Over the past 5-6 months, I’ve been noticing a lot of new accounts spinning up that look like this format:

  • https://instance.xyz/u/gmbpjtmt
  • https://instance.xyz/u/tjrwwiif
  • https://instance.xyz/u/xzowaikv

What are they doing?

They’re boosting and/or downvoting mostly, if not exclusively, US news and politics posts/comments to fit their agenda.

Edit: Could also be manipulating other regional news/politics, but my instance is regional and doesn’t subscribe to those which limits my visibility into the overall manipulation patterns.

What do these have in common?

  1. Most are on instances that have signups without applications (I’m guessing the few that are on instances with applications may be from before those were enabled since those are several months old, but just a guess; they could have easily just applied and been approved.)
  2. Most are random 8-character usernames (occasionally 7 or 9 characters)
  3. Most have a common set of users they’re upvoting and/or downvoting consistently
  4. No posts/comments
  5. No avatar or bio (that’s pretty common in general, but combine it with the other common attributes)
  6. Update: Have had several anonymous reports (thanks!) that these users are registering with an @sharklasers.com email address which is a throwaway email service.

What can you, as an instance admin, do?

Keep an eye on new registrations to your instance. If you see any that fit this pattern, pick a few (and a few off this list) and see if they’re voting along the same lines. You can also look in the login_token table to see if there is IP address overlap with other users on your instance and/or any other of these kinds of accounts.

You can also check the local_user table to see if the email addresses are from the same provider (not a guaranteed way to match them, but it can be a clue) or if they’re they same email address using plus-addressing (e.g. [email protected], [email protected], etc).

Why are they doing this?

Your guess is as good as mine, but US elections are in a few months, and I highly suspect some kind of interference campaign based on the volume of these that are being spun up and the content that’s being manipulated. That, or someone, possibly even a ghost or an alien life form, really wants the impression of public opinion being on their side. Just because I don’t know exactly why doesn’t mean that something fishy isn’t happening that other admins should be aware of.

Who are the known culprits?

These are ones fitting that pattern which have been identified. There are certainly more, but these have been positively identified. Some were omitted since they were more garden-variety “to win an argument” style manipulation.

These all seem to be part of a campaign. This list is by no means comprehensive, and if there are any false positives, I do apologize. I’ve tried to separate out the “garden variety” type from the ones suspected of being part of a campaign, but may have missed some.

[New: 9/18/2024]: https://thelemmy.club/u/fxgwxqdr
[New: 9/18/2024]: https://discuss.online/u/nyubznrw
[New: 9/18/2024]: https://thelemmy.club/u/ththygij
[New: 9/18/2024]: https://ttrpg.network/u/umwagkpn
[New: 9/18/2024]: https://lemdro.id/u/dybyzgnn
[New: 9/18/2024]: https://lemmy.cafe/u/evtmowdq
https://leminal.space/u/mpiaaqzq
https://lemy.lol/u/ihuklfle
https://lemy.lol/u/iltxlmlr
https://lemy.lol/u/szxabejt
https://lemy.lol/u/woyjtear
https://lemy.lol/u/jikuwwrq
https://lemy.lol/u/matkalla
https://lemmy.ca/u/vlnligvx
https://ttrpg.network/u/kmjsxpie
https://lemmings.world/u/ueosqnhy
https://lemmings.world/u/mx_myxlplyx
https://startrek.website/u/girlbpzj
https://startrek.website/u/iorxkrdu
https://lemy.lol/u/tjrwwiif
https://lemy.lol/u/gmbpjtmt
https://thelemmy.club/u/avlnfqko
https://lemmy.today/u/blmpaxlm
https://lemy.lol/u/xhivhquf
https://sh.itjust.works/u/ntiytakd
https://jlai.lu/u/rpxhldtm
https://sh.itjust.works/u/ynvzpcbn
https://lazysoci.al/u/sksgvypn
https://lemy.lol/u/xzowaikv
https://lemy.lol/u/yecwilqu
https://lemy.lol/u/hwbjkxly
https://lemy.lol/u/kafbmgsy
https://discuss.online/u/tcjqmgzd
https://thelemmy.club/u/vcnzovqk
https://lemy.lol/u/gqvnyvvz
https://lazysoci.al/u/shcimfi
https://lemy.lol/u/u0hc7r
https://startrek.website/u/uoisqaru
https://jlai.lu/u/dtxiuwdx
https://discuss.online/u/oxwquohe
https://thelemmy.club/u/iicnhcqx
https://lemmings.world/u/uzinumke
https://startrek.website/u/evuorban
https://thelemmy.club/u/dswaxohe
https://lemdro.id/u/efkntptt
https://lemy.lol/u/ozgaolvw
https://lemy.lol/u/knylgpdv
https://discuss.online/u/omnajmxc
https://lemmy.cafe/u/iankglbrdurvstw
https://lemmy.ca/u/awuochoj
https://leminal.space/u/tjrwwiif
https://lemy.lol/u/basjcgsz
https://lemy.lol/u/smkkzswd
https://lazysoci.al/u/qokpsqnw
https://lemy.lol/u/ncvahblj
https://ttrpg.network/u/hputoioz
https://lazysoci.al/u/lghikcpj
https://lemmy.ca/u/xnjaqbzs
https://lemy.lol/u/yonkz

