Discovering the Twitter Botnet

In my last  blog post, I discussed our data preparation and collection. In this blog post I will start talking about 1- a brief of some of our preliminary findings 2- The discovery of the botnet in our dataset.

To recap my last two blog posts, I want to remind you that we first, collected tweets from twitter to analyze tweets from the Syrian civil war. We did that by selecting 3 violent and 3 nonviolent events, after that we conducted 2 different kinds of analyses: log analysis (from the most re-tweeted tweets based on content) and network analysis (from the high account influence on a network diagram) on the re-tweeted tweets. In the last step, we compared the top retweeted accounts (twitter handles) from the log analysis and the network analysis then we conducted a comparative analysis between the top re-tweeted accounts across the different event types (3 violent and 3 nonviolent events).

The results from these 2 different analyses were:

1- In the nonviolent events data set, people were not tweeting about the salient events we selected (3 violent and 3 nonviolent events). For example, Angelina Jolie’s visit to the Syrian refugees’ camp in Jordan on September 11, 2012, wasn’t discussed in the tweets, however, people were tweeting about war-related issues (e.g., chemical bombs), comparing 9/11 and Syria Civil War.

2- From the salient violent events, we picked Houla Massacre that occurred on 5/25/2012 and compared the authors of top most retweeted tweets from the Log Analysis and the top retweeting accounts (we identified these by looking at the node size a.k.a node centrality) in the Network Analysis. The results of our analysis showed that they were totally different (Top retweeting authors’ ≠ Top retweeting nodes)

3- We compared our findings with the Influence Matrix (Source: Just to better understand our results. We found that we were interested in 3 different types of Twitter users: Curators, Celebrity, and Activist.


We were curious to know if we could find any celebrity type in the data set, someone who has both high content influence and high account influence. So we compared top retweeted nodes to the entire log analysis (450 posts), searching for any overlapping cases. We found one such user account: @g1. 

We wanted to learn more about this user’s attributes however, the account was suspended. Therefore, we started browsing the name associated to the bot, both in English and Arabic, on the Internet. We found some interesting information, however, none was related to the war. We suspected that this person might be the human user behind @g1. However, she did not have much of an online presence, which made us suspect that she is the one running her account (at that time we started suspecting that we might be dealing with a fake account of a celebrity)

In the network graph, @g1 was clustered with 19 other users, 17 of whom were suspended. Wondering what might be the reason behind this large number of account suspensions, we started following @g1 across different events in the data set.

Content Analysis

To better understand what might be the reason for suspending @g1 account we conducted a high-level content analysis on her tweets archived during the period of April to December 2012. We found that the account had stopped posting (therefore, presumably had been suspended) on November 20, 2012. Also, from our high level content analysis we discovered that most of tweets are highly political, so this wasn’t the reason for suspension by twitter.

From there, we started conducting the same analyses on the accounts clustered with @g1 across all of the six events. As a result, we identified 42 Twitter handles that had stopped posting on November 20, 2012. Interestingly, we found that the majority of these accounts got suspended on the same date, November 20, 2012. Moreover, we found that all of their last tweets were around 6:30 AM UTC indicating a systemic ban. Lastly, we discovered that they all shared the same last tweet.

Additional analyses on the data set and we discovered

  1.  21 additional accounts that had stopped posting at that time, (thus 63 accounts in total).
  2. All of the accounts were retweeting, specifically with RT, the one unique account: @h1
  3. All shared the same last retweet content.
  4. All stopped tweeting almost at the same time around 6:30 AM UTC, November 20, 2012.
  5. Each user was tweeting  continuously round the clock.

Why is this network a botnet?

What made us suspect that this might be a botnet were the following indicators:

  1. The links attached to tweets
  2. The links attached to RT
  3. The frequency of tweeting
  4. Tweet text (The 3 letter random hashtag)

An example is this tweet: “RT @h1: #سوريا #Syria لوهان ستمثّل في أغنية مصوّرة لليدي غاغا #xmy” (English translation: RT @h1: Lindsay Lohn to appear on Lady Gaga’s next music video #Syria ##سوريا #xmy).

When we searched for the sentence “Lindsay Lohan to appear on Lady Gaga’s next music video” in Arabic, we found a news headline on the website with the exact text. However, when clicking on the link, we got redirected to

Another example is: “#سوريا #Syria بدء امتحانات الفصل الثاني للمرحلة الجامعية الأولى في جامعة #دمشق #dmq” (English translation: The second midterms starts for University of # Damascus #Syria #سوريا #dmq).

The botnet was using a random 3 letter hashtag in all it’s tweets #xmy #dmq . Why were they adding this hashtag is something we still don’t know. We are assuming that this is their tracking method or reach testing technique.

Lastly, clicking on the link embedded in this tweet redirects to an article on the a new website,  which is an Arabic independent news forum.

These are the two examples of many similar incidents. Most of the tweets that were randomly tested lead to one of three websites.

Currently, we are still conducting content and network analyses to understand this botnet behavior and the motives behind its creation. One of the things we are pretty confident about is the botnet tweets were all in support of Alasad’s government and that it was followed by real people, who also supports the current Syrian regime. We asked ourselves: Was this twitter botnet created at the time when the majority of tweets on the Syrian civil war were against the regime to influence the public opinion and to amplify the voices of the people who are pro-regime, maybe?

In the meantime, stay tuned for further results of this project.

*The following and follower data was collected on March 18, 2013, not on the date of the event. For the top RT nodes, we only used data for 3 accounts because 17 accounts were suspended.)

** This project is in collaboration with Daisy Yoo and David McDonald from the iSchool at the University of Washington. Please don’t make copies of the content until you contact the blog admin.

***The twitter handles used in the post are not real they are pseudonyms created by the team.


Published by

Norah Abokhodair

I'm an applied social scientist with a passion for researching and developing the next generation of social and collaborative technologies. Currently, I'm a Research Program Manager at the Microsoft Learning Innovation Lab where our cross-functional team of PMs, UX Researchers, and Software Engineers employ design thinking to discover the future of seamless learning experiences, leveraging the power of Artificial Intelligence.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s