
Twitter’s Phantom Menace: a Star Wars botnet

Who is behind the stormtrooper army firing out random tweets from the Star Wars novels? And what are the security implications? Researchers want to hear from you

Most Twitter users are familiar with them: followers with odd names and avatars, following far more than they are being followed. Automated fake accounts known as bots.

People often dismiss them as harmless clutter. But one UK researcher thinks there may be more here than what we see on the surface – a Phantom Menace, if you will. (Cue the John Williams Star Wars film score…)

The bots are with you

Juan Echeverria, a computer scientist at UCL, has published a paper on a network of 350,000 Twitter bots he calls the Star Wars botnet. Some of the accounts are used to fluff up follower numbers, send spam and boost interest in trending topics. From the paper:

A large number of Twitter users are bots. They can send spam, manipulate public opinion, and contaminate the Twitter API stream that underline so many research works. One of the major challenges of research on Twitter bots is the lack of ground truth data. Here we report our discovery of the Star Wars botnet with more than 350k bots. We show these bots were generated and centrally controlled by a botmaster. These bots exhibit a number of unique features, which reveal profound limitations of existing bot detection methods.

He said the work has significant implications for cybersecurity, not only because the size of the botnet is larger than those studied before, but also because it’s been well hidden since its creation in 2013. He said more research is needed to fully grasp the potential threat such a large, hidden botnet poses to Twitter.

His research began by sifting through a sample of 1% of Twitter users to better understand how people use the medium. But along the way, the research seemed to reveal many linked accounts, which means an individual or group is running the botnet. These accounts didn’t behave like the more garden-variety bots out there.

Scum and villainy?

In the report, he describes what his team saw as the work unfolded:

Although the tweet distribution is largely coincident with the population distribution, there are two rectangle areas around North America and Europe that are fully filled with non-zero tweet distributions, including large uninhabited areas such as seas, deserts and frozen lands. These rectangles have sharp corners and straight borders that are parallel to the latitude and longitude lines. We conjectured that it shows two overlapping distributions. One is the distribution of tweets by real users, which is coincident with population distribution. The other is the distribution of tweets with faked locations by Twitter bots, where the fake locations are randomly chosen in the two rectangles – perhaps as an effort to pretend that the tweets are created in the two continents where Twitter is most popular. The blue-color dots in the two rectangles were attributed to 23,820 tweets. We manually checked the text of these tweets and discovered that the majority of these tweets were random quotations from Star Wars novels. Many quotes started or ended with an incomplete word; and some quotes have a hashtag inserted at a random place.

For example:

Luke’s answer was to put on an extra burst of speed. There were only ten meters #separating them now. If he could cover t

That passage is from the book Star Wars: Choices of One. Echeverria and his colleagues found quotations from at least 11 Star Wars novels.

Here’s a wider look at the Force-infused activities:

  • They only tweet random quotations from the Star Wars novels.
  • Each tweet contains only one quotation, often with incomplete sentences or broken words at the beginning or at the end.
  • The only extra text that can be inserted in a tweet are (1) special hashtags that are associated with earning followers, such as #teamfollowback and #followme; and (2) the hash symbol # inserted in front of a randomly chosen word (including stop words, like “the” and “in”) in order to form a hashtag.
  • The bots never retweet or mention any other Twitter user.
  • Each bot has created <= 11 tweets in its lifetime.
  • Each bot has <= 10 followers and <= 31 friends.
  • The bots only choose ‘Twitter for Windows Phone’ as the source of their tweets.
  • The user IDs of the bots are confined to a narrow range between 1.5 × 10^9 and 1.6 × 10^9.
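
The listed features translate directly into a triage filter. The sketch below is an added example, not code from the paper or the researchers; the record layout and field names (`tweet_count`, `followers`, `friends`, `is_retweet`) are hypothetical, the sample accounts are constructed, and the check that tweet text is a Star Wars quotation is left out because it needs the novels' text.

```python
import re

# Thresholds taken from the feature list above.
ID_RANGE = (1_500_000_000, 1_600_000_000)
MAX_TWEETS, MAX_FOLLOWERS, MAX_FRIENDS = 11, 10, 31
SOURCE = "Twitter for Windows Phone"
MENTION = re.compile(r"(?<!\w)@\w+")  # also catches the "RT @user" retweet form


def failed_criteria(account):
    """Return the names of the listed features this account does NOT match."""
    tweets = account["tweets"]
    checks = {
        "id_range": ID_RANGE[0] <= account["id"] <= ID_RANGE[1],
        "tweet_count": account["tweet_count"] <= MAX_TWEETS,
        "followers": account["followers"] <= MAX_FOLLOWERS,
        "friends": account["friends"] <= MAX_FRIENDS,
        "source": all(t["source"] == SOURCE for t in tweets),
        "no_mentions_or_retweets": not any(
            t.get("is_retweet") or MENTION.search(t["text"]) for t in tweets
        ),
    }
    return [name for name, ok in checks.items() if not ok]


def is_candidate(account):
    # Require at least one sampled tweet so the per-tweet checks are not vacuous.
    return bool(account["tweets"]) and not failed_criteria(account)


# Constructed sample records (hypothetical layout, not real accounts).
SAMPLES = [
    {"id": 1_532_000_111, "tweet_count": 7, "followers": 3, "friends": 29,
     "tweets": [{"source": SOURCE,
                 "text": "There were only ten meters #separating them now. If he could cover t"}]},
    {"id": 1_544_000_222, "tweet_count": 9, "followers": 2, "friends": 12,
     "tweets": [{"source": SOURCE, "text": "@friend see you at the cinema tonight"}]},
    {"id": 812_345_678, "tweet_count": 4200, "followers": 350, "friends": 410,
     "tweets": [{"source": "Twitter Web Client", "text": "Lunch time."}]},
]

if __name__ == "__main__":
    for acct in SAMPLES:
        print(acct["id"], is_candidate(acct), failed_criteria(acct))
```

An account that passes every check is a candidate for review rather than a confirmed bot, since a small, quiet human account inside the same ID range can match the numeric thresholds.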

Echeverria and his fellow researchers have started a website and Twitter account called “That is a bot!” where people can report samples and help to raise awareness of how prevalent they are.

May The Force Be With You.


Why can’t Disney request the information of the Twitter Accounts and then issue Twitter a DMCA? It may be a copyright issue.


Seems like an old-fashioned code to me. The position of the “random” character(s) probably indicates a word or phrase to add to a transmission/reception. Put them all together in the correct order and a message is formed.

