​

1. My aim with this post

This guide is for everyone who wishes to learn about multi-accounting and botting. Throughout this guide, I have tried to cover everything there is to know about this world. It doesn't matter if you are a beginner; my attempt with this post is to share everything I know so that you can start your journey as fast as possible and get an overview of what to look out for, possible hurdles you might face and how to overcome them. I have worked in this niche for about three years, making complex bots, scrapers, and numerous reverse engineering projects for clients, myself, and sometimes just for fun! My goal with sharing this is to contribute to the community and possibly create an environment (thread) to discuss a more modern approach for stealth botting and multi-accounting.

2. Overview

Here's a quick look at all the chapters I've discussed in this post.

Feel free to jump to a specific topic if you are familiar with most things and just interested in something specific.

Chapter 01: Tracking

Chapter 02: Network OPSEC

Chapter 03: Virtual Machines (VMs)

Chapter 04: Containers

Chapter 05: Normal Browsers

Chapter 06: Anti-Detect Browsers

Chapter 07: Mobile & Mobile Farms

Chapter 08: Automation & Botting

Chapter 09: Private API & Reverse Engineering

Chapter 10: Final Thoughts

Chapter 11: References

CHAPTER ONE

TRACKING

​

1. What is tracking?

What is stopping you from registering a thousand accounts and automating them? Knowing who your opponents are is always a sane idea so you can make informed and logical decisions instead of simply shooting arrows blindly. I highly recommend you go through this section first so that when we discuss actual methods, you can make informed choices for the amount of stealth you require based on your needs. Depending on the website or app, you might deal with all, some, or none of the hurdles I've discussed in this section. The only way to get it right is to experiment with the bare minimum first (tools you have in hand), then maybe try out an overblown setup (premium proxies, etc.) if the bare minimum doesn't work, and then finally land somewhere in between by experimenting and making logical decisions to start scaling.

2. Footprints

These are user-generated traces meant to track and identify spammy behaviours and bots. Below are some of the most common footprints and how to deal with them.

a) Content metadata & hashes

Any media you upload, download, or capture has metadata attached. It can be used to identify various things like geolocation, content sources, etc. Most social media also store a hash of the content, which can be used to determine if the same content is being re-uploaded.

To deal with metadata, