Over the weekend, hackers targeted federated social networks like Mastodon to carry out ongoing spam attacks that were organized on Discord, and conducted using Discord applications. But Discord has yet to remove the server where the attacks are facilitated, and Mastodon community leaders have been unable to reach anyone at the company.
“The attacks were coordinated through Discord, and the software was distributed through Discord,” said Emelia Smith, a software engineer who regularly works on trust and safety issues in the fediverse, a network of decentralized social platforms built on the ActivityPub protocol. “They were using bots that integrated directly with Discord, such that a user didn’t even need to set up any servers or anything like that, because they could just run this bot directly from Discord in order to carry out the attack.”
Smith attempted to contact Discord through official channels on February 17, but still has only received form responses. She told TechCrunch that while Discord has mechanisms for reporting individual users or messages, it lacks a clear way to report whole servers.
“We’ve seen this costing server admins of Mastodon, Misskey, and others hundreds or thousands of dollars in infrastructure costs, and overall denial of service,” Smith wrote to Discord Trust & Safety in an email viewed by TechCrunch. “The only common link seems to be this discord server.”
In a statement to TechCrunch, a Discord spokesperson said, “Discord’s Terms of Service specifically prohibit platform abuse, which refers to activities that disrupt or alter the experience of Discord users, including spam, or sending unsolicited bulk messages or interactions.” Though Discord says it is monitoring the situation, the server responsible for the spam attacks remains online.
Mastodon founder and CEO Eugen Rochko said in a post that these attacks are more difficult to moderate than past ones, because they deliberately target smaller servers, which often have fewer moderation tools in place. Some of these servers offer open registration, making it possible to quickly start new accounts and post spam. And as Smith notes, these mass spam attacks can drive up server costs, leaving admins with unexpected bills.
According to reports on Mastodon, this fully automated attack was sparked by a conflict between teenagers on two different Japanese language Discord servers.
“It’s this sort of weird social behavior, where these kids are essentially acting like schoolyard bullies,” Smith told TechCrunch. She thinks that they carried out the attack simply to show that they can, not because they have any ill-will toward these social networks.
“They’ve got technological capabilities that are well above where they are emotionally or psychologically,” she said.
Kevin Beaumont, a cybersecurity expert, posted on Mastodon that this incident recalls a similar, yet much larger attack from 2016, in which three college kids created a botnet to make money on Minecraft. But what they built was so powerful that it was able to take down huge swaths of the internet, including sites like Reddit and Spotify.
“I had to do a radio show on NPR about that one and the presenter kept asking me if it was Putin — and I was like, no, it’s teenagers. Advanced Persistent Teenagers,” Beaumont posted.
As a decentralized social media network, Mastodon’s team is unable to intervene in moderation issues on servers that they don’t own, which is a vulnerability for the fediverse. On servers that are actively maintained and moderated, Mastodon offers tools to prevent automated account registration, like CAPTCHAs.
While Mastodon’s nonprofit, open source model gives users more ownership over their social media experiences, it also limits the company’s ability to hire more developers. Most of the social network is run by volunteers, like Smith herself.
“I would estimate that the entire fediverse is developed off of the backs of maybe, at best, 100 engineers,” she said. “All of whom are either low paid, underpaid, or unpaid, who are trying to build software, and at the same time, are supporting the userbase of monthly active users in the range of 1.1 million to 7.4 million.”