Spambots continue to suppress speech and enable harassment of the Chinese community on X

Networks of Chinese-language spambots risk the censoring of posts during politically sensitive events, repeating past oversights

Spambots continue to suppress speech and enable harassment of the Chinese community on X

Share this story
THE FOCUS

BANNER: Screenshots of the X search results for “Australia” in Chinese (澳大利亚) on May 13, 2024. (Source: X)

Spambots continue to suppress authentic posts in Chinese-language searches on X. While they are not likely operated by the Chinese government, they nevertheless threaten political speech on the platform and risk censoring topics during active demonstrations, as has happened in previous instances. Additionally, the availability of bots on X for purchase seems to have grown despite recent crackdowns.

The Chinese community on X uses the platform for monitoring current events and engaging in discussions that would otherwise be censored on domestic platforms like Weibo. China’s Great Firewall blocks many Western websites, including X, requiring mainland users to set up a VPN to access them and exercise free speech. Diaspora bloggers and commentators are popular among the Chinese X community because they can be critical of China with less fear of Communist Party of China (CCP) persecution. In recent years, Chinese activists used X to build momentum for their campaigns, for example, in the Great Translation Movement  to call out Chinese support for Russia following its 2022 invasion of Ukraine.

On May 13, 2024, the Australian Broadcasting Corporation broke a story about a Chinese spy operating in Australia. Given the tense relationship between the two countries, this story would trigger many reactions in China, yet only a couple of posts about it can be found on Weibo. On X, users who searched for posts on the publication date that included “Australia” (“澳大利亚”) were awash in spambots rather than authentic Chinese users’ reactions to the news.

Screenshots of the X search results for “Australia” in Chinese (澳大利亚) on May 13, 2024, with the top results on the left and the media results on the right. (Source: X)

In addition to Australia, spambots drowned out the search results for the names of many other regions. Sports betting is partially to blame, as the bots spam the names of international cities and countries that are home to popular teams. The DFRLab followed the advertisements, and their URLs did link to seemingly operational Chinese gambling sites. The spam is not limited to locales outside of China, as searches for Chinese city names are also flooded with advertisements for sexual services. The DFRLab compiled a list of bots that appeared in searches in mid-May and found more than one thousand unique accounts. The actual number of active Chinese spambots is likely magnitudes higher.

Chinese spambots have crowded out political discussions in the past. In November 2022, an apartment fire in the capital of Xinjiang, Urumqi, killed ten and injured nine people with many blaming China’s restrictive zero-COVID policy for obstructing escape and rescue efforts. In the following weeks, this tragedy prompted demonstrations in cities inside and outside of China against the zero-COVID policy. Protestors held blank papers in what has been called the “White Paper protests.” Posts of these protests on Twitter (at the time) were drowned out by similar Chinese spambots.

Left: Screenshot of a search of Beijing in Chinese (北京) during the White Paper protests in December 2022. It shows an ad for sports betting. Right: Screenshot of the same search on May 24, 2024. An ad for sexual services shows as the top result. (Source: Radio Free Asia, left; DFRLab via X, right)

Researchers hypothesized that the 2022 spam flooding was probably backed by the Chinese government, a suspicion circulated by many other publications at the time. However, the DFRLab believes the bots were genuinely trying to promote their services, coincidentally suppressing posts about the protest. No matter who was really behind the spam then, if similar anti-CCP protests were to break out now, Chinese X users would likely have their posts similarly suppressed by bots.

Spambots stifled political discussion on X within the Chinese community again in 2023. To promote the sale of Twitter Blue, now-X CEO Elon Musk gave paid verified accounts priority under the replies of posts. Spambots took advantage of this feature, leaving ads for sexual content under popular posts and squeezing out genuine replies. Three prominent Chinese-language political bloggers told Voice of America that these spambots had affected users’ proactivity in engaging in discussions. Since escaping censorship is a main draw of X for Chinese users, political discussions are more prevalent and hence targeted by the spambots (non-politically sensitive discussions tend to stay on domestic social media where there is a much larger Chinese community). As of late, the bots have become less active in the replies.

A commonality of the spambots active in May 2024 was that all were created a month prior, in April. The DFRLab did not find any changes in X’s registration policy in April that could have made bots easier to create. In fact, in early April, X announced the launch of an initiative to more actively combat manipulation and spam. The operators likely age the accounts after creation to stabilize them – i.e., make them less likely to be caught by such initiatives – before engaging in spam. After large portions of the bot network get banned, they use a newly aged batch of bots.

The content of these bot accounts suggests that they were not centrally run: the sports betting accounts never posted or reposted advertisements for sexual services, and vice versa. Had they been operated by a single entity, they would likely find it easier to use the same network of bots to promote a wider range of services. However, the many actors spamming X also suggest that the barrier for entry may be quite low.

Screenshots of two user interfaces for two different X automation software. The operator can schedule spam on X after separately obtaining and linking their accounts. (Source: Vst.tw; Yinwenseo)

The DFRLab discovered that a Telegram channel could be one of the suppliers of bot accounts and automation software that has been suppressing regional keyword searches with spam. On June 16, 2024, the channel @twitter8881 posted a screenshot to advertise its sports betting promotional services to coincide with the ongoing UEFA European Football Championship. The screenshot also highlighted sexual services and cryptocurrencies as suitable areas for its X automation software. On the left of the screenshot is the software’s user interface, which lists the connected bot accounts and allows the operator to set keywords to spam. On the right of the screenshot, the bot accounts posted advertisements that were nearly identical to the ones posted by bots that suppressed the “Australia” keyword in May, suggesting the same interest group supporting this campaign. At the time of this article’s publication, spam bots have completely taken over the keyword search for Europe in Chinese (欧洲). 

