not new, but it exploded from a few dozen tweets per day to over 770,000 in one day.
Much of the traffic was organic. It accelerated between 10:00 and 12:00 UTC (06:00 and 08:00 EST), consistent with internet users on the U.S. East Coast coming online and beginning to comment, before levelling off at a rate of around 1,000 tweets per minute.
We conducted a machine scan of the first 100,000 tweets, to assess how the hashtag began to trend and noted a number of significant spikes in the traffic.
Each spike was driven by the insertion of a separate, largely non-political botnet which retweeted a single post many times in a few seconds.
The most significant spike came at 12:02 UTC. This was triggered by a tweet from a user called @DianneLogic, with the text:
The tweet was retweeted over 100 times in less than 30 seconds, despite the fact that @DianneLogic has under 500 followers.
The accounts which shared this tweet all belong to a single botnet, which does not have a particular linguistic or political bias. For example, @NEafuak29, screen name “Austen Alexander”, retweets posts in Spanish…
This is classic behavior of a commercial botnet rented out to users who want to promote tweets or accounts, either their own, or on behalf of another.
However, these accounts were also involved in a bot attack on @DFRLab on August 30. Many of the bots were taken offline as a result of that incident, but a number clearly remained in operation.
This is signifcant, because the attacks on @DFRLab were part of a broader pattern of bot activity which primarily targeted researchers into Russian disinformation.
Given the largely commercial nature of the botnet’s other posts, this is not conclusive: it could have been hired by a user who supported #TakeAKnee. However, the botnet’s prior political activity places it in the nexus of pro-Kremlin and far-right activity.
Other botnets also amplified #TakeAKnee, but they were largely non-political in nature, posting retweets in a wide range of languages on a wide range of themes. One particularly striking botnet was employed at 12:11 UTC, after a user called @joeyglenn_twt posted an attack on Trump.
— JoeyGlenn's Tweets (@joeyglenn_twt) September 23, 2017
Our machine scan showed that this tweet was retweeted simultaneously by small clusters of bots whose usernames were linked by various themes, such as a scramble of the letters j, d, and f…
…the use of the screen name “red”, with various numbers in the handle…
…and references to diets.
These are all groups of bots, posting the same content at the same time. However, the groups are not uniform. The “jdf” group posts a classic mixture of multi-lingual content.
The “diet” and “red” groups largely follow a similar pattern, but have also posted some more political or current-events content from Catalonia, where tensions are high in the buildup to a contested referendum.
Other tweets by Glenn have also been amplified by bots, such as this post also attacking Trump, whose retweets included another family.
These bots, again, share a range of multilingual and commercial content, interspersed with Spanish references to the referendum.
None of these groups and networks of bots appears political in origin. Their content is multi-lingual and multi-faceted, without a single uniting theme. The likelihood is therefore that they were hired by unknown users to amplify specific messages, including Catalan independence and the #TakeAKnee movement.
One or two of these bots had Russian personas, notably Аня Домницкая and Артём. However, bots in the same network had Korean, Chinese, and Spanish names. There was no concentration of Russian-language posts, and the accounts themselves were created in 2011 and 2013, suggesting that they have been repurposed for bot work. This need not, therefore, mean that the network itself has a larger Russian connection.
It should also be noted that these various botnets created relatively short-term spikes in traffic. Each consisted of a few dozen or a few hundred accounts, enough to boost the signal and to amplify individual posts, but not enough to fundamentally distort the traffic.
Overall, the first 100,000 tweets to use #TakeAKnee were generated by some 49,000 users, making an average of just over two tweets per user. This is consistent with organic Twitter traffic.
Far-right bots and #BoycottNFL
As the #TakeAKnee hashtag exploded, Trump supporters pushed their own hashtag, #BoycottNFL, to counter it and attack the protesting footballers.
