Researchers from cybersecurity firm Duo Security have recently revealed that a massive botnet is behind Twitter’s “crypto giveaway” scams. The botnet, which contains at least 15,000 bots, has a three-tiered hierarchical structure.

The researchers, in a report titled “Don’t @ Me: Hunting Twitter Bots at Scale,” detailed the sophisticated botnet in what’s being seen as one of the most wide-reaching studies of the Twitter ecosystem yet. Per the report, the botnet evolved over time to remain undetected.

As first reported by ITPro, the researchers looked at over 88 million Twitter accounts from May to July of this year, and used a machine learning model to identify bots and spammers. Their findings were released in a report ahead of a presentation at the 2018 Black Hat cybersecurity conference in Las Vegas.

Per the researchers, Duo’s principal R&D engineer Jordan Wright and data scientist Olabode Anise, the botnet’s first tier involves bots spoofing legitimate cryptocurrency-related accounts by copying their display names and avatars. As CryptoGlobe covered, the botnet even spoofed the accounts of Bloomberg reporters.

The spoofing trend, which even affected Tron founder Justin Sun, forced Twitter users to add “not giving away ETH” to their display names, in an attempt to stop scammers from tricking users. The spoofed accounts spread fake links in replies to the users they’re spoofing, claiming a crypto giveaway is going on.

These spoofing bots reportedly follow the same Twitter accounts, dubbed “hub accounts.” Their importance in the botnet isn’t clear, but researchers believe these were randomly chosen to make the botnet appear legitimate.

A third tier sees bots create fake accounts that merely like and retweet other bots, to boost their popularity and reach. Per the researchers, users are likely to trust tweets with many likes and retweets, something the botnet’s operators know.

Malicious bot detection and prevention is a cat-and-mouse game. We anticipate that enlisting the help of the research community will enable discovery of new and improving techniques for tracking bots.

Jordan Wright

While the botnet heavily affects cryptocurrency-related posts on Twitter, researchers found that less than 5% of the social network’s accounts are spam-related.

Twitter’s Response

Twitter has in the past revealed it’s trying to curb the botnet’s actions, as it claims to be “proactively implementing a number of detections to prevent these types of accounts from engaging with others in a deceptive manner.”

Per a company spokesperson, “spam and certain forms of automation” go against its rules, and in many cases “spammy content is hidden on Twitter” on the basis of automated detections. While this type of content is hidden on Twitter itself, it’s reportedly visible via its API.

Notably, the researchers have revealed they’re happy with the social network’s initial response to their findings. In a blog post, they noted that the company announced it will be challenging “more than 9.9 million potentially spammy or automated accounts per week.”

The blog post reads:

We’re excited to see these efforts by Twitter and are hopeful that these increased investments will be effective in combating spam and malicious content.

Duo Security

They noted, however, that this won’t solve the problem, as their research demonstrated the organized botnet is still active.