INTRODUCTION
1. My aim with this post
This guide is for everyone who wishes to learn about multi-accounting and botting. Throughout this guide, I have tried to cover everything there is to know about this world. It doesn't matter if you are a beginner; my attempt with this post is to share everything I know so that you can start your journey as fast as possible and get an overview of what to look out for, possible hurdles you might face and how to overcome them. I have worked in this niche for about three years, making complex bots, scrapers, and numerous reverse engineering projects for clients, myself, and sometimes just for fun! My goal with sharing this is to contribute to the community and possibly create an environment (thread) to discuss a more modern approach for stealth botting and multi-accounting.
2. Overview
Here's a quick look at all the chapters I've discussed in this post.
Feel free to jump to a specific topic if you are familiar with most things and just interested in something specific.
Chapter 01: Tracking
Chapter 02: Network OPSEC
Chapter 03: Virtual Machines (VMs)
Chapter 04: Containers
Chapter 05: Normal Browsers
Chapter 06: Anti-Detect Browsers
Chapter 07: Mobile & Mobile Farms
Chapter 08: Automation & Botting
Chapter 09: Private API & Reverse Engineering
Chapter 10: Final Thoughts
Chapter 11: References
CHAPTER ONE
TRACKING
1. What is tracking?
What is stopping you from registering a thousand accounts and automating them? Knowing who your opponents are is always a sane idea so you can make informed and logical decisions instead of simply shooting arrows blindly. I highly recommend you go through this section first so that when we discuss actual methods, you can make informed choices for the amount of stealth you require based on your needs. Depending on the website or app, you might deal with all, some, or none of the hurdles I've discussed in this section. The only way to get it right is to experiment with the bare minimum first (tools you have in hand), then maybe try out an overblown setup (premium proxies, etc.) if the bare minimum doesn't work, and then finally land somewhere in between by experimenting and making logical decisions to start scaling.
2. Footprints
These are user-generated traces meant to track and identify spammy behaviours and bots. Below are some of the most common footprints and how to deal with them.
a) Content metadata & hashes
Any media you upload, download, or capture has metadata attached. It can be used to identify various things like geolocation, content sources, etc. Most social media also store a hash of the content, which can be used to determine if the same content is being re-uploaded.
To deal with metadata, you can strip it using various tools and libraries or, even better, spoof the metadata with a new one so it looks more organic.
To deal with hash, you can do several things like pixel manipulation, colour manipulation, cropping, etc.
b) Usage patterns
How an account is being used matters a lot. If you keep following random people on Instagram 24/7, then it's an obvious giveaway. Websites also limit how many actions can be executed in a given timeframe. You may also stand out if your actions don't align with the millions of other users they have on their platform. To counter this, be as human as possible. Be random enough, but not too random. For example, to farm Gmail accounts, you must first farm out cookies by visiting random websites, doing Google searches, watching YouTube, etc. We will cover this in more depth under the passive fingerprinting section.
3. Fingerprints
Fingerprinting involves collecting numerous meta-data from the device to create a unique hash that can be used to identify whether two or more accounts are co-related or whether an account/profile can be trusted. Fingerprinting can roughly be divided into two sub-categories.
a) Active
Raw device metrics actively collected by apps and websites make active fingerprints. Depending on the platform (browser or Mobile), it can collect anything like user agent, battery percentage, CPU count, canvas, WebGL, GPU metadata, audio metadata, language, timezone, screen properties, and much more! In further sections, we will discuss how this can be spoofed.
b) Passive
Browser history, browser profile age, typing speed, and mouse movements can also tracked/monitored by background agents to generate a trust score. In rare cases, everything matters, including how many social accounts are made with an email and its resulting fraud score. You would have a terrible time if your trust score is low and or fraud score is high. To counter this, be as human as possible; I can't stress this enough! Age your profiles and cookies! If you are targeting multiple platforms, create an alias that interacts with all socials (like a human) instead of explicitly targeting one.
CHAPTER TWO
NETWORK OPSEC
1. Proxy
Websites can also track where requests come from and which accounts are associated with which IPs and subnets. They might also know if you are using an IP whose subnet has been flagged, has a low trust score or if the IPs are public/datacentre. As a first measure, you should always use a good proxy. There are roughly three types of proxy: Datacenter, Residential, and Mobile. They can further be bifurcated into static and rotating.
