Cryptocurrency and Saudi Focused Platform Manipulation

How dissecting the XRP Army led me to the heart of a state-backed information operation originating in Saudi Arabia

Image for post
Image for post
Network graph representation of Twitter accounts connected to @GiantGox. Each dot is a Twitter account which is following and/or being followed by @GiantGox (graph contains 39,131 accounts). Initial data wrangling and graph creation (above, July 2018): Andy Patel (AI Center of Excellence, F-Secure); subsequent data wrangling and graph creation, investigation, analysis and writing: Geoff Golberg (Founder, Social Forensics)

Enter XRP Army

The phrase “XRP Army” has often been used to describe the Twitter community that supports the XRP cryptocurrency.

For those who have no idea what I am talking about, dare I suggest you tweet “XRP is a security”?

It won’t take long for accounts like @DigitalAssetXRP, @AssetsDaily, @JODiE_XRP and @digitlasset_xrp to pounce on you:

Image for post
Image for post
Image for post
Image for post

The “Digital Assets Daily” account (@AssetsDaily), despite being created less than 100 days ago, has managed to amass 2,350 Followers:

Image for post
Image for post

While genuine XRP supporting individuals/accounts certainly exist, concurrently vast information operations seek to create the illusion of a larger community than reflects reality.

Enter @GiantGox

In May 2018, @XRPTrump (now suspended) helped direct my early XRP Army investigative efforts toward @GiantGox (an account core to the XRP Army astroturfing campaign):

Image for post
Image for post

In August 2018, I posted “I Made A Bet With Ripple’s CTO, David Schwartz” — where I dissect the @GiantGox account (below graphic cycles through algorithmically-determined communities):

Image for post
Image for post
Same graph from opening image of this post.. just with flipped orientation here!

Here’s what it looks like when cycling through account language settings (and while being compared to the colored communities cycled through previously):

Image for post
Image for post

It seemed odd that an account primarily tweeting in Japanese had nearly a thousand Followers consisting of accounts which had selected Arabic for their language setting (@GiantGox’s language was/is set to Japanese):

Image for post
Image for post

The XRP Army wasn’t pleased with my questions, triggering replies from @SwissXRP, @XRP_RO, @SandmanXRP and @BarbaraSnowden7 (among others):

Image for post
Image for post
Image for post
Image for post

Saudi Focused Platform Manipulation

Late last month (and on the Friday before Christmas), Twitter announced they were sharing data (and information) about a state-backed information operation that originated in Saudi Arabia:

Image for post
Image for post

As you can see below, Twitter asserts the “larger network” was comprised of “more than 88,000 accounts [engaging] in spammy behaviour across a wide range of topics”:

Image for post
Image for post

Twitter’s investigations traced the platform manipulation to Smaat, a social media marketing and management company:

Image for post
Image for post

A few days after Twitter released their data, Social Forensics leveraged it to uncover Purposeful Marketing, another Saudi-focused marketing company engaging in similar activity (for more on Purposeful Marketing, please see this post!).

Data Analysis

Social Forensics sought to explore the relationship (if any) between the Arabic language accounts connected to @GiantGox (via Following and/or Followers relationships) and the data shared by Twitter recently.

As previously mentioned, @GiantGox had nearly a thousand Arabic language Followers (based on data collected in July 2018). Moreover, @GiantGox was Following an additional 199 Arabic language accounts (that were not Following @GiantGox back, i.e. not Followers of @GiantGox):

Image for post
Image for post
1,187 Arabic language accounts connected to @GiantGox as of July 2018 (top). Interconnectivity of said accounts where edges (lines) represent Following/Followers relationships (bottom)

Filtering the dataset to include Arabic language accounts connected to @GiantGox (1,187) and reapplying graph algorithms (in addition to visual clustering) results in this graph:

Image for post
Image for post
Node size determined by number of accounts out of 1,187 that each account is Following

Below graphic cycles through accounts that @GiantGox is Following (1,152), accounts that are Followers of @GiantGox (988), and accounts that have a reciprocal Following relationship with @GiantGox (953):

Image for post
Image for post
Node size determined by number of accounts out of 1,187 that each account is Following

The fact that 953 of the 1,152 (83%) Arabic language accounts being followed by @GiantGox were following @GiantGox back is a strong indicator of the nature/quality of said accounts.

Here is how I summarized the community (aka mod class) where the vast majority of @GiantGox-connected, Arabic language accounts appear (pink colored community) from my August 2018 post:

Image for post
Image for post

Auditing Twitter’s Actions

The accounts and connections (Following/Followers relationships) are based on data from July 2018.

Checking the account status of the 1,187 accounts at a later date (in this case, Dec 26th, 2019) allows for auditing Twitter’s actions.

