The attacker seems to be the admin of those two instances. Both instances have their registrations closed.
Edit: It is now open for both of them, or was already. I checked the Fediseer page for both instances and it still says that their registrations are closed.
Though it is suspicious that no captcha, email confirmation or manual approval is required for both of these instances. The admin of lemmy.doesnotexist.club seems to be inactive since their account creation yet this instance is still running. If the admin is the attacker, it could also be that they are the one behind the recent nicole spam.
https://gui.fediseer.com/instances/detail/chinese.lol
https://gui.fediseer.com/instances/detail/lemmy.doesnotexist.club
cross-posted from: https://hackertalks.com/post/8713785
The instances being used are
- lemmy.doesnotexist.club
- chinese.lol
Here is an example of the coordinated downvoting https://hackertalks.com/post/8692093
Of course its a controversial user who got someone angry enough to automated downvoting @DonaldJMusk@lemmy.today
But you can see every post they make gets 53ish downvotes from these two instances, plus some organic ones after a few hours.
Current downvoting Accounts
bot-list
LightIsland@chinese.lol MagnificentRow@chinese.lol FondKnowledge@chinese.lol SillyTowel95@chinese.lol HelplessDear@chinese.lol SomberBrain@chinese.lol InexperiencedCloset@chinese.lol NecessaryPerson11@chinese.lol ClosedEmployment@chinese.lol CoarseHair420@chinese.lol BurlyChampionship49@chinese.lol ZigzagNatural@chinese.lol QuestionableDirt@chinese.lol ProudDeparture@lemmy.doesnotexist.club JoyousDouble@chinese.lol UnitedPatience@chinese.lol MajesticArea@lemmy.doesnotexist.club SinfulConference@chinese.lol MoralDivide96@chinese.lol LeadingCarry65@chinese.lol FrillyOpinion38@lemmy.doesnotexist.club LimitedDiscount49@lemmy.doesnotexist.club ForkedScreen@chinese.lol MediumChemistry13@chinese.lol xXxLawfulGrassxXx@lemmy.doesnotexist.club VisibleSentence@chinese.lol AcidicLawyer90@lemmy.doesnotexist.club PriceySink14@lemmy.doesnotexist.club ExcellentBeach@chinese.lol VivaciousNews@lemmy.doesnotexist.club LankyIndependent32@lemmy.doesnotexist.club SpeedyFault@chinese.lol ConcreteHall89@lemmy.doesnotexist.club WorthyPoint12@lemmy.doesnotexist.club SurprisedAdult99@chinese.lol FlashyCrack@lemmy.doesnotexist.club MasculineBeing@chinese.lol RichWeird@lemmy.doesnotexist.club DryCash97@lemmy.doesnotexist.club AuthorizedChair@chinese.lol SlimKiss@lemmy.doesnotexist.club AromaticRoof78@lemmy.doesnotexist.club BewitchedInterview@lemmy.doesnotexist.club ImaginaryDraw@lemmy.doesnotexist.club PertinentGround@chinese.lol SinfulAssumption@lemmy.doesnotexist.club AwkwardAnybody30@lemmy.doesnotexist.club UnwillingRestaurant@lemmy.doesnotexist.club InsubstantialOven@lemmy.doesnotexist.club
A individual user airing their personal biases and manipulating lemmy isn’t good for the community, regardless of how you feel about their target. This is a really bad thing ™
Edit: It is now open for both of them, or was already. I checked the Fediseer page for both instances and it still says that their registrations are closed.
Fediseer doesn’t check constantly btw.
We need public voting or this will only get worse. It’s currently way too easy to manipulate everyone’s feed.
What do you mean public voting? Everything in the Fediverse is public. Spin up a server and you can see all votes, even in the UI as an admin. Do you mean for users?
Being able to disable downvoting is one of the best features Lemmy has and I wish more instances would do it.
Voting here doesn’t influence your feed and largely serves to spread negativity. Turning it off has a negligible impact on usability and an undeniable advantage when people decide their feelings matter more than someone else’s, like whatever this is.
