“Pro-Trump spam” on Bluesky comes from rival decentralized social network Nostr

09:42 22/05/2024


Decentralized (distributed) social networks are not immune to spam from automated bots, as the recent Bluesky spam attack shows. Earlier this month, a series of posts urging readers to “always remember to vote for Trump” appeared on the Bluesky network, posted by accounts with random names and default profile pictures.

However, the spam did not originate from Bluesky itself. Instead, it arrived at Bluesky by passing through two other decentralized networks: Mastodon and Nostr. To do this, the automated bots took advantage of “bridges”, paths built between networks so that they can interoperate.

Although the spam attack occurred on May 11, a data scientist's detailed analysis of the event was published only a few days ago, drawing more attention to the incident. As explained by the Conspirador Norteño blog, the spam accounts on Bluesky were created through the Nostr social network protocol.

The Nostr protocol supports applications such as Damus, Nostr, Nos, etc. It is also the preferred network of Jack Dorsey, co-founder and former CEO of Twitter, because of its popularity with Bitcoin users. However, at Twitter, Dorsey championed the project that would become the decentralized social network startup Bluesky. But he has since left the board, arguing that the Bluesky team is now repeating the mistakes he and others made at Twitter. These days, Dorsey regularly participates on Nostr, which he considers a more open protocol.

It may sound strange, but even though Nostr and platforms like Mastodon and Bluesky are all decentralized networks, they can’t actually talk to each other directly. Mastodon uses the ActivityPub protocol, which is also being adopted by Meta in Instagram Threads and by other applications and services including Flipboard and Ghost (Substack’s open source competitor).

To allow posts from one network to flow to another, bridges are being built. This has become a point of contention among some decentralized social network users: different groups debate how the bridges should be built, while others question whether bridges should exist at all.

The latter group can now point to this recent event as an example of the downsides of bridges, as automated bots cleverly took advantage of them to spam another network.

According to analysis of the attack, spam from Nostr was first sent to Mastodon via the Momostr.pink bridge. Then another bridge named Bridgy Fed sent content from Mastodon to Bluesky.

“Traces of this process appear in the Bluesky post versions, where the account handle name is in the format npub.momostr.pink.ap.brid.gy,” conspirator0@newsie.social wrote on Substack. “The first part of this string (from npub to the first dot) is the public key of the Nostr account, while the remaining part (momostr.pink.ap.brid.gy) contains some indication of the public key tool used to connect posts (Momostr and Bridgy Fed).”
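The handle structure described in the quote above can be checked mechanically when triaging accounts. The following Python is an added example, not code from the article or the cited analysis: it decodes the leading label as a Nostr npub (bech32, per NIP-19), verifies its checksum, and reads the bridge domains from the rest of the handle. The function names, bridge labels and sample key are this example's own, and the sample key is constructed.

```python
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"   # bech32 alphabet
GEN = (0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3)
HRP = [ord(c) >> 5 for c in "npub"] + [0] + [ord(c) & 31 for c in "npub"]
# Bridge domains named in the article, outermost (closest to Bluesky) first.
BRIDGES = (("ap.brid.gy", "Bridgy Fed"), ("momostr.pink", "Momostr"))

def _polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1ffffff) << 5) ^ v
        for i, g in enumerate(GEN):
            chk ^= g if (top >> i) & 1 else 0
    return chk

def encode_npub(key: bytes) -> str:
    """Encode 32 bytes as an npub; used here only to build a constructed sample."""
    n = int.from_bytes(key, "big") << 4            # 256 bits + 4 pad bits = 52 groups
    data = [(n >> 5 * (51 - i)) & 31 for i in range(52)]
    pm = _polymod(HRP + data + [0] * 6) ^ 1
    data += [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return "npub1" + "".join(CHARSET[d] for d in data)

def decode_npub(label: str):
    """Return the public key as hex, or None if the label is not a valid npub."""
    if len(label) != 63 or not label.startswith("npub1") or set(label[5:]) - set(CHARSET):
        return None
    data = [CHARSET.index(c) for c in label[5:]]
    if _polymod(HRP + data) != 1:                  # checksum mismatch
        return None
    n = int("".join(f"{d:05b}" for d in data[:52]), 2)
    return None if n & 0xF else (n >> 4).to_bytes(32, "big").hex()

def parse_handle(handle: str):
    """Return (nostr_pubkey_hex or None, bridge names found in the handle suffix)."""
    first, _, rest = handle.lower().partition(".")
    chain = []
    for suffix, name in BRIDGES:
        if rest == suffix or rest.endswith("." + suffix):
            chain.append(name)
            rest = rest[: -len(suffix)].rstrip(".")
    return decode_npub(first), chain

def nostr_bridged(handles):
    """Handles that carry a valid Nostr key and crossed both bridges."""
    return [h for h in handles if (p := parse_handle(h))[0] and len(p[1]) == 2]

# Constructed sample: a made-up key (bytes 0..31), not a real account.
SAMPLE = [encode_npub(bytes(range(32))) + ".momostr.pink.ap.brid.gy", "alice.bsky.social"]
```

A 32-byte key encodes to exactly 63 characters, the maximum length of a DNS label, which is why the whole npub fits in the first label of the handle.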

The automated bots were able to keep posting “vote Trump” spam until Bluesky took action against the spam accounts. The data set used for the analysis was flawed because Bluesky started deleting accounts while the data was being collected. However, from what was gathered, it appears that at least 228 accounts posted 470 times in just six hours. About half of the posts were “vote Trump” posts, while the others were “hello world” posts with a random adjective sandwiched between the two words.

Bluesky mitigated the attack fairly quickly and took down the spam accounts. The company has not yet responded to requests for comment on whether it will change its approach to spam or bridging.

A report from The Fediverse Report indicates that the spam vulnerability appeared because Nostr allowed easy account creation. This event raises questions about the nature of decentralized social networking platforms (Fediverse). When joining Bluesky, will users accept connection to content from Nostr? Does Bluesky’s network include Mastodon through built bridges?

Currently, there are still no definite answers to these issues.
