this post was submitted on 08 Apr 2025
457 points (100.0% liked)


The attacker seems to be the admin of those two instances. Both instances have their registrations closed.

Edit: It is now open for both of them, or was already. I checked the Fediseer page for both instances and it still says that their registrations are closed.

Though it is suspicious that no captcha, email confirmation or manual approval is required for both of these instances. The admin of lemmy.doesnotexist.club seems to be inactive since their account creation yet this instance is still running. If the admin is the attacker, it could also be that they are the one behind the recent nicole spam.

https://gui.fediseer.com/instances/detail/chinese.lol

https://gui.fediseer.com/instances/detail/lemmy.doesnotexist.club

cross-posted from: https://hackertalks.com/post/8713785

The instances being used are

  • lemmy.doesnotexist.club
  • chinese.lol

Here is an example of the coordinated downvoting https://hackertalks.com/post/8692093

Of course it's a controversial user who got someone angry enough to automate downvoting @[email protected]

But you can see every post they make gets 53ish downvotes from these two instances, plus some organic ones after a few hours.

Current downvoting Accounts


An individual user airing their personal biases and manipulating lemmy isn't good for the community, regardless of how you feel about their target. This is a really bad thing (tm)

[–] [email protected] 73 points 1 month ago (1 children)

Can your detection method be automated and federated?

I'm asking because this is probably the thin end of the wedge and is likely to increase exponentially, especially since anyone can set up an instance and do whatever they like with it.

[–] [email protected] 30 points 1 month ago

Wdym. Do you mean how I found out that the attacker was the admin? Yeah sure, you definitely can automate that.
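One way to automate the check the post describes (a target's downvotes concentrated on a couple of instances, coming from accounts that do nothing else), as an added example that is not code from the thread or from Lemmy; the vote records, instance names and thresholds are constructed for illustration:

```python
from collections import defaultdict

# Constructed sample vote records (not real data): (voter, post_id, post_author, vote).
# Voter handles carry the instance after '@', as Lemmy handles do.
VOTES = [
    ("alice@example.social", "p1", "target@hackertalks.com", -1),
    ("bob@example.social", "p1", "target@hackertalks.com", 1),
    ("carol@example.social", "p2", "target@hackertalks.com", 1),
    ("dave@example.social", "p2", "other@example.social", -1),
]
# Constructed cluster: five accounts on each of two instances downvoting every post.
for i in range(5):
    for inst in ("bots-a.invalid", "bots-b.invalid"):
        for post in ("p1", "p2", "p3"):
            VOTES.append((f"acct{i}@{inst}", post, "target@hackertalks.com", -1))

def instance_of(handle):
    """Instance part of a user@instance handle."""
    return handle.split("@", 1)[1]

def downvote_share_by_instance(votes, author):
    """Fraction of the downvotes on one author's posts that each instance contributed."""
    counts = defaultdict(int)
    total = 0
    for voter, _post, post_author, vote in votes:
        if post_author == author and vote == -1:
            counts[instance_of(voter)] += 1
            total += 1
    return {inst: n / total for inst, n in counts.items()} if total else {}

def suspicious_instances(votes, author, share_threshold=0.4):
    """Instances supplying more than share_threshold of the author's downvotes."""
    shares = downvote_share_by_instance(votes, author)
    return sorted(inst for inst, s in shares.items() if s > share_threshold)

def lockstep_accounts(votes, author, min_posts=3):
    """Accounts that downvoted at least min_posts of the author's posts and did nothing else."""
    downvoted = defaultdict(set)      # voter -> author's posts it downvoted
    other_activity = defaultdict(int) # voter -> votes not aimed at the author
    for voter, post, post_author, vote in votes:
        if post_author == author and vote == -1:
            downvoted[voter].add(post)
        else:
            other_activity[voter] += 1
    return sorted(v for v, posts in downvoted.items()
                  if len(posts) >= min_posts and other_activity[v] == 0)

if __name__ == "__main__":
    print(suspicious_instances(VOTES, "target@hackertalks.com"))
    print(lockstep_accounts(VOTES, "target@hackertalks.com"))
```

An admin running this over a day's vote table gets the two instance names and the ten single-purpose accounts back, which is the same evidence the post assembled by hand.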

[–] [email protected] 65 points 1 month ago (8 children)

I know one of these instances.

Fuck you, Nicole!

[–] [email protected] 17 points 1 month ago (4 children)

What? She lied to us? 😱

[–] [email protected] 10 points 1 month ago

The Liar Who Spammed Me

[–] [email protected] 6 points 1 month ago

What? Your favorite spammer betrayed you? I'm soooo sowwy :3

[–] [email protected] 8 points 1 month ago (3 children)

Don't you besmirch my fediwife's good name!

[–] [email protected] 5 points 1 month ago

Stumblechat Room: HELL

[–] [email protected] 46 points 1 month ago (7 children)

Seems relatively painless to chop those two instances off - chinese.lol has less than 200 users, and I can't even find instance info for doesnotexist.club (coincidence? i think NOT).

I do personally wonder how difficult it is to spin up new instances though. How much effort would it be for them to create a new one and do it again?

I'm actually most concerned with the IP leaking of the fediverse chick posts - hopefully some progress has been made with the IP leaking in auto-loaded external media through DMs

[–] [email protected] 17 points 1 month ago

Some instances enable the image proxy, which should prevent this.

[–] [email protected] 5 points 1 month ago* (last edited 1 month ago)

I checked the images and so far every image I've encountered linked to the user's Lemmy instance's pictrs instance, none were hosted through a custom trackable image host.

[–] [email protected] 5 points 1 month ago (1 children)

How much effort would it be for them to create a new one and do it again?

Minimal, but it is the domain that gets blocked so the attacker would still need to purchase a new domain.

[–] [email protected] 45 points 1 month ago (2 children)

Warned about this 11 days ago. https://lemmy.world/post/27449126

This is still a weakness of the current federation model imo

[–] [email protected] 27 points 1 month ago (1 children)

The attacker seems to be the admin of those two instances. Both instances have their registrations closed.

The alternative theory would be that these instances had open registrations, but rightly closed registration down after the admins noticed the bots. chinese.lol is on 0.18.4 with an admin with a 2 year old account, lemmy.doesnotexist.club has an admin with a 1 year account, and it was also that instance that the 'nicole' person has used before. This downvote attack would need to be a long time in the planning for what you're suggesting to be true.

[–] [email protected] 11 points 1 month ago* (last edited 1 month ago) (2 children)

Upon inspecting the actual websites, the registrations seem to be actually open for both instances with no email confirmation, captcha or manual approval as one user pointed out. I checked the Fediseer page for these instances. What is the update delay for Fediseer?

[–] [email protected] 12 points 1 month ago (2 children)

What is the update delay for Fediseer?

I don't know. It's not something I'm familiar with - it might just default to saying 'closed' if it doesn't have the data.

It's interesting that the obvious bot accounts on those instances were set up in mid-March last year, so I'm guessing that these are somebody's army that they've used before, but overplayed their hand when they turned it on the DonaldJMusk person. The admins can reasonably be blamed for setting up instances with open registrations and no protections and then forgetting about them, but I'd be wary of blaming them for being behind the attack directly. The 'nicole' person is unlikely to have used their own instance - it's probably just someone with the same MO as whoever owns the bots, finding and exploiting vulnerable instances.

[–] [email protected] 11 points 1 month ago* (last edited 1 month ago)

Should be 12 hours, unless they explicitly prevent us from accessing their nodeinfo. Which now that I think about it, I should probably notify on.

[–] [email protected] 17 points 1 month ago* (last edited 1 month ago) (2 children)

We need public voting or this will only get worse. It's currently way too easy to manipulate everyone's feed.

[–] [email protected] 13 points 1 month ago* (last edited 1 month ago) (4 children)

Being able to disable downvoting is one of the best features Lemmy has and I wish more instances would do it.

Voting here doesn't influence your feed and downvoting largely serves to spread negativity. Turning it off has a negligible impact on usability and an undeniable advantage when people decide their feelings matter more than someone else's, like whatever this is.

We've de-federated from both the instances being used for manipulative voting.

[–] [email protected] 25 points 1 month ago (4 children)

I disagree. Downvoting is essential for Lemmy. I often disagree with something and it's right to have a democratic vote on topics.

[–] [email protected] 17 points 1 month ago (1 children)

Also helps identify trolls and bad actors at a glance if you don't already have them tagged as such.

[–] [email protected] 8 points 1 month ago

You shouldn't downvote just because you disagree. You should vote based on whether it's productive content.

[–] [email protected] 7 points 1 month ago

That's fine, but removing downvoting doesn't prevent the discussion. It curbs drive-by negativity which is a good thing IMO.

Obviously everyone is free to disagree with things. It should be more than absentmindedly hitting a down arrow though. Others obviously feel differently. Thankfully both exist on Lemmy.

[–] [email protected] 6 points 1 month ago

How is downvoting essential? It doesn’t do shit.

[–] [email protected] 24 points 1 month ago (1 children)

Voting here doesn't influence your feed

It does when you use sorting algorithms that depend on it.

[–] [email protected] 6 points 1 month ago

Not with downvotes disabled 😉

[–] [email protected] 11 points 1 month ago (1 children)

I want to see it per-community. We use voting for actual decision making in my instance, so we can't disable it instance-wide.

[–] [email protected] 3 points 1 month ago

That would be a useful feature. Maybe something to roll out alongside private communities and things coming in the future.

[–] [email protected] 5 points 1 month ago

I fully disagree, in your scenario people wouldn't realize how fucktastically bad your idea is

Look at what removing downvotes did to youtube, you seriously want that here?

[–] [email protected] 11 points 1 month ago (5 children)

Beats me what anybody would get out of vote manipulation on lemmy - there are no sponsors, no money involved AFAIK. What's the payoff, upvotes?

[–] [email protected] 5 points 1 month ago

Pettiness. I guess some people suffer from such extreme grass deficiency that they'll go through all the trouble of setting up bots to do fully automated luxury harassment instead of small-batch hand-raised harassment.

[–] [email protected] 3 points 1 month ago

Winning the hearts and minds in a propaganda / information war at relatively low cost

[–] [email protected] 9 points 1 month ago

Edit: It is now open for both of them, or was already. I checked the Fediseer page for both instances and it still says that their registrations are closed.

Fediseer doesn't check constantly btw.