We’ve de-federated from both the instances being used for manipulative voting.
I fully disagree, in your scenario people wouldn’t realize how fucktastically bad your idea is
Look at what removing downvotes did to youtube, you seriously want that here?
I disagree. Downvoting is essential for Lemmy. I often disagree with something and it’s right to have a democratic vote on topics.
How is downvoting essential? It doesn’t do shit.
You shouldn’t downvote just because you disagree. You should vote based on whether it’s productive content.
Also helps identify trolls and bad actors at a glance if you don’t already have them tagged as such.
Also helps identify trolls and bad actors at a glance if you don’t already have them tagged as such.
Unless there’s been a bunch of downvote manipulation going on, as in the case of OP’s example (and which I’m the target of).
Oh, don’t play the victim. Everyone knows who you really are.
Not playing the victim. I’m merely stating that vote manipulation is bad, regardless who is on the receiving end. (I didn’t start this thread, I just happen to be an example used in it.)
Organic downvoting me is fine–I get plenty of those. Setting up bots/instances to manipulate downvotes aimed at me isn’t fine though, because it hurts Lemmy as a whole.
They won’t just stop at me, they can start using it against other users as well; even you. Not cool.
Which is the topic of the thread.
Monk, you got busted in /Politics. Give it up. We all know it’s you.
I’m not. He’s not the topic of this thread.
That’s fine, but removing downvoting doesn’t prevent the discussion. It curbs drive-by negativity which is a good thing IMO.
Obviously everyone is free to disagree with things. It should be more than absentmindedly hitting a down arrow though. Others obviously feel differently. Thankfully both exist on Lemmy.
I want to see it per-community. We use voting for actually decision making in my instance, so we can’t disable it instance-wide.
That would be a useful feature. Maybe something to roll out alongside private communities and things coming in the future.
Voting here doesn’t influence your feed
It does when you use sorting algorithms that depend on it.
Not with downvotes disabled 😉
Can your detection method be automated and federated?
I’m asking because this is probably the thin end of the wedge and is likely to increase exponentially, especially since anyone can set up an instance and do whatever they like with it.
Wdym. Do you mean how I found out that the attacker was the admin? Yeah sure, you definitely can automate that.
I’ve seen this several times on Reddit, lemmy, etc.: people see something suspicious (valid), jump to one of the less likely conclusions, and then make the pieces fit that support that theory. It’s not malicious, I think some of you just get tunnel vision when a potential (and exciting) conspiracy emerges
I think you are right that there is something that maybe needs to be done about these two instances, but vote manipulation coordination? Nothing here remotely points to that.
The bots are from those two instances as you can see in the screenshot. Furthermore, lemmy.doesnotexist.club had dozens of bots since at least 2023 (2 years after domain creation. found via the web archive). Since at least 2023, the admin hasn’t been doing anything, or even interacting with anyone. That account seems pretty much dead. But they keep hosting the instance for some reason. It is also a possibility that someone else indeed is using these two instances because they are “abandoned”, but it is highly likely that it is the admin. It is very suspicious that the registrations have been open unguarded against bots since at least 2023. These two instances have been invaded with bots long ago, so defederation is still the right thing to do.
I also don’t want to jump to conclusions, but I think the chances are pretty high that it indeed is the admin. It might lead us to whoever is behind the recent nicole spam.
FWIW:
- Around then, captchas were turned off by default for a short period of time (very stupidly, IMO), if I remember correctly, and a lot of bots were registered on a good number of instances. It was also when a lot of new instances were sprouting up because Lemmy was just gaining momentum.
- I have personally let certain things I host go on for years without checking them, because developers have ADHD more often than not, and autopay will keep your zombie in service for a long time if it’s not making a dent big enough to make you shut it down (hosting a low-activity anything is not usually very expensive).
Not impossible that it’s just an absent admin.
