Cyberbullying Gone Global: Fediverse Spam and Operation Beleaguer

Cyberbullying Gone Global: Fediverse Spam and Operation Beleaguer
Photo by Andrey Matveev / Unsplash

On February 15th, newly-created Fediverse accounts started posting spam messages from various instances, sending invites to a Discord server for a Japanese troll organization. This spam was widespread across the Fediverse. The posts frame ap12 from “KuronekoServer” as the culprit behind the operation. 

Looking at their spam content (in Japanese), it’s obvious that it’s not just any typical spam. And thus, commences Operation Beleaguer.

Disclaimer

This investigation was a rapid effort between many parties in different countries, time zones, languages, and organizations, all using the limited information that we could uncover. As such, do not expect this report to be definitive of the situation, mistakes may have occurred, even severe mistakes. The intent of the report is to document the situation for general users and admins (mostly the non-Japanese demographic) about what took place and as a call to better secure the Fediverse. Do NOT harass, attack, or go after any parties mentioned.

Additionally, it’s important to note that the spam attack occurred in many different waves. While we have evidence that the first wave was linked to the aforementioned group, we cannot prove at the moment that all waves were. However, based on our own assessment, we believe that the group or an affiliated party is associated with most of the waves, at least those slandering KuronekoServer. While references to subsequent waves are written from this assumption, please note that we cannot definitely link them.

The Timeline

  • December 2023 or earlier: CTKP group gets into disagreement with KuronekoServer, CTKP doxxes group leader kuroneko6423.
Announcement doxxing kuroneko6423
  • Early February 2024: amex2189 crafts a "Misskey nuking script", first used against small servers (https://www.youtube.com/watch?v=E2v_qhDE3A8) advertising CTKP and amex2189.
  • February 14, 2024: Someone in CTKP starts comment spam attacks on various blogs, targeting 0ch+, spamming their manifesto, and “calling out” KuronekoServer.
  • Sometime around this, Misskey spam attacks are being tested small-scale, with the content being death threats to the Miyazaki provincial government, MisskeyHQ, and various others. This is the very first spam message sent. Bots keep sending this message with the same content, renoting different notes from users all over the Fediverse, mainly targeting Japanese instances. The message references and endorses CTKP/CTKPAARR:
Misskey note sending threats to Misskey HQ, the Miyazaki prefectural government, and Palworld
posted on 2024-02-12 04:57:57 by “RAKI <address and name redacted>”i.e. @raki<name redacted>@sushi.ski<[] denotes things omitted in original passage / changed>

<Co-prosperity Trollsphere here refers to CTKPAARR, but uses the name CTKP. You can think of it like Taiwan referring to itself as China vs the PRC>

Co-prosperity Trollsphere [is the] strongest  On Tomorrow 3:34 PM [we] will blow up the Miyazaki prefectural office, govt office and Kwansei Gakuin University and Touei Residence

[We] will use a knife to repeatedly stab girls in Miyazaki Hongou Middle School and feed them to the cannibalists

The anti-troll [Misskey] admin AureoleArk and kuroneko6423 <real name redacted> and ap12 <real name redacted> and <name redacted> from <address and school redacted>, [we] will let them be anal-raped and make them feel hopeless about life
I am <address redacted> <RAKI name redacted>

The idiotic <Parent Name redacted> nurturing me which was a mistake — his one-parent family, and TamaHome, and the criminal company PocketPair who copied Pokemon and sell the game, and the sex offender AureoleArk and Etou Yoshiki (← their name are publicly known and thus are not redacted, but are accidentally redacted in the screenshot), all the people above can’t be forgiven.Fucking search [them] in Co-prosperity Trollsphere

[We] will try to blow up <address redacted> and<insert MisskeyHQ address> MisskeyHQ and Tamahome shops in the entire country and
every single company located on floors below <insert MisskeyHQ address> on 19 Feb 3:34 PM

The female workers in [those] companies will gather the disabled people in “rein” co-prosperity sphere and together [we] will rape them altogether and force [them] to drink the Fukushima waste water

At the same time the GNU SOCIAL admin who is mentally retarded and lived in <address redated> and <address redacted> and <address redacted> and <address redacted>, [we] will burn them like using gasoline like in anime [… omitted description of the burning scene].[We] will check and see if the female staff members from PocketPair and MisskeyHQ have better pussies that feel better than the ones from Miyazaki Hongou Middle School

If Palworld stopped getting sold and pokemons kneel on the ground and they surrender to Co-prosperity Trollsphere then [we] will stop
Let’s raise the very big flag for Wappasutei Ideology and thoroughly bombard the anti-troll headquarters

Those anti-troll servers’ / forces are [committing] tax evasion/stealing and [they are so dumb to the point] not even medicines would work, absolutely useless
On 1st Feb, the great Co-prosperity Trollsphere’s website “荒らし.com” was set up.
Let’s aim to, in a great way, revive trolling that has trolling as the dream/desire, and be determined and unite together!

