Wondering if your company has any crime rings sleeping among your users? Most will acknowledge that there are likely some accounts lurking here or there, but may not realize that it’s a big problem. This attitude is held by a lot of companies, large and small, and many think they have it under control. Think again.

Recent research published in MIT Technology Review demonstrated how big this problem can be when they uncovered sleeper cells on Twitter. Juan Echeverria and Shi Zhou, from University College London, uncovered a Twitter botnet, asleep and undetected since 2013, that was made up of approximately 350k accounts.

Star Wars Storm Tropper Army

They discovered the massive botnet while investigating automated accounts. Odd, but correlated, geographic distribution, as well as matching events and behaviors such as how many tweets they published, the phones they used and follower counts, were major red flags that something was going on. The researchers trained a machine-learning algorithm to recognize the Star Wars quotes being used by all the fake accounts and uncovered the massive 350k account pool. Is this an isolated case? No, it’s a drop in a very large bot bucket.

We’ve uncovered some massive sleeper cells in the wild and this recent research is consistent what we’ve found, especially when it come to how long these sleeper cells will incubate before they strike.

We recently analyzed more than 500 billion events and 300 million user accounts from global online services over the past two years to uncover sleeper cells. We found that they are not only prevalent, but also very patient. In fact, 24%-47% of the malicious accounts we uncovered incubated for more than 30 days after registration. That’s one whole month of looking and acting like a normal user, making it so you don’t look at them twice. We also found that 11% incubate for more than 100 days and one-third of all malicious accounts have yet to attack – even after our one year observation period. These are huge groups of user accounts that you don’t know are malicious, even after one full year on your service, because they haven’t done anything wrong yet. They look like normal users and act like normal users, but they are simply getting ready to strike.

One crucial difference in our research is how we detected the sleeper cells in the first place, as our method is very different than that of the researchers above. At Datavisor, we use unsupervised machine learning and don’t need rules, or in this case, Star Wars quotes, to find correlated behavior and patterns. We are able to do that automatically by analyzing global user events and data in real-time. What were steps and layers in the process of uncovering the Twitter botnet, we do in one step.

But while our methods are different, our research results are similar and important to note. All online services need to be aware of the sleeper cell issue and take proactive steps to address it before their bots wake up. The damages they can inflict, both financially and in user trust, can be massive if you don’t detect them first. While destroying sleeper cells may not be as simple as finding the thermal exhaust port to the reactor (Thanks, Galen Erso!), unsupervised machine learning is certainly the Force to be reckoned with in the fight against fraud.