I guess I wasn’t clear here. I am not saying these bots and issues aren’t coming from these instances or that all these things you are documenting aren’t happening. They clearly are.
But: “coordinated vote manipulation between the admins of these two specific instances“ was the original claim here, right? You are definitely seeing something that is bad happening, but the conclusion you are coming to is conspiratorial and I don’t see evidence to support it.
Unfortunately when Admins don’t take care of their instances this kind of stuff happens. We saw it with Kbin.social (basically all of kbin). It was spam central before it completely went dark.
Well yeah, there is no concrete evidence that it is the admin (or the admins). But the hints I found seem to be pointing that they are the one behind this. Of course there is a possibility that it is someone else, but it baffles me why anyone would leave the registrations open for 2 years, keep the instance running, but never interact with the fediverse through it themselves. And this isn’t exactly like kbin.social, the admin eventually did respond and close down the instance (not to mention, the admin was still communicating with the people). This instance and its bots have been going on for over 2 years, with not even a single sign of activity from the admin(s).
Nevertheless, defederation is the right thing to do right now. Unless concrete evidence is found, we could put this aside.
Thank you for this.
I know I’m viewed as controversial, but I legit want Lemmy to grow so I post a lot of content.
But it’s always community-specific and community-appropriate. The conservative news articles that people despise me for, actually only get posted to a few conservative communities. People are free to check my post/comment history to verify.
If people block those communities or even just block me, then they never have to see my conservative stuff. Not sure why they don’t just do that and ignore me.
So the downvote brigading/manipulation was def out of line and goes against the spirit of Lemmy. It’s something that’s more in line with Reddit than Lemmy.
You guys are rockstars for bringing this up. I know I’m not liked, but Lemmy is open to diverse opinions.
YOU guys are the ones who make Lemmy awesome.
Monk, seriously. Give it up. You got busted copying your Universal Monk comments word for word by the mods at /Politics. It’s over. Everyone knows it is you. If you truly wanted to make lemmy better, you’d stop trolling people with your alts and just leave and not hide out in your Universal Monk run communities where you can ban anyone that calls you out.
At this point I am hoping that there should be very few left to buy this fake ass-kissing of yours.
And hopefully, the mods of this community don’t fall for it and decide to check for themselves by reaching out to the /Politics mods.
Ban evasion is taken pretty seriously. Especially by people that are legitimately trying to make lemmy awesome.
You got busted copying your Universal Monk comments word for word by the mods at /Politics.
I’m not Universal Monk. Please find a post that was copied word for word and post for us to see. Because I still have no clue what post that’s a reference to.
If you truly wanted to make lemmy better, you’d stop trolling people with your alts and just leave and not hide out in your Universal Monk run communities where you can ban anyone that calls you out.
I’m not a troll, nor have I been trolling. My post/comment history is there for all to see. Dude, I’m not Uni Monk. He’s still around and still posting. He’s still on Lemmy. Go yell at him if you’re pissed at him. It has nothing to do with me.
How am I trolling by posting conservative news articles to conservative news communities?
None of that has to do with this thread. There was a guy manipulating votes. He got caught. Deleted his account. It’s done. Bringing up unrelated stuff just muddies the thread and is off-topic.
Oh yea. You’re clearly not being downvoted anymore!
ROFL!
Seems relatively painless to chop those two instances off - chinese.lol has less than 200 users, and I can’t even find instance info for doesnotexist.club (coincidence? i think NOT).
I do personally wonder how difficult it is to spin up new instances though. How much effort would it be for them to create a new one and do it again?
I’m actually most concerned with the IP leaking of the fediverse chick posts - hopefully some progress has been made with the IP leaking in auto-loaded external media through DM’s
How much effort would it be for them to create a new one and do it again?
Minimal, but it is the domain that gets blocked so the attacker would still need to purchase a new domain.
I’m actually most concerned with the IP leaking
I’m curious, what is it about IP leaking that concerns you? I’ve been thinking about it lately but I have a hard time seeing why it’s a problem.
