Instagram influencers with up to 40m followers use Russian bots


Top Instagram influencers are relying on Russian bots to boost their presence, Cybernews research has revealed.

A bot service allegedly linked to Russia was found leaking clients’ private data and messages, revealing that almost half a million of its fake accounts are being used by high-profile influencers.

Our discovery is a stellar example of just how big the fake social media account problem is. For example, Twitter deletes over 310 million bot accounts annually, which is equivalent to approximately 10 bot accounts every second.

Instagram is estimated to have about 95 million fake accounts among its total user base of approximately one billion, indicating that roughly one in ten accounts is not genuine. Elon Musk pushed to crack down on bots plaguing the platform when he took over Twitter. However, figures from the SparkToro internet usage auditing tool show that over half of Musk’s own followers are “fake” – meaning they are either spam accounts, bots, or no longer active.

Bot account status

Russian bots as a service

On October 7, the Cybernews research team discovered an open Cassandra instance storing private data belonging to instarobot.pro. The Russian-language website offers services that enable spamming and botting on Instagram and goes under the brand-name Zeus.

The leaked data includes a wealth of private information, such as who purchased botting services and for which accounts. The database contained full messages sent through the service, along with details of sender and receiver accounts, message contents, and timestamps.

The leaked information reveals that several high-profile Instagram accounts – some with up to 40 million followers – are most likely using bot services. The data also shows that Zeus used at least 443,000 different bot accounts.

Platform users' emails

The list of Instagram accounts allegedly using Russian bots is vast, although their specific social profiles cannot be disclosed for legal reasons.

Among the Instagram accounts allegedly utilizing Russian bots are those associated with eco-conscious clothing, as well as glasses, jewelry, and furniture brands. The list also includes a popular travel blog, as well as social media and digital marketing agencies, photographers, influencers and public figures, business consultancies, and brand-mentor accounts.

The music industry is not immune either, with some bands allegedly relying on bot services. Other fields included graphic artistry, fashion modeling, dance studios, events venues, health and beauty, and fitness-related accounts.

While the Zeus bot service is most likely targeting Russian customers, among the leaked social accounts there were also ones allegedly located in Spain, Poland, and the UK, as well as countries in Latin America.

Researchers were able to see statistics for almost 16,000 affiliate links posted by bots, providing information on how many people clicked on the links, how many of them registered for an account, and how much they were paid for using the affiliate link.

Cybernews tried to contact instarobot.pro for five months, but at the time of writing the service provider had not responded. Nor had it closed the open instance.

Logs with credentials

Violating Instagram’s terms

The tools provided by Zeus allow users to analyze Instagram accounts, buy fake likes and comments, mass-view stories, mass-follow accounts, and automate direct message (DM) responses. Using such tools is generally considered a violation of Instagram’s terms of service and can negatively affect users.

Zeus claims its clients include multinational corporations such as Samsung, Bridgestone, and Puma. However, this claim is likely false. The service domain is registered to an individual whose details are redacted, but the registration can still be linked to Russia: according to WHOIS data, the domain owner’s address is in Nizhegorodskaya Oblast, Russia.

Many risks, including account hijacking

The open instance allowed anyone to access bot account logs, which contained plaintext credentials. This poses a risk of account hijacking, which could be valuable depending on how the bots were "warmed up".

This warming-up process involves taking specific actions on an account to bypass bot-detection mechanisms or make the account appear more trustworthy in the eyes of the platform. Once an account passes these steps, it is typically not inspected as thoroughly, making it more valuable to hijackers.

The email addresses found in the leak could also be used by similar service providers to spam or spear-phish the owners. The database also contained an “exploit” keyspace, apparently created by a third party to test whether entries could be written to it. The presence of this keyspace suggests that the database is not well maintained and rarely checked.

Bot farms with millions of fake accounts

Apart from spamming, spreading crypto scams, and fraudulently boosting social media accounts, bots have been linked to disinformation campaigns, targeting of political opponents, and baiting audiences across a number of countries. The notorious Internet Research Agency (IRA) in Russia is known to use bots and trolls to push political agendas and destabilize society on polemical topics.

Using bots as a tool of propaganda is extremely prevalent in the context of the Russian-Ukrainian war. The cyber department of the Ukrainian Security Service (SSU) took down bot farms in 2022 that used fake accounts to disseminate Russian disinformation across social networks and messaging platforms.

Among the dismantled farms, one had over a million bots that not only spread fake news but also sold its services to Russian clients.