Increased Bot Activity & What We're Doing About It
Tophhie Social has seen a sharp increase in the number of bots on our platform. Here's what we're doing about it...
It comes as no surprise to anyone that when you publicly announce an internet service or platform, you see a sudden influx of malicious actors and bots.
Tophhie Social is no exception to this.
Over the recent months, I've seen a very sharp increase in the number of programmatic attempts to create accounts on the Tophhie Social Personal Data Server. Given the open and welcoming nature of the platform, this has been open to abuse. Bots have jumped straight onto this "kindness", and used Tophhie Social for scams.
I hate this. I don't allow this. I don't tolerate this.
One such example pulls on the current geopolitical situation surrounding the Gaza/Israel War to encourage users to "donate" to fundraising pages for the families affected by the war. Except, these fundraising links are blatant scams, often coupled with photos of children and families, in heart wrenching situations, in an attempt to pull at the heartstrings of those they're trying to scam.
One such account that found its way onto Tophhie Social is shown below.

This particular account was brought to my attention by the kind @revfox84.bsky.social, at which point it was quickly deleted from the Tophhie Social platform.
I'd also like to give an honourable mention to @michelbestaat.thereforeiam.eu and @bmann.ca, for bringing to my attention another series of bot accounts that had found their way onto our platform.
When did this start?
I've been silently working on this issue in the background for quite some time now. I first saw the issue arise back in December 2025, when I'd seen 4-5 accounts created on Tophhie Social in very quick succession. All accounts had similar themes, posted similar content, and exhibited "automated"-like behavior.
When I noticed this, and verified the content was indeed a scam, I swiftly deleted the accounts.
At this point, it was almost "noticed" that Tophhie Social was being monitored and that I was intentionally deleting accounts that exhibited a specific type of behavior, almost causing the bot behavior to increase tenfold. Over the next few weeks I saw an even sharper increase in the number of accounts being created.
What did I initially do about it?
Upon first investigating, it became clear that this account creation behavior followed a pattern.
Account handles followed a very similar pattern... specific letters followed by a series of numbers.
Account creation came from a specific internet ASN (Autonomous System Number). Account creation also came from a small set of IP addresses.
Now, all traffic that goes to Tophhie Social passes through Cloudflare first. (I'm a big Cloudflare advocate). Because we had that technology in place, we created several rules to help stop the bot traffic in its tracks:
- The specific ASN number was blocked completely from communicating with the Tophhie Social server.
- Specific IP addresses were also blocked.
  - They were blocked as part of the ASN block, but better safe than sorry.
- I adjusted the rate limit threshold on the createAccount endpoint. Fewer requests were allowed, and lockout duration was made longer.
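As an added example (not code from Tophhie Social, Cloudflare or PDS Gatekeeper), here is one way to turn the pattern described above into a human review queue: handles that look like letters followed by digits are only flagged when several arrive from the same ASN in quick succession. The record layout, the regular expression, the thresholds and all sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample signup records: (time, handle, source ASN, source IP).
# ASNs and IPs are from documentation ranges; none of them come from the post.
SAMPLE_EVENTS = [
    ("2025-12-10T02:14:05", "abc10293.example.social", 64496, "203.0.113.7"),
    ("2025-12-10T02:14:41", "abc55810.example.social", 64496, "203.0.113.7"),
    ("2025-12-10T02:15:09", "abc77402.example.social", 64496, "203.0.113.9"),
    ("2025-12-10T02:16:30", "abc31877.example.social", 64496, "203.0.113.9"),
    ("2025-12-10T09:02:11", "river-and-stone.example.social", 64497, "198.51.100.20"),
    ("2025-12-10T17:45:00", "sam1990.example.social", 64498, "192.0.2.44"),
]

# Assumed shape of "specific letters followed by a series of numbers".
HANDLE_PATTERN = re.compile(r"^[a-z]{2,8}\d{4,}$")

def review_queue(events, window=timedelta(minutes=10), min_burst=3):
    """Return bursts of pattern-matching signups per ASN, for a human to review."""
    by_asn = defaultdict(list)
    for ts, handle, asn, ip in events:
        label = handle.split(".", 1)[0].lower()  # first label of the handle
        if HANDLE_PATTERN.match(label):
            by_asn[asn].append((datetime.fromisoformat(ts), handle, ip))
    findings = []
    for asn, hits in sorted(by_asn.items()):
        hits.sort()
        start = 0
        while start < len(hits):
            # Grow the burst while signups stay within `window` of its first one.
            end = start
            while end + 1 < len(hits) and hits[end + 1][0] - hits[start][0] <= window:
                end += 1
            burst = hits[start:end + 1]
            if len(burst) >= min_burst:
                findings.append({
                    "asn": asn,
                    "handles": [h for _, h, _ in burst],
                    "ips": sorted({ip for _, _, ip in burst}),
                })
            start = end + 1
    return findings

if __name__ == "__main__":
    for finding in review_queue(SAMPLE_EVENTS):
        print(finding)
```

The lone `sam1990` signup matches the handle pattern but is not flagged, which is why the handle shape is combined with the ASN and timing signals rather than used on its own.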
I also tried User Agent blocking...
However, this caused more issues than it resolved. I found that some atproto apps had been created, and were still serving their default user agent strings, "node" for example. Therefore, blocking these single-word user agents locked out access to some atproto apps.
I quickly reversed this.
What happened after that?
I saw a decrease in bot account creation on the platform. Keyword there... "decrease", not a full stop.
Over the next few months the number of bot accounts that got created was minimal, and they were quickly caught and manually deleted.
This process worked fine for a while. It wasn't time consuming, and my in-house built PDS Admin web interface made this even quicker.

Once a bot was identified, I logged into the admin interface and deleted the account right there. I didn't need console access to the server to complete that task anymore.
However, over recent days it became clear to me that this manual process needed a technical solution. Not necessarily one for automatic detection and deletion of bots, as I believe account deletion should always be reviewed and executed by a human being, but one to challenge and further limit the ability to create accounts on the platform.
So, what's new?
I've used Bailey Townsend's PDS Gatekeeper solution for as long as I've been aware of it. I initially deployed it as a means of enabling email-based two factor authentication for users on the platform, and it works tremendously.
Recent updates to the solution have allowed it to gatekeep the com.atproto.server.createAccount endpoint. The endpoint that is called whenever an account needs creating... the one bots abused.
Get to the point, what's new?
Bailey, back in January, pushed an update to Gatekeeper that allowed admins to protect the createAccount endpoint with a hCaptcha challenge. Users would now be required to prove they're human, before the request to create a new account was accepted.
Programmatic attempts to create an account, whether that be through calling the createAccount endpoint yourself, or via the Tophhie Cloud API, would no longer be possible.
I held off on implementing this when I initially saw the feature for three reasons:
- I didn't want to introduce friction into the sign up process.
- The Tophhie Social sign up page would need re-working to support this functionality. (This is a current work in progress).
- The Tophhie Cloud API currently allowed sign ups to Tophhie Social via its own API endpoint. This would break that API. (This endpoint will soon be removed).
But, over the last few days, and with the increase in bot activity again, I thought it necessary to get this implemented straight away. Most sign ups are carried out from the Bluesky website anyway, and the addition of the hCaptcha challenge introduced only one final hoop to jump through before getting your account.
This was a compromise I was willing to make.
Has it worked?
So far, it seems so, yes!

Over the last couple of days, I've seen a few attempts to create an account on Tophhie Social that were blocked because a valid hCaptcha verification response wasn't provided.
Two of which... follow the same handle patterns as previous bot accounts.
I will continue to monitor the platform, and ensure bot activity is stopped or remediated quickly!
And with that... the story comes to an end! If you have any questions or concerns about the recent bot activity on Tophhie Social, you can reach us at help@tophhie.social or via support.tophhie.cloud.