Cryptocurrency and Saudi Focused Platform Manipulation
How dissecting the XRP Army led me to the heart of a state-backed information operation originating in Saudi Arabia
Enter XRP Army
The phrase “XRP Army” has often been used to describe the Twitter community that supports the XRP cryptocurrency.
For those who have no idea what I am talking about, dare I suggest you tweet “XRP is a security”?
It won’t take long for accounts like @DigitalAssetXRP, @AssetsDaily, @JODiE_XRP and @digitlasset_xrp to pounce on you:
The “Digital Assets Daily” account (@AssetsDaily), despite being created less than 100 days ago, has managed to amass 2,350 Followers:
While genuine XRP supporting individuals/accounts certainly exist, concurrently vast information operations seek to create the illusion of a larger community than reflects reality.
Enter @GiantGox
In May 2018, @XRPTrump (now suspended) helped direct my early XRP Army investigative efforts toward @GiantGox (an account core to the XRP Army astroturfing campaign):
In August 2018, I posted “I Made A Bet With Ripple’s CTO, David Schwartz” — where I dissect the @GiantGox account (below graphic cycles through algorithmically-determined communities):
Here’s what it looks like when cycling through account language settings (and while being compared to the colored communities cycled through previously):
It seemed odd that an account primarily tweeting in Japanese had nearly a thousand Followers consisting of accounts which had selected Arabic for their language setting (@GiantGox’s language was/is set to Japanese):
The XRP Army wasn’t pleased with my questions, triggering replies from @SwissXRP, @XRP_RO, @SandmanXRP and @BarbaraSnowden7 (among others):
Saudi Focused Platform Manipulation
Late last month (and on the Friday before Christmas), Twitter announced they were sharing data (and information) about a state-backed information operation that originated in Saudi Arabia:
As you can see below, Twitter asserts the “larger network” was comprised of “more than 88,000 accounts [engaging] in spammy behaviour across a wide range of topics”:
Twitter’s investigations traced the platform manipulation to Smaat, a social media marketing and management company:
A few days after Twitter released their data, Social Forensics leveraged it to uncover Purposeful Marketing, another Saudi-focused marketing company engaging in similar activity (for more on Purposeful Marketing, please see this post!).
Data Analysis
Social Forensics sought to explore the relationship (if any) between the Arabic language accounts connected to @GiantGox (via Following and/or Followers relationships) and the data shared by Twitter recently.
As previously mentioned, @GiantGox had nearly a thousand Arabic language Followers (based on data collected in July 2018). Moreover, @GiantGox was Following an additional 199 Arabic language accounts (that were not Following @GiantGox back, i.e. not Followers of @GiantGox):
Filtering the dataset to include Arabic language accounts connected to @GiantGox (1,187) and reapplying graph algorithms (in addition to visual clustering) results in this graph:
Below graphic cycles through accounts that @GiantGox is Following (1,152), accounts that are Followers of @GiantGox (988), and accounts that have a reciprocal Following relationship with @GiantGox (953):
The fact that 953 of the 1,152 (83%) Arabic language accounts being followed by @GiantGox were following @GiantGox back is a strong indicator of the nature/quality of said accounts.
Here is how I summarized the community (aka mod class) where the vast majority of @GiantGox-connected, Arabic language accounts appear (pink colored community) from my August 2018 post:
Auditing Twitter’s Actions
The accounts and connections (Following/Followers relationships) are based on data from July 2018.
Checking the account status of the 1,187 accounts at a later date (in this case, Dec 26th, 2019) allows for auditing Twitter’s actions.
Social Forensics observed that 333 (28%) @GiantGox-connected, Arabic language accounts that were active as of July 2018, were suspended or no longer exist after Twitter’s recent announcement:
Below graphic highlights accounts that remain, accounts that no longer exist, and accounts that Twitter has suspended:
Here we can see several (6) suspended accounts that, as of July 2018, were Following a large number of accounts that also have since been suspended by Twitter or no longer exist:
While @khdamatcom5 (retweeted 18 times based on data disclosed by Twitter) has been suspended, a number of large, connected accounts (similarly in violation of Twitter Rules.. and similarly named!) remain active:
Evading Twitter account suspension is as simple as adding a digit onto one’s handle, apparently (and infinitely):
Note the (bottom right) handle in the below image and also to which handle the tweet (where graphic was discovered) is replying:
Both accounts—namely, @UamN12 and @lla__a1— have been suspended by Twitter:
Here’s Twitter’s dirty little secret: inauthentic accounts (like @khdamatcom11, for example) create additional advertising inventory for Twitter to monetize (while inflating/overstating Twitter’s platform metrics, more broadly):
There is zero incentive for Twitter to effectively self-police (i.e. proactively mitigating against platform manipulation/information operations), hence they are staffed accordingly — with a larger Communications than Information Operations team.
Twitter’s focus continues to be on publicizing their efforts, rather than taking the most effective actions.
Artificial Amplification
The dataset released by Twitter includes 32 million tweets (approximately 50% of which are retweets) from 5,929 (now suspended) accounts.
Of the 1,187 Arabic language accounts connected to @GiantGox, 70% (831) were retweeted by accounts disclosed by Twitter as being part of a state-backed information operation originating in Saudi Arabia:
Here’s what it looks like when cycling through accounts that were retweeted a minimum of 100 times (310), a minimum of 500 times (100), and a minimum of 1,000 times (43):
Next, let’s resize nodes such that they are tied to the number of times each account was retweeted (rather than being tied to the number of accounts each account is Following):
Below graphic compares sizing nodes by number of accounts being followed (i.e. Following within context of 1,187 accounts) vs. sizing nodes by number of times account was retweeted (using data disclosed by Twitter):
This is what cycling through accounts that were retweeted a minimum of 100 times (310), a minimum of 500 times (100), and a minimum of 1,000 times (43) looks like (nodes sized by retweet frequency):
Moving forward, all graphs presented in this post will size nodes based on retweet frequency.
