The purpose is not fully clear, but the account names suggest that the operators hope for STEEM/SBD bids or transfers accidentally going to these accounts. Given the follow-operations, it could additionally be another approach to gain lots of followers for a resteem service.
While transferring we get suggestions to select recipient from our follow list. So, one may not notice they are sending money to the lookalike bid bot/exchange account. This bot net is hoping for this mistake.
good point on the suggestions from the follow list, this could explain that part! Thanks for the hint! Even more important then to the them into the Condenser BadActorsList...
There seems little doubt that this is a botnet that needs shutting down, and hopefully your work can be fed into bad actor / irredeemable lists.
If it's not cheeky enough to try to extract rewards with out participation using the initial SP given to a new Steem account, they are also trying to cash-in on wallet transfer mistakes to common accounts.
Hopefully a case of well done, nice try, and goodbye!
Cheers
Asher
Your contribution has been evaluated (and is my first review!) according to Utopian policies and guidelines, as well as a predefined set of questions pertaining to the category.
To view those questions and the relevant answers related to your post, click here.
Are those accounts also active in terms of upvoting? I mean what extra profit could they earn if they all upvote one person/account?
Those accounts are included in the active accounts. So while we all think there are about 150k active accounts, the real number could be much lower.
I really don't understand how those accounts could be approved by Steemit Inc? They probably have this very badly automated?
And my first suspicion is that those accounts belong to one or only a few persons. How does this person solve the fact that you need a phone number per registration?
Are those accounts also active in terms of upvoting? I mean what extra profit could they earn if they all upvote one person/account?
They are active in voting. It would be interesting to see what they vote on. I didn't look into that. I personally noticed them on #utopian-io posts, but looking into their voting history shows a lot of other categories as well. In total they have close to 7k SP at hands, currently worth around 0.50$ per vote.
Those accounts are included in the active accounts. So while we all think there are about 150k active accounts, the real number could be much lower.
I also think that the "real" number of active accounts is considerably lower, but analyzing this on a large scale is difficult.
I have no idea how it was possible to register so many account in such a small time range. Getting one or a couple of temporary phone numbers is no problem, but hundreds?
There are internet phone apps that assign phone numbers not permanently connected to an account, so you can send text messages and make calls without a phone. I'd wager that's how they got so many fake numbers.
But seriously, isn't the point of the lengthy sign up to prevent scammy accounts? :/
Thank you for all this work you did!!
yeah, I guess this would be detected. But as soon as you have manual steps in your product it's hard to scale... I guess Steemit simply accepts this as a trade-off for automation and convenience for the users...
I could imagine getting a couple of phone numbers like this, but hundreds is a different league. That would need a provider with appropriate API to register batches of numbers on demand. I have no idea what's available on the market, so maybe this is even possible?
Recently, I saw the post on Golos.io (the Russian fork of Steem) about the consequences of one vulnerability, which allows you to register accounts directly to the blockchain, bypassing any checks of phone numbers or e-mail. https://golos.io/ru--golos/@investigator/s-golos-io-vsyo-v-proyadke - the article is in Russian.
In short: User with nickname worthless-man has spammed the network with millions of new registrations in just a few days. According to him, in such a creative way he is trying to show Golos developers the hidden bugs and vulnerabilities of the blockchain. From June 2018 (What a coincidence!) user with the same nickname is on Steemit.
And since the Golos is a fork of Steemit, it would be nice to make sure that we do not have the same vulnerability.
Oh, that's very interesting, thanks for the information! I tried the Golos signup a few weeks ago and it looked quite different from the Steemit one, but maybe under the hood there's still the same code? That could indeed explain things, but I guess without Steemit internal data or official statements this cannot be confirmed for Steem...
Steem should block all those accounts, send them a private memo explaining why, and how to contact steem via the email, then request a phone number from the individual and let them know they will receive a call back with in 48 hours of receiving their phone number. They are not likely to have 460 phones, and are unlikely to receive phone numbers for verification purposes from the scam listers. Inform them that failure to comply will result in account being terminated. Problem solved, 3 people 3 days of work.
naa, that's not going to work that easy ;) There is no way to block an account. And that's a central feature of Steem, not a bug. Once an account is created, there is no control option from Steemit. The accounts should not have been created in the first place, but I guess Steemit is taking a trade-off between approval effort/checks and user perception. Human users waiting long for an account or having to undergo complex verification procedures may limit the growth more than the damage from some others gaming the system. But I'm only speculating here, I have no insights on the account creation/ user verification process.
It is a double edged sword, damned if you do, damned if you don't. I guess the only way to solve the issue is for @adm to downvote each and everyone of them into oblivion like they did bernie to minus 16, those that complain can be called real accounts and be removed from oblivion if they verify with a phone number. Of course being -16Rep didn't really hurt bernie much.
...but you can downvote only those accounts who post. And even then the reputation only controls the visibility in condenser, not the existence or the votes/posts/funds/curation rewards of those accounts...
Which is why the down vote should be to the voter, not the person receiving the vote. A person should be able to click on the voter and the down vote remove the excessive reward gave, not remove a portion or all of the votes given. We know who gives he vote, we know what account the vote is from, so why the resistance to change code to down vote the vote owner?
While transferring we get suggestions to select recipient from our follow list. So, one may not notice they are sending money to the lookalike bid bot/exchange account. This bot net is hoping for this mistake.
This is a good point, thanks for the comment :)
good point on the suggestions from the follow list, this could explain that part! Thanks for the hint! Even more important then to the them into the Condenser BadActorsList...
Hey @reazuliqbal
Here's a tip for your valuable feedback! @Utopian-io loves and incentivises informative comments.
