MikeFarb Profile picture
Apr 24, 2018 34 tweets 9 min read Twitter logo Read on Twitter

A Botnet

Different than your typical Botnet

Lots of Resistance Followers

Lets take a look

I really didn’t want to do another Botnet thread. This one however needs to be exposed. 9 months of activity. Over 12 Million posts. Many Resistance members following.

While we are at it how the hell after all this time and all of these tweets did Twitter not spot this Botnet?
Thanks to @rosesansthorns for bringing this to our attention. She saw anomalies in a Twitter account (@blackalive_) and shared them with our team. Here is a screenshot of that very active account.
We soon discovered hundreds of related and similarly automated Twitter accounts. In other words, a botnet. One with tentacles deep into Twitter’s users. One so massive that we gave it a name. The Reffy Botnet.
Named for the link shortening url that appears in almost every tweet it produces. A list of Reffy Botnet accounts, in alphabetical order, that we’ve found to-date appears at the link to the full article at the end of this report.
For those of you that Follow back most of your Followers you may have followed some of these accounts
The Reffy Botnet is distinguished by this combination of features:
1. Exclusive use, in almost all tweets, of one of two very unusual, custom link shorteners: ref.gl or twi.gl
2. No retweets or replies from any of its accounts
3. Use of a tweeting app called “Mobile Web” (M2)
4. Continuous, 24/7 tweets at regular intervals of 5 to 10 minutes — from each and every related account
The Reffy Botnet accounts can be found by searching Twitter for either of the two link shortener urls - twi[.]gl or ref[.]gl.
The botnet using the twi.gl link shortener appears to only include one account with a fairly high number of followers.
The botnet using the ref.gl link shortener includes at least 217 accounts, listed below. This botnet is extremely prolific, tweeting an estimated 40 to 50 times per minute, around the clock.
Each tweet seems to be unique — a search of Twitter for the text in the tweet never shows an identical tweet from a different account. Additionally, each account stays “in character”. For instance, each tweet from @blackalive_ links to an article about a Black Lives Matter issue
This bot army produces approximately 40 tweets and related links per minute. That equals nearly 58,000 tweets per day!!
Most of these accounts have tweeted at least 65,000 times since they were launched. The sum total of tweets is well over 12 million, and counting.
Is there a group of people “feeding” this bot army this vast amount of information? Or has someone written a sophisticated “scraper” that wanders the web looking for relevant headlines and delivers the results back to this botnet?
Either way, the amount of effort fueling this botnet is not at all trivial.
These accounts have another interesting feature. If you click on one of them, the “who to follow” suggestions will suggest Reffy Botnet accounts. How is it that Twitter knows these accounts are related to each other, but can’t figure out that it’s all one big automated botnet?
The Reffy Botnet accounts are particularly interesting because they have accumulated a large number of followers, many of whom are considered #Resistance leaders. They apparently accumulate followers by following medium to large accounts that tend to “follow back.”
The fact that familiar accounts follow the bot accounts may provide social validation that attracts similar followers.
The themes of the Reffy Botnet accounts vary widely —law enforcement, sports, drug rehab, political issues, and more. Posted links tend to be outdated, obscure news articles and/or blog posts; some lead to blank pages.
The diversity of ownership of these link targets makes it unlikely that this botnet serves as part of a classic click-bait scheme.
In short, the Reffy Botnet’s ultimate purpose remains unknown.