Social Forensics observed that 333 (28%) @GiantGox-connected, Arabic language accounts that were active as of July 2018, were suspended or no longer exist after Twitter’s recent announcement:

Image for post
Image for post
Node size determined by number of accounts out of 1,187 that each account is Following

Below graphic highlights accounts that remain, accounts that no longer exist, and accounts that Twitter has suspended:

Image for post
Image for post
Node size determined by number of accounts out of 1,187 that each account is Following

Here we can see several (6) suspended accounts that, as of July 2018, were Following a large number of accounts that also have since been suspended by Twitter or no longer exist:

Image for post
Image for post
Accounts include: @75fM1, @VIP_G5, @sarmadeia, @7ll2_, @rffoi4, @khdamatcom5

While @khdamatcom5 (retweeted 18 times based on data disclosed by Twitter) has been suspended, a number of large, connected accounts (similarly in violation of Twitter Rules.. and similarly named!) remain active:

Image for post
Image for post

Evading Twitter account suspension is as simple as adding a digit onto one’s handle, apparently (and infinitely):

Image for post
Image for post
Several reflect having hundreds of thousands of Followers

Note the (bottom right) handle in the below image and also to which handle the tweet (where graphic was discovered) is replying:

Image for post
Image for post
Image for post
Image for post

Both accounts—namely, @UamN12 and @lla__a1— have been suspended by Twitter:

Image for post
Image for post

Here’s Twitter’s dirty little secret: inauthentic accounts (like @khdamatcom11, for example) create additional advertising inventory for Twitter to monetize (while inflating/overstating Twitter’s platform metrics, more broadly):

Image for post
Image for post

There is zero incentive for Twitter to effectively self-police (i.e. proactively mitigating against platform manipulation/information operations), hence they are staffed accordingly — with a larger Communications than Information Operations team.

Twitter’s focus continues to be on publicizing their efforts, rather than taking the most effective actions.

Artificial Amplification

The dataset released by Twitter includes 32 million tweets (approximately 50% of which are retweets) from 5,929 (now suspended) accounts.

Of the 1,187 Arabic language accounts connected to @GiantGox, 70% (831) were retweeted by accounts disclosed by Twitter as being part of a state-backed information operation originating in Saudi Arabia:

Image for post
Image for post
Node size determined by number of accounts out of 1,187 that each account is Following

Here’s what it looks like when cycling through accounts that were retweeted a minimum of 100 times (310), a minimum of 500 times (100), and a minimum of 1,000 times (43):

Image for post
Image for post
Node size determined by number of accounts out of 1,187 that each account is Following

Next, let’s resize nodes such that they are tied to the number of times each account was retweeted (rather than being tied to the number of accounts each account is Following):

Image for post
Image for post
Node size determined by number of times account was retweeted by accounts disclosed by Twitter as being part of a state-backed information operation originating in Saudi Arabia

Below graphic compares sizing nodes by number of accounts being followed (i.e. Following within context of 1,187 accounts) vs. sizing nodes by number of times account was retweeted (using data disclosed by Twitter):

Image for post
Image for post

This is what cycling through accounts that were retweeted a minimum of 100 times (310), a minimum of 500 times (100), and a minimum of 1,000 times (43) looks like (nodes sized by retweet frequency):

Image for post
Image for post
Node size determined by number of times account was retweeted by accounts disclosed by Twitter as being part of a state-backed information operation originating in Saudi Arabia

Moving forward, all graphs presented in this post will size nodes based on retweet frequency.

Here we can see two active (as of January 14th, 2019), heavily retweeted accounts that, as of July 2018, were Following a large number of accounts that have since been suspended by Twitter or no longer exist:

Image for post
Image for post
Tweets from @ABOALLAIL2 were retweeted 2.1K times; Tweets from @Qx_____e were retweeted 1.5K times

Worth noting that @ABOALLAIL2 and @Qx_____e are large accounts — with 531K and 364K Followers, respectively:

Image for post
Image for post

Large Accounts

Using @ABOALLAIL2 and @Qx_____e as seed accounts, it’s possible to surface many additional connected, large (follow-for-follow) accounts that violate Twitter Rules via looking to Twitter’s “You might like” algorithm:

Image for post
Image for post

When viewing Twitter account profiles on desktop, most accounts will feature “You might like” sections on the right-hand side. Typically, three accounts will be prominently displayed, with an option to “Show more” accounts. Once this option is selected, Twitter will generally display 30 accounts.

Here’s what this looks like for @ABOALLAIL2, for example:

Image for post
Image for post

Completing the same exercise for @Qx_____e — and combining with the 30 accounts obtained via @ABOALLAIL2’s profile — surfaces 55 large (follow-for-follow) accounts that violate Twitter Rules (once duplicates are removed; 52 of which reflect having more than 100K Followers):

Image for post
Image for post

In aggregate (and inclusive of tweets from seed accounts), there have been 8.8 million tweets from the 57 accounts (data available here!).

