Twitter crypto spam bots copy real tweets to appear real

August 7 2022 by Jeff Johnson

As a Safari extension developer, I have a Safari extension saved search on Twitter. Over the past couple of months, this saved search has shown the exact same tweet many times, with the exact same typo, from a different Twitter account each time. (I used a more specific search below in order to highlight this tweet.)

Where did this tweet come from? The original tweet was over a year ago, but it didn't start getting copied until a couple of months ago.

The original tweet, actually a quote tweet, was written by a real person with a relatively popular Twitter account.

Now look at one of the accounts that copied the tweet.

Joined Twitter only 3 months ago, hmm. What else has that account been tweeting?

Aha, crypto spam! This account is trying to spread crypto tweets by replying to them and mentioning other Twitter accounts, thereby triggering notifications.

This pattern continues. Here's another example of a copied tweet.

A Twitter search reveals that this tweet has also been posted many times.

Again, the original tweet was written by a real person with a popular Twitter account.

So what's happening here? To be clear, the two original tweet authors above are blameless and not responsible for the crypto bot scam. The bots are simply copying and posting tweets from real popular Twitter accounts in order to appear real themselves. In other words, the bots are trying to avoid Twitter's bot detection algorithms. The theory is that if a bot acts like a real person by posting tweets like a real person, then it's less likely to be flagged as a bot. And in practice this theory appears to be valid!

Jeff Johnson (My apps, PayPal.Me)