Datacenter proxies are usually the cheapest but won't work for most social media. There are many debates between residential and mobile proxies for social media, and I'd say it depends on the use case. If you wish to register many accounts and don't care about using them instantly, residential proxies should be good enough, although the same can be done using mobile proxies. But if you wish to use accounts actively (automated or manual), then mobile proxies are your best bet! Simply register/log in, use the account, rotate the IP, and repeat the cycle with a new account. For social media applications, you'd ideally use a mobile proxy that would rotate IPs within the same subnet. Accounts jumping from country to country are obviously suspicious.
Some use VPNs, but I can't comment on this as I have never tried it and am biased towards mobile proxies. Feel free to experiment with this for your specific use case.
2. WebRTC
When using proxies with browsers, you should mask or spoof webRTC leaks. WebRTC reveals your IP even when a proxy is active. You would install an extension that disables webRTC for a regular browser. Anti-Detect browsers usually support webRTC spoofing; you just need to enable it in profile settings. When using H3-compatible clients and proxies, you won't need to worry about this, as UDP will be proxied, and your IP will be masked completely.
3. HTTP/3
Many websites are now moving to HTTP/3, a new request protocol. Most proxy providers don't support it, and even if they do, your client most likely doesn't support proxying H3 requests. Proxing the H3 protocol is a must for platforms like Instagram.
To counter this, first, you'd need a proxy provider that supports UDP or any VPN protocols like ShadowSocks or OpenVPN. These protocols proxy UDP natively when using supported clients. If your proxy supports UDP, you can use software like ProxyCAP to route TCP and UDP traffic through your proxy. For VPN protocols, you'd use their recommended client to route traffic.
3. TCP/IP Fingerprint
Yes, your IPs leak fingerprints, too! Websites can know what OS you use by your TCP fingerprint and cross-check it with your user agent. When using a proxy, this will generally say Linux, regardless of your OS. You might also need to spoof these fingerprints for some rare use cases. This can only be spoofed by your proxy provider, and some rare providers support OS spoofing for their proxies.
CHAPTER THREE
VIRTUAL MACHINES (VMs)
1. Introduction
This age-old method involves simply using any hypervisor software to create a dedicated environment for a new profile. You must still mask your IP using a proxy, but the hypervisor does most of the spoofing for you. You can create VMs with varying system specifications to create accounts.
a) Websites
Many popular hypervisors, such as Virtual Box, VMware, Proxmox, and QEMU, can be used to create dedicated VMs for accounts.
There's also Qubes OS, where every browser instance you initialize starts within a new, fresh VM.
b) Apps
For mobile apps, you can use emulators like bluestacks.
2. My thoughts on this method
This method is okay if you need quick disposable accounts but don't wish to pay for anti-detect browsers. However, VMs are resource-hungry and slow to boot, so I won't suggest using them for any operation that requires scaling.
CHAPTER FOUR
CONTAINERS
1. Introduction
This method revolves around containerization technology, which is available primarily on Linux. Containers are nothing but very lightweight VMs. One of the most popular ways of using this tech is by using Docker.
You can start browser instances within containers, forward the WSS port and connect your automation script directly to the browser instance within the container. You may also enclose your automation script within the container and connect directly to the browser from within the container. There are projects like docker-android that you can emulate android within docker itself.
2. My thoughts on this method
This method is okay where medium scaling is required, as containers are lightweight, but browsers are not. But it's also not as complex as reverse engineering and faster to prototype. However, you must also consider that the environment is lost once the container is killed, so you should mostly use it when reproducing the os environment is not necessary. Once I created a solution for Zoom bots, since Zoom doesn't require login to join a meeting, no state was required to be maintained. This was the perfect situation for using this method. At one point, we had about 10k bots running in parallel using this method. We could quickly scale this to any amount of bots based on demand as long as we have enough proxies and resources available.
CHAPTER FIVE
NORMAL BROWSERS
1. Introduction
For some platforms, a normal Firefox browser should be enough, with a few extra plugins for stealth. If you wish to use Chrome, you can look into projects like Ungoogled Chromium. But you'd have to do a lot of spoofing by yourself manually. There's a project called FakeBrowser and FakeChrome that no longer works, but if you know how to read some code, you should be able to rewrite most of the evasions referring to that project. There's also a new tool in the market called fingerprint switcher. You might look into it, but it only supports Windows at the time of writing this.
