Cybersecurity researchers have discovered a huge botnet of zombie Twitter accounts sitting on the social network, but amazingly Twitter hasn't noticed or got rid of it.
Researchers from social media fraud investigations team Sadbottrue have found a botnet containing three million Twitter accounts, together with two other botnets each containing 100,000 bots. They are likely being used by online services that offer to rent or sell Twitter followers to businesses, celebrities or individuals who want more followers.
The researchers say that the largest botnet has been around since 2014, but although Twitter frowns on any usage of bots, the botnet has remained completely undetected because none of the accounts have any connections to each other. The same is true for the two smaller botnets, which were registered in March 2015 and November 2014.
Three million accounts opened in just one day
Through its big data analysis, Sadbottrue found that, incredibly, all three million Twitter accounts in the largest botnet were registered on the same day, which was far more activity than on any other day on Twitter. To date, the botnet has sent out 2.6bn tweets and retweets. That is essentially enough tweets to put the botnet at the top of any single hashtag every day for eight years straight.
So how did the researchers find a correlation between the accounts? Simple: they looked at each Twitter account's username and correlated it with the account's unique Twitter ID. Every single account on Twitter has a different user ID, so when a user logs onto Twitter for the first time and signs up for an account, the social network's servers assign the user a specific account ID.
So if a human were to physically sign up for a Twitter account, there would be no way for them to be able to guess at what the Twitter account ID would be before they completed signing up and choosing a username.
Cybercriminals somehow reserved a huge chunk of usernames in advance
But somehow, the creators of the botnet were able to figure out what the Twitter IDs were and synchronise the account usernames with the Twitter IDs. It is believed they reserved the usernames they wanted in advance, as the data showed that a huge chunk of over 168m IDs were reserved in one block on 22 October 2013. This suggests the bots are being run from a central command and control (C&C) server and are up to no good.
The zombie bot Twitter accounts are all identical in that all their tweets are private, the name field of the user lists the word "name" and the description field simply says "some kinda description".
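The signals described above (a shared registration day, usernames that track the account ID, and the identical profile template) can be combined into one clustering check. The following Python is an added example, not Sadbottrue's code; the record fields, the assumption that bot usernames end in a counter, and the sample accounts are all constructed for illustration.

```python
import re
from collections import defaultdict

# Profile template quoted in the article.
TEMPLATE = {"name": "name", "description": "some kinda description", "protected": True}

def matches_template(acct):
    """True if the account has the identical placeholder profile and private tweets."""
    return all(acct.get(k) == v for k, v in TEMPLATE.items())

def username_offset(acct):
    """Return id minus the trailing number in the username, or None if there is none.
    Assumption: usernames end in a counter; the article does not give the scheme."""
    m = re.search(r"(\d+)$", acct["username"])
    return acct["id"] - int(m.group(1)) if m else None

def find_clusters(accounts, min_size=3):
    """Group template-matching accounts by (registration day, id-username offset).
    A constant offset means the username was synchronised with the account ID."""
    groups = defaultdict(list)
    for a in accounts:
        off = username_offset(a)
        if matches_template(a) and off is not None:
            groups[(a["created"], off)].append(a["username"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}

def bot(n, day="2014-01-01"):
    """Build a constructed bot-like record (the date is a placeholder, not from the article)."""
    return {"id": 5_000_000 + n, "username": f"usr{n}", "name": "name",
            "description": "some kinda description", "protected": True, "created": day}

# Constructed sample records, not real accounts.
SAMPLE = [
    bot(101), bot(102), bot(103), bot(104),
    # Ordinary account registered the same day: digits in the name, but a real profile.
    {"id": 7312345, "username": "alice1987", "name": "Alice",
     "description": "runner, baker", "protected": False, "created": "2014-01-01"},
    # Template profile but isolated by day and offset: below min_size, so not reported.
    {"id": 9000500, "username": "usr77", "name": "name",
     "description": "some kinda description", "protected": True, "created": "2015-03-09"},
    # Template profile with no trailing counter in the username.
    {"id": 8111222, "username": "bob", "name": "name",
     "description": "some kinda description", "protected": True, "created": "2014-01-01"},
]

if __name__ == "__main__":
    for (day, off), names in find_clusters(SAMPLE).items():
        print(f"{day} offset={off}: {len(names)} accounts, e.g. {names[0]}")
```

No account in the cluster needs to follow or mention another, which is why this kind of grouping still works on accounts that have no connections to each other.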
Unfortunately, because it is not possible to see who the zombie bot accounts are following or what tweets they are sending out, it is not possible to figure out who created the botnet or why it was created. However, the researchers do say that it should not have been possible to assemble a botnet of such a huge size without the approval of someone very senior within Twitter.
IBTimes UK has contacted Twitter for comment and is waiting for a response.