this post was submitted on 08 Apr 2025

455 points (99.3% liked)

Fediverse

33639 readers

118 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to !moderators@lemmy.world!

Rules

Posts must be on topic.
Be respectful of others.
Cite the sources used for graphs and other statistics.
Follow the general Lemmy.world rules.

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration)

founded 2 years ago

MODERATORS

ruud@lemmy.world

Xylinna@lemmy.world

MrCenny@lemmy.world

TragicNotCute@lemmy.world

automodbeta@lemmy.world

woelkchen@lemmy.world

455

2 Instances are being used for coordinated vote manipulation, and should be defederated. chinese.lol lemmy.doesnotexist.club (lemmy.asudox.dev)

submitted 1 month ago* (last edited 1 month ago) by asudox@lemmy.asudox.dev to c/fediverse@lemmy.world

64 comments fedilink hide all child comments

The attacker seems to be the admin of those two instances. Both instances have their registrations closed.

Edit: It is now open for both of them, or was already. I checked the Fediseer page for both instances and it still says that their registrations are closed.

Though it is suspicious that no captcha, email confirmation or manual approval is required for both of these instances. The admin of lemmy.doesnotexist.club seems to be inactive since their account creation yet this instance is still running. If the admin is the attacker, it could also be that they are the one behind the recent nicole spam.

https://gui.fediseer.com/instances/detail/chinese.lol

https://gui.fediseer.com/instances/detail/lemmy.doesnotexist.club

cross-posted from: https://hackertalks.com/post/8713785

The instances being used are

lemmy.doesnotexist.club

chinese.lol

Here is an example of the coordinated downvoting https://hackertalks.com/post/8692093

Of course its a controversial user who got someone angry enough to automated downvoting @DonaldJMusk@lemmy.today

But you can see every post they make gets 53ish downvotes from these two instances, plus some organic ones after a few hours.

Current downvoting Accounts
bot-list
LightIsland@chinese.lol MagnificentRow@chinese.lol FondKnowledge@chinese.lol SillyTowel95@chinese.lol HelplessDear@chinese.lol SomberBrain@chinese.lol InexperiencedCloset@chinese.lol NecessaryPerson11@chinese.lol ClosedEmployment@chinese.lol CoarseHair420@chinese.lol BurlyChampionship49@chinese.lol ZigzagNatural@chinese.lol QuestionableDirt@chinese.lol ProudDeparture@lemmy.doesnotexist.club JoyousDouble@chinese.lol UnitedPatience@chinese.lol MajesticArea@lemmy.doesnotexist.club SinfulConference@chinese.lol MoralDivide96@chinese.lol LeadingCarry65@chinese.lol FrillyOpinion38@lemmy.doesnotexist.club LimitedDiscount49@lemmy.doesnotexist.club ForkedScreen@chinese.lol MediumChemistry13@chinese.lol xXxLawfulGrassxXx@lemmy.doesnotexist.club VisibleSentence@chinese.lol AcidicLawyer90@lemmy.doesnotexist.club PriceySink14@lemmy.doesnotexist.club ExcellentBeach@chinese.lol VivaciousNews@lemmy.doesnotexist.club LankyIndependent32@lemmy.doesnotexist.club SpeedyFault@chinese.lol ConcreteHall89@lemmy.doesnotexist.club WorthyPoint12@lemmy.doesnotexist.club SurprisedAdult99@chinese.lol FlashyCrack@lemmy.doesnotexist.club MasculineBeing@chinese.lol RichWeird@lemmy.doesnotexist.club DryCash97@lemmy.doesnotexist.club AuthorizedChair@chinese.lol SlimKiss@lemmy.doesnotexist.club AromaticRoof78@lemmy.doesnotexist.club BewitchedInterview@lemmy.doesnotexist.club ImaginaryDraw@lemmy.doesnotexist.club PertinentGround@chinese.lol SinfulAssumption@lemmy.doesnotexist.club AwkwardAnybody30@lemmy.doesnotexist.club UnwillingRestaurant@lemmy.doesnotexist.club InsubstantialOven@lemmy.doesnotexist.club

A individual user airing their personal biases and manipulating lemmy isn't good for the community, regardless of how you feel about their target. This is a really bad thing (tm)

(page 2) 26 comments

sorted by: hot top controversial new old

[–] db0@lemmy.dbzer0.com 9 points 1 month ago

Edit: It is now open for both of them, or was already. I checked the Fediseer page for both instances and it still says that their registrations are closed.

Fediseer doesn't check constantly btw.

[–] asudox@lemmy.asudox.dev 5 points 1 month ago

@TomMonkeyMan@chinese.lol @yassinsiouda@lemmy.doesnotexist.club

[–] FrostyTrichs@crazypeople.online -4 points 1 month ago* (last edited 1 month ago) (13 children)

Being able to disable downvoting is one of the best features Lemmy has and I wish more instances would do it.

Voting here doesn't influence your feed and downvoting largely serves to spread negativity. Turning it off has a negligible impact on usability and an undeniable advantage when people decide their feelings matter more than someone else's, like whatever this is.

We've de-federated from both the instances being used for manipulative voting.

[–] db0@lemmy.dbzer0.com 12 points 1 month ago (1 children)

I want to see it per-community. We use voting for actually decision making in my instance, so we can't disable it instance-wide.

load more comments (1 replies)

[–] asudox@lemmy.asudox.dev 25 points 1 month ago (1 children)

Voting here doesn't influence your feed

It does when you use sorting algorithms that depend on it.

load more comments (11 replies)

[–] Grimy@lemmy.world 13 points 1 month ago* (last edited 1 month ago) (2 children)

We need public voting or this will only get worse. It's currently way too easy to manipulate everyone's feed.

load more comments (2 replies)

[–] kingofras@lemmy.world 44 points 1 month ago (1 children)

Warned about this 11 days ago. https://lemmy.world/post/27449126

This is still a weakness of the current federation model imo

[+] LandedGentry@lemmy.zip -5 points 1 month ago* (last edited 1 month ago) (1 children)

[deleted]

[–] asudox@lemmy.asudox.dev 20 points 1 month ago* (last edited 1 month ago) (2 children)

The bots are from those two instances as you can see in the screenshot. Furthermore, lemmy.doesnotexist.club has had dozens of bots since at least 2023 (2 years after domain creation. found via the web archive). Since at least 2023, the admin hasn't been doing anything, or even interacting with anyone. That account seems pretty much dead. But they keep hosting the instance for some reason. It is also a possibility that someone else indeed is using these two instances because they are "abandoned", but it is highly likely that it is the admin. It is very suspicious that the registrations have been open unguarded against bots since at least 2023. These two instances have been invaded with bots long ago, so defederation is still the right thing to do.

I also don't want to jump to conclusions, but I think the chances are pretty high that it indeed is the admin. It might lead us to whoever is behind the recent nicole spam.

load more comments (1 replies)

[–] LemUrun@pawb.social 62 points 1 month ago (11 children)

I know one of these instances.

Fuck you, Nicole!

[–] BossDj@lemm.ee 3 points 1 month ago (4 children)

What app are you using?

load more comments (4 replies)

[–] Sammy@lemmy.dbzer0.com 4 points 1 month ago

Stumblechat Room: HELL

[–] Kecessa@sh.itjust.works 15 points 1 month ago (4 children)

What? She lied to us? 😱

[–] cheese_greater@lemmy.world 10 points 1 month ago

The Liar Who Spammed Me

[–] LemUrun@pawb.social 2 points 1 month ago

What? Your favorite spammer betrayed you? I'm soooo sowwy :3

load more comments (2 replies)

load more comments (8 replies)

[–] freamon@preferred.social 27 points 1 month ago (1 children)

The attacker seems to be the admin of those two instances. Both instances have their registrations closed.

The alternative theory would be that these instances had open registrations, but rightly closed registration down after the admins noticed the bots. chinese.lol is on 0.18.4 with an admin with a 2 year old account, lemmy.doesnotexist.club has an admin with a 1 year account, and it was also that instance that the 'nicole' person has used before. This downvote attack would need to be a long time in the planning for what you're suggesting to be true.

[–] asudox@lemmy.asudox.dev 12 points 1 month ago* (last edited 1 month ago) (2 children)

Upon inspecting the actual websites, the registrations seem to be actually open for both instances with no email confirmation, captcha or manual approval as one user pointed out. I checked the Fediseer page for these instances. What is the update delay for Fediseer?

[–] freamon@preferred.social 11 points 1 month ago (1 children)

What is the update delay for Fediseer?

I don't know. It's not something I'm familiar with - it might just default to saying 'closed' if it doesn't have the data.

It's interesting that the obvious bot accounts on those instances were set up in mid-March last year, so I'm guessing that these are somebody's army that they've used before, but overplayed their hand when they turned it on the DonaldJMusk person. The admins can reasonably be blamed for setting up instances with open registrations and no protections and then forgetting about them, but I'd be wary of blaming them for being behind the attack directly. The 'nicole' person is unlikely to have used their own instance - it's probably just someone with the same MO as whoever owns the bots, finding and exploiting vulnerable instances.

[–] asudox@lemmy.asudox.dev 2 points 1 month ago* (last edited 1 month ago) (1 children)

it might just default to saying 'closed' if it doesn't have the data.

Nope. Fediseer displays unknown fields as N/A.

The admins can reasonably be blamed for setting up instances with open registrations and no protections and then forgetting about them

No, I don't think they forgot. Would you forget about something you regularly pay for?

load more comments (1 replies)

[–] vk6flab@lemmy.radio 74 points 1 month ago (1 children)

Can your detection method be automated and federated?

I'm asking because this is probably the thin end of the wedge and is likely to increase exponentially, especially since anyone can set up an instance and do whatever they like with it.

[–] asudox@lemmy.asudox.dev 31 points 1 month ago

Wdym. Do you mean how I found out that the attacker was the admin? Yeah sure, you definitely can automate that.

load more comments