Experts from the Graphika research group talked about how they managed to find and neutralize the Dracula botnet on Twitter. It consisted of about 3,000 bots that spread pro-Chinese political spam and repeated official messages spread through government accounts.The botnet was discovered thanks to a rather exotic quirk of its creators: the vast majority of bot accounts used quotes from Bram Stoker’s Dracula for the first two tweets, as well as as a for the profile description. That is why the botnet got its name.
“Not all the suspect accounts in the network had bios at all, but all those which did used incomplete quotes from Dracula. Adding to the impression that the network had been automated to bleed Stoker’s novel, every account featured, as its first tweets, two texts copied from Dracula that consisted of incomplete sentences, with the spaces between the words replaced by the + sign”, — explain Graphika experts.
The Dracula botnet is similar in many ways to other Twitter botnets that are part of Spamouflage, a codename that researchers have given the Chinese government’s social media operations. Graphika analysts already detected similar campaigns in September 2019, April 2020, and August 2020. What sets Dracula apart from other botnets is that it has accumulated only 3,000 accounts, the oldest of which date back to July 2020.
The researchers explain that bot accounts weren’t dangerous themselves. Apparently, they were automated and mostly either quoted “Dracula” or responded to each other’s tweets. In doing so, the main purpose of these accounts was to “amplify” specific tweets and predefined trends that could be used to promote Chinese government propaganda.
“Dracula’s Botnet is an important reminder of how interconnected different forms of inauthentic inactivity can be. Fake accounts such as these are the plankton in the disinformation sea: they appear insignificant individually, but they can feed larger, more sophisticated operations. They can also reveal them, if a set of inauthentic accounts providing commercial amplification suddenly turns to geopolitical themes”, — write Graphika researches.
Currently, the botnet has already been stopped: Dracula was shut down on August 20, 2020 after intervention of Twitter developers. Majority of the botnet accounts have been banned, and some accounts have been given “restricted” status, which prevents them from posting new content.
At the same time, it is unclear whether these accounts were blocked by some protective Twitter algorithm, or the employees of the social network discovered the botnet themselves and manually terminated its work.
Let me remind you of one of the most curious botnets: For eight years, the Cereals botnet existed for only one purpose: it downloaded anime.