Verified Accounts

There are just 6 verified accounts among the 1,187 Arabic language accounts connected to @GiantGox (one of which, @2se, has been suspended):

Image for post
Image for post
Node size determined by number of times account was retweeted by accounts disclosed by Twitter as being part of a state-backed information operation originating in Saudi Arabia

Below graphic cycles through the 6 verified accounts (when an account is selected, the lit up edges represent accounts being followed by highlighted account):

Image for post
Image for post
Node size determined by number of times account was retweeted by accounts disclosed by Twitter as being part of a state-backed information operation originating in Saudi Arabia

Here are profiles for the active verified accounts (5):

Image for post
Image for post

The Following counts of the accounts are as follows: @SalemAlSehman (694K), @Qabdullahhumair (366K), @yahyaalghamri (801K), @TYL55 (1.1 million), @Ha2936 ( 1.6 million)

It is highly unlikely that each account was able to follow such a large number of accounts (ranging from 366K to 1.6 million) without leveraging automation to do so.

Reviewing the “Who to follow” sections while viewing the profiles of @Ha2936 and @TYL55 — two verified accounts that reflect having more than a million Followers — surfaces more than 40 large (follow-for-follow) accounts that violate Twitter Rules (once duplicates are removed; 15 of which reflect having more than a million Followers):

Image for post
Image for post
Image for post
Image for post

In aggregate (and inclusive of tweets from seed accounts), there have been 4.3 million tweets from the 44 accounts (data available here!).

Hyperactive Tweeting Accounts

Social Forensics has identified 107 (9%) @GiantGox-connected, Arabic language accounts that have, on average, tweeted 100 or more times per day since being created:

Image for post
Image for post
Node size determined by number of times account was retweeted by accounts disclosed by Twitter as being part of a state-backed information operation originating in Saudi Arabia

Filtering the dataset to include hyperactive tweeting accounts and reapplying visual clustering results in this graph:

Image for post
Image for post
This includes 97 (rather than 107) hyperactive tweeting accounts (10 have no Followers/Following connectivity to the other hyperactive tweeting accounts)

Below graphic isolates (active) @GiantGox-connected, Arabic language, hyperactive tweeting accounts (and where accounts were retweeted at least 100 times based on the dataset released by Twitter):

Image for post
Image for post
Node size determined by number of times account was retweeted by accounts disclosed by Twitter as being part of a state-backed information operation originating in Saudi Arabia

Here are profiles for these 33 accounts:

Image for post
Image for post

In aggregate (and inclusive of tweets from seed accounts), there have been more than 10 million tweets from the 33 accounts (data available here!).

OK, So What’s Your Point?

Image for post
Image for post
Source

To be very clear, we are not stating that the XRP Army has anything to do with Saudi Arabia.

As was outlined in August 2018 (and in painstaking detail), the majority of @GiantGox’s Twitter Followers are comprised of inauthentic accounts — more specifically, accounts seeking to create the illusion of a larger XRP supporting community than reflects reality.

It isn’t surprising to find such material overlap between Arabic language accounts connected to @GiantGox (again, an account core to the XRP Army astroturfing campaign) and accounts amplified (retweeted) by accounts that Twitter has attributed to a state-backed information operation originating in Saudi Arabia.

A common tactic utilized by those managing sockpuppet/troll/inauthentic accounts involves running a script to (bulk) follow a predetermined list of accounts. Such lists tend to largely be comprised of similar sockpuppet/troll/inauthentic accounts, and where said accounts (including many authentic ones!) are often running a script to follow back any account which follows.

That’s how the follow-for-follow sausage is made.

For this reason, you’ll frequently encounter verified accounts/authentic Twitter users that are Following large numbers of inauthentic accounts. Sadly, this is far too common with lazy “growth” marketers, self-proclaimed influencers, authors, musicians and activists (among many other groups).

Twitter’s underbelly of inauthentic accounts is deeply interconnected.

Hence, seemingly disconnected Twitter communities — the XRP Army and pro-Saudi Arabia focused accounts, for example — emerge more connected than you’d expect.

Despite Twitter’s recent removal of “more than 88,000 accounts [engaging] in spammy behaviour across a wide range of topics” (Twitter blog post, December 20th, 2019), millions of inauthentic, connected Arabic language accounts (equally in violation of Twitter Rules) continue to manipulate Twitter’s platform (and with unfathomable scale).

Geoff Golberg is an NYC-based researcher (and entrepreneur) who is fascinated by graph visualization/network analysis — more specifically, when applied to social networks and blockchain activity. His experience spans structured finance, ad tech, and digital marketing/customer acquisition, both at startups and public companies.

Geoff is the Founder/CEO/Janitor of Social Forensics, where he spends (far too much of) his time developing techniques and building tools to identify social media manipulation (of various flavors!).

Read about Geoff’s war with Twitter here!

Special thanks to Graphistry for their continued support.

Written by

CEO & Founder, Social Forensics | Previously: Co-Founder, Elementus | Featured in BBC, CNN, BuzzFeed, and Quartz, among others | SocialForensics.com

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store