Russian-language bots amplify call for “election monitors”

Ahead of Sunday’s German election, far-right activists on social media called on their supporters to volunteer as observers to prevent possible fraud. Their tweets were amplified by a network of Russian-language bots.

The intervention by a Russian-language botnet is small in scale. A majority of its posts are commercial or pornographic in nature, while only a minority are political; it would therefore be incorrect to speak of this as a political botnet, or to attribute it to any specific actor.

The specter of election fraud from the far-right remains significant in that it could be used to call the legitimacy of the election into question. Furthermore, the incident raised both the possibility of larger-scale claims of election fraud being made on or after the vote and the possibility any such claims will be boosted by non-German sources.

Calling for monitors

The far-right call for election monitors centered on a website called wahlbeobachtung.de (“election observation” in German). This is an openly partisan site, hostile to Chancellor Angela Merkel, as its introductory pamphlet makes clear:

The pamphlet reads:

So that 2017 can become a year of change, many EinProzent election observers are on the spot. We have collected all the necessary information. We ask everyone to follow it exactly. We’re not looking artificially for mistakes, but we are watchful and expecting the worst. It is our right. Watch Merkel’s fingers!

Merkel, who is widely expected to win on Sunday, is the only politician mentioned in the pamphlet.

The website featured two main pieces of content: a PDF pamphlet with advice for potential election observers and a one-minute video clip calling for volunteers. The video portrayed vote-counters abusing ballots, while a presenter assures the camera that the system foolproof. The presenter ended with the words “Wir schaffen das” (“We can do it” in German), a phrase famously used by Merkel in 2015 at the height of the migrant crisis.

https://youtu.be/nByMrn5xPBY

The pamphlet provided assorted advice to election observers, including a call to demand a recount if a suspiciously high number of invalid ballots is found.

The original version (Google cache here, archive here) claimed to quote paragraph 31 of Germany’s Election Law, and stated:

During the handling, counting and presentation of the outcome of the vote, everyone has access to the voting hall, insofar as it is possible without disturbing the voting process.

This is a misquote: the actual paragraph 31, presented on the official government portal, reads:

Vote handling is public. Those in charge of voting may have people who disturb order and quiet shown out of the premises.

The text was, however, drawn from an official document: article 54 of the German Ordnance on the conduct of elections. By noon, local time, on September 21, the online version of the pamphlet had been changed to cite the correct source.

By the same time, 306 Facebook users indicated they would observe the election. This is a small figure. According to Germany’s official election bureau, the vote will cover some 88,000 polling stations staffed by around 650,000 volunteers.

However, it raised the possibility that claims of election fraud could resurface on or after polling day.

Anti-migrant roots

The EinProzent reference (“one percent”) is to an anti-migrant and anti-Merkel website, einprozent.de, which calls itself a “professional resistance platform for German interests.”

It states:

The refugee invasion is a catastrophe for Germany and Europe. Politicians and the Media want to confront us with a fait accompli? We’re not gong to play along! We need a civil movement, a broad lobby for Germany. Our vision: thousands of members support our legal, media and political actions, spread information which cannot be found in the media and fight, in their communities, against the dissolution of our state.

A separate blog advised supporters to “be edgy” at political events, and to ask members of Merkel’s Christian Democratic Union (CDU) and Christian Social Union (CSU) “why still more illegals should come to Germany, and why this is even in the CDU manifesto”. No other political party was mentioned.

It further advised voters to protest against Merkel:

Chancellor Merkel herself must find out that the time of peaceful, sterile election rallies is over. (…) Be creative, be loud and give a sign.

The group is active on Facebook, Twitter, and VK, and regularly posts anti-migrant and anti-Merkel material. Although its VK page insists, “We are not ‘right-wing,’ ‘Nazis’ or a ‘pack’.”

Its presence on VK is very small with 41 members; it has some 7,000 Twitter followers. On Facebook it boasts almost 63,000 followers; its most popular recent post, a video appealing for evidence of migrant crime, was shared over 1,300 times.

The group repeatedly accused Merkel and her party, the CDU, of violating elections, tweeting the “Keep an eye on Merkel’s fingers” slogan as early as September 2016.

On August 31, anti-migrant magazine compact.de reported on the group’s call for observers, claiming the size of the German election implies “an enormous potential for mistakes and manipulation.” The headline was, “Criminal: This is how the Merkel party manipulates election results.”

Despite its activity and support, the group had little impact until shortly before the parliamentary election. The September 2016 tweet was retweeted 24 times; a tweet inviting users to a talk on election monitoring on September 12, 2017, was retweeted 30 times.

The Compact article was shared 1,300 times across all platforms. According to an Alexa analysis, wahlbeobachtung.de ranked the 38,704th most popular website in Germany; einprozent.de ranked 16,317th. By each measurable indicators, both groups had a small audience and low market penetration.

Russian-language botnet

On September 18, the campaign received an unusual boost on Twitter: a tweet from a Twitter user called @JonasBaua with the translated text, “Prevent election fraud! Become an election obsever!” and the link to wahlbeobachtung.de.

By September 20, the tweet was retweeted 169 times — despite the fact that @JonasBaua only has fifteen followers.