Edit: If you see anyone from your instance on here, please please please verify before taking any action. I’m only able to cross-check these against the content my instance is aware of.

  • Lampshade@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    17
    ·
    3 months ago

    What stops the botters from setting up their own instances to create unlimited users for manipulating votes?

    I guess admins also have to be on top of detecting and defederating from such instances?

    • Draconic NEO@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      3 months ago

      They usually get found out pretty easily and then defederated by everyone. There’s a service called fediseer which allows instance admins to flag instances as harmful, which other admins can use to determine if they should block an instance.

      In order for that to really work they would have to rotate between a lot of domain names either by changing their own instance’s domain or using a proxy. Either way they’d run out of domains rather quickly.

      It’s way easier for them to just get accounts on the big servers and hide there as if they were normal lurking users.

    • Mac@mander.xyz
      link
      fedilink
      English
      arrow-up
      16
      ·
      3 months ago

      this has already happened multiple times. they get found out fairly quickly and defederated by pretty much everyone.

    • Admiral Patrick@dubvee.orgOP
      link
      fedilink
      English
      arrow-up
      35
      ·
      edit-2
      3 months ago

      What stops the botters from setting up their own instances to create unlimited users for manipulating votes?

      Nothing, really. Though bad instances like that would be quickly defederated from most. But yeah, admins would have to keep an eye on things to determine that and take action.

  • ericbomb@lemmy.world
    link
    fedilink
    English
    arrow-up
    20
    ·
    3 months ago

    But this is SOO tedious. The annoying bit is it could just be one person who set it up over a weekend, has a script that they plug into when wanting to be a troll, and now all admins/mods have to do more work.

    You’re fighting the good fight! So annoying that folks are doing it on freaking lemmy.

    • Buddahriffic@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      3 months ago

      I wonder if there’s a way for admins to troll back. Like instead of banning the accounts, send them into a captcha loop with unsolvable or progressively harder captchas (or ones designed to poison captcha solving bots’ training).

  • catloaf@lemm.ee
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    3 months ago

    Lemmy should do something like make captcha and email verification the default in the next version, and reject federation from anyone with a lower version. If we accept federation from any instance where this was never turned on, banning accounts one by one is worse than Sisyphean. They’ll just keep finding more vulnerable instances that are already trusted and abuse them to spam the rest of the fediverse.

    If admins want to manually turn it off, then they should be prepared to manage that.

      • catloaf@lemm.ee
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        3
        ·
        3 months ago

        If instances are unmaintained, losing them is probably a good thing.

        • Draconic NEO@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          3 months ago

          I think it’s unreasonable to call every instance that doesn’t update immediately with every release “unmaintained” if anything a lot of these bleeding edge instances which update to the latest version immediately without waiting at all are kind of reckless.

          After all everyone remembers the Federation bugs that were present in one of the releases and ended up being very bad for a lot of the instances, it caused content to fail to be federated between the instances. Not good.

          So I’m really not into the idea of trying to force or incentivize updates to unstable and untested versions if admins are unwilling to do it. And I’m especially not into the idea of criticizing admins who prefer to hold off on updating until they are sure the versions are stable.

        • Blaze (he/him)@feddit.org
          link
          fedilink
          English
          arrow-up
          3
          ·
          3 months ago

          Not sure you want to lose Lemmy.world, sh.itjust.works and programming.dev, that would be around 40% of the active userbase

  • kersploosh@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    58
    ·
    3 months ago

    After digging into it, we banned the two sh.itjust.works accounts mentioned in this post. A quick search of the database did not reveal any similar accounts, though that doesn’t mean they aren’t there.