For one, you now know there is someone on the other end, so you can target your attacks instead of trying random ips.
Some instances enable the image proxy, which should prevent this.
I checked the images and so far every image I’ve encountered linked to the users’s lemmy instance’s pictrs instance, none were hosted through a custom trackable image host.
The attacker seems to be the admin of those two instances. Both instances have their registrations closed.
The alternative theory would be that these instances had open registrations, but rightly closed registration down after the admins noticed the bots. chinese.lol is on 0.18.4 with an admin with a 2 year old account, lemmy.doesnotexist.club has an admin with a 1 year account, and it was also that instance that the ‘nicole’ person has used before. This downvote attack would need to be a long time in the planning for what you’re suggesting to be true.
Upon inspecting the actual websites, the registrations seem to be actually open for both instances with no email confirmation, captcha or manual approval as one user pointed out. I checked the Fediseer page for these instances. What is the update delay for Fediseer?
Should be 12 hours, unless they explicitly prevent us from accessing their nodeinfo. Which now that I think about it, I should probably notify on.
What is the update delay for Fediseer?
I don’t know. It’s not something I’m familiar with - it might just default to saying ‘closed’ if it doesn’t have the data.
It’s interesting that the obvious bot accounts on those instances were set up in mid-March last year, so I’m guessing that these are somebody’s army that they’ve used before, but overplayed their hand when they turned it on the DonaldJMusk person. The admins can reasonably be blamed for setting up instances with open registrations and no protections and then forgetting about them, but I’d be wary of blaming them for being behind the attack directly. The ‘nicole’ person is unlikely to have used their own instance - it’s probably just someone with the same MO as whoever owns the bots, finding and exploiting vulnerable instances.
it might just default to saying ‘closed’ if it doesn’t have the data.
Nope. Fediseer displays unknown fields as
N/A.The admins can reasonably be blamed for setting up instances with open registrations and no protections and then forgetting about them
No, I don’t think they forgot. Would you forget about something you regularly pay for?
People forget about subscriptions all the time when they are cheap enough. The admin might even have some kind of grouped payment for multiple domains/sites and doesn’t bother cleaning them out to shut them down.
I know one of these instances.
Fuck you, Nicole!
Don’t you besmirch my fediwife’s good name!
Where are your God now?
Welp, too late ¯\(ツ)/¯
What? She lied to us? 😱
What? Your favorite spammer betrayed you? I’m soooo sowwy :3
The Liar Who Spammed Me
Make sure to click all of those links
I tried, the Discord link never work. So I’m kind of mad…
You… actually clicked the links? Brother do not do that.
Yeah, deanonymization and shit… Seeing how Nicole became a massive meme and no one gives two shits about that (fediwife 🙄), this appears to be harmless.
What app are you using?
Sync, at least to Lemmy 1.0. Then, probably Raccoon.
Why switching?
Lemmy 1.0 will mess up with every single client, as long as they won’t update. Sync seems abandoned, so it will simply stop working.
Stumblechat Room: HELL
Warned about this 11 days ago. https://lemmy.world/post/27449126
This is still a weakness of the current federation model imo
This person is a FUCKING FASCIST AND IS SPREADING WHITE REPLACEMENT BULLSHIT DONT TRUST THEM ON A SINGLE FUCKING THING
Which person? OP? The guy you are replying to? Or the spam voter?
@TomMonkeyMan@chinese.lol @yassinsiouda@lemmy.doesnotexist.club
Beats me what anybody would get out of vote manipulation on lemmy - there are no sponsors, no money involved AFAIK. What’s the payoff, upvotes?
Pettiness. I guess some people suffer from such extreme grass deficiency that they’ll go through all the trouble of setting up bots to do fully automated luxury harassment instead of small-batch hand-raised harassment.
The person being downvoted is the mod of c/conservative. I’m guessing this is a political maneuver to bury his posts/bully him off lemmy
We don’t need bots to do that!
Winning the hearts and minds in a propaganda / information war at relatively low cost
