Cookie Crumbs 3: Accountsquatting with a Bonus & Addressing a Necessary Change in HF20
During my investigations I often come across less relevant cases, stories from the past or inconclusive leads. Those I find worth mentioning I will present to you as "Cookie Crumbs".
Accusation:
@bryner had notified me about @tm888ph in a comment on Case 7.
While Professor Moriarty is still on the loose, I was clearing my backlog of user-submitted leads and stumbled over this one again.
The culprit here doesn't seem to be active anymore, but the scheme and profile might be worth a mention after all.
The Findings:
The account I was notified about, @tm888ph, doesn't have any posting history; it never commented or voted. But take a look at the transfers ledger, that's where the shenanigans are going on.
@tm888ph has collected a total of 5,338.475 STEEM from 163 (mostly) inactive accounts.
All accounts involved had been created around February to March of this year. Back then, steemit.com still used to top up new accounts with a whopping 35 STEEM. Someone had simply signed up 163 accounts over the course of roughly one month, just to collect their signup bonuses.
And that's pretty much all that happened.
By the end of June @tm888ph had transferred most of the money out through bittrex and has remained inactive since.
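The pattern described above (many freshly created accounts with no posts or votes, each forwarding roughly its signup bonus to one collector) can be screened for mechanically. The following is an added example, not code from the original post; the ledger and account metadata are constructed sample data with hypothetical names, and the bonus amount, source threshold and tolerance are parameters chosen here for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (hypothetical names, not the post's real ledger).
# Each account carries its creation date and a count of posts and votes.
ACCOUNTS = {
    "collector1": {"created": date(2018, 2, 1), "posts": 0, "votes": 0},
    "alice":      {"created": date(2017, 9, 3), "posts": 120, "votes": 900},
    "bob":        {"created": date(2018, 2, 10), "posts": 4, "votes": 30},
}
# Twelve throwaway accounts created a few days apart in Feb/Mar, never active.
for i in range(12):
    ACCOUNTS[f"throwaway{i:02d}"] = {
        "created": date(2018, 2, 1) + timedelta(days=4 + 3 * i),
        "posts": 0,
        "votes": 0,
    }

# Transfers as (sender, receiver, amount in STEEM). The throwaways each
# forward their full signup bonus; bob also sends 35 but is a real user.
TRANSFERS = [(f"throwaway{i:02d}", "collector1", 35.0) for i in range(12)] + [
    ("alice", "bob", 10.0),
    ("bob", "collector1", 35.0),
]

SIGNUP_BONUS = 35.0  # assumed bonus amount; the post cites 35 STEEM at the time


def find_bonus_sinks(accounts, transfers, bonus=SIGNUP_BONUS,
                     min_sources=5, tolerance=0.5):
    """Flag receivers that collect near-bonus-sized transfers from many
    accounts which have never posted or voted.

    Returns {sink: {"sources": n, "total": STEEM, "window_days": d}} where
    window_days spans the creation dates of the contributing accounts."""
    by_sink = defaultdict(list)
    for src, dst, amount in transfers:
        meta = accounts.get(src)
        if meta is None:
            continue  # unknown sender: nothing to judge it by
        inactive = meta["posts"] == 0 and meta["votes"] == 0
        near_bonus = abs(amount - bonus) <= tolerance
        if inactive and near_bonus:
            by_sink[dst].append((src, amount))

    flagged = {}
    for sink, items in by_sink.items():
        if len(items) < min_sources:
            continue
        created = [accounts[s]["created"] for s, _ in items]
        flagged[sink] = {
            "sources": len(items),
            "total": round(sum(a for _, a in items), 3),
            "window_days": (max(created) - min(created)).days,
        }
    return flagged


if __name__ == "__main__":
    for sink, info in find_bonus_sinks(ACCOUNTS, TRANSFERS).items():
        print(f"{sink}: {info['sources']} inactive sources, "
              f"{info['total']} STEEM, created within {info['window_days']} days")
```

The active user bob is excluded even though he sent the same amount, which is the point of combining the amount check with the activity check: a single transfer of a bonus-sized sum is ordinary, while dozens of them from accounts that never did anything else are the signature worth reviewing by hand.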
Identifying the Culprit
Including @tm888ph there are 164 accounts directly connected in this operation.
But, under all these, there's only a single one that has a posting history: @rur. The account identifies as a bot and has some limited activity. At first I thought I was on to something here, a hint at a connection to an active user, but I never trust circumstantial evidence alone, and a bit of digging confirmed this was indeed a dead end: either pure coincidence or, quite possibly, a false lead left on purpose.
If the content isn't revealing, just follow the money, right?
Yes! About half of it, 2,682.540 STEEM to be precise, went through bittrex, right into the pockets of @tomino.
@tomino identifies as Tomas from the Czech Republic, a "blue-collar intellectual with skin in the game".
Sorry bro, the only "skin" you've brought to the game was that free sign-up money!
Please, get real!
Tomas is nearing his one year anniversary on steemit, but I doubt there will be a great celebration. He seems to have lost interest in this game after all. He is currently powering down, and aside from greeting introduction posts with a self-voted comment, he has become mostly inactive.
Yes, upvote a new user with 1% and your own comment with full power.
It just makes you feel so much better about life, doesn't it?!
Tomas started as a genuine user, at least that's what it looks like, and I'd like to point out again that he has not misused any of those fake accounts. Looking at the full list, I can't help but speculate that he simply planned on cybersquatting a bunch of potentially valuable account names and collected a bonus while doing so.
But looking back at him sharing advice for new users about being patient, right before he started registering all these accounts, does taste a bit funky!
Removing the Incentive - Hard-Fork 20
The exploitation works through the steemit.com sign-up process.
Steemit is aware of the problem. They have already made some changes, and currently a new account gets preloaded with only half a STEEM vested plus some delegated voting power to get started with.
But even with the current model, there's still free money to be collected and a voting stake available to the user at no initial cost. My previous cases, which revealed thousands of fake accounts abusing their free stake or delegation to farm the reward pool, show it pretty well: there's still a huge incentive.
Steemit is addressing this further with their plans for "Effortless Onboarding", a proposed change that would come with Hardfork 0.20.0, "Velocity":
The current system also incentivizes attackers creating multiple accounts in order to acquire free STEEM, which again increases the overall cost of maintaining the protocol. To solve this problem, we propose a new method of burning STEEM (i.e. destroying the tokens and removing them from the token supply) on each account creation and crediting the account with permanent minimum bandwidth instead of providing Steem Power to the new account. This will reduce incentives to abuse the steemit.com signup system and will prevent users from temporarily preventing themselves from transacting after powering down in full.
In essence, a new account would still come at a cost to the creator but without any initial funding and hence, zero voting power. To make this feasible, the protocol must be changed to allow a minimum bandwidth to accounts, even without any funding.
This might not be a perfect solution, maybe there will be new loopholes, but let's appreciate that the problem has been acknowledged and potential solutions are already in development.
yours,
Sherlock
P.S.: The list of accounts registered by @tomino and excerpts from the relevant transaction ledgers have been posted here.
Sorry, no pitchforks today!
There's no open posts and the damage has already been done.
Let's look forward instead!
Are there better solutions to fix the sign-up vulnerability?
Are there other vulnerabilities that need to be addressed?
Which rules would you change to limit abuse on the platform?
If you want to almost completely solve the spam hazard, this is what should be done:
https://steemit.com/steemit/@stimialiti/to-dan-ned-the-witnesses-and-to-everyone-invested-in-this-platform-to-save-steemit-this-is-what-you-should-do
Do not upvote what is inside the link, since votes on expired content only overload the blockchain and have no effect on the authors.
You raise some valid points in your article, and a lot of your suggestions do make sense to me, but I must immediately oppose any tribunals making blockchain-reversal/deletion decisions.
Posting fees and more downvote-bots is something I'd likely be supportive of.
Good write-up, we always need more active thinkers who contemplate possible routes forward to better the game's mechanics.
If you oppose blockchain-reversal, consider the hard-forks and the replacements which start from scratch and are a complete deletion of both the good and the bad here.
The less deletions a blockchain has, the sooner it gets entirely deleted/replaced.
Especially a blockchain like this one, which had no fees so far, had too small minimal transaction amounts and includes entire posts.
could you elaborate on:
maybe I am missing something?
Once steem blockchain becomes unsustainable, there will be hard forks or replacements which will not include the old posts and these will be the long overdue deletions.
The problem is, that starting from scratch will not only get rid of the spam, but also from the good content.
Steem blockchain is not eternal, not even in blockchain terms, and its being immutable only makes it worse.
There have to be ways to delete obvious spam, not just to prevent future spam.
I guess this is a discussion about the general nature of blockchain then.
As I understand the concept it has to be an immutable ledger.
You may be correct, and I bet you know more than I do about blockchain.
I did stumble upon the phrase 'immutable blockchain' which makes me wonder if there is redundancy in it.
I do not comprehend what prevents a blockchain from becoming mutable in principle.
The whole idea of blockchain is to run an immutable trustless ledger.
Allowing later modifications to older blocks would essentially make the whole idea pointless. It will then require "trust" in those who can change the historic blocks.
Simplified: a new block validates against the previous block, if a previous block gets changed, all subsequent blocks become invalid. So changing old blocks would also require rerunning the whole chain from that point on.
Technically this would only be possible if all "miners" (in case of steem witnesses) were in on it, but even then, copies of the unchanged blockchain would still be available. You would basically create a new chain all together.
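The validation rule described in the comment above (each block commits to the hash of its predecessor, so altering one block breaks every block after it) can be shown with a minimal hash chain. This is an added example and not code from the post or from the Steem codebase; the block layout, SHA-256 and the JSON serialisation are choices made here for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, replace

GENESIS_PREV = "0" * 64  # constructed: no predecessor for the first block


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    payload: str

    def hash(self) -> str:
        # Canonical serialisation so the same content always hashes the same.
        body = json.dumps(
            {"i": self.index, "p": self.prev_hash, "d": self.payload},
            sort_keys=True,
        )
        return hashlib.sha256(body.encode()).hexdigest()


def build_chain(payloads):
    """Link blocks so that each one commits to the hash of the previous."""
    chain, prev = [], GENESIS_PREV
    for i, payload in enumerate(payloads):
        block = Block(i, prev, payload)
        chain.append(block)
        prev = block.hash()
    return chain


def first_invalid_block(chain):
    """Index of the first block whose prev_hash no longer matches its
    predecessor, or None if the whole chain validates."""
    if chain and chain[0].prev_hash != GENESIS_PREV:
        return 0
    for i in range(1, len(chain)):
        if chain[i].prev_hash != chain[i - 1].hash():
            return i
    return None


def tamper(chain, index, new_payload):
    """Edit one historic block in place and leave later blocks untouched,
    as a naive attacker might; the chain should stop validating."""
    edited = list(chain)
    edited[index] = replace(edited[index], payload=new_payload)
    return edited


def rewrite_from(chain, index, new_payload):
    """Edit a historic block and recompute every subsequent block, i.e. the
    'rerun the whole chain from that point on' the comment describes."""
    payloads = [b.payload for b in chain]
    payloads[index] = new_payload
    return build_chain(payloads)


def tip_hash(chain):
    return chain[-1].hash()


if __name__ == "__main__":
    original = build_chain(["post A", "post B", "post C", "post D"])
    print("original valid:", first_invalid_block(original) is None)
    naive = tamper(original, 1, "post B (edited)")
    print("naive edit first breaks at block", first_invalid_block(naive))
    rewritten = rewrite_from(original, 1, "post B (edited)")
    print("rewritten valid:", first_invalid_block(rewritten) is None)
    print("tips differ:", tip_hash(original) != tip_hash(rewritten))
```

The rewritten chain validates on its own, but its tip hash differs from the original's, which is why anyone holding a copy of the unchanged chain can tell the two apart: the rewrite is effectively a new chain rather than a correction of the old one.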
I'm not sure how to do this just right, but one of my followers brought to my attention that you investigate people on the platform who aren't on the up and up. This is a post I did yesterday that might interest you...
https://steemit.com/steemit/@richq11/scam-alert-a-public-service-announcement
Thanks! Yes, that's what I do ;)
The kinds of offers like you describe in your post are becoming more and more common. My best advice to anyone: don't go for service offers that are brought to you in any such manner. Only use services that you can see are working!
This comment has received a 1.66 % upvote from @buildawhale thanks to: @stimialiti. Send at least 0.100 SBD to @buildawhale with a post link in the memo field for a portion of the next vote.
To support our curation initiative, please vote on my owner, @themarkymark, as a Steem Witness
This comment has received a 3.52 % upvote from @buildawhale thanks to: @stimialiti. Send at least 0.100 SBD to @buildawhale with a post link in the memo field to bid for a portion of the next 100% upvote.
To support our curation initiative, please vote on my owner, @themarkymark, as a Steem Witness
This comment has received a 8.33 % upvote from @nettybot thanks to: @stimialiti.
Send 0.100 SBD to @nettybot with a post link in the memo field to bid on the next vote.
Oh, and be sure to vote for my owner, @netuoso, as Steem Witness
Have a great day!
This comment has received a 2.98 % upvote from @buildawhale thanks to: @stimialiti. Send at least 0.100 SBD to @buildawhale with a post link in the memo field to bid for a portion of the next 100% upvote.
To support our curation initiative, please vote on my owner, @themarkymark, as a Steem Witness
Thanks for your investigations. I know you're busy, but can you check my latest post. Didn't know how to reach you or your team.
J
Noted, I will take a look at the accounts when I find the time. In the meantime please feel free to discuss your findings on steemit.chat:#steemit-abuse.
I am really looking forward to HF20. Validation of genuine users is never easy and especially in the scale steemit is doing.
Paying mining time instead of steem will solve a few issues the current system has. Sure we have the same attack vector registering multiple accounts and flooding everything, but the mining is costly without rewards, so in my opinion this is a step away from abuse and to a better steem.
HF20 will also solve the case of fairly infrequent users who got undelegated after some time and then got locked out of the account.
Thanks for sharing your well-informed perspective!
tips hat
Thank you so much for looking into this. I know it didn't pan out with someone fully caught, but it did lead to more discussion. I didn't understand how much was lost until this post, but at least it shows a crack in the wall that could be at least patched(HF20). Thanks again!
Thanks for pointing this one out! Stay vigilant!
As @rebeccabe said:
The question I have here is whether or not mining for account creation could be exploited by those looking to spam. The HF post states a 'combination of' so I'm hoping they put some thought in to that.
One of the things I've been concerned about is name squatting. I haven't seen any posts about it from Steemit Inc. ¯_(ツ)_/¯ This is a particular problem with those using names of people to commit identity deception.
This is indeed an interesting detail in their proposed change and it might allow some sort of new exploit. Taking into account that these accounts would be created without vesting stake, though, at least it still limits potential reward-pool farming without investing for a stake.
On the other hand, the required baseline minimum bandwidth probably does open up new avenues for potential spamming and will require some attention to detail.
Yes, the quest for good account names will become a struggle soon, I wonder if we'll see the day where a real celebrity comes to steemit just to find his name has been snatched by an imposter in the past!
What about requiring people to prove ownership of a prominent existing social media platform account OR pay a small joining fee. This allows anonymity to continue, but at a fair price which would reduce this abuse problem.
When I joined you could use facebook.com ownership to create a steemit.com account. The problem of course is that there are a lot of ways to circumvent this. You could pay users on mturk.com to create 1000's of facebook/steemit accounts at 10 cents each.
How do people create these accounts so cheaply when they require a unique mobile phone SIM for each? I'm missing something, I think.
You can actually register temporary virtual numbers for receiving texts at NO cost online, these numbers are usually under certain country codes, but I know for a fact that this has been used to sign up a multitude of accounts here in the past. I'll not leave a link here for obvious reasons.
Right. That makes sense now thanks. Is getting a valid (genuine) list of numbers not offered by any third-party service? It seems like it would make a great business, but maybe it's very difficult for some reason I still can't quite understand.
This does seem reasonable, until you consider the armies of fake facebook and twitter profiles.
While this would certainly make the abuse of the sign-up process a tad harder for the average script-kiddy, it probably wouldn't really lock out all the dedicated cheaters, though. I think this would not be any better, maybe even worse than the requirement for a cell-phone number.
I think the current proposal in HF20 does already go further by removing the incentive for signing up for accounts without the intention of actually publishing content or investing into its voting power.
Right I see, I wasn't really aware that was a problem on those networks too - I don't use them much myself.
I remember Google did some verification by postal address for business services, it was quick and no less convenient than the currently delayed signup process, it is probably cost prohibitive for Steem Inc. though.
Yes, and considering they want to "onboard millions of new users", I think removing the cost to themselves is one of the driving arguments in their current approach. From what I understand this does effectively also remove the incentive for excessive multi-accounting, but I am not entirely certain if this really comes without new issues, allowing a minimum bandwidth without any available vesting?!
I'm concerned about this bandwidth without corresponding vestings thing... the foundation for that model seemed very well considered by Dan, and this looks to me to undermine it.
It does not allow anonymity to continue since:
One is required to provide both a cellular phone number and an email account.
Are there any anonymous social media?
It is easy to obtain both a cellular phone number and an email account anonymously, so since that's all they require, most social media networks permit anonymity.
Hey! How did you connect tm888ph with tomino if payments went through bittrex?
I'd like to not reveal all my tricks of the trade openly.
The coincidental evidence does speak for itself, you'll find the respective transactions in the appendix posted here.
Should @tomino contest my findings I'll be more than happy to elaborate the factual evidence I am keeping under the counter for now.
It's stealing. If a shop is offering free samples of snacks with a sign saying: "please take one" and I put the whole lot in a bag without paying for anything and leave the store; I am a thief.
That's a very valid analogy!
Excellent work Mr Holmes and an entertaining read as always.
I wonder if I may bring your attention to a fake account ring that I have reported to @patrice and @steamcleaners but that I have a feeling runs deeper than it appears. @patrice and his team also have a lot on their plate and your influence may be helpful in showing these charlatans that this kind of conduct isn't welcome on Steemit.
If you find the time please have a look at an account called funaddaa that I have linked to at least 5 other accounts claiming to be well known individuals and/or websites. So far it appear that gordonramsay, foxnews.com, hdporn, buzzfeed.com and pcmobilezone are run by the same individual, using the same MO.
The additional curious bit is that most of these accounts get upvoted by somealaskaguy which doesn't post at all and just upvotes. I'm not saying there's a link, but it might be worth investigating.
Sounds like you have done some solid research yourself already! Thanks.
I'll file this high up under my open leads and will look into it soon!
tips hat
Thank you! I look forward to what you might uncover!
It never ceases to amaze/depress me the level of effort people put into extracting as much reward as possible from Steemit without doing anything to deserve it. I hadn't thought of creating multiple accounts to get free steem which can be transferred to a holding account. No wonder people get aggressive about not having their accounts verified quick enough. They're all desperate to get free money for doing feck all! I vote for a system like Google, you only get to use your contact number three times to verify your account. Mind you, that wouldn't worry people, they'd use multiple phones wouldn't they?
I suspect the only answer is people like @sherlockholmes uncovering these individuals for us to downvote them. I clearly need to do more to support your work. We need more people like you unfortunately.
The current signup requires a unique phone number for each account. As we can see, that doesn't seem to stop anyone.
As my grandfather used to say: "If it's not nailed down they'll take it, mind you, even then they'd take it and the nails as well!"