Decentralized social networks aren’t immune to botnet-driven spam, as a recent spam attack on Bluesky demonstrates. Earlier this month, a flood of posts reading “remember to always vote Trump” showed up on Bluesky’s network posted by accounts with random names and default avatars.
The spam didn’t originate on Bluesky, though. Instead, it reached Bluesky by first crossing over two other decentralized networks: Mastodon and Nostr. To do so, the botnet leveraged “bridges,” or pathways built between the networks that make them interoperable.
Though the spam attack occurred on May 11, a postmortem by a data scientist was only published a few days ago, bringing the event increased attention. As the blog Conspirador Norteño explains, the accounts that spammed Bluesky had been created via the social networking protocol Nostr.
Nostr’s protocol powers apps like Damus, Nostur, Nos and others. It is also currently the network of choice for Twitter co-founder and former CEO Jack Dorsey because of its popularity with Bitcoin users. At Twitter, however, Dorsey had backed the project that later spun out to become the decentralized social networking startup Bluesky. But he has since left its board, saying he thinks the Bluesky team is now repeating the same mistakes he and others made at Twitter. Dorsey today regularly engages on Nostr, which he finds to be a more open protocol.
It may seem strange, but even though Nostr and platforms like Mastodon and Bluesky are all decentralized networks, they don’t actually talk to one another. Mastodon uses the ActivityPub protocol, which is now also being adopted by Meta in Instagram Threads, and by other apps and services including Flipboard and open-source Substack rival Ghost.
To allow posts from one network to pass through to another, bridges are being built. Already, that’s been a point of contention between some decentralized social networking users as different groups have argued about how the bridges should be built while others question whether bridges should even exist in the first place.
The latter group could now point to this recent event as an example of the downsides of bridges, as the botnet smartly leveraged bridges to spam another network.
According to the analysis of the attack, the Nostr spam was sent first to Mastodon via the bridge Momostr.pink. Then, another bridge called Bridgy Fed sent the content from Mastodon to Bluesky.
“Fingerprints of this process appear in the Bluesky versions of the posts, where the account handles have the format npub.momostr.pink.ap.brid.gy,” wrote conspirator0@newsie.social on Substack. “The first portion of this (from npub until the first dot) is the public key of the Nostr account, while the remainder (momostr.pink.ap.brid.gy) contains some indications as to the tools used to bridge the posts (Momostr and Bridgy Fed).”
The botnet was able to post the “vote Trump” spam continuously until Bluesky took action against the spam accounts. The dataset for analysis was incomplete because Bluesky began removing accounts while the data was being gathered. Still, from what was collected, it seems that at least 228 accounts managed to post 470 times in a matter of just six hours. Around half of those were “vote Trump” posts, while the others posted “hello world” with a random adjective sandwiched between the two words.
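The handle format quoted above is itself a useful detection signal: a Bluesky moderator can recover from a handle alone which bridges a post crossed and, for Nostr-origin accounts, the Nostr public key. The following is an added example, not code from the article, from Conspirador Norteño, or from the Momostr or Bridgy Fed projects. It parses handles into a provenance record using only the structure the article describes (an `npub…` key, then `momostr.pink`, then `ap.brid.gy`), then runs a simple burst heuristic over a constructed set of posts: many distinct accounts sharing one bridge chain inside one time window. The suffix constants, the threshold of 50 accounts per six-hour window, and every sample handle and post are assumptions made for the illustration.

```python
"""Attribute Bluesky handles to their bridge chain and flag bursty bridged activity.

Added example. The handle layout (npub key . momostr.pink . ap.brid.gy) follows
the article; the labels, thresholds and sample data below are constructed here.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Assumed suffixes, taken from the handle format quoted in the article.
BRIDGY_FED_SUFFIX = ".ap.brid.gy"   # Bridgy Fed: ActivityPub -> Bluesky
MOMOSTR_SUFFIX = ".momostr.pink"    # Momostr: Nostr -> ActivityPub
EPOCH = datetime(1970, 1, 1)


@dataclass(frozen=True)
class Provenance:
    handle: str
    origin: str                  # "bluesky", "activitypub" or "nostr"
    chain: Tuple[str, ...]       # bridges crossed, in traversal order
    nostr_pubkey: Optional[str]  # the npub portion, when the origin is Nostr


def parse_handle(handle: str) -> Provenance:
    """Peel bridge suffixes off a Bluesky handle, outermost first."""
    h = handle.strip().lstrip("@").lower()
    crossed = []
    rest = h
    if not rest.endswith(BRIDGY_FED_SUFFIX):
        return Provenance(h, "bluesky", (), None)
    crossed.append("bridgy-fed")
    rest = rest[: -len(BRIDGY_FED_SUFFIX)]       # now an ActivityPub identity
    if not rest.endswith(MOMOSTR_SUFFIX):
        return Provenance(h, "activitypub", tuple(reversed(crossed)), None)
    crossed.append("momostr")
    rest = rest[: -len(MOMOSTR_SUFFIX)]          # now the Nostr-side name
    # Per the article: from "npub" until the first dot is the Nostr public key.
    pubkey = rest.split(".")[0] if rest.startswith("npub") else None
    return Provenance(h, "nostr", tuple(reversed(crossed)), pubkey)


def flag_bridged_bursts(posts, window=timedelta(hours=6), min_accounts=50):
    """posts: iterable of (datetime, handle, text).

    Buckets bridged posts by (bridge chain, fixed time window) and reports
    buckets where at least min_accounts distinct accounts posted. Native
    Bluesky accounts are skipped; this heuristic targets bridged traffic only.
    """
    buckets = defaultdict(lambda: {"accounts": set(), "posts": 0})
    for ts, handle, _text in posts:
        prov = parse_handle(handle)
        if not prov.chain:
            continue
        idx = (ts - EPOCH) // window           # integer window index
        b = buckets[(prov.chain, idx)]
        b["accounts"].add(prov.handle)
        b["posts"] += 1
    flagged = []
    for (chain, idx), b in sorted(buckets.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        if len(b["accounts"]) >= min_accounts:
            flagged.append({
                "chain": chain,
                "window_start": EPOCH + idx * window,
                "accounts": len(b["accounts"]),
                "posts": b["posts"],
            })
    return flagged


def build_sample_posts():
    """Constructed sample: 60 Nostr-bridged accounts posting twice each inside
    one window, plus one ordinary Mastodon-bridged post and one native post."""
    base = datetime(2024, 5, 11, 12, 0)
    posts = []
    for i in range(60):
        handle = f"npub1example{i:04d}.momostr.pink.ap.brid.gy"   # placeholder keys
        posts.append((base + timedelta(minutes=i), handle, "remember to always vote Trump"))
        posts.append((base + timedelta(minutes=2 * i + 1), handle, f"hello adjective{i} world"))
    posts.append((base, "alice.mastodon.social.ap.brid.gy", "an ordinary bridged post"))
    posts.append((base, "bob.bsky.social", "a native post"))
    return posts


if __name__ == "__main__":
    for hit in flag_bridged_bursts(build_sample_posts()):
        print(hit)
```

The chain tuple is the actionable part: a rule that rate-limits or quarantines new accounts by bridge chain, rather than by individual handle, would have covered all 228 accounts in the real incident with one decision, while leaving ordinary Mastodon-bridged traffic (a different chain) untouched.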
Bluesky mitigated the attack fairly quickly and took down the spam accounts. The company hasn’t yet responded to requests for comment about whether it will change its approach to spam or bridges.
As the site The Fediverse Report pointed out, this sort of spam attack was possible because Nostr makes it particularly easy to create new accounts. The incident once again raises the question as to what the fediverse — that is, decentralized social media — actually is. If you join Bluesky, are you consenting to be part of a network that includes Nostr content? Does Bluesky’s network include Mastodon, because a bridge has been built?
These are questions that don’t have solid answers as of yet.