  • DarkThoughts@fedia.io
    link
    fedilink
    arrow-up
    15
    ·
    3 months ago

    Fedia hiding the activity is one of those things that I kinda dislike, as it was an easy way to detect certain trolls.

    • Admiral Patrick@dubvee.orgOP
      link
      fedilink
      English
      arrow-up
      20
      ·
      3 months ago

      yeah, i’m split on public votes.

      On one hand, yeah, there’s a certain type of troll that would be easy to detect. It would also put more eyes on the problem I’m describing here.

      On the other, you’d have people doing retaliatory downvotes for no reason other than revenge. That, or reporting everyone who downvoted them.

      It depends on the person to use that “power” responsibly, and there are clearly people out there who would not wield it responsibly lol.

      • DarkThoughts@fedia.io
        link
        fedilink
        arrow-up
        3
        ·
        3 months ago

        I think retaliatory downvotes happen either way if you’re in an argument. Same with report abuse, which, if it happens to a high degree, would be the moderator’s responsibility to ban the perpetrator (reports here are not anonymous like they were on Reddit).

        Also, if there’s someone with an abusive mind, they can easily use another instance that shows Activity to identify downvoters. The vote is public either way for federation purposes, they’re just hidden from certain instances - at least on the user level, but they’re still there technically.

      • nondescripthandle@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        7
        ·
        3 months ago

        Im fully against public down votes becaue I already see people calling out other users by their name in threads they’re not even part of. Theres no world where that behavior gets better when you give them more tools to witch hunt. Lemmy is as much an insular echo chamber as any social media and there are plenty of users dedicated to keeping it that way.

    • Deceptichum@quokk.au
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      2
      ·
      edit-2
      3 months ago

      I’ve seen it often on pro-Israel accounts before. But they’re usually all registered a year ago and cycled through posting content.

      Such as @[email protected].

    • Admiral Patrick@dubvee.orgOP
      link
      fedilink
      English
      arrow-up
      25
      ·
      edit-2
      3 months ago

      Ethically, I can’t (and won’t). I’m only comfortable and confident enough to share the list of sockpuppet accounts I’ve confirmed and provide the information necessary to detect them. I did list the topics I’m aware of (US news and politics), but I’m only able to see activity based on what my instance knows about. So they may be manipulating other communities, but if my instance doesn’t subscribe to them (or they’re by posters that have been banned), I have no way of seeing it.

      That’s actually why I posted this. My visibility is limited, so once I identified the pattern, I’m passing that along to other admins for awareness.

        • Cadeillac@lemmy.world
          link
          fedilink
          English
          arrow-up
          18
          arrow-down
          2
          ·
          edit-2
          3 months ago

          This Blue MAGA shit is so fucking funny to me. It is the laziest no u. It came out of nowhere, they provide absolutely nothing to back it up. They just show up screaming Blue MAGA. I kind of miss the days when trolls actually tried. It isn’t even fun anymore, and they just run away when you hit them with a factual rebuttal

          • thisbenzingring@lemmy.sdf.org
            link
            fedilink
            English
            arrow-up
            8
            arrow-down
            2
            ·
            edit-2
            3 months ago

            I got banned from one of the politics communities for calling out someone using the “blue maga” phrase. I called them ambitious and then called called them weirdo and got my comment removed for “attack language”, when I quested the mod they banned me for a few days. I will avoid any communities that mod is a part of.

            • Cadeillac@lemmy.world
              link
              fedilink
              English
              arrow-up
              4
              arrow-down
              1
              ·
              3 months ago

              I’ve gotten a couple warnings on politics. I don’t worry too much about it. Makes me have to be more clever, and not just directly attack people

            • sunzu2@thebrainbin.org
              link
              fedilink
              arrow-up
              2
              arrow-down
              5
              ·
              3 months ago

              Both news and politics subs are captured by brain dead DNC operatives.

              Just block both, feed looks much better.

  • Onno (VK6FLAB)@lemmy.radio
    link
    fedilink
    English
    arrow-up
    24
    ·
    3 months ago

    As an end user, ie. not someone who either hosts an instance or has extra permissions, can we in anyway see who voted on a post or comment?

    I’m asking because over the time I’ve been here, I’ve noticed that many, but not all, posts or comments attract a solitary down vote.

    I see this type of thing all over the place. Sometimes it’s two down votes, indicating that it happens more than once.

    I note that human behaviour might explain this to some extent, but the voting happens almost immediately, in the face of either no response, or positive interactions.

    Feels a lot like the Reddit down vote bots.