Screenshot uploaded by the Telegram channel @twitter8881 of its X automation software spamming “European Cup” in Chinese. The attached promotional image is nearly identical to the one that was included in previous spam campaigns that suppressed regional keyword searches. (Source: Twitter8881) 

Many Chinese account sellers use Telegram and the platform is known to have channels dedicated to the Chinese dark web economy and is the location where much of the market for social media accounts and services takes place. Chinese sellers seem to prioritize accounts on Facebook, LinkedIn, Instagram, and Tinder, likely because romance scams (also known as pig butchering scams) are more lucrative than generic spamming. Other sellers advertise services to boost the number of followers, likes, or reposts, and even to mass report an account. Previously, malicious actors may have prepared for their influence operations by creating accounts months, sometimes years, ahead of time. The plethora of social media accounts for sale now, with some delivered in minutes, means bad actors no longer need long-term planning to undertake an influence operation.

Screenshots of offerings from two different X account sellers taken on May 22, 2024. The top screenshot shows accounts registered in April for sale. The bottom screenshot shows a portion of the vast inventory for bulk sale. (Source: 77hao; Tuitehao)

By mid-2024, it seems likely that malicious actors purchased X accounts to harass one of the most prominent Chinese bloggers, Teacher Li, to intimidate him from engaging in anti-CCP activism. In June, he was spammed and sent graphic content of cat abuse and death threats. The accounts used to target him shared similarities with the spambots, such as their naming schemes and account creation dates. Similar accounts, most less than a month old, targeted another Chinese activist, Wang Jingyu, in June with demeaning cartoons of him and death threats.

Two screenshots of profiles and their messages harassing Chinese activist Teacher Li. Two accounts in particular, @SarahWrigh68852 and @CarterCaro80083, were created days apart in April 2024. Accounts in this harassment campaign were likely purchased from a Chinese account vendor. (Source: Teacher Li)

In late June and early July, a Chinese bot network also targeted Vicky Xu, a journalist who led a report revealing forced labor in Xinjiang as part of the Australian Strategic Policy Institute (ASPI), one of its most widely read studies. To punish her dissent, like in Wang Jingyu’s case, bot accounts spammed degrading cartoons (including one containing sexually explicit depictions) and death threats to her. The DFRLab discovered that several of these bot accounts may have accidentally leaked their account vendor during their spamming of a YouTube video slandering her. If this campaign against Xu is state-backed, which is likely given China’s history targeting her, then this leak shows that state-backed actors source their bot accounts from the same vendors as the spammers and scammers. The bot accounts that harassed Teacher Li, Wang Jingyu, and Vicky Xu do not appear to overlap; it wouldn’t be expensive to purchase accounts just to harass one person as they can be bought for less than fifty cents each. 

Left: Screenshots of insults and death threats received by Vicky Xu from bots on X. Right: Screenshots of spam posts by bots amplifying a video slandering her. They include a link to a Chinese account vendor site, mv888.cn.
Left: Screenshots of insults and death threats received by Vicky Xu from bots on X. Right: Screenshots of spam posts by bots amplifying a video slandering her. They include a link to a Chinese account vendor site, mv888.cn. (Source: Vicky Xu, Vicky Xu, Vicky Xu, left; Macon Elmers, Mindy Keller, Warren Fulton, Joan Jenkins, Ricky Gibbs, Nelle Victoria, right) 
Screenshot of the vendor’s website that likely supplied the X/Twitter accounts for the harassment campaign against Vicky Xu with translations by the DFRLab. The website provides instructions to log into the newly purchased accounts. (Source: mv888.cn) 

In April 2022, Elon Musk tweeted “We will defeat the spambots or die trying!” Two years after his acquisition of Twitter and rebranding as X, the platform is far from winning the battle against spambots. Chinese spambots have rendered some regional searches unusable on X. Comparing the self-provided balance sheets of one account seller, the DFRLab found it sold 9,000 Twitter or X accounts between February 2023 and May 2024. In the same period, its inventory ballooned from about 1,400 to a whopping 44,000; the seller even lowered its prices to rid inventory at one point. If its financials are accurate, then registering bot accounts on X may have become easier for these account dealers. Even a single bot on X can spam a keyword, rendering the search unusable.

Current methods of blocking bot registration, like phone number registration and two-factor authentication, are not enough to stop them from being created: sim cards can be easily bought on Telegram and account dealers offer a service through their proprietary sites to retrieve the two-factor authentication token for their customers. The good news is these accounts share many identifiable features, as they did in 2022. They follow a certain rubric of handles, such as an English name trailed by random numbers, making this a possible feature by which to identify them. They always share multimedia, making only slight changes to their graphics. Account sellers also give their customers “to-do” and “not-to-do” guides for reference. Following up on the tactics used by the market for accounts could help to alleviate X’s bot problem.


Cite this case study:

“Spambots continue to suppress speech and enable harassment of the Chinese community on X,” Digital Forensic Research Lab (DFRLab), July 8, 2024, https://dfrlab.org/2024/07/08/spambots-continue-to-suppress-speech-and-enable-harassment-of-the-chinese-community-on-x/.