This is a remarkably high number of retweets for an account with so few followers. @DFRLab ran a machine scan of the tweet and established that only one of the fifteen followers retweeted “Bauer” at all.

The other retweets came from a network of automated “bot” accounts, which mainly post in Russian. They combine commercial and pornographic material with support for the AfD and attacks on Russian anti-corruption campaigner Alexey Navalny.

This is a botnet primarily deployed in Russian-language — partly political, wholly pro-AfD, and always anti-Navalny. It is not possible to establish from open sources who is behind the botnet, but judging by its content, it primarily serves the Russian-language market.

The very first account to retweet “Bauer”, for example, was called @NAME8888889i8 (screen name “Toilettenteufel”). It was created on September 3, and shows no avatar picture, background, or any personal information. All its posts are retweets.

Those retweets are mainly in Russian, with some in English and a few in German. They cover a wide range of topics, including football, plastic windows…

… Finnish heated floors …

… cars and shoes…

… criticism of a surgical procedure at a clinic in Moscow…

… and assorted pornographic and dating sites. This behavior is characteristic of a commercial botnet which sells follows, likes, and retweets regardless of their content.

However, it also shared an online attack on Navalny, which purported to show a Lithuanian passport in his name, from a Russian-focused political account called @NavalnyPravda (“Navalny truth” in Russian).

These tweets were further interspersed with pro-AfD material.

The account’s language use is significant. Its Russian-language posts are mainly commercial, but also include political, pro-Kremlin content. Its English-language posts are mainly pornographic. Its German-language posts, however, only concern the German election and amplify far-right messages.

We can therefore conclude that this is a bot of Russian origin, largely used for commercial purposes, but also used politically. It remains unclear who is behind the “bot”, and whether its German tweets were paid for by a German user or provided voluntarily by a Russian-speaking one.

The same applies to @leeeeeeena546, another newborn account (September 10) with no avatar or background, which retweeted the same posts on Finnish heated floors and the botched surgical procedure:

This account, too, retweets a mixture of Russian-language posts on shoes, cars, online credits, and multilingual pornography. It also promoted apartments in Surgut (unusually, not as a retweet, but a share from a real-estate website):

This account shared the “Bauer” post and a number of attacks on Navalny. It also retweeted other pro-AfD and anti-Merkel posts.

These retweets are particularly interesting, as they linked this botnet to earlier far-right actions in Germany which @DFRLab has chronicled, but which did not have an apparent link to Russia.

The hashtags #NichtMeineKanzlerin, #LuegenSpiegel, and #NichtMeinSpiegel (left-hand image) come from a series of bot attacks in early September; the account @darksideofkek (right-hand image) was one of the leaders of those attacks.

A third account, @u77W3XobwwkFLQd (screen name “Алина Александрова”), shared the Bauer and Navalny posts and retweeted a mix of familiar posts and AfD memes.

It also shared tweets on apartments in Surgut, rental buses in Samara, and roadside rescue in Poland.

Time and again, in fact, different accounts in the network shared the same posts, interspersing non-political content in various languages with attacks on Navalny (in Russian) and Merkel and her main rival, Martin Schulz (in German).

This behavior indicates that all these bot accounts belong to the same network, and that the network itself is of Russian-language origin, largely used for commercial purposes, but also used politically.

Tip of the iceberg

The “Bauer” post was retweeted 169 times. This is not, however, the full extent of this botnet.

Overall, the tweet about Navalny’s passport, which so many of the “Bauer” bots shared, was retweeted over 1,600 times by September 21. Much of its amplification also came from bots.

Of these, some were purely Russia-focused and Russian-language. Others combined Russian content from @NavalnyPravda with German posts from far-right accounts such as @darksideofkek.

Time and again, they shared the same commercial tweets, indicating that they are, indeed, part of a coordinated network.

A few posted other Russian political content, including tweets from the mayor of the eastern city of Vladivostok, Igor Pushkaryov, although this content was minimal, and it should not be seen as proof of a political affiliation.

They did, however, repeatedly share pro-AfD and anti-Merkel content.

As with the sharers of the “Bauer” post, this evidence exposes a larger botnet which is primarily Russian and commercial, but which periodically amplifies political messages in Russian and amplifies far-right posts in Germany.

Conclusion

The campaign by the EinProzent site to raise the question of election fraud in favor of Merkel is a long-standing one. It is clearly anti-migrant and anti-Merkel in orientation, but has had little impact online.

The last-minute spike in its Twitter traffic — which was still modest in scale — was driven by a Russian-language botnet which is primarily used to boost commercial tweets from various sources.

This botnet is not generally politically active in Russia. The main exception is its amplification of the attacks on Navalny coming from a single Twitter account; it also amplified a politician in Vladivostok. This therefore appears to be a botnet for hire, repurposed by unknown users (whether the manager of the botnet or a client) to boost political messaging.

Its most aggressive political activity is in Germany. This is clearly aimed at pushing far-right messaging, including the claim of election fraud. This could either be because it was hired to do so or because of the bot manager’s own choice.

With the election due on Sunday, @DFRLab will continue to monitor online events surrounding the vote and the activity of possible botnets.

---

Follow along for more in-depth analysis from our #DigitalSherlocks.