Here we can see two active (as of January 14th, 2019), heavily retweeted accounts that, as of July 2018, were Following a large number of accounts that have since been suspended by Twitter or no longer exist:
Worth noting that @ABOALLAIL2 and @Qx_____e are large accounts — with 531K and 364K Followers, respectively:
Large Accounts
Using @ABOALLAIL2 and @Qx_____e as seed accounts, it’s possible to surface many additional connected, large (follow-for-follow) accounts that violate Twitter Rules via looking to Twitter’s “You might like” algorithm:
When viewing Twitter account profiles on desktop, most accounts will feature “You might like” sections on the right-hand side. Typically, three accounts will be prominently displayed, with an option to “Show more” accounts. Once this option is selected, Twitter will generally display 30 accounts.
Here’s what this looks like for @ABOALLAIL2, for example:
Completing the same exercise for @Qx_____e — and combining with the 30 accounts obtained via @ABOALLAIL2’s profile — surfaces 55 large (follow-for-follow) accounts that violate Twitter Rules (once duplicates are removed; 52 of which reflect having more than 100K Followers):
In aggregate (and inclusive of tweets from seed accounts), there have been 8.8 million tweets from the 57 accounts (data available here!).
Verified Accounts
There are just 6 verified accounts among the 1,187 Arabic language accounts connected to @GiantGox (one of which, @2se, has been suspended):
Below graphic cycles through the 6 verified accounts (when an account is selected, the lit up edges represent accounts being followed by highlighted account):
Here are profiles for the active verified accounts (5):
The Following counts of the accounts are as follows: @SalemAlSehman (694K), @Qabdullahhumair (366K), @yahyaalghamri (801K), @TYL55 (1.1 million), @Ha2936 ( 1.6 million)
It is highly unlikely that each account was able to follow such a large number of accounts (ranging from 366K to 1.6 million) without leveraging automation to do so.
Reviewing the “Who to follow” sections while viewing the profiles of @Ha2936 and @TYL55 — two verified accounts that reflect having more than a million Followers — surfaces more than 40 large (follow-for-follow) accounts that violate Twitter Rules (once duplicates are removed; 15 of which reflect having more than a million Followers):
In aggregate (and inclusive of tweets from seed accounts), there have been 4.3 million tweets from the 44 accounts (data available here!).
Hyperactive Tweeting Accounts
Social Forensics has identified 107 (9%) @GiantGox-connected, Arabic language accounts that have, on average, tweeted 100 or more times per day since being created:
Filtering the dataset to include hyperactive tweeting accounts and reapplying visual clustering results in this graph:
Below graphic isolates (active) @GiantGox-connected, Arabic language, hyperactive tweeting accounts (and where accounts were retweeted at least 100 times based on the dataset released by Twitter):
Here are profiles for these 33 accounts:
In aggregate (and inclusive of tweets from seed accounts), there have been more than 10 million tweets from the 33 accounts (data available here!).
OK, So What’s Your Point?
To be very clear, we are not stating that the XRP Army has anything to do with Saudi Arabia.
As was outlined in August 2018 (and in painstaking detail), the majority of @GiantGox’s Twitter Followers are comprised of inauthentic accounts — more specifically, accounts seeking to create the illusion of a larger XRP supporting community than reflects reality.
It isn’t surprising to find such material overlap between Arabic language accounts connected to @GiantGox (again, an account core to the XRP Army astroturfing campaign) and accounts amplified (retweeted) by accounts that Twitter has attributed to a state-backed information operation originating in Saudi Arabia.
A common tactic utilized by those managing sockpuppet/troll/inauthentic accounts involves running a script to (bulk) follow a predetermined list of accounts. Such lists tend to largely be comprised of similar sockpuppet/troll/inauthentic accounts, and where said accounts (including many authentic ones!) are often running a script to follow back any account which follows.
That’s how the follow-for-follow sausage is made.
For this reason, you’ll frequently encounter verified accounts/authentic Twitter users that are Following large numbers of inauthentic accounts. Sadly, this is far too common with lazy “growth” marketers, self-proclaimed influencers, authors, musicians and activists (among many other groups).
Twitter’s underbelly of inauthentic accounts is deeply interconnected.
Hence, seemingly disconnected Twitter communities — the XRP Army and pro-Saudi Arabia focused accounts, for example — emerge more connected than you’d expect.
Despite Twitter’s recent removal of “more than 88,000 accounts [engaging] in spammy behaviour across a wide range of topics” (Twitter blog post, December 20th, 2019), millions of inauthentic, connected Arabic language accounts (equally in violation of Twitter Rules) continue to manipulate Twitter’s platform (and with unfathomable scale).
Geoff Golberg is an NYC-based researcher (and entrepreneur) who is fascinated by graph visualization/network analysis — more specifically, when applied to social networks and blockchain activity. His experience spans structured finance, ad tech, and digital marketing/customer acquisition, both at startups and public companies.
Geoff is the Founder/CEO/Janitor of Social Forensics, where he spends (far too much of) his time developing techniques and building tools to identify social media manipulation (of various flavors!).
Read about Geoff’s war with Twitter here!
Special thanks to Graphistry for their continued support.
