Bluesky has an impersonator problem 

Like many others, I recently fled social media platform X for Bluesky. In the process, I started following many of the people I followed on X. On Thanksgiving, I was delighted to see a private message from a fellow AI reporter, Will Knight from Wired. Or at least that’s who I thought I was talking to. I became suspicious when the person claiming to be Knight said they were from Miami, when Knight is, in fact, from the UK. The account handle was almost identical to the real Will Knight’s handle, and used his profile photo. 

Then more messages started to appear. Paris Marx, a prominent tech critic, slid into my DMs to ask me how I was doing. “Things are going splendid over here,” he replied to me. Then things got suspicious, again. “How are your trades going?” fake-Marx asked me. This account was far more sophisticated than Knight’s, and had meticulously copied every single tweet and retweet from Marx’s real page over the past few weeks.

Both accounts were eventually deleted, but not before trying to get me to set up a crypto wallet and a “cloud mining pool” account. Knight and Marx confirmed to us these accounts did not belong to them, and that they have been fighting impersonator accounts of themselves for weeks. 

They are not the only ones. The New York Times tech journalist Sheera Frenkel and Molly White, a researcher and cryptocurrency critic, have also experienced people impersonating them on Bluesky, most likely to scam people. This tracks with research from Alexios Mantzarlis, the director of the Security, Trust, and Safety Initiative at Cornell Tech, who manually went through the top 500 Bluesky users by follower count, and found that of the 305 accounts belonging to a named person, at least 74 had at least one impersonation account.

The platform has had to suddenly cater to an influx of millions of new users in recent months as people leave X in protest of Elon Musk’s takeover of the platform. Its user base has more than doubled since September from 10 million users to over 20 million. This sudden wave of new users — and the inevitable scammers — means Bluesky is still playing catch-up, says White.

“These accounts block me as soon as they’re created, so I don’t initially see them,” Marx says. Both Marx and White describe a frustrating pattern: When one account is taken down, another one pops up soon after. White says she had experienced a similar trend on X and TikTok too. 

A way to prove that people are who they say they are would help. Before Musk took the reins of the platform, employees at X, previously known as Twitter, verified users such as journalists and politicians, and gave them a blue tick next to their handles so people knew they were dealing with credible news sources. After Musk took over, he scrapped the old verification system and offered blue ticks to paying customers. 

The ongoing crypto-impersonation scams have raised calls for Bluesky to initiate something similar to Twitter’s original verification profile. Some users, such as investigative journalist Hunter Walker, have set up their own initiatives to verify journalists. However, users are currently limited in the ways they can verify themselves on the platform. By default, usernames on Bluesky end with the bsky.social suffix. The platform recommends that news organizations and high-profile people verify their identities by setting up their own websites as their usernames. For example, US Senators have verified their accounts with the suffix senate.gov. But this technique isn’t foolproof. For one, it doesn’t actually verify anyone’s identity, only that they are affiliated with a particular website.

Bluesky did not respond to MIT Technology Review’s requests for comment, but the company’s safety team posted that the platform had updated its impersonation policy to be more aggressive, and would remove impersonation and handle-squatting accounts. The company says it has also quadrupled its moderation team to take action on impersonation reports more quickly. But it seems to be struggling to keep up. “We still have a large backlog of moderation reports due to the influx of new users as we shared previously, though we are making progress,” the company continued. 

Bluesky’s decentralized nature makes kicking out impersonators a trickier problem to solve. Competitors such as X or Threads rely on centralized teams within the company who moderate unwanted content and behavior, such as impersonation. But Bluesky is built on the AT Protocol, a decentralized, open-source technology, which allows users more control over what kind of content they see and to build communities around particular content. Most people sign up to Bluesky Social, the main social network, whose community guidelines ban impersonation. Bluesky Social is just one of the services or “clients” that people can use Bluesky for, and other services have their own moderation practices and terms.

This approach means that, until now, Bluesky itself hasn’t needed an army of content moderators to weed out unwanted behaviors because it relies on this community-led approach, says Wayne Chang, the founder and CEO of SpruceID, a digital identity company. That might have to change.

“In order to make these apps work at all, you need some level of centralization,” says Chang. Despite having community guidelines, it’s hard to stop people creating impersonation accounts, and Bluesky is engaged in a cat-and-mouse game trying to take suspicious accounts down.

Cracking down on a problem such as impersonation is important because it poses a serious problem for the credibility of Bluesky, says Chang. “It’s a legitimate complaint as a Bluesky user that, ‘hey, all those scammers are basically harassing me. You want your brand to be tarnished? Or is there something we can do about this?’” he says.

A fix for this is urgently needed, because attackers might abuse Bluesky’s open source code to create spam and disinformation campaigns at a much larger scale, says Francesco Pierri, an assistant professor at Politecnico di Milano who has researched Bluesky. His team found that the platform has seen a rise in suspicious accounts since it was made open to the public earlier this year. 

Bluesky acknowledges that its current practices are not enough. In a post, Bluesky said it has received feedback that users want more ways to verify their identities beyond domain verification, and the company is “exploring additional options to enhance account verification.” 

In a livestream at the end of November, Bluesky’s CEO Jay Graber said the platform is considering becoming a verification provider, but because of its decentralized approach would also allow others to offer their own user verification services. “And [users] can choose to trust us — the Bluesky team’s verification — or they could do their own. Or other people could do their own,” Graber said. 

But at least Bluesky seems to “have some willingness to actually moderate content on the platform,” says White. “I would love to see something a little bit more proactive that didn’t require me to do all of this reporting,” she adds.

“I just hope that no one truly falls for it and gets tricked into crypto scams,” says Marx. 
