[GUIDE] Multi Accounting & Botting

avilabs

May 7, 2022
INTRODUCTION
1. My aim with this post
This guide is for everyone who wishes to learn about multi-accounting and botting. Throughout this guide, I have tried to cover everything there is to know about this world. It doesn't matter if you are a beginner; my attempt with this post is to share everything I know so that you can start your journey as fast as possible and get an overview of what to look out for, possible hurdles you might face and how to overcome them. I have worked in this niche for about three years, making complex bots, scrapers, and numerous reverse engineering projects for clients, myself, and sometimes just for fun! My goal with sharing this is to contribute to the community and possibly create an environment (thread) to discuss a more modern approach for stealth botting and multi-accounting.


2. Overview
Here's a quick look at all the chapters I've discussed in this post.
Feel free to jump to a specific topic if you are familiar with most things and just interested in something specific.

Chapter 01: Tracking
Chapter 02: Network OPSEC
Chapter 03: Virtual Machines (VMs)
Chapter 04: Containers
Chapter 05: Normal Browsers
Chapter 06: Anti-Detect Browsers
Chapter 07: Mobile & Mobile Farms
Chapter 08: Automation & Botting
Chapter 09: Private API & Reverse Engineering
Chapter 10: Final Thoughts
Chapter 11: References



CHAPTER ONE
TRACKING
1. What is tracking?
What is stopping you from registering a thousand accounts and automating them? Knowing who your opponents are is always a sane idea so you can make informed and logical decisions instead of simply shooting arrows blindly. I highly recommend you go through this section first so that when we discuss actual methods, you can make informed choices for the amount of stealth you require based on your needs. Depending on the website or app, you might deal with all, some, or none of the hurdles I've discussed in this section. The only way to get it right is to experiment with the bare minimum first (tools you have in hand), then maybe try out an overblown setup (premium proxies, etc.) if the bare minimum doesn't work, and then finally land somewhere in between by experimenting and making logical decisions to start scaling.

2. Footprints
These are user-generated traces meant to track and identify spammy behaviours and bots. Below are some of the most common footprints and how to deal with them.

a) Content metadata & hashes
Any media you upload, download, or capture has metadata attached. It can be used to identify various things like geolocation, content sources, etc. Most social media also store a hash of the content, which can be used to determine if the same content is being re-uploaded.
To deal with metadata, you can strip it using various tools and libraries or, even better, spoof the metadata with a new one so it looks more organic.
To deal with hash, you can do several things like pixel manipulation, colour manipulation, cropping, etc.

b) Usage patterns
How an account is being used matters a lot. If you keep following random people on Instagram 24/7, then it's an obvious giveaway. Websites also limit how many actions can be executed in a given timeframe. You may also stand out if your actions don't align with the millions of other users they have on their platform. To counter this, be as human as possible. Be random enough, but not too random. For example, to farm Gmail accounts, you must first farm out cookies by visiting random websites, doing Google searches, watching YouTube, etc. We will cover this in more depth under the passive fingerprinting section.


3. Fingerprints
Fingerprinting involves collecting numerous metadata from the device to create a unique hash that can be used to identify whether two or more accounts are correlated or whether an account/profile can be trusted. Fingerprinting can roughly be divided into two sub-categories.

a) Active
Raw device metrics actively collected by apps and websites make active fingerprints. Depending on the platform (browser or Mobile), it can collect anything like user agent, battery percentage, CPU count, canvas, WebGL, GPU metadata, audio metadata, language, timezone, screen properties, and much more! In further sections, we will discuss how this can be spoofed.

b) Passive
Browser history, browser profile age, typing speed, and mouse movements can also be tracked/monitored by background agents to generate a trust score. In rare cases, everything matters, including how many social accounts are made with an email and its resulting fraud score. You would have a terrible time if your trust score is low and/or fraud score is high. To counter this, be as human as possible; I can't stress this enough! Age your profiles and cookies! If you are targeting multiple platforms, create an alias that interacts with all socials (like a human) instead of explicitly targeting one.



CHAPTER TWO
NETWORK OPSEC
1. Proxy
Websites can also track where requests come from and which accounts are associated with which IPs and subnets. They might also know if you are using an IP whose subnet has been flagged, has a low trust score or if the IPs are public/datacentre. As a first measure, you should always use a good proxy. There are roughly three types of proxy: Datacenter, Residential, and Mobile. They can further be bifurcated into static and rotating.

Datacenter proxies are usually the cheapest but won't work for most social media. There are many debates between residential and mobile proxies for social media, and I'd say it depends on the use case. If you wish to register many accounts and don't care about using them instantly, residential proxies should be good enough, although the same can be done using mobile proxies. But if you wish to use accounts actively (automated or manual), then mobile proxies are your best bet! Simply register/log in, use the account, rotate the IP, and repeat the cycle with a new account. For social media applications, you'd ideally use a mobile proxy that would rotate IPs within the same subnet. Accounts jumping from country to country are obviously suspicious.

Some use VPNs, but I can't comment on this as I have never tried it and am biased towards mobile proxies. Feel free to experiment with this for your specific use case.


2. WebRTC
When using proxies with browsers, you should mask or spoof WebRTC leaks. WebRTC reveals your IP even when a proxy is active. You would install an extension that disables WebRTC for a regular browser. Anti-Detect browsers usually support WebRTC spoofing; you just need to enable it in profile settings. When using H3-compatible clients and proxies, you won't need to worry about this, as UDP will be proxied, and your IP will be masked completely.

3. HTTP/3

Many websites are now moving to HTTP/3, a new request protocol. Most proxy providers don't support it, and even if they do, your client most likely doesn't support proxying H3 requests. Proxying the H3 protocol is a must for platforms like Instagram.
To counter this, first, you'd need a proxy provider that supports UDP or any VPN protocols like ShadowSocks or OpenVPN. These protocols proxy UDP natively when using supported clients. If your proxy supports UDP, you can use software like ProxyCAP to route TCP and UDP traffic through your proxy. For VPN protocols, you'd use their recommended client to route traffic.


4. TCP/IP Fingerprint
Yes, your IPs leak fingerprints, too! Websites can know what OS you use by your TCP fingerprint and cross-check it with your user agent. When using a proxy, this will generally say Linux, regardless of your OS. You might also need to spoof these fingerprints for some rare use cases. This can only be spoofed by your proxy provider, and some rare providers support OS spoofing for their proxies.


CHAPTER THREE
VIRTUAL MACHINES (VMs)
1. Introduction
This age-old method involves simply using any hypervisor software to create a dedicated environment for a new profile. You must still mask your IP using a proxy, but the hypervisor does most of the spoofing for you. You can create VMs with varying system specifications to create accounts.

a) Websites
Many popular hypervisors, such as VirtualBox, VMware, Proxmox, and QEMU, can be used to create dedicated VMs for accounts.
There's also Qubes OS, where every browser instance you initialize starts within a new, fresh VM.

b) Apps
For mobile apps, you can use emulators like BlueStacks.


2. My thoughts on this method
This method is okay if you need quick disposable accounts but don't wish to pay for anti-detect browsers. However, VMs are resource-hungry and slow to boot, so I won't suggest using them for any operation that requires scaling.



CHAPTER FOUR
CONTAINERS
1. Introduction
This method revolves around containerization technology, which is available primarily on Linux. Containers are nothing but very lightweight VMs. One of the most popular ways of using this tech is by using Docker.
You can start browser instances within containers, forward the WSS port and connect your automation script directly to the browser instance within the container. You may also enclose your automation script within the container and connect directly to the browser from within the container. There are projects like docker-android with which you can emulate Android within Docker itself.


2. My thoughts on this method
This method is okay where medium scaling is required, as containers are lightweight, but browsers are not. But it's also not as complex as reverse engineering and faster to prototype. However, you must also consider that the environment is lost once the container is killed, so you should mostly use it when reproducing the OS environment is not necessary. Once I created a solution for Zoom bots, since Zoom doesn't require login to join a meeting, no state was required to be maintained. This was the perfect situation for using this method. At one point, we had about 10k bots running in parallel using this method. We could quickly scale this to any amount of bots based on demand as long as we have enough proxies and resources available.



CHAPTER FIVE
NORMAL BROWSERS
1. Introduction
For some platforms, a normal Firefox browser should be enough, with a few extra plugins for stealth. If you wish to use Chrome, you can look into projects like Ungoogled Chromium. But you'd have to do a lot of spoofing by yourself manually. There's a project called FakeBrowser and FakeChrome that no longer works, but if you know how to read some code, you should be able to rewrite most of the evasions referring to that project. There's also a new tool in the market called fingerprint switcher. You might look into it, but it only supports Windows at the time of writing this.


2. My thoughts on this method
This method is okay where medium scaling is required cause, again, this is a browser. This allows quick prototyping but is slightly complex as you handle stealth yourself. However, it's much faster and easier than reverse engineering. I developed a solution based on this for an SMM panel company a while back; once the hurdle of stealth was overcome, developing and maintaining the rest of the product was a breeze.



CHAPTER SIX
ANTI-DETECT BROWSERS
1. Introduction
If you don't care much about doing things yourself and are fine paying someone to handle all the complexities, you can go with anti-detect browsers. Note that anti-detect browsers have their limitations and might not work for some platforms.


2. My thoughts on this method
This is an excellent solution if you only care about creating and/or managing a limited set of accounts. However, it might become costly at scale. Not all anti-detect browsers support automation, so this is something to look out for.



CHAPTER SEVEN
MOBILE & MOBILE FARMS
1. Introduction
This is a goldmine if you can figure out how to make it work. Some of the highest-quality accounts can be created and maintained using mobile farms. You would need a jailbroken mobile and use some tools to modify its specs on the fly to create multiple accounts on the same device, one after the other. Scale this setup to 500 or 1000 devices?! I have never gone down this path, but I know two journeys here that I'd recommend you go through to learn more.

a) AllOutAnime's Journey
b) evex's Journey

2. My thoughts on this method
It can be costly compared to other methods, but it's also the only way to automate some platforms like Instagram.



CHAPTER EIGHT
AUTOMATION & BOTTING
1. Browser Automation
Several frameworks exist for browser automation, including Selenium, Puppeteer, and Playwright. Their documentation is pretty straightforward. My favourite is Playwright, and I highly recommend you avoid Selenium (it is possible to make it work, but still, a lot of work).

2. Android Automation
I've used Appium before, but nothing is in production yet, so please refer to the journeys I've mentioned under the Mobile & Mobile Farms chapter.

3. GUI Automation
You can use ADB (optional because some apps check if developer options are enabled) and any GUI automation frameworks like AutoIt or pywin32 to automate Android emulators. This automation heavily depends on screen capturing, OCR, and image recognition, but it is very effective. A while ago, I made an Instagram registration script using this method. You can even hook into BlueStacks and launch new profiles with different configs by modifying some Windows registry keys.


CHAPTER NINE
PRIVATE API & REVERSE ENGINEERING
1. Introduction
It is the act of intercepting and extracting private APIs from any app or website and replaying it by modifying the request. Some payloads might contain encrypted data, so you might need to go through the source code to reproduce its functionality.

2. Reverse Engineering Web Apps
There is not much to say; Chrome dev tools are your friend! You can also use tools like Burp Suite or HTTP Toolkit to intercept the requests, as they have more advanced filtering methods. Depending on the situation, you can use various methods to extract specific functionality. Sometimes, a Chrome debugger is enough; other times, you would need to write a deobfuscator yourself.

3. Reverse Engineering Mobile Apps
The biggest hurdle is SSL Pinning. You can easily bypass it using Frida. If that doesn't work, decompile and modify the app to trust user certificates. Recompile the app, sign, install, and intercept requests as always with Burp Suite, Proxyman, or HTTP Toolkit. Get into the habit of reading smali code to do static analysis when required. Using Frida, you can hook into functions and understand their behaviour to replicate their functionality.

4. My thoughts on this method
This is my personal favourite. The end implementation is very lightweight and, hence, very scalable. But it is also tremendously difficult, depending on the website or social you target.



CHAPTER TEN
FINAL THOUGHTS

There is no correct answer for botting and multi-accounting. It depends on your needs, the scale of your operation, and the app/website you are targeting. But everything covered here should hopefully give you a good picture of everything you might need to look out for and make a decision that meets your requirements.


CHAPTER ELEVEN
REFERENCES
+ Reverse Engineering
- Github: jamiebuilds/babel-handbook
- Github: iddoeldor/frida-snippets

+ Stealth Evasion
- Github: CheshireCaat/browser-with-fingerprints
- Github: kkoooqq/fakebrowser
- Github: kkoooqq/fakechrome
- Github: ungoogled-software/ungoogled-chromium
- Github: apify/fingerprint-suite

+ Emulator Automation
- Github: SergeyPotapov01/bot_Clash_Royale
- Github: MyBotRun/MyBot
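
Added example, not part of the original post: a platform-side sketch of the linkage signals the guide describes in Chapters 1 and 2 (shared device fingerprints, accounts clustered in one subnet, and a TCP/IP-layer OS that contradicts the User-Agent), scored over sign-up events. The event fields, weights, thresholds and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample sign-up events. Field names are assumptions:
# "fp" is a device-fingerprint hash, "ua_os" the OS claimed by the User-Agent,
# "tcp_os" the OS inferred from the TCP/IP handshake.
EVENTS = [
    {"account": "a1", "ip": "203.0.113.10", "fp": "f-01", "ua_os": "Windows", "tcp_os": "Windows"},
    {"account": "a2", "ip": "203.0.113.77", "fp": "f-01", "ua_os": "Windows", "tcp_os": "Linux"},
    {"account": "a3", "ip": "203.0.113.90", "fp": "f-02", "ua_os": "macOS", "tcp_os": "Linux"},
    {"account": "a4", "ip": "198.51.100.5", "fp": "f-03", "ua_os": "Android", "tcp_os": "Linux"},
    {"account": "a5", "ip": "192.0.2.44", "fp": "f-04", "ua_os": "Windows", "tcp_os": "Windows"},
]

# TCP-layer OS families that are consistent with a claimed User-Agent OS.
# Android runs on a Linux kernel, so "Linux" at the TCP layer is not a mismatch.
COMPATIBLE_TCP_OS = {
    "Windows": {"Windows"},
    "macOS": {"macOS"},
    "Linux": {"Linux"},
    "Android": {"Android", "Linux"},
}

# Illustrative weights (assumed): a shared fingerprint is the strongest signal,
# subnet density the weakest.
WEIGHTS = {"os_mismatch": 2, "shared_fingerprint": 3, "dense_subnet": 1}


def subnet_of(ip, prefix=24):
    """Return the enclosing network of an address, e.g. 203.0.113.0/24."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def os_mismatch(event):
    """True when the TCP-layer OS contradicts the OS in the User-Agent."""
    allowed = COMPATIBLE_TCP_OS.get(event["ua_os"])
    # Unknown User-Agent OS: give no opinion rather than a false positive.
    return allowed is not None and event["tcp_os"] not in allowed


def score_accounts(events, fp_limit=1, subnet_limit=2):
    """Map each account to the signals it triggered and a weighted score."""
    by_fp, by_subnet = defaultdict(set), defaultdict(set)
    for e in events:
        by_fp[e["fp"]].add(e["account"])
        by_subnet[subnet_of(e["ip"])].add(e["account"])

    reasons = defaultdict(set)
    for e in events:
        found = reasons[e["account"]]  # accumulates across repeat events
        if os_mismatch(e):
            found.add("os_mismatch")
        if len(by_fp[e["fp"]]) > fp_limit:
            found.add("shared_fingerprint")
        if len(by_subnet[subnet_of(e["ip"])]) > subnet_limit:
            found.add("dense_subnet")

    return {
        account: {"reasons": sorted(r), "score": sum(WEIGHTS[x] for x in r)}
        for account, r in reasons.items()
    }


if __name__ == "__main__":
    for account, verdict in sorted(score_accounts(EVENTS).items()):
        print(account, verdict["score"], verdict["reasons"])
```

Subnet density carries the lowest weight here because carrier-grade NAT puts many unrelated subscribers behind the same addresses, so on its own it should not decide an outcome.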
 
Wow! This guide really covers important things in the botting area. Thank you for this contribution.
 
This is a great share! Thank you for taking time to write all this.

I have a question and you might be the right person to answer this.
If we use normal browsers, let's say Chrome and Firefox, what data can be extracted by social media from them?
So this question is to create accounts using browsers.

Do you know a way to tackle so that thousands of social media accounts can be registered (specifically on computer devices)
I read somewhere regarding Noiszy which adds cookies to make it look like an authentic user which can help to create accounts. Can you maybe guide the way?

Thank you
 
I have shared possible solutions for the same in the post; read carefully and explore
 
Very interesting, thank you for the share

is there any Social platform easier to start with?
 
I have shared possible solutions for the same in the post; read carefully and explore
I have read the whole thing and still it'd be great if you can answer this straight forward specifically regarding this.
What tools will be required if we use real mobile proxies.
 
+ Reverse Engineering
- Github: jamiebuilds/babel-handbook
- Github: iddoeldor/frida-snippets
good

I was lookin' for this bs (lol) some time

I couldn't find anything searching for reverse engineering on the internet

tell me how to break captcha using reverse engineering and you have my beers

little spoon feed... but it'd be a very tough example
 
I have read the whole thing and still it'd be great if you can answer this straight forward specifically regarding this.
What tools will be required if we use real mobile proxies.
You would need to develop an automation script. Use one of the frameworks I have mentioned to automate browsers. Then fingerprints would be your hurdle, use some of the tools I have mentioned under normal browser chapter

tell me how to break captcha using reverse engineering and you have my beers
Just outsource that shit to 2captcha workers :p
 
Just outsource that shit to 2captcha workers :p
My bad. It was that I was trying to write requests based bot using c++ and libcurl. That was the problem. Nevermind.

I will do that in node.js next time.
 
But you'd have to do a lot of spoofing by yourself manually. There's a project called FakeBrowser and FakeChrome that no longer works, but if you know how to read some code, you should be able to rewrite most of the evasions referring to that project. There's also a new tool in the market called fingerprint switcher. You might look into it, but it only supports Windows at the time of writing this.

Then fingerprints would be your hurdle, use some of the tools I have mentioned under normal browser chapter

I am able to automate browser, that part is sorted. I just don't understand necessary spoofing/fingerprint thing. I have tried user agent switching, fingerprint switching, visiting some website to add cookie noise, using fresh mobile ip. Still no luck.
 
Possible follow ups.

  1. Write more concrete guide for reverse engineering with practical examples in node.js
  2. Suggest a framework structure for automation of mobile based on a real project (identify common automation patterns first)
  3. Suggest a framework structure for automation of desktop based on a real project (identify common automation patterns first)
  4. Explain hidden tactics to speed up puppeteer and automation
  5. Explain secrets (of course very important!) publicly to spoil the milk
  6. Create a guide to write testable automation code
  7. Write how to effectively add scheduling features to programs
  8. Write how to recover automation programs when they crash
  9. Write how to scale automation using microservices and other enterprise development tactics
  10. Suggest how to split code and create a testing environment to develop complex scenario automation faster
  11. Create a complete course for reverse engineering a random platform (it doesn't have to be something popular)
  12. Explain how to do multi threading in node.js in a healthy way - that doesn't have to be done in a brutal while loop way
  13. On machine learning in automation for web - possibly with Amazon Sagemaker
  14. Elaborate on moving mouse and cursor, clicking in different points (not in the middle of an element like puppeteer does)
  15. Elaborate on importance of cookies and surfing the internet to mimic users

Anyone who knows can do this.
 
  1. Write more concrete guide for reverse engineering with practical examples in node.js
  2. Suggest a framework structure for automation of mobile based on a real project (identify common automation patterns first)
  3. Suggest a framework structure for automation of desktop based on a real project (identify common automation patterns first)
  4. Explain hidden tactics to speed up puppeteer and automation
  5. Explain secrets (of course very important!) publicly to spoil the milk
  6. Create a guide to write testable automation code
  7. Write how to effectively add scheduling features to programs
  8. Suggest how to split code and create a testing environment to develop complex scenario automation faster
  9. Create a complete course for reverse engineering a random platform (it doesn't have to be something popular)
  10. On machine learning in automation for web - possibly with Amazon Sagemaker
  11. Elaborate on importance of cookies and surfing the internet to mimic users
I'll cover all these someday soon in detail.

For now, let me answer these as they aren't as complex to be covered in a dedicated post:
1. How to recover automation programs when they crash?
By registering a 'systemd' service in Linux. Similarly, there are services on all platforms, and you simply need to register your program there.
Or you may simply use Docker: `docker run --restart=always`

2. How to do multi-threading in node.js in a healthy way
Look into worker threads for node.js
Or you may simply use Docker-Compose: `scale` param

3. How to scale automation using microservices and other enterprise development tactics
To simplify, microservice is a fancy term for a program with an HTTP server for communication running on top of it.
You may optionally use a more modern communication protocol like gRPC instead of good old HTTP.
All this runs within a container, and we allow other containers to communicate with each other.
This gives us a lot of flexibility cause we can scale up or down certain services based on demand.

For a more enterprise solution, I usually don't register services for crashes or handle multi-threading myself.
I focus on creating a single perfect instance that runs optimally within a container. I optimize this instance as much as possible.
This way, I can use docker and Kubernetes to scale up and down the services, and it also takes care of health checks and recovery.

Some would argue that this is an overblown solution and that docker containers use some extra resources.
But I would sacrifice that small amount of extra resources any day for a more robust and overblown solution that's proven to work at scale and won't give me headaches from time to time.

4. Elaborate on moving mouse and cursor
I maintain a fork for playwright. There's probably something out there for puppeteer as well
avilabss/ghost-cursor-playwright
 
Good. I don't know about docker as I use windows and chrome. Is it possible to run headful browser on docker? I think it's a problem. What's the solution for Windows?

I'm gonna make test environment and improve testing speeds of singular features in multi-feature programs tenfold.

From what I saw running docker for crypto project on EOS that I quit after a week it was that it creates a lot of problems and adds complexity. Dunno though how it would work in automation.

I had to understand c++ and docker and blockchains and all that stuff which I don't understand, so I quit that crypto idea altogether and will never come back in 20 years unless I become interested in low level programs and cryptography.

Maybe it wasn't docker's problem but running it on windows and all that networking stuff was painful to setup. Boring as hell.
 