A friend recently reached out to me because he was very suspicious about some tweets he was seeing on Twitter about a certain stock, and he wanted some more technical eyes on it. I believe I ended up discovering a network of zombie Twitter API users that are being used to actively manipulate stock/crypto sentiment on Twitter.
I will be sharing screenshots and direct evidence, and for the sake of transparency will provide links to all the evidence I have found along the way.
To start with, it began with looking into the Twitter chatter surrounding $SDC (SmileDirectClub).
$SDC is immediately a suspicious stock right now due to a suspiciously large uptick in bullish sentiment in the obvious subreddits (WSB, etc.), but then it tanked earnings and the stock took a large hit. However, this isn’t about the stock; I just thought the context was important.
Anyway, back to Twitter. If we look at some of the posts we are seeing, we see posts like this:
Now it doesn’t take a genius to realise these are obviously bots. Their whole vibe is “bot”, from the names to the profile pictures to the intense shilling of this “@RecvProfit”. So my curiosity went in two directions:
1. Who/what is RecvProfit?
2. Why are all of these tweets coming from strange devices? (Notice in those screenshots where it normally says “Sent from iPhone” it instead says, “TwitterAnalysis2807” and “prataya_sentiment”)
# Who is RecvProfit?
Well the first question was easy to address, it’s this account:
At face value it’s innocent enough. Unless it has deleted the tweets, the account has never posted anything like the bots are quoting in their images, which adds another weird level of depth.
I don’t want to jump to conclusions about the RecvProfit account, because there is a chance the account is actually a scapegoat, but there is also a good chance it’s a fake, pretty generic stock Twitter account set up to facilitate the real trouble I found when I was digging into my second question.
# What the heck are these seemingly random devices?
The “devices” shown at the bottom of those screenshots are actually Twitter API project (app) names. Twitter labels every tweet with the name of the app whose API credentials posted it, which is why a normal tweet shows “Twitter for iPhone” and these show “TwitterAnalysis2807” and “prataya_sentiment”. So from here you might say, okay, they are just creating random Twitter API projects and using them for this shilling.
Oh no no no no, if only.
I discovered that some of these project names have similar project names on GitHub (not exact matches, but one of the two examples I will provide is pretty definitive). What do these projects have in common?
1. They have “twitter” in the project name.
2. They have (stupidly, but understandably for a beginner) exposed their Twitter API keys and secrets within the repository.
# Example 1
Original Twitter Post:
[Github Repo (Notice username is also Nancy)](https://github.com/nancyanand2807/Twitter-Sentiment-Analysis)
# Example 2
Original Twitter Post:
[Github Repo (Notice username is also prataya)](https://github.com/pratayaa/twitter_sentiment_analysis)
So what does all this mean?
This is my current theory:
A malicious actor has been scraping “twitter” related repositories to find exposed Twitter API keys, to create an army of zombie Twitter API users (which, at a distance, look no different to normal users). These users are then being used to manipulate Twitter sentiment surrounding certain stocks and crypto.
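The mistake that enables the whole scheme is the one in point 2 above: a credential-named variable assigned a quoted literal and committed to the repo. The following is an added example, not code from the post or from either linked repository, showing the check a maintainer (or a GitHub scraper, from the other side) would run over a checkout to find such leaks, alongside the hardened form that reads the credentials from the environment. The variable names, the placeholder words it ignores, the entropy threshold and every key value in the sample files are assumptions constructed for the example; none of them are real credentials.

```python
"""Find hard-coded Twitter API credentials in source text and show the fix.

Flags credential-named variables (consumer_key, access_token_secret, ...)
assigned a quoted literal, which is exactly what leaves a key usable by
anyone who clones the repository. Template placeholders are skipped.
"""
import math
import os
import re
from collections import Counter

# Variable names tweepy-style example code commonly uses (assumed list).
CREDENTIAL_NAMES = re.compile(
    r"consumer_?key|consumer_?secret|api_?key|api_?secret|"
    r"access_?token_?secret|access_?token|bearer_?token",
    re.IGNORECASE,
)

# Matches `name = "literal"`, `"name": "literal"` (JSON) and `NAME="literal"` (.env).
ASSIGNMENT = re.compile(
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)[\"']?\s*[:=]\s*[\"'](?P<value>[^\"']{16,})[\"']"
)

# Obvious template values that should not be reported (heuristic, assumed).
PLACEHOLDER = re.compile(r"your|here|example|placeholder|xxx|<|>", re.IGNORECASE)

# Environment variables the hardened loader expects (assumed names).
ENV_NAMES = ("TWITTER_CONSUMER_KEY", "TWITTER_CONSUMER_SECRET",
             "TWITTER_ACCESS_TOKEN", "TWITTER_ACCESS_TOKEN_SECRET")


def shannon_entropy(s: str) -> float:
    """Bits per character; random API keys score well above English words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only a short prefix so a report can be shared without re-leaking the key."""
    return value[:4] + "..." + "****"


def find_hardcoded_credentials(text: str, path: str = "<memory>", min_entropy: float = 3.0):
    """Return (path, line_no, variable_name, redacted_value) for each finding."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group("name"), m.group("value")
            if not CREDENTIAL_NAMES.search(name):
                continue  # not a credential variable
            if PLACEHOLDER.search(value) or shannon_entropy(value) < min_entropy:
                continue  # template value, not a real key
            findings.append((path, line_no, name, redact(value)))
    return findings


def scan_repo(files: dict) -> list:
    """Scan a {path: contents} mapping; real use would walk a checkout on disk."""
    results = []
    for path, text in files.items():
        results.extend(find_hardcoded_credentials(text, path))
    return results


def missing_credentials(env=None) -> list:
    """Names from ENV_NAMES that are unset or empty in the given environment."""
    env = os.environ if env is None else env
    return [n for n in ENV_NAMES if not env.get(n)]


def load_credentials_from_env(env=None) -> dict:
    """The hardened form: credentials come from the environment, never the repo."""
    env = os.environ if env is None else env
    missing = missing_credentials(env)
    if missing:
        raise RuntimeError("missing credentials: " + ", ".join(missing))
    return {n: env[n] for n in ENV_NAMES}


# Constructed sample checkout: one file with the vulnerable pattern the post
# describes, one written the safe way. All values are made up for this example.
SAMPLE_REPO = {
    "leaky/config.py": (
        'consumer_key = "Ab3dEf7GhIj9KlMnOpQr2StUv"\n'
        'consumer_secret = "XyZ0aBc1DeF2gHi3JkL4mNo5PqR6sTu7VwX8yZa9BcD0eFg1Hi"\n'
        'access_token = "123456789012345678-Qw9ErTy7UiOp3AsDfGhJkLzXcVbNm0"\n'
        'access_token_secret = "Pl8mNbVcXz2LkJhGfDsA9QwErTyUiOp1ZxCvBnM4Lk"\n'
    ),
    "clean/config.py": (
        'import os\n'
        'consumer_key = os.environ["TWITTER_CONSUMER_KEY"]\n'
        'consumer_secret = "YOUR_CONSUMER_SECRET_HERE"  # template placeholder\n'
    ),
    "clean/.env.example": 'TWITTER_ACCESS_TOKEN="<paste token here>"\n',
}


if __name__ == "__main__":
    for path, line_no, name, value in scan_repo(SAMPLE_REPO):
        print(f"{path}:{line_no}: {name} = {value}")
```

Only the four lines in `leaky/config.py` are reported; the `os.environ` lookup and the two placeholders in the clean files are not. Run the scan as a pre-commit hook and, if it ever fires on a key that has already been pushed, treat the key as compromised and regenerate it in the Twitter developer portal: deleting the commit does not help, because scrapers of the kind described above pull keys within minutes of a push and git history keeps them visible anyway.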
This is a huge problem and it’s impossible to know just how wide spread of an issue this is, from this small example.
For example, one of the coins they are shilling is $CRO, which is pumping as I write this: [$CRO 24hr Price Chart](https://imgur.com/epaqMoZ)
The pump could be natural, but you can’t deny how suspicious it is.
Twitter (hell, and maybe GitHub) needs to be responsible for managing this as soon as possible, as these Twitter zombies could be running rampant. And who knows what other malicious uses these bots have been put to! (*cough* ^(elections) *cough*)
**TLDR**; A malicious actor is scraping GitHub for exposed Twitter API keys, and then those keys are being used to manipulate crypto and stock sentiment on Twitter, and god knows what else.
**Note**: I have listed this with the flair “**New Vulnerability Disclosure**”. I know that key scraping GitHub isn’t exactly new, but I feel like this particularly dangerous combination is a vulnerability in itself.