Over the weekend, hackers targeted federated social networks such as Mastodon with ongoing spam attacks that were organized on Discord and carried out using Discord apps. But Discord has yet to take down the server where the attacks are being coordinated, and Mastodon community leaders have been unable to reach anyone at the company.
“The attacks were coordinated through Discord and the software was distributed through Discord,” said Emelia Smith, a software engineer who regularly works on trust and safety issues in the fediverse, a network of decentralized social platforms based on the ActivityPub protocol. “They were using bots that integrated directly into Discord, so a user didn’t even need to set up servers or anything like that, because they could just run that bot directly from Discord to do the attack.”
Smith attempted to contact Discord through official channels on February 17, but has so far received only form responses. Smith told TechCrunch that while Discord has mechanisms for reporting individual users or messages, it lacks a clear way to report entire servers.
“We’ve seen these cost Mastodon, Misskey and other server administrators hundreds or thousands of dollars in infrastructure costs and total denial of service,” Smith wrote to Discord Trust & Safety in an email seen by TechCrunch. “The only common link seems to be this Discord server.”
In a statement to TechCrunch, a Discord spokesperson said: “Discord’s Terms of Service specifically prohibit platform abuse, which refers to activities that disrupt or alter the experience of Discord users, including spamming or sending mass messages or interactions.” Although Discord says it is monitoring the situation, the server responsible for the spam attacks remains online.
Mastodon founder and CEO Eugen Rochko said in a post that these attacks are more difficult to mitigate than previous ones because they deliberately target smaller servers, which often have fewer monitoring tools. Some of these servers offer open registration, making it possible to quickly create new accounts and post spam. And as Smith notes, these massive spam attacks can drive up server costs, leaving administrators with unexpected bills.
According to reports on Mastodon, this fully automated attack was triggered by a conflict between teens on two different Japanese-language Discord servers.
“It’s this kind of weird social behavior where these kids are basically acting like schoolyard bullies,” Smith told TechCrunch. Smith believes they carried out the attack simply to show that they could, not out of any ill will toward these social networks.
“They have technological capabilities that are far above those that are emotional or psychological,” Smith said.
Kevin Beaumont, a cybersecurity expert, posted on Mastodon that this incident is reminiscent of a similar but much larger attack in 2016, in which three college kids created a botnet to make money on Minecraft. But what they built was so powerful that it managed to take down large swaths of the internet, including sites like Reddit and Spotify.
“I had to do an NPR radio show about it, and the host kept asking me if it was Putin — and I was like, no, they were teenagers. Advanced Persistent Teenagers,” Beaumont posted.
Because Mastodon is a decentralized social media network, the Mastodon team is unable to intervene in moderation issues on servers it doesn’t own, which is a vulnerability for the fediverse. On actively maintained and monitored servers, Mastodon offers tools to prevent automated account registration, such as CAPTCHAs.
While Mastodon’s open source, non-profit model gives users more ownership over their social media experiences, it also limits the organization’s ability to hire more developers. Most of the social network is run by volunteers, like Smith.
“I would estimate that the entire fediverse is being developed off the back of maybe, at best, 100 engineers,” Smith said. “All of them are either underpaid, underpaid, or unpaid, trying to build software while supporting a user base of monthly active users in the 1.1 million to 7.4 million range.”