<"revive trolling that has trolling as the dream/desire" seems to be their slogan>
  • We have also received comments from sushi.ski admins stating the admins' email addresses were used as contact emails when the attackers sent bomb threads to different local Japaense entities.
  • February 15, 2024: Misskey attacks ramped up, ap12 from KuronekoServer framed as culprit.
  • February 16-present, 2024: Spam attacks continue, with varying content, some of which include the Discord invite link for CTKP. A culprit has not been identified, but we believe it is CTKP or the CTKPAARR splinter cell.
  • February 19, 2024: According to rein (leader of the original CTKP group), amex2189 has been detained by Japanese authorities. Albeit, please note that this has not been confirmed.
Announcement from Rein, stating that amex2189 has been arrested.

The Threat Actors

荒らし共栄圏 (ctkpaarr) is a CCP-themed Japanese troll group mainly made up of middle schoolers. They are most active on Discord. Their primary activities include raiding/nuking Discord servers and targeted harassment. The group is a splinter cell from another group, CTKP.

Several of their members have already been doxxed, and there are circulating claims that some were expelled from school for their antics.

Key leaders

  • ワッパステイ (wappasutei): leader of ctkpaarr
  • amex2189: a developer at ctkpaarr
  • rapuromu (aka kantai_collection): ctkpaarr senior member

Philosophy

Trolling for the sake of trolling (essentially, lulz.) Yes, seriously. ("Revive trolling that has trolling as the dream/desire")

Behavior

  • Most of the users seem to speak in a Kansai dialect.
  • Their theme is based on CCP aesthetics.
  • They have reward schemes for each raid completed.
Screenshots showing the reward schemes for raiding

The CCP Theme

As we said, the group’s theme revolves around the CCP and Maoism.

Their website (https://荒らし.com/) features many photoshopped images of CCP propaganda, with their leader wappasutei.

They even have a quotes booklet like Mao Zedong

Amazon Books page for "Quotations from Wappasutei"

Past activities

This is not the first time this group garnered attention. In 2022, a previous iteration of CTKP going by the same name raided a large number of Discord servers:

They also DDoS’d open2chan back in 2022. https://twitter.com/satorunet/status/1571656490267840512

And according to KuronekoServer developers, they have been receiving Discord raids as early as 2023-12-29, spamming messages with false accusations on the server owner.

Their current website is still up, including the main website https://ctkpaarr.org/ (which redirects to https://荒らし.com) and their forum. They also have made tools specific for raiding Discord servers, which are said to be made by amex.

Their Ultimate Goal (for this raid; speculative)

To make people associate KuronekoServer and their authors as a “criminal organization”. KuronekoServer describes themselves as a voluntary organization formed by a group of students, operating various Discord bots. There is no public evidence suggesting any wrongdoing on the part of KuronekoServer, making this a false flag operation intending to harm their reputation.

How They Did It

While we couldn’t find a publicly available script with the functionality to spam both Misskey and Mastodon, amex2189 mentions being able to troll Mastodon in a later Discord message. We believe that this updated script is derived from the following: https://github.com/EdamAme-x/misskey-nuke, https://github.com/EdamAme-x/misskey-account-generator. The account generator component is used to generate Misskey accounts, outputting a table of tokens, with the nuke actually performing the spam attack.

A rough-quality screenshot from Google Translate's OCR feature showing amex2189

(Apologies for the bad quality image, I couldn’t figure out how to do translated OCRs on PC -Cappy)

The Aftermath

  • Fediverse instances attacked, full of spam accounts and images.
  • KuronekoServer releases a statement regarding the impersonation, plans to press charges.
  • Misskey.io limits federation from all instances, only data from followed users are federated. Plans to press charges. We have tried to contact Misskey.io admins but up to the time of writing we have not yet received any replies.
  • Many, many posts complaining about the sheer volume of spam caused by this single spammer.
  • amex2189 disappears(?) after 72 hours, possibly because of:
    • Parents being notified of this event, and confiscating his devices.
    • Detained by law enforcement.
  • At the time of this writing, attacks are still ongoing, possibly from other attackers still having access to the script.
One of the newer spam messages, taken from elk.zone

A Word from Kuroneko

We decided to reach out to the staff of KuronekoServer to get their side of the story, here is their response:

今回の様々な人に送られているスパムメッセージについては、90%以上は荒らし共栄圏という日本を含む、アジアを中心とした陰謀や荒らしを中心としたコミュニティからの行為だと確認しております。

荒らし共栄圏が、KuronekoServerへのスパム行為の主犯と、構成されている人達は、主に中学生(13~14歳)と見ています。 KuronekoServerのオーナー、また開発スタッフへ、ストーカー行為・粘着行為をしております。 荒らし共栄圏、またその団体のメンバーへKuronekoServerスタッフが、危害を加えた事実は一切ありません。 彼らはこのストーカー行為・粘着行為を通じて、オーナーやその個人、またスタッフなどに対して、 心的外傷後ストレス(Post Traumatic Stress Disorder)になるのを見て、楽しんでいます。 また、この行為はKuronekoServerブランドに対しての、イメージダウンも目的としています。

Question:誰がこの攻撃を行ったか
Answer:荒らし共栄圏に属している、約6名程の首謀者・その部下

Question:攻撃されている理由
Answer:その中学生達にとって、人が苦しむ姿を見るのが面白いから(日本で起きている誹謗中傷は、大体当てはまります)
以下荒らし共栄圏のサイトになります。
https://荒らし.com/

or machine-translated in English:

We have confirmed that more than 90% of the spam messages sent to various people are from the trolling co-prosperity bloc, a community centered on conspiracies and trolls in Japan and other parts of Asia.

We believe that the troll co-prosperity spamming of KuronekoServer is mainly composed of middle school students (13~14 years old). They are stalking and obsessing over KuronekoServer's owner and development staff. There is no evidence that KuronekoServer staff have harmed the trolling community or any of its members in any way. They enjoy watching the Post Traumatic Stress Disorder that they have created against the owner, the individual, and the staff through this stalking and obsessive behavior. This behavior is also intended to tarnish the image of the KuronekoServer brand.

Question:Who is responsible for this attack?
Answer:About 6 ringleaders and their subordinates who belong to the troll co-prosperity zone.

Question:Why are they being attacked?
Answer:Because it is interesting for these junior high school students to see people suffer (this is true for most of the slander that occurs in Japan).
The following is the site of the trolling co-prosperity zone.
https://荒らし.com/

In further correspondence they mention they've been targeted by CTKP in the past.

Takeaways

  • Many Fediverse instances have open sign-ups without proper limits, enabling this to even happen in the first place. It's important to note that this attack doesn't require any novel exploit, just the existence of unmonitored, un-protected instances with open registration. From what we've seen, these are usually smaller instances.
    • Open registrations should NEVER be enabled on instances without proper protections and monitoring. If you must have open registrations on your instance, use the proper anti-spam and anti-bot mechanisms.
    • We also recommend blocking sign-ups using Tor IP addresses and temporary email domains.
  • The Fediverse can easily be overwhelmed using simple scripts.
  • Mastodon still doesn’t let you disable image caching.
  • Fediverse software such as Misskey and Mastodon need more powerful moderation tools. Akkoma is currently leading in this regard with their MRF feature, which allows administrators to write arbitrary polices to rewrite or delete messages. We hope something like this makes its way into other projects.
    • There are many discussions that need to take place. It is unlikely that one solution will be a "silver-bullet." We will probably need a variety of tools of all types: proactive, reactive, automated, manual.
      • As some starters, we recommend that Fediverse software should block temporary email services by default (or make it easy to), be invite-only by default, allow blocking Tor IPs easily (but not by default), allow automatically holding similar or spam-like messages for review, and add regex rules (or more ideally, a MRF type mechanism) for messages.

FAQ

Q: So, was ap12 the perpetrator? Was it Kuroneko?

A: No. In fact, these 2 characters here are the real victims of this attack. We (the Fediverse) are simply caught in the crossfire.

Q: Will this happen again?

A: Yes, unless we implement strict measures against this, one could simply write another script (or reuse the same one!) and cause the next Fediverse spam attack, possibly even worse given more time and resources.

Q: Will this group finally be busted?

A: Probably not. Or at least if they do, they’ll come back in some form or another. This group consists mostly of minors, which generally are generally treated in the law more leniently than adults. However, with this attack this group is now in the crosshairs of international entities (including us) so hopefully… maybe?

Shoutouts

Finally, shoutouts to KuronekoServer! They've been extremely cordial and informative in our communications.

As the victims of being targeted in this false flag operation, we would like to extend our hand in helping them recover by bringing attention to their products and services.

You can donate to the KuronekoServer developers here.