2. My thoughts on this method
This method is okay where medium scaling is required cause, again, this is a browser. This allows quick prototyping but is slightly complex as you handle stealth yourself. However, it's much faster and easier than reverse engineering. I developed a solution based on this for an SMM panel company a while back; once the hurdle of stealth was overcome, developing and maintaining the rest of the product was a breeze.
CHAPTER SIX
ANTI-DETECT BROWSERS
1. Introduction
If you don't care much about doing things yourself and are fine paying someone to handle all the complexities, you can go with anti-detect browsers. Note that anti-detect browsers have their limitations and might not work for some platforms.
2. My thoughts on this method
This is an excellent solution if you only care about creating and/or managing a limited set of accounts. However, it might become costly at scale. Not all anti-detect browsers support automation, so this is something to look out for.
CHAPTER SEVEN
MOBILE & MOBILE FARMS
1. Introduction
This is a goldmine if you can figure out how to make it work. Some of the highest-quality accounts can be created and maintained using mobile farms. You would need a jailbroken mobile and use some tools to modify its specs on the fly to create multiple accounts on the same device, one after the other. Scale this setup to 500 or 1000 devices?! I have never gone down this path, but I know two journeys here that I'd recommend you go through to learn more.
a) https://www.blackhatworld.com/seo/my-journey-to-greatness.1516469/
b) https://www.blackhatworld.com/seo/my-journey-to-1-000-000-a-month-profit-with-reddit-services.1493369/
2. My thoughts on this method
It can be costly compared to other methods, but it's also the only way to automate some platforms like Instagram.
CHAPTER EIGHT
AUTOMATION & BOTTING
1. Browser Automation
Several frameworks exist for browser automation, including Selenium, Puppeteer, and Playwright. Their documentation is pretty straightforward. My favourite is Playwright, and I highly recommend you avoid Selenium (it is possible to make it work, but still, a lot of work).
2. Android Automation
I've used Appium before, but nothing is in production yet, so please refer to the journeys I've mentioned under the Mobile & Mobile Farms chapter.
3. GUI Automation
You can use ADB (optional because some apps check if developer options are enabled) and any GUI automation frameworks like AutoIt or pywin32 to automate Android emulators. This automation heavily depends on screen capturing, OCR, and image recognition, but it is very effective. A while ago, I made an Instagram registration script using this method. You can even hook into bluestacks and launch new profiles with different configs by modifying some Windows registry keys.
CHAPTER NINE
PRIVATE API & REVERSE ENGINEERING
1. Introduction
It is the act of intercepting and extracting private APIs from any app or website and replaying it by modifying the request. Some payloads might contain encrypted data, so you might need to go through the source code to reproduce its functionality.
2. Reverse Engineering Web Apps
There is not much to say; Chrome dev tools are your friend! You can also use tools like Burp Suite or HTTP Toolkit to intercept the requests, as they have more advanced filtering methods. Depending on the situation, you can use various methods to extract specific functionality. Sometimes, a Chrome debugger is enough; other times, you would need to write a deobfuscator yourself.
3. Reverse Engineering Mobile Apps
The biggest hurdle is SSL Pinning. You can easily bypass it using Frida. If that doesn't work, decompile and modify the app to trust user certificates. Recompile the app, sign, install, and intercept requests as always with Burpsuite, Proxyman, or HTTP Toolkit. Get into the habit of reading smali code to do static analysis when required. Using Frida, you can hook into functions and understand their behaviour to replicate their functionality.
4. My thoughts on this method
This is my personal favourite. The end implementation is very lightweight and, hence, very scalable. But it is also tremendously difficult, depending on the website of social you target.
CHAPTER TEN
FINAL THOUGHTS
There is no correct answer for botting and multi-accounting. It depends on your needs, the scale of your operation, and the app/website you are targeting. But everything covered here should hopefully give you a good picture of everything you might need to look out for and make a decision that meets your requirements.
CHAPTER ELEVEN
REFERENCES
+ Reverse Engineering
- Github: jamiebuilds/babel-handbook
- Github: iddoeldor/frida-snippets
+ Stealth Evasion
- Github: CheshireCaat/browser-with-fingerprints
- Github: kkoooqq/fakebrowser
- Github: kkoooqq/fakechrome
- Github: ungoogled-software/ungoogled-chromium
- Github: apify/fingerprint-suite
+ Emulator Automation
- Github: SergeyPotapov01/bot_Clash_Royale
- Github: MyBotRun/MyBot
