Over the weekend, hackers targeted federated social networks such as Mastodon in a sustained spam attack organized on Discord and executed using the Discord application. However, Discord has not yet removed the server that facilitated the attack, and Mastodon community leaders have not been able to contact anyone within the company.
“The attack was coordinated through Discord, and the software was distributed through Discord,” said the author, who regularly addresses issues of trust and safety for Fediverse, a network of decentralized social platforms built on the ActivityPub protocol. said Emelia Smith, a software engineer at “They were using a bot that integrated directly with Discord, so the user didn't even have to set up a server or anything like that. To carry out the attack, he could run this bot directly from Discord. That was all I needed.”
Smith attempted to contact Discord through its official channels on February 17th, but has still only received responses via a form. She told TechCrunch that while Discord has mechanisms for reporting individual users or messages, it lacks a clear way to report an entire server.
In an email seen by TechCrunch, Smith wrote to Discord Trust & Safety that “Mastodon, Misskey, and other server admins can cost hundreds or even thousands of dollars in infrastructure costs and overall service costs.” I saw rejection occurring.” “The only common link seems to be this Discord server of his.”
In a statement to TechCrunch, a Discord spokesperson said, “Discord's Terms of Service define the platform's terms of service, which refers to activities that disrupt or alter the experience of Discord users, such as sending or interacting with spam or unsolicited bulk messages. Abuse is specifically prohibited.” Discord says it is monitoring the situation, but the servers responsible for the spam attack remain online.
Mastodon founder and CEO Eugen Roszko said in a post that these attacks often intentionally target small servers that don't have throttling tools in place. He said the attacks are more difficult to mitigate than past attacks because of the large number of attacks. Some of these servers offer open registration, allowing you to immediately start a new account and post spam. And, as Smith points out, these high-volume spam attacks can drive up server costs and leave administrators with unexpected bills.
According to reports on Mastodon, this fully automated attack was sparked by a conflict between teens on two different Japanese Discord servers.
“It's this kind of strange social behavior, and these kids are essentially acting like schoolyard bullies,” Smith told TechCrunch. She believes they carried out the attacks not because they had any malicious intent against these social networks, but simply to show they were capable.
“They have technical capabilities that are far above their level emotionally or psychologically,” she said.
Cybersecurity expert Kevin Beaumont wrote on Mastodon that the incident was reminiscent of a similar, but much larger, attack in 2016. In this attack, three college students created a botnet to make money playing Minecraft. But what they built was so powerful that it was able to destroy vast swathes of the internet, including sites like Reddit and Spotify.
“I ended up doing a radio show on NPR about it, and the host kept asking me if it was Putin, and I said, 'No, it's teenagers.' I thought: forward-thinking, tenacious teenager,'' Beaumont posted.
As a decentralized social media network, the team at Mastodon cannot intervene in moderation issues on servers they do not own. This is the vulnerability for the Fediverse. On actively maintained and managed servers, Mastodon provides tools to prevent automatic account registration, such as her CAPTCHA.
Mastodon's nonprofit, open-source model gives users more ownership over their social media experiences, but also limits the company's ability to hire more developers. Much of the social network is run by volunteers, like Smith herself.
“I think the entire Fediverse is probably being developed with the power of 100 engineers at most,” she said. “They're all working hard to build software, either underpaid, underpaid, or unpaid, while supporting a user base of 1.1 million monthly active users to 7.4 million monthly active users. ”