But here’s what we do know thus far:
We used the service VirusTotal to examine the two link shortener URLs.
It revealed that malware detection software provided by the information security company Trustwave detected malicious code being served by both domains between January 6th and January 8th, 2018. virustotal.com/#/domain/ref.gl
We had a look at the code that actually performs the redirect by downloading the code from the url in one of these tweets.
This is what we found:
This code indicates that each time the link shortener url is clicked on, a record of that click is being saved to the Google Analytics account associated with the urls.
This means that detailed information about each user, including the user’s IP address, can be recorded. danielpinero.com/how-to-see-ip-…
At the same time, whoever is controlling these bot accounts can use the Twitter API to harvest data about any Twitter user who “liked” or commented on each individual tweet.
This means that whoever has built this botnet has all the information needed to find the IP address of any Twitter user who “likes” or replies to one of these tweets and also clicks on the associated link.
We strongly recommend blocking and reporting any account that is using the ref[.]gl or twi[.]gl link shorteners.
Who is behind the Reffy Botnet?
Ownership of the domain ref.gl offers clues about this botnet’s genesis. Whois searches for ref.gl and twi.gl are very interesting.
Despite using Danish name servers, both domains are hosted in Colorado, with the hosting company Handy Networks, LLC. This indicates that these domains are expecting visitors who are primarily located in the US.
Our full article can be found here


We have provided a list of the bots for those of you that would like to clear them out of your follow list.

We suggest doing that.
While we were building this thread this morning this Botnet has stopped tweeting. It has been going non stop for 9 months.

We will keep an eye on its status.

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with MikeFarb

MikeFarb Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @mikefarb1

Aug 21, 2018

So Russia has reportedly moved on from Hacking our Election Infrastructure. Moving on to other things. Don’t believe it. They are everywhere in our Election System. They know the importance of the Midterms.

And Now This!

Parts of an operation linked to Russian military intelligence targeting the US Senate and conservative think tanks were thwarted last week. The domains were associated with the Russian government and known as Strontium, or alternatively Fancy Bear or APT28
"Hackers could have used the domains to send emails to Senate staffers or people working for the Hudson Institute or the International Republican Institute in an attempt to trick them into handing over information, like their passwords."
Read 5 tweets
Aug 19, 2018
Georgia to close 75% of Black Counties Precincts!! Precincts that were all open during the Primaries. They know they have a problem. Even with the Election machines that give suspect results they know they need more help.


If this stands we need to start a major effort to provide transportation in this county. We will need drivers, volunteers and people to help distribute notices and spread the word.
This is also what we should be doing in any heavily Gerrymandered area where there is a difficulty with people traveling the long distance to their polling places.
Read 4 tweets
Jul 18, 2018

More than 250 Trump Organization Subdomains are in Communication with Computers in Russia!!

The Trump Organization, like most large organizations, has a lot of domains registered to it. Let's take a look.
Many of these domains have subdomains - like reservations.trumphotels.com. This is a normal practice. But we found something HIGHLY unusual.
Read 19 tweets
Jul 17, 2018
Remote Access Software used by ES&S Voting. They finally tell the truth. At least some of it. Thank you to @KimZetter for pursuing her initial story from February. I am afraid we are missing the bigger point here.

States have given over their Election Systems to a myriad of Private Companies. The States in many cases have absolutely no idea what is happening with their Elections.
Ask yourself why did the States notified over a year after the 2016 Election not know that they were being targeted by Russia? How is that possible? What does that mean for the possibility of having a free and fair Election?
Read 13 tweets
Jul 15, 2018

Michigan, ES&S and the Voting Machines that couldn’t count!!

Why are States Buying and Using Machines that don’t pass testing?

It is infuriating!!

All along there have been problems with electronic voting. Again and again election officials and observers have spoken up, only to be ignored.
In 2008 an election official in Oakland County Michigan noticed something alarming.with ES&S optical scan machines. Here is the story.
Read 20 tweets
Jul 14, 2018
Maryland Voter Registration System runs on Russian Owned Software! The biggest problem here is that they never knew it. How is that possible? The States have no idea who is behind the companies they give the Elections over to.


We are going to be dropping a ton of research on exactly this. Why do States willfully do this. Would a state actually know if something went bad ? Let's talk more about Spearphishing.
Every company that touches a States Voting system introduces a hundred more employees that can get hacked. Companies rely on these contracts. They aren't going to disclose what happened. Just look at VR Systems.
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!


0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy


3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!