This hashtag also went viral, but less successfully. From September 19–26, it generated a total of just over 550,000 tweets, with a peak of 214,000 on September 24. This is a high volume, but a fraction of the traffic on #TakeAKnee,which registered almost 1.5 million tweets on September 24 alone.
The hashtag was also driven by fewer users. The first 100,000 tweets were posted by just under 36,000 accounts, indicating the hashtag was driven by a relatively smaller (although still significant) user group.
Part of that traffic was generated by accounts which seem largely automated. However, those accounts are not commercial bots, such as those which boosted #TakeAKnee; instead, they are politically-active accounts whose content is limited to the far-right agenda in the United States.
They also achieve their amplification effect through individual accounts tweeting very high volumes of posts, rather than groups of accounts retweeting fewer posts all together. These features are characteristic of many accounts used by the far right in the U.S.
For example, the account @immoralreport posted 315 tweets with the hashtag #BoycottNFL between 10:00 and 18:00 UTC on September 24. Every one was a retweet, primarily of pro-Trump or far-right accounts.
Created in July 2015, this account had posted over 572,000 tweets by September 30, 2017, at an average rate of over 680 per day. The account is functionally anonymous, giving no indication of who is behind it. This combination of activity and anonymity is a classic indicator of bot status.
A Twitter search for posts created by the account, as opposed to retweets, from September 16–30, found 36 authored posts. A machine scan of all posts, including retweets, over the same period, showed that it posted 15,866 times. This appears to be a cyborg: a largely-automated account which periodically posts authored tweets to avoid looking too much like a bot.
Similarly, @PA4TAXPAYERS posted 220 times on #BoycottNFL between 10:00 and 18:00 on September 24. All were retweets. This is another hyperactive and anonymous account: it has no avatar or personal name and has posted 378,000 tweets and likes since its creation in March 2016, at an average rate of over 680 engagements a day.
According to a Twitter search, this account tweeted 18 authored posts from September 16–30. Over the same fortnight, it posted 8,391 times. This, again, appears to be a cyborg, largely automated but, again, posting its own tweets.
Accounts such as these drove a significant proportion of traffic. In total, the 50 most active accounts to tweet #BoycottNFL posted 4,495 times in the sample of 100,000 tweets. By contrast, the 50 most active posters on #TakeAKnee posted 3,368 times in a sample of the same size. This suggests that traffic on #BoycottNFL was driven by a smaller and more dedicated user group than #TakeAKnee — a group which made up for lower numbers by generating more posts each.
Taken together, all these factors suggest both #TakeAKnee and #BoycottNFL were genuinely viral movements, generating high volumes of traffic from large numbers of accounts, but both received an additional boost from bots.
The bots which amplified #TakeAKnee were primarily non-political; they appear to be bots for hire, repurposed to amplify specific posts. Of these, the most significant group is that which retweeted @DianneLogic, given its previous use in online harassment campaigns in the context of Russia and the far right. However, the evidence of its prior behavior is suggestive but not conclusive. It cannot be taken as proving Senator Lankford’s claim.
The accounts which amplifed #BoycottNFL are a different breed. They are largely cyborgs, rather than bots, posting authored content in between slews of retweets. They are also political, rather than commercial. Their sole purpose appears to be boosting far-right American posts.
In both cases, the bots were functionally anonymous, providing no verifiable information on the identity of the user behind them. There is thus no independent information which would allow us to say definitively whether they were American, linked somehow to Russia, or managed from another country entirely.
The final point is that there is a major difference in the level of activity, and engagement, between #TakeAKnee and #BoycottNFL. The former generated five times more tweets than the latter; it attracted proportionately more users in its initial phase. This would suggest that, while both hashtags were genuinely or organically viral, and both saw some level of bot activity, the distortion caused by automated accounts was greater for #BoycottNFL than for #TakeAKnee.
Ben Nimmo is Senior Fellow for Information Defense at the Atlantic Council’s Digital Forensic Research Lab (@DFRLab).
Follow along for more in-depth analysis from our #DigitalSherlocks.