    • Admiral Patrick@dubvee.orgOP
      link
      fedilink
      English
      arrow-up
      30
      ·
      3 months ago

      As a regular user, I don’t think there’s much you can do, unfortunately (though thank you for your willingness to help!). Sometimes you can look at a post/comment from Kbin to see the votes, but I think Mbin only shows the upvotes. Most former kbin instances, I believe, switched to mbin when development on kbin stalled.

      The solitary downvotes are annoying for sure. “Some people, sigh” is just my response to that. I just ignore those.

      Re: Downvote bots. I can’t say they’re necessarily bots, but my instance has scripts that flag accounts that exclusively give out downvotes and then bans them. That’s about the best I can do, at present, to counter those for my users.

      • Tanoh@lemmy.world
        link
        fedilink
        English
        arrow-up
        8
        ·
        3 months ago

        Re: Downvote bots. I can’t say they’re necessarily bots, but my instance has scripts that flag accounts that exclusively give out downvotes and then bans them. That’s about the best I can do, at present, to counter those for my users.

        It is usually not a good idea to specify what your exact metrics are for a ban. A bad actor could see that and then get around it by randomly upvoting something every now and then.

        • Admiral Patrick@dubvee.orgOP
          link
          fedilink
          English
          arrow-up
          6
          ·
          edit-2
          3 months ago

          True. But it uses a threshold ratio. They’d have to give out a proportional number of upvotes to “fool” it, and at that point, they’re an average Lemmy user lol. That script isn’t (currently) setup to detect targeted vote brigading, just ones that are only here to downvote stuff. I’ve got other scripts to detect that, but they just generate daily/weekly reports.

          It takes time to detect them, but it does prevent most false positives that way (better to err on the side of caution and all that).

  • Rookwood@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    16
    ·
    3 months ago

    It’s painfully obvious lemmy is overrun with astroturf. Kamala spam has been oppressive and it’s just cringe most of the time. I refuse to believe that most of the real users here are that cringe. Also, I support Kamala.

      • nondescripthandle@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        3 months ago

        Its funny because there’s a user assuming the astro turf is going the other direction and they’re getting mostly up voted. Too many people are thinking with their feelings instead of their brain.

    • SirDerpy@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      8
      ·
      3 months ago

      The blue wave doesn’t care about wisdom or agency any more than MAGA. The masses mistake revolutionary and Russian agent in false dichotomy. And, the .world mods are more than complicit.

      The majority here will hate you for truth. There are better venues for it.

    • Blaze (he/him)@feddit.org
      link
      fedilink
      English
      arrow-up
      13
      ·
      edit-2
      3 months ago

      I’m really not sure. 47k monthly active users, between 30% to 50% of them not American, and those who are are already going to vote Democrat, is it really worth the hassle?

      • sunzu2@thebrainbin.org
        link
        fedilink
        arrow-up
        3
        arrow-down
        5
        ·
        3 months ago

        They spamming that site into every cravice of the internet they can.

        Because we lean democrat, our user base accepts it. I get if they shill your “team” it doesn’t feel as offensive. But it is an malicious operation.

        These clowns running the politics and news subs are bad faith actors and they should their hand with kamala shill ops.

        Just an opinion but I have been saying this for months and now it feel good to be particularly validated.

  • onlinepersona@programming.dev
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    4
    ·
    3 months ago

    Lemmy should have the option to defederate from instances depending on automated criteria. Sign ups without admin checks are a great attribute to use for defederation, because it leads to such abuse. I’ve finally blocked most communities and instances that have news about US politics and have a clean feed, but for newcomers, that shit is everywhere.

    Anti Commercial-AI license

    • Admiral Patrick@dubvee.orgOP
      link
      fedilink
      English
      arrow-up
      8
      ·
      3 months ago

      It’s not a native feature, but some instances have a script or plugin (not super familiar with it beyond a general awareness of its existence) that can tie their federation allow/block lists with Fediseer. So, like, if an instance gets censured by a bunch of other instances you’re on good terms with, it can automatically pick that up and add it to your block list.

      I don’t hate the idea of that, and I have seen it protect a few instances from several spam waves, but I haven’t implemented it myself.

  • TheObviousSolution@lemm.ee
    link
    fedilink
    English
    arrow-up
    3
    ·
    3 months ago

    Users could also be doing and reporting the checking up - if votes were transparent - and they would be able to do it on far wider scale. Oh those leopards, eating your faces, vote obfuscation proponents.