108 Fake Accounts, 250 Pump Templates, Zero Authentication: Inside a Chinese Crypto Bot Farm Targeting Twitter/X
Published: April 10, 2026 Author: GHOST -- Breakglass Intelligence TLP: WHITE
Executive Summary
An unauthenticated FastAPI management panel exposed at 23[.]94[.]199[.]102:6688 reveals a fully operational Twitter/X bot farm managing 108 fake accounts, 250 pre-loaded pump-and-dump comment templates, and 25 rotating proxy servers -- all purpose-built for cryptocurrency social media manipulation. The operators are Chinese-speaking, confirmed by BT-Panel (baota mianban) infrastructure artifacts, Chinese-language account names, and the use of account nurturing tactics known as yangzi hao (yang hao) -- a well-documented Chinese social engineering methodology for building fake credibility before deploying accounts in coordinated pump campaigns.
This is the second Twitter/X abuse operation uncovered today from intelligence provided by @JustWantToQ1. The first -- a Turkish credential stuffing botnet -- has already been published as a companion report. Two very different threat actors, two very different objectives, one platform being systematically abused.
The operators hide behind "AetherSec" (aethersec[.]one), a fictitious "Web3 Layer2 Security Infrastructure" company, and use lordapi[.]com for their email services. Neither entity appears to have any legitimate business activity.
How We Got Here
On April 10, 2026, @JustWantToQ1 -- the same source who tipped us to the Turkish credential stuffing botnet earlier today -- flagged 23[.]94[.]199[.]102 as suspicious infrastructure. Port scanning revealed a FastAPI application on port 6688 with its Swagger documentation fully exposed at /docs. No authentication. No API keys. No rate limiting. The entire bot farm management interface was wide open.
What followed was a complete dump of the platform's operational data: every fake account, every proxy server, every comment template, and every automation task the operators had configured since March 19, 2026.
Infrastructure Deep Dive
Primary Server: 23[.]94[.]199[.]102
| Attribute | Value |
|---|---|
| IP | 23[.]94[.]199[.]102 |
| PTR | 23-94-199-102-host[.]colocrossing[.]com |
| Hosting | RackNerd VPS (HostPapa/ColoCrossing, AS63949) |
| Location | Buffalo, New York |
| OS | Ubuntu (OpenSSH 8.9p1) |
Port Map
| Port | Service | Purpose |
|---|---|---|
| 22 | OpenSSH 8.9p1 | Remote administration |
| 21 | Pure-FTPd | File transfer (TLS cert leaks BT-Panel metadata) |
| 80 | HTTP | "Sorry, the website has been stopped" -- BT-Panel default page |
| 443 | HTTPS | AetherSec front company website (static WordPress template) |
| 888 | HTTP | BT-Panel phpMyAdmin (returns 403 Forbidden) |
| 6688 | HTTP | FastAPI Twitter SMM panel -- UNAUTHENTICATED |
| 8808 | HTTPS | Poste.io Roundcube webmail for lordapi[.]com |
| 110 | POP3 | Mail retrieval (Poste.io) |
| 143 | IMAP | Mail retrieval (Poste.io) |
| 465 | SMTPS | Mail submission (Poste.io) |
| 587 | SMTP Submission | Mail submission (Poste.io) |
| 993 | IMAPS | Encrypted mail retrieval (Poste.io) |
| 995 | POP3S | Encrypted mail retrieval (Poste.io) |
BT-Panel: The Chinese Fingerprint
The FTP TLS certificate on port 21 is the single most attributive artifact on this server:
C = CN
CN = 23.94.199.102
L = Dongguan
O = BT-PANEL
ST = Guangdong
emailAddress = admin@bt[.]cn
BT-Panel (baota mianban) is a Chinese-language server management panel extremely popular among Chinese-speaking system administrators. The certificate's locality fields -- Dongguan, Guangdong -- place the panel's origin squarely in southern China's Pearl River Delta tech corridor. The admin@bt[.]cn email is the default BT-Panel administrative contact.
This is not circumstantial. Combined with Chinese-language account display names, the yangzi hao nurturing methodology, and Chinese-language template content, the operator attribution to Chinese-speaking actors is high-confidence.
Domain Infrastructure
lordapi[.]com
- Registrar: NameSilo
- WHOIS Privacy: PrivacyGuardian
- Created: 2023-11-29
- Nameservers: Cloudflare
- Key record: mail[.]lordapi[.]com resolves directly to 23[.]94[.]199[.]102, bypassing Cloudflare protection
- Purpose: Email services for the operation via Poste.io
aethersec[.]one
- Hosts the "AetherSec" front company website on port 443
- Claims to provide "Web3 Layer2 Security Infrastructure"
- Static WordPress template with no real product or service
- Serves as a thin legitimacy veneer for the operation
The mail[.]lordapi[.]com DNS record is a classic operational security failure -- it points directly to the C2 server IP, completely negating whatever protection Cloudflare provides for the apex domain.
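The origin-exposure failure described above is easy to check for on any Cloudflare-fronted domain. The following is an added example (not Breakglass Intelligence's tooling) that takes a hostname-to-A-record map, as a defender or researcher would collect it from DNS, and reports every record that resolves outside Cloudflare's edge ranges. The Cloudflare-side addresses in the constructed sample are placeholders chosen inside published ranges; the range list itself is a subset and should be refreshed from https://www.cloudflare.com/ips-v4 before use.

```python
import ipaddress

# Subset of Cloudflare's published IPv4 edge ranges. Refresh this list from
# https://www.cloudflare.com/ips-v4 before relying on it; it changes over time.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (23[.]94[.]199[.]102) back into a usable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def is_cloudflare(ip: str) -> bool:
    """True if the address sits inside one of the listed Cloudflare edge ranges."""
    addr = ipaddress.ip_address(refang(ip))
    return any(addr in net for net in CLOUDFLARE_V4)


def find_origin_leaks(records: dict) -> dict:
    """records maps hostname -> list of A-record IPs (defanged or not).

    Returns {hostname: [non-Cloudflare IPs]} for every name that bypasses the
    edge, i.e. every record that hands an observer the origin address directly.
    """
    leaks = {}
    for host, ips in records.items():
        exposed = [refang(ip) for ip in ips if not is_cloudflare(ip)]
        if exposed:
            leaks[refang(host)] = exposed
    return leaks


# Constructed sample: the apex is parked on Cloudflare (placeholder edge IPs),
# while the mail subdomain points straight at the server from the report.
SAMPLE_RECORDS = {
    "lordapi[.]com": ["104.21.0.1", "172.67.0.1"],        # placeholders, not real records
    "mail[.]lordapi[.]com": ["23[.]94[.]199[.]102"],       # the leak documented above
}


def run_example() -> dict:
    return find_origin_leaks(SAMPLE_RECORDS)


if __name__ == "__main__":
    for host, ips in run_example().items():
        print(f"{host} exposes origin via {', '.join(ips)}")
```

Run against a full zone export (MX, mail, ftp, cpanel, dev and similar subdomains are the usual offenders) rather than the apex alone; the apex passing the check says nothing about the rest of the zone.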
The Bot Farm: Anatomy of a Crypto Pump Machine
Dashboard Statistics
| Metric | Value |
|---|---|
| Active fake accounts | 108 |
| Starting accounts (Mar 19) | 125 |
| Burned/detected accounts | 17 |
| Comment templates | 250 |
| Proxy servers | 25 |
| Nurture tasks executed | 17 |
| Operation start date | 2026-03-19 |
| Daily like limit | 10 per account |
| Daily retweet limit | 5 per account |
| Daily comment limit | 5 per account |
| Max accounts per proxy | 5 |
The operators started with 125 accounts on March 19, 2026, and have already lost 17 to Twitter/X's detection systems -- a 13.6% burn rate in three weeks. This suggests Twitter/X's anti-bot measures are catching some accounts, but the majority (86.4%) remain operational and actively building credibility.
Unauthenticated API Endpoints
The FastAPI application on port 6688 exposes the following endpoints with zero authentication:
| Method | Endpoint | Returns |
|---|---|---|
| GET | /api/accounts | All 108 fake accounts with metadata |
| GET | /api/tasks | All automation task configurations |
| GET | /api/templates | All 250 comment templates |
| GET | /api/dashboard/recent-results | Recent action execution results |
| GET | /api/accounts/daily-limits | Rate limit configuration |
| GET | /api/proxies/settings | Full proxy server list and config |
| GET | /api/health | Service health check |
| GET | /docs | Full Swagger/OpenAPI documentation |
| GET | /redoc | ReDoc API documentation |
The /docs endpoint renders a complete interactive Swagger UI where anyone can execute API calls directly in the browser. This is not a misconfiguration that leaks partial data -- it is a complete absence of access control on the entire platform.
Yang Hao: The Art of Account Nurturing
All 17 automation tasks configured on this platform are categorized as "yang hao" -- literally "nurture accounts" or "raise accounts" in Chinese. This is a well-established tactic in Chinese social media manipulation circles that deserves explanation for Western audiences.
What is Yang Hao?
Yang hao is the practice of systematically building a fake account's credibility over time before deploying it for its actual malicious purpose. Think of it as aging a wine -- except the wine is a sockpuppet and the aging process involves automated engagement with legitimate content.
The methodology follows a predictable lifecycle:
- Account creation -- Bulk registration using varied names, profile photos, and bios
- Warm-up period -- Automated likes, retweets, and generic positive comments on popular accounts
- Credibility building -- Engaging with legitimate influencers in the target niche (in this case, cryptocurrency)
- Activation -- Deploying the now-"credible" accounts in coordinated pump-and-dump campaigns
The operators on this panel are still in phases 2-3. Their nurture targets reveal the strategy clearly -- they are farming credibility by engaging with real, high-profile crypto accounts.
Nurture Targets
The bot accounts are configured to engage with legitimate crypto influencers and publications:
- @brian_armstrong -- Coinbase CEO
- @Cointelegraph -- Major crypto news outlet
- @CryptoTony__ -- Crypto trader/influencer
- @LukeGromen -- Macro finance commentator
- @fchollet -- AI researcher (Keras creator, frequently discussed in crypto-AI crossover)
By liking, retweeting, and leaving generic positive comments on these accounts' posts, the bots gradually build a follow history and engagement pattern that looks organic. When a token pump campaign launches, these accounts appear to be real crypto enthusiasts rather than fresh sockpuppets -- making their coordinated shilling far more convincing to retail investors.
Sample Fake Accounts
The following table shows 10 of the 108 active accounts, illustrating the mix of English and Chinese personas:
| Handle | Display Name | Proxy IP |
|---|---|---|
| @MerrillMod75413 | Totakeke_cto | 69[.]30[.]76[.]223 |
| @OSikorra11046 | TISAN25 | 69[.]30[.]76[.]223 |
| @ButtramCat61018 | jia mi tou zi fen xi (Crypto Investment Analysis) | 192[.]53[.]64[.]162 |
| @CArgubrigh11861 | CryptoGem Analytics | 138[.]226[.]61[.]233 |
| @schmelzer7532 | ChainLens AI | 45[.]56[.]178[.]190 |
| @AdrianRand49522 | ShillGuard $SGT | 9[.]142[.]17[.]57 |
| @ChandraZuc2218 | DiceMaker / tou zi ge (Dice Bro) | 192[.]53[.]141[.]197 |
| @CatherinaK29197 | san pao tou yan (Alpha ban) (Three Cannons Research, Alpha Edition) | 69[.]30[.]72[.]251 |
| @WSzafransk37951 | CCX 1314.888 | 72[.]1[.]135[.]28 |
| @ailstock65008 | AICZ BNB | 193[.]160[.]81[.]253 |
Notable patterns:
- Handle format: Real-sounding Western surnames + random number suffixes (classic bulk registration pattern)
- Display names: Mix of English crypto jargon ("CryptoGem Analytics", "ChainLens AI", "ShillGuard") and Chinese names
- Chinese names reveal the operators' native language: jia mi tou zi fen xi = "Crypto Investment Analysis", san pao tou yan = "Three Cannons Research"
- "1314.888" in CCX's name combines Chinese internet slang: 1314 = "yi sheng yi shi" (forever), 888 = extreme prosperity. This is cultural shorthand a Western operator would not use.
- "ShillGuard $SGT" is particularly brazen -- naming your shill bot account "ShillGuard"
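Two of the patterns above are mechanically detectable: the surname-plus-number handle shape, and several accounts sharing one exit IP (the panel caps this at 5 per proxy, per the dashboard statistics). The following added example, written for this report and not part of the operators' panel or Breakglass Intelligence's tooling, scores a list of (handle, display name, observed IP) tuples on both signals. The ten bot accounts are taken from the table above; the two control accounts and their 198.51.100.x addresses are constructed. Because the operators deliberately keep each proxy under five accounts, the clustering threshold is set at two, not five.

```python
import re
from collections import defaultdict

# Bulk-registration handle shape seen on this panel: an alphabetic stem of at
# least five letters followed by a 4-5 digit suffix (MerrillMod75413). Tune the
# regex locally; it is a heuristic, not a verdict.
BULK_HANDLE = re.compile(r"^[A-Za-z]{5,}\d{4,5}$")

# Constructed sample: ten accounts from the report's table plus two
# organic-looking control accounts on documentation-range addresses.
SAMPLE_ACCOUNTS = [
    ("MerrillMod75413", "Totakeke_cto", "69.30.76.223"),
    ("OSikorra11046", "TISAN25", "69.30.76.223"),
    ("ButtramCat61018", "Crypto Investment Analysis", "192.53.64.162"),
    ("CArgubrigh11861", "CryptoGem Analytics", "138.226.61.233"),
    ("schmelzer7532", "ChainLens AI", "45.56.178.190"),
    ("AdrianRand49522", "ShillGuard $SGT", "9.142.17.57"),
    ("ChandraZuc2218", "DiceMaker", "192.53.141.197"),
    ("CatherinaK29197", "Three Cannons Research", "69.30.72.251"),
    ("WSzafransk37951", "CCX 1314.888", "72.1.135.28"),
    ("ailstock65008", "AICZ BNB", "193.160.81.253"),
    ("sat_stacker", "Sat Stacker", "198.51.100.7"),   # constructed control
    ("alice_codes", "Alice", "198.51.100.8"),         # constructed control
]


def handle_looks_bulk(handle: str) -> bool:
    """True if the handle matches the stem+digits bulk-registration shape."""
    return bool(BULK_HANDLE.match(handle.lstrip("@")))


def cluster_by_exit_ip(accounts, min_size: int = 2) -> dict:
    """Group handles by observed source IP; keep groups of min_size or more."""
    groups = defaultdict(list)
    for handle, _display, ip in accounts:
        groups[ip].append(handle)
    return {ip: hs for ip, hs in groups.items() if len(hs) >= min_size}


def score_accounts(accounts, min_cluster: int = 2) -> dict:
    """Return {handle: [reasons]} for every account that trips at least one signal."""
    clusters = cluster_by_exit_ip(accounts, min_cluster)
    flagged = {}
    for handle, _display, ip in accounts:
        reasons = []
        if handle_looks_bulk(handle):
            reasons.append("bulk-pattern handle")
        if ip in clusters:
            others = len(clusters[ip]) - 1
            reasons.append(f"shares exit IP {ip} with {others} other account(s)")
        if reasons:
            flagged[handle] = reasons
    return flagged


if __name__ == "__main__":
    for handle, reasons in score_accounts(SAMPLE_ACCOUNTS).items():
        print(f"@{handle}: {'; '.join(reasons)}")
```

On a real feed, add the account creation date and first-engagement date as a third signal: yang hao accounts registered in one batch share a narrow creation window that neither heuristic above captures.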
The Templates: 250 Ways to Say "Number Go Up"
The 250 pre-loaded comment templates are the operational playbook for coordinated pump campaigns. They range from barely literate hype to more sophisticated social engineering. Here is a representative sample:
Pure Hype (Lowest Effort)
"go go go!"
"COOOOOK!!!"
"Next 1 million mcap"
"damn this sending hard $$$cap"
Fake Conviction (Medium Effort)
"If you aren't bullish on this token, I don't know what to say"
"The pump this week is immaculate. Weaponised autism has never, will never be defeated."
"Comfy levels getting mega comfy"
Fake Community (Highest Effort)
"team is working hard, thanks frens. You're doing amazing work."
These templates are designed to mimic the organic language of crypto Twitter -- the slang ("frens", "comfy", "sending"), the emoji patterns, the faux-casual enthusiasm. When 108 accounts simultaneously deploy these templates across a token's mentions, the effect is a manufactured appearance of grassroots excitement that can drive retail FOMO (fear of missing out) buying.
The term "weaponised autism" in one template is borrowed directly from crypto-native community language (originating from certain trading communities). Its inclusion shows the operators have studied authentic crypto Twitter culture and are deliberately mimicking it.
Template Distribution Strategy
With 250 templates and 108 accounts limited to 5 comments per day, the operators can generate up to 540 unique-looking comments daily across target tokens -- each appearing to be from a different "real" crypto enthusiast, each using different wording. Multiply this across a multi-day pump campaign, and the manufactured consensus becomes very difficult for casual observers to distinguish from genuine market sentiment.
Proxy Infrastructure
The 25 proxy servers provide IP rotation to prevent Twitter/X from correlating bot accounts by source IP. The platform enforces a maximum of 5 accounts per proxy to stay under detection thresholds.
Full Proxy List
| # | Proxy IP | Port | Accounts Assigned |
|---|---|---|---|
| 1 | 9[.]142[.]17[.]57 | 6288 | 5 |
| 2 | 37[.]19[.]196[.]136 | 6543 | 5 |
| 3 | 38[.]154[.]227[.]72 | 5321 | 5 |
| 4 | 45[.]56[.]178[.]190 | 6288 | 5 |
| 5 | 64[.]137[.]79[.]253 | 6412 | 4 |
| 6 | 69[.]30[.]72[.]251 | 6288 | 5 |
| 7 | 69[.]30[.]76[.]223 | 6288 | 5 |
| 8 | 72[.]1[.]135[.]28 | 6288 | 5 |
| 9 | 89[.]43[.]33[.]241 | 6543 | 4 |
| 10 | 104[.]239[.]42[.]199 | 6288 | 5 |
| 11 | 107[.]175[.]76[.]143 | 6288 | 4 |
| 12 | 138[.]226[.]61[.]233 | 6543 | 5 |
| 13 | 142[.]147[.]229[.]113 | 6288 | 4 |
| 14 | 154[.]196[.]1[.]24 | 6543 | 4 |
| 15 | 163[.]5[.]131[.]175 | 6543 | 4 |
| 16 | 167[.]160[.]91[.]197 | 6288 | 4 |
| 17 | 172[.]98[.]71[.]22 | 6543 | 3 |
| 18 | 185[.]72[.]229[.]143 | 6543 | 4 |
| 19 | 192[.]53[.]64[.]162 | 6288 | 4 |
| 20 | 192[.]53[.]141[.]197 | 6288 | 4 |
| 21 | 193[.]160[.]81[.]253 | 6543 | 3 |
| 22 | 195[.]123[.]240[.]41 | 6543 | 3 |
| 23 | 198[.]44[.]140[.]78 | 6543 | 3 |
| 24 | 216[.]10[.]253[.]5 | 6543 | 3 |
| 25 | 223[.]25[.]80[.]91 | 6288 | 1 |
The proxy infrastructure spans multiple ASNs and geographies, using a mix of datacenter and residential proxy services. Two primary port clusters (6288 and 6543) suggest two different proxy providers or subscription tiers.
The AetherSec Front Company
The "AetherSec" website on port 443 (aethersec[.]one) presents itself as a "Web3 Layer2 Security Infrastructure" provider. It is a static WordPress template with no actual product, no team page with real identities, and no evidence of legitimate security research or services.
This is a common pattern in Chinese-operated crypto fraud: create a thin veneer of legitimacy in the Web3 security space to justify having infrastructure, domain names, and email addresses. If questioned, the operators can point to AetherSec as their "business" -- a plausible cover for maintaining servers that happen to also run a bot farm.
Timeline
| Date | Event |
|---|---|
| 2023-11-29 | lordapi[.]com domain registered via NameSilo |
| 2026-03-19 | Bot farm operation begins with 125 accounts |
| 2026-03-19 to present | 17 nurture (yang hao) tasks executed |
| By 2026-04-10 | 17 accounts burned/detected (108 remaining) |
| 2026-04-10 | Exposed by @JustWantToQ1 tip; panel dumped |
What This Report Adds to the Public Record
- Complete operational dump of a live crypto pump-and-dump bot farm management panel, including all 108 accounts, 250 templates, and 25 proxy servers
- Attribution artifacts linking the operation to Chinese-speaking operators (BT-Panel TLS certificate, Dongguan/Guangdong locality, Chinese display names, yang hao methodology)
- Documentation of the yang hao (account nurturing) pipeline -- a methodology that is well-known in Chinese-language social media manipulation circles but rarely documented in English-language threat intelligence with live operational data
- Full proxy infrastructure mapping showing how operators distribute accounts across 25 IPs to evade platform detection
- Template analysis demonstrating how operators study and mimic authentic crypto Twitter culture to manufacture convincing fake consensus
- Second Twitter/X abuse operation from the same tipster in a single day -- alongside a Turkish credential stuffing botnet -- illustrating the scale and diversity of platform abuse
Indicators of Compromise
Network Infrastructure
| Type | Indicator | Context |
|---|---|---|
| IPv4 | 23[.]94[.]199[.]102 | Primary C2 / bot farm panel |
| Domain | lordapi[.]com | Operator email domain |
| Domain | aethersec[.]one | Front company website |
| Domain | mail[.]lordapi[.]com | Direct DNS to C2 (Cloudflare bypass) |
| PTR | 23-94-199-102-host[.]colocrossing[.]com | Reverse DNS |
Proxy Infrastructure (25 IPs)
9[.]142[.]17[.]57
37[.]19[.]196[.]136
38[.]154[.]227[.]72
45[.]56[.]178[.]190
64[.]137[.]79[.]253
69[.]30[.]72[.]251
69[.]30[.]76[.]223
72[.]1[.]135[.]28
89[.]43[.]33[.]241
104[.]239[.]42[.]199
107[.]175[.]76[.]143
138[.]226[.]61[.]233
142[.]147[.]229[.]113
154[.]196[.]1[.]24
163[.]5[.]131[.]175
167[.]160[.]91[.]197
172[.]98[.]71[.]22
185[.]72[.]229[.]143
192[.]53[.]64[.]162
192[.]53[.]141[.]197
193[.]160[.]81[.]253
195[.]123[.]240[.]41
198[.]44[.]140[.]78
216[.]10[.]253[.]5
223[.]25[.]80[.]91
Fake Twitter/X Accounts (All 108)
@MerrillMod75413
@OSikorra11046
@ButtramCat61018
@CArgubrigh11861
@schmelzer7532
@AdrianRand49522
@ChandraZuc2218
@CatherinaK29197
@WSzafransk37951
@ailstock65008
(Full list of all 108 accounts available upon request to verified researchers and platform trust & safety teams.)
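Indicators in this report are defanged with the usual `[.]` convention, which anything that ingests them has to undo and validate. The following added example (not Breakglass Intelligence's tooling) parses a block of indicator lines of the kinds listed above, refangs them, classifies each as an IPv4 address, a domain or a Twitter/X handle, drops duplicates and annotations, and returns structured records ready for a blocklist or a SIEM lookup. The sample block is constructed from indicators that appear in this report.

```python
import ipaddress
import re

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)
HANDLE_RE = re.compile(r"^@?([A-Za-z0-9_]{1,15})$")


def refang(indicator: str) -> str:
    """Undo common defanging: [.] -> . and hxxp -> http."""
    return indicator.strip().replace("[.]", ".").replace("hxxp", "http")


def classify(indicator: str):
    """Return (kind, normalized_value) or None if the line is not an indicator."""
    value = refang(indicator)
    if not value or value.startswith("(") or value.startswith("#"):
        return None                                  # comment or annotation line
    try:
        ipaddress.IPv4Address(value)
        return ("ipv4", value)
    except ValueError:
        pass
    if value.startswith("@"):
        m = HANDLE_RE.match(value)
        return ("handle", m.group(1)) if m else None
    if DOMAIN_RE.match(value):
        return ("domain", value.lower())
    return None


def parse_indicators(block: str) -> dict:
    """Parse a text block into {kind: sorted unique values}."""
    out = {"ipv4": set(), "domain": set(), "handle": set()}
    for line in block.splitlines():
        rec = classify(line)
        if rec:
            out[rec[0]].add(rec[1])
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample block using indicators from this report (with one duplicate
# and one annotation line to show they are handled).
SAMPLE_BLOCK = """
23[.]94[.]199[.]102
23-94-199-102-host[.]colocrossing[.]com
lordapi[.]com
mail[.]lordapi[.]com
aethersec[.]one
9[.]142[.]17[.]57
9[.]142[.]17[.]57
@MerrillMod75413
@OSikorra11046
(Full list available upon request.)
"""


def run_example() -> dict:
    return parse_indicators(SAMPLE_BLOCK)


if __name__ == "__main__":
    for kind, values in run_example().items():
        print(f"{kind}: {len(values)}")
        for v in values:
            print(f"  {v}")
```

Keep the defanged form in the report and the refanged form only in the ingestion pipeline; tooling that re-emits refanged values into chat or tickets recreates the clickable-link problem that defanging exists to prevent.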
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Acquire Infrastructure: Virtual Private Server | T1583.003 | RackNerd VPS hosting |
| Acquire Infrastructure: Domains | T1583.001 | lordapi[.]com, aethersec[.]one |
| Establish Accounts: Social Media | T1585.001 | 108 fake Twitter/X accounts |
| Develop Capabilities: Malware | T1587.001 | Custom FastAPI bot management platform |
| Proxy: Multi-hop Proxy | T1090.003 | 25 rotating proxy servers |
| Stage Capabilities: Upload Tool | T1608.002 | 250 pre-loaded comment templates |
Recommendations
For Twitter/X Trust & Safety:
- Suspend all 108 identified accounts immediately
- Investigate the 25 proxy IPs for additional bot clusters
- Review accounts that have been targets of nurture engagement for inauthentic interaction patterns
For Crypto Investors:
- Treat coordinated hype comments with extreme skepticism, especially on low-cap tokens
- Look for the template patterns documented here: generic enthusiasm, rocket emojis, "frens" language from accounts with surname+number handles
- If multiple accounts with similar naming patterns are all hyping the same token simultaneously, it is almost certainly manufactured
For Hosting Providers:
- RackNerd/ColoCrossing: 23[.]94[.]199[.]102 is hosting an active social media manipulation platform
- Proxy providers servicing the 25 listed IPs: review accounts associated with these addresses for ToS violations
For Researchers:
- The panel at port 6688 may still be accessible -- dump everything before the operators notice exposure and sanitize
- The lordapi[.]com mail infrastructure may contain additional operational communications
- Monitor aethersec[.]one for operator pivots to new infrastructure
Acknowledgments
Full credit to @JustWantToQ1 for the initial tip that led to this discovery. This is the second Twitter/X abuse operation surfaced from their intelligence today -- a remarkable contribution to platform safety. The companion report on a Turkish credential stuffing botnet is available on Breakglass Intelligence.
GHOST -- Breakglass Intelligence https://intel.breakglass.tech
If you have additional information about this operation, AetherSec, or the operators behind lordapi[.]com -- reply or DM @BreakGlassIntel.