Contributing on Utopian
Learn how to contribute on our website.
Want to chat? Join us on Discord https://discord.gg/h52nFrV.
Vote for Utopian Witness!
Fine work inspector @crokkon :)
There seems little doubt that this is a botnet that needs shutting down, and hopefully your work can be fed into bad actor / irredeemable lists.
If it's not cheeky enough to try to extract rewards with out participation using the initial SP given to a new Steem account, they are also trying to cash-in on wallet transfer mistakes to common accounts.
Hopefully a case of well done, nice try, and goodbye!
Cheers
Asher
Your contribution has been evaluated (and is my first review!) according to Utopian policies and guidelines, as well as a predefined set of questions pertaining to the category.
To view those questions and the relevant answers related to your post, click here.
Need help? Write a ticket on https://support.utopian.io/.
Chat with us on Discord.
[utopian-moderator]
Hey @crokkon
Thanks for contributing on Utopian.
We’re already looking forward to your next contribution!
Want to chat? Join us on Discord https://discord.gg/h52nFrV.
Vote for Utopian Witness!
Are those accounts also active in terms of upvoting? I mean what extra profit could they earn if they all upvote one person/account?
Those accounts are included in the active accounts. So while we all think there are about 150k active accounts, the real number could be much lower.
I really don't understand how those accounts could be approved by Steemit Inc? They probably have this very badly automated?
And my first suspicion is that those accounts belong to one or only a few persons. How does this person solve the fact that you need a phone number per registration?
They are active in voting. It would be interesting to see what they vote on. I didn't look into that. I personally noticed them on #utopian-io posts, but looking into their voting history shows a lot of other categories as well. In total they have close to 7k SP at hands, currently worth around 0.50$ per vote.
I also think that the "real" number of active accounts is considerably lower, but analyzing this on a large scale is difficult.
I have no idea how it was possible to register so many account in such a small time range. Getting one or a couple of temporary phone numbers is no problem, but hundreds?
There are internet phone apps that assign phone numbers not permanently connected to an account, so you can send text messages and make calls without a phone. I'd wager that's how they got so many fake numbers.
But seriously, isn't the point of the lengthy sign up to prevent scammy accounts? :/
Thank you for all this work you did!!
But if someone would check the sign up names manually you could easily detect this kind of scammers.
yeah, I guess this would be detected. But as soon as you have manual steps in your product it's hard to scale... I guess Steemit simply accepts this as a trade-off for automation and convenience for the users...
Guess so about the trade off. If you ask me it's a bad thing. Things like this prevent it from becoming mainstream.
I think Steemit Inc could easily find volunteers for this job. Or perhaps they can be rewarded with upvotes from the Steemit accounts....?
I could imagine getting a couple of phone numbers like this, but hundreds is a different league. That would need a provider with appropriate API to register batches of numbers on demand. I have no idea what's available on the market, so maybe this is even possible?
Upvoting Utopian.io could be a very good idea for getting high curation rewards. Higher then the $0.50 from self upvoting.
I noticed lbocktrades as one. Not sure if it is in your list .
yes, it's in the list. Thanks!
Recently, I saw the post on Golos.io (the Russian fork of Steem) about the consequences of one vulnerability, which allows you to register accounts directly to the blockchain, bypassing any checks of phone numbers or e-mail. https://golos.io/ru--golos/@investigator/s-golos-io-vsyo-v-proyadke - the article is in Russian.
In short: User with nickname worthless-man has spammed the network with millions of new registrations in just a few days. According to him, in such a creative way he is trying to show Golos developers the hidden bugs and vulnerabilities of the blockchain. From June 2018 (What a coincidence!) user with the same nickname is on Steemit.
And since the Golos is a fork of Steemit, it would be nice to make sure that we do not have the same vulnerability.
Oh, that's very interesting, thanks for the information! I tried the Golos signup a few weeks ago and it looked quite different from the Steemit one, but maybe under the hood there's still the same code? That could indeed explain things, but I guess without Steemit internal data or official statements this cannot be confirmed for Steem...
Steem should block all those accounts, send them a private memo explaining why, and how to contact steem via the email, then request a phone number from the individual and let them know they will receive a call back with in 48 hours of receiving their phone number. They are not likely to have 460 phones, and are unlikely to receive phone numbers for verification purposes from the scam listers. Inform them that failure to comply will result in account being terminated. Problem solved, 3 people 3 days of work.
naa, that's not going to work that easy ;) There is no way to block an account. And that's a central feature of Steem, not a bug. Once an account is created, there is no control option from Steemit. The accounts should not have been created in the first place, but I guess Steemit is taking a trade-off between approval effort/checks and user perception. Human users waiting long for an account or having to undergo complex verification procedures may limit the growth more than the damage from some others gaming the system. But I'm only speculating here, I have no insights on the account creation/ user verification process.
It is a double edged sword, damned if you do, damned if you don't. I guess the only way to solve the issue is for @adm to downvote each and everyone of them into oblivion like they did bernie to minus 16, those that complain can be called real accounts and be removed from oblivion if they verify with a phone number. Of course being -16Rep didn't really hurt bernie much.
...but you can downvote only those accounts who post. And even then the reputation only controls the visibility in condenser, not the existence or the votes/posts/funds/curation rewards of those accounts...
Which is why the down vote should be to the voter, not the person receiving the vote. A person should be able to click on the voter and the down vote remove the excessive reward gave, not remove a portion or all of the votes given. We know who gives he vote, we know what account the vote is from, so why the resistance to change code to down vote the vote owner?
please stop auto voting my comments with curx
Good work. It seems to be a profitable way to gain a lot of steem power. Some big players might be behind this.
Thanks for warning