The attacker seems to be the admin of those two instances. Both instances have their registrations closed.

Edit: It is now open for both of them, or was already. I checked the Fediseer page for both instances and it still says that their registrations are closed.

Though it is suspicious that no captcha, email confirmation or manual approval is required for both of these instances. The admin of lemmy.doesnotexist.club seems to be inactive since their account creation yet this instance is still running. If the admin is the attacker, it could also be that they are the one behind the recent nicole spam.

https://gui.fediseer.com/instances/detail/chinese.lol

https://gui.fediseer.com/instances/detail/lemmy.doesnotexist.club

cross-posted from: https://hackertalks.com/post/8713785

The instances being used are

  • lemmy.doesnotexist.club
  • chinese.lol

Here is an example of the coordinated downvoting https://hackertalks.com/post/8692093

Of course its a controversial user who got someone angry enough to automated downvoting @DonaldJMusk@lemmy.today

But you can see every post they make gets 53ish downvotes from these two instances, plus some organic ones after a few hours.

Current downvoting Accounts

bot-list

LightIsland@chinese.lol MagnificentRow@chinese.lol FondKnowledge@chinese.lol SillyTowel95@chinese.lol HelplessDear@chinese.lol SomberBrain@chinese.lol InexperiencedCloset@chinese.lol NecessaryPerson11@chinese.lol ClosedEmployment@chinese.lol CoarseHair420@chinese.lol BurlyChampionship49@chinese.lol ZigzagNatural@chinese.lol QuestionableDirt@chinese.lol ProudDeparture@lemmy.doesnotexist.club JoyousDouble@chinese.lol UnitedPatience@chinese.lol MajesticArea@lemmy.doesnotexist.club SinfulConference@chinese.lol MoralDivide96@chinese.lol LeadingCarry65@chinese.lol FrillyOpinion38@lemmy.doesnotexist.club LimitedDiscount49@lemmy.doesnotexist.club ForkedScreen@chinese.lol MediumChemistry13@chinese.lol xXxLawfulGrassxXx@lemmy.doesnotexist.club VisibleSentence@chinese.lol AcidicLawyer90@lemmy.doesnotexist.club PriceySink14@lemmy.doesnotexist.club ExcellentBeach@chinese.lol VivaciousNews@lemmy.doesnotexist.club LankyIndependent32@lemmy.doesnotexist.club SpeedyFault@chinese.lol ConcreteHall89@lemmy.doesnotexist.club WorthyPoint12@lemmy.doesnotexist.club SurprisedAdult99@chinese.lol FlashyCrack@lemmy.doesnotexist.club MasculineBeing@chinese.lol RichWeird@lemmy.doesnotexist.club DryCash97@lemmy.doesnotexist.club AuthorizedChair@chinese.lol SlimKiss@lemmy.doesnotexist.club AromaticRoof78@lemmy.doesnotexist.club BewitchedInterview@lemmy.doesnotexist.club ImaginaryDraw@lemmy.doesnotexist.club PertinentGround@chinese.lol SinfulAssumption@lemmy.doesnotexist.club AwkwardAnybody30@lemmy.doesnotexist.club UnwillingRestaurant@lemmy.doesnotexist.club InsubstantialOven@lemmy.doesnotexist.club

A individual user airing their personal biases and manipulating lemmy isn’t good for the community, regardless of how you feel about their target. This is a really bad thing ™

  • freamon@preferred.socialEnglish
    282·
    6 days ago

    The attacker seems to be the admin of those two instances. Both instances have their registrations closed.

    The alternative theory would be that these instances had open registrations, but rightly closed registration down after the admins noticed the bots. chinese.lol is on 0.18.4 with an admin with a 2 year old account, lemmy.doesnotexist.club has an admin with a 1 year account, and it was also that instance that the ‘nicole’ person has used before. This downvote attack would need to be a long time in the planning for what you’re suggesting to be true.

    • asudox@lemmy.asudox.devOPEnglish
      12·
      5 days ago

      Upon inspecting the actual websites, the registrations seem to be actually open for both instances with no email confirmation, captcha or manual approval as one user pointed out. I checked the Fediseer page for these instances. What is the update delay for Fediseer?

      • db0@lemmy.dbzer0.comEnglish
        11·
        5 days ago

        Should be 12 hours, unless they explicitly prevent us from accessing their nodeinfo. Which now that I think about it, I should probably notify on.

      • freamon@preferred.socialEnglish
        121·
        5 days ago

        What is the update delay for Fediseer?

        I don’t know. It’s not something I’m familiar with - it might just default to saying ‘closed’ if it doesn’t have the data.

        It’s interesting that the obvious bot accounts on those instances were set up in mid-March last year, so I’m guessing that these are somebody’s army that they’ve used before, but overplayed their hand when they turned it on the DonaldJMusk person. The admins can reasonably be blamed for setting up instances with open registrations and no protections and then forgetting about them, but I’d be wary of blaming them for being behind the attack directly. The ‘nicole’ person is unlikely to have used their own instance - it’s probably just someone with the same MO as whoever owns the bots, finding and exploiting vulnerable instances.

        • asudox@lemmy.asudox.devOPEnglish
          2·
          5 days ago

          it might just default to saying ‘closed’ if it doesn’t have the data.

          Nope. Fediseer displays unknown fields as N/A.

          The admins can reasonably be blamed for setting up instances with open registrations and no protections and then forgetting about them

          No, I don’t think they forgot. Would you forget about something you regularly pay for?

          • snooggums@lemmy.worldEnglish
            71·
            5 days ago

            People forget about subscriptions all the time when they are cheap enough. The admin might even have some kind of grouped payment for multiple domains/sites and doesn’t bother cleaning them out to shut them down.