Inside a Reddit Sockpuppet Operation

According to multiple Reddit moderators, someone called "Aaron" has approached them to be part of a spam marketing campaign, with a particular focus on cryptocurrency and blockchain-linked projects.

|
Sep 17 2018, 12:42pm

Image: Shutterstock

How do you really know that Reddit post about the blockchain is popular? Do people really think it’s worth reading?

One person focused on amplifying certain posts and topics on Reddit has been trying to recruit more influential users, according to multiple Reddit moderators. Documents then shared by one of those moderators provide a blueprint of such an operation—upvoting Reddit posts, especially those focused on specific cryptocurrencies, distributing flattering blog posts, and attempting to circumvent the site’s security protections.

While media outlets and investigators have generally paid much more attention to fake accounts on Twitter and Facebook, the news highlights the use of sockpuppets on another major social network.

“We’re able to give any project access to thousands of potential investors through mass-promotion. If any of these services interest you, please get in contact with me,” a post on the Bitcointalk forum written by “Aaron,” the spammer, reads.

Last week, a user who moderates several different forums said in a Reddit post they were approached by a “marketing” company. After moving over to Telegram, a messaging app particularly popular in the cryptocurrency community, the spammer provided a set of spreadsheets detailing some of their campaigns, the moderator wrote. They released the documents publicly on Reddit. Another moderator said they also received the same message from Aaron.

Got a tip? You can contact this reporter securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

When asked for comment by Motherboard via the Bitcointalk forum, Aaron did not deny running the Reddit spam campaign, or that the leaked spreadsheets belonged to their operation. They simply replied “Will I get paid for this interview?” (Motherboard and journalists more generally do not pay sources as that can encourage the source to provide information irrespective of its veracity).

But Aaron’s apparent spam campaign does seem to have its tentacles across various different parts of cryptocurrency Reddit. One product includes a blockchain-based ride sharing service, while at least one of the accounts appears to be focused on the Ethereum subreddit.

One spreadsheet lists Medium posts which Aaron’s accounts have seemingly upvoted multiple times on Reddit. The purpose of much of this spamming, it seems, is to bolster search engine optimization for certain cryptocurrencies; meaning they may be more likely to appear in Google or other search results, as well as getting them in front of more eyes on Reddit and generating an air of legitimacy.

“We specialize in large-quantity posts, upvotes, comments, articles, reviews, followers, traffic, click-throughs, back-linking, SEO, and more. The team is flexible and can complete a variety of marketing tasks,” the Bitcointalk forum post adds.

Motherboard verified that many of the accounts included in the spreadsheets do exist, and that their behaviour matches the description in the leaked documents, including whether the account was banned, or seemingly used for a particular purpose.

The spreadsheets are well organized, with columns for each account’s proxy IP address—if too much suspicious activity comes from any single IP address, Reddit may block it, so the spammer seemingly uses a unique IP for each account. A single account using a slew of different IPs, with its owner seemingly jumping all over the place, can also be suspicious.

“Logged in from too many different IPs,” one note next to an account reads. The spreadsheet labels this account, as well as over 100 others, as negatively impacted in some form by Reddit or other users. Some accounts were allegedly banned for making too many posts, being flagged as spam, or others were hacked accounts having their passwords changed, seemingly locking the spammer out. Many of these include accounts related information in a “Lesson Learned” column, such as don’t overpost, or the alleged limit on direct messages before being banned.

The spreadsheet also includes a handful of accounts on Bitcointalk.

“When they sent the spreadsheets across I wasn't sure if they were serious, I was flabbergasted by this level of stupidity,” the Reddit moderator who originally published the documents, added.

A Reddit spokesperson told Motherboard in an email that the company's "site-wide policies prohibit users from engaging in vote manipulation, or creating multiple accounts to avoid restrictions. We have dedicated teams and technology tools in place to detect users attempting to engage in these behaviors. In this specific instance, those measures identified and actioned the user before their behavior could disrupt the broader Reddit community."

Update: This piece has been updated to include comment from Reddit.