Decentralized social networks can also fall victim to botnet-driven spam, as illustrated by a recent event on Bluesky. Earlier this month, a wave of posts with the message “remember to always vote Trump” appeared on Bluesky, posted by accounts featuring random names and default avatars.
Interestingly, the spam didn’t begin on Bluesky itself. It made its way to Bluesky via two other decentralized networks: Mastodon and Nostr. The botnet utilized “bridges”—pathways connecting these networks to enable interoperability.
Even though the spam incident took place on May 11, a detailed analysis from a data scientist was only published recently, drawing new attention to the event. According to the blog Conspirador Norteño, the accounts responsible for spamming Bluesky were created using the Nostr social networking protocol.
Nostr’s protocol is the backbone of apps like Damus and Nos among others. It is also favored by Twitter co-founder and former CEO Jack Dorsey due to its popularity with Bitcoin enthusiasts. Although Dorsey supported the project that eventually transformed into Bluesky during his tenure at Twitter, he has since left its board, stating in an interview that he believes the Bluesky team is repeating past mistakes made at Twitter. Nowadays, Dorsey frequently engages on Nostr, which he considers a more open protocol.
It might seem odd, but despite being decentralized, Nostr, Mastodon, and Bluesky don’t communicate with each other. Mastodon uses the ActivityPub protocol, which is being adopted by Meta for Instagram Threads and other platforms including Flipboard and the open-source Substack competitor, Ghost.
Bridges are built to carry posts from one network to another, but they have caused significant debate among users of decentralized social networks: some factions have clashed over how bridges should be built, while others question whether bridges should exist at all.
This incident serves as an example of the potential drawbacks of bridges, as the botnet cleverly used them to spam another network.
According to the attack analysis, the Nostr spam was initially sent to Mastodon using the bridge Momostr.pink. Another bridge, Bridgy Fed, then forwarded the content from Mastodon to Bluesky.
“Fingerprints of this process appear in the Bluesky versions of the posts, where the account handles have the format npub.momostr.pink.ap.brid.gy,” wrote conspirator0@newsie.social on Substack. “The first portion of this (from npub until the first dot) is the public key of the Nostr account, while the remainder (momostr.pink.ap.brid.gy) contains some hints about the tools used to bridge the posts (Momostr and Bridgy Fed).”
The botnet was able to repeatedly post the “vote Trump” messages until Bluesky took measures against the spam accounts. Although the data collection was incomplete because Bluesky began deleting accounts during the analysis, it seems that at least 228 accounts managed to post 470 times in just six hours. Approximately half of these posts were “vote Trump” messages, while the others posted “hello world” with a random adjective inserted between the two words.
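As an added illustration (not code from the article or from the cited analysis), the handle format quoted above and the two message templates can be turned into a simple triage rule for a moderation team: flag posts whose handle carries the Nostr-to-Momostr-to-Bridgy Fed suffix and whose text matches either campaign template. The sample posts and the npub values are constructed placeholders, and the regexes assume the exact handle suffix quoted in the analysis.

```python
import re
from collections import Counter

# Constructed sample of Bluesky posts in the shape the analysis describes:
# (handle, text). The npub values are placeholders, not real Nostr keys.
SAMPLE_POSTS = [
    ("npub1placeholderkey0001.momostr.pink.ap.brid.gy", "remember to always vote Trump"),
    ("npub1placeholderkey0002.momostr.pink.ap.brid.gy", "hello shiny world"),
    ("npub1placeholderkey0001.momostr.pink.ap.brid.gy", "remember to always vote Trump"),
    ("npub1placeholderkey0003.momostr.pink.ap.brid.gy", "hello quiet world"),
    ("alice.example.com", "hello world, first post here"),   # native, not bridged
    ("bob.bsky.social", "remember to always vote Trump"),    # same text, not bridged
]

# Handle shape quoted in the analysis: <npub...>.momostr.pink.ap.brid.gy
# First label = Nostr public key, remainder = the bridge chain (Momostr, Bridgy Fed).
BRIDGED_HANDLE = re.compile(
    r"^(?P<npub>npub1[a-z0-9]+)\.(?P<bridge>momostr\.pink\.ap\.brid\.gy)$"
)
# The two message templates seen in the incident ("hello <adjective> world").
CAMPAIGN_TEXT = re.compile(r"^(remember to always vote trump|hello \w+ world)$", re.I)


def parse_bridged_handle(handle):
    """Return (npub, bridge_chain) for a Momostr -> Bridgy Fed handle, else None."""
    m = BRIDGED_HANDLE.match(handle)
    if not m:
        return None
    return m.group("npub"), m.group("bridge")


def triage(posts):
    """Count posts and accounts that are both bridged from Nostr and match a template."""
    flagged = [(h, t) for h, t in posts
               if parse_bridged_handle(h) and CAMPAIGN_TEXT.match(t)]
    accounts = Counter(parse_bridged_handle(h)[0] for h, _ in flagged)
    return {
        "flagged_posts": len(flagged),
        "flagged_accounts": len(accounts),
        "top_posters": accounts.most_common(3),
    }
```

Native accounts posting the same slogan are deliberately left out of the count, so the rule isolates the bridged wave rather than policing the phrase itself.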
Bluesky swiftly countered the attack and removed the spam accounts. The company has not yet commented on whether it plans to change its approach to spam or bridges.
As noted by The Fediverse Report, this type of spam attack was feasible because Nostr makes it particularly easy to create new accounts. This incident once again raises questions about the nature of the fediverse, or decentralized social media. If you join Bluesky, are you implicitly agreeing to be part of a network that includes Nostr content? Does Bluesky’s network encompass Mastodon because of an existing bridge?
These are questions that remain unanswered for now.