The “vote Trump” spam that hit Bluesky in May came from its decentralized rival Nostr

Decentralized social networks are not immune to botnet-generated spam, as demonstrated by a recent spam attack against Bluesky. Earlier this month, a flood of messages saying “remember to always vote Trump” appeared on the Bluesky network, posted by accounts with random names and default avatars.

The spam, however, did not originate on Bluesky. Instead, it reached Bluesky by first crossing two other decentralized networks, Mastodon and Nostr. To do this, the botnet exploited “bridges,” the connections built between networks to make them interoperable.

Although the spam attack took place on May 11, a post-mortem published only a few days ago by a data scientist has drawn renewed attention to the event. As the blog Conspirador Norteño explains, the accounts that spammed Bluesky were created through the social networking protocol Nostr.

The Nostr protocol powers applications like Damus, Nostur, Nos and others. It is also currently the network of choice for Twitter co-founder and former CEO Jack Dorsey due to its popularity among Bitcoin users. On Twitter, however, Dorsey had supported the project that later became the decentralized social networking startup Bluesky. He has since left its board, saying he believes the Bluesky team is now repeating the same mistakes he and others made at Twitter. Dorsey now regularly engages with Nostr, which he considers a more open protocol.

This may seem strange, but even though Nostr and platforms like Mastodon and Bluesky are all decentralized networks, they don’t actually communicate with each other. Mastodon uses the ActivityPub protocol, which has also been adopted by Meta for Instagram Threads and by other apps and services, including Flipboard and Ghost, the open source Substack rival.

To allow messages from one network to pass to another, bridges are built. It’s already a point of contention among some decentralized social media users, with different groups arguing over how bridges should be built while others question whether bridges should even exist in the first place.

The latter group could now cite this recent event as an example of the downsides of bridges, as the botnet cleverly exploited bridges to spam another network.

According to the analysis of the attack, the Nostr spam was first relayed to Mastodon via the Momostr.pink bridge. A second bridge, Bridgy Fed, then forwarded the Mastodon content to Bluesky.

“Fingerprints of this process appear in Bluesky versions of posts, where account IDs have the format npub.momostr.pink.ap.brid.gy,” conspirator0@newsie.social wrote on Substack. “The first part (from npub to the first dot) is the public key of the Nostr account, while the rest (momostr.pink.ap.brid.gy) contains some indications as to the tools used to link the publications (Momostr and Bridgy Fed).”

The botnet was able to post “vote Trump” spam continuously until Bluesky took action against the spam accounts. The dataset was incomplete because Bluesky began deleting accounts while the data was being collected. Yet from what was collected, it appears that at least 228 accounts managed to post 470 times in just six hours. About half of the posts were “vote Trump” messages, while the rest read “hello everyone” with a random adjective sandwiched between the two words.
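The handle fingerprint quoted above and the two message templates described in this paragraph can be turned into a simple detector for bridged spam. This is an added example, not code from the article or from the Conspirador Norteño analysis; the sample posts and npub values are constructed, and the exact spam phrasings are assumed from the article's quotes.

```python
import re
from collections import Counter

# Handle suffix that, per the analysis, Momostr (Nostr -> ActivityPub) and
# Bridgy Fed (ActivityPub -> Bluesky) stamp onto bridged accounts.
BRIDGE_SUFFIX = ".momostr.pink.ap.brid.gy"
# A Nostr npub is bech32: "npub1" prefix + 52 data chars + 6 checksum chars.
# The character class is the bech32 alphabet (no 1, b, i, o). Shape only;
# the checksum is not verified here.
NPUB_RE = re.compile(r"^npub1[02-9ac-hj-np-z]{58}$")
# Message templates reported in the article (exact wording is assumed).
SPAM_TEXT_RE = re.compile(r"^(remember to always vote trump|hello \w+ everyone)$", re.I)


def bridged_nostr_pubkey(handle):
    """Return the npub embedded in a Bluesky handle if the handle carries the
    Momostr/Bridgy Fed fingerprint, otherwise None."""
    handle = handle.lower().rstrip(".")
    if not handle.endswith(BRIDGE_SUFFIX):
        return None
    local = handle[: -len(BRIDGE_SUFFIX)]
    return local if NPUB_RE.match(local) else None


def summarize_bridged_spam(posts):
    """posts: iterable of (handle, text). Count posts whose author is a
    bridged Nostr account and whose text matches a spam template, grouped by
    the originating Nostr public key."""
    by_key = Counter()
    for handle, text in posts:
        npub = bridged_nostr_pubkey(handle)
        if npub and SPAM_TEXT_RE.match(text.strip()):
            by_key[npub] += 1
    return {"accounts": len(by_key), "posts": sum(by_key.values()), "by_key": by_key}


# Constructed sample data (not real handles or keys): npubs are filled with a
# rotated bech32 alphabet so they pass the shape check only.
ALPHABET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def fake_npub(i):
    return "npub1" + ((ALPHABET[i % 32:] + ALPHABET[:i % 32]) * 2)[:58]


SAMPLE_POSTS = [
    (fake_npub(0) + BRIDGE_SUFFIX, "remember to always vote Trump"),
    (fake_npub(1) + BRIDGE_SUFFIX, "hello wonderful everyone"),
    (fake_npub(0) + BRIDGE_SUFFIX, "remember to always vote Trump"),
    ("alice.bsky.social", "remember to always vote Trump"),     # native account, not bridged
    (fake_npub(2) + BRIDGE_SUFFIX, "lunch photos"),              # bridged, but not a spam template
    ("notanpub.momostr.pink.ap.brid.gy", "hello big everyone"),  # bridge suffix, malformed npub
]

if __name__ == "__main__":
    print(summarize_bridged_spam(SAMPLE_POSTS))
```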

Bluesky mitigated the attack fairly quickly and removed the spam accounts. The company has not yet responded to requests for comment on whether it would change its approach to spam or bridging.

As The Fediverse Report site points out, this type of spam attack was possible because Nostr makes it particularly easy to create new accounts. The incident once again raises the question of what the fediverse – that is, decentralized social media – actually is. If you join Bluesky, do you agree to be part of a network that includes Nostr content? Does the Bluesky network include Mastodon because a bridge was built?

These are questions that do not yet have solid answers.

techcrunch