Decentralized network Bluesky targeted by botnet-driven spam originating on Mastodon
Decentralized social networks, including Bluesky, have recently been targeted by a botnet-driven spam attack. On May 11, Bluesky was inundated with posts stating "remember to always vote Trump," posted via accounts with random names and default avatars. The spam originated not from Bluesky itself but from two other decentralized networks, namely Mastodon and Nostr. This cross-network attack was facilitated through the use of "bridges," pathways that enable interaction between different networks.
Nostr protocol identified as spam source
The spam messages that flooded Bluesky were traced back to accounts created on the Nostr social networking protocol, according to a postmortem analysis by a data scientist. This protocol powers apps such as Damus, Nostur, Nos, and others. It is particularly popular among Bitcoin users, including X co-founder and former CEO Jack Dorsey. Although Nostr, Mastodon, and Bluesky are all decentralized networks, they do not directly communicate with each other.
'Bridges' facilitate cross-network communication
To enable communication between these decentralized networks, pathways known as "bridges" are constructed. Mastodon, for instance, uses the ActivityPub protocol, which is now also being adopted by Meta in Threads, by Flipboard, and by Ghost, the open-source Substack rival. The use of bridges, however, has been a contentious issue among users of decentralized social networks. The spam attack on Bluesky is an example of how botnets can exploit these bridges to spam other networks.
Spam attack pathway and Bluesky's response
The Nostr spam was initially sent to Mastodon via the bridge Momostr.pink, before another bridge, Bridgy Fed, relayed the content from Mastodon to Bluesky. "Fingerprints of this process appear in the Bluesky versions of the posts," noted conspirator0@newsie.social on Substack. The botnet continued to post "vote Trump" spam until Bluesky intervened. Data collected prior to account removals indicates that a minimum of 228 accounts managed to post 470 times within six hours, half of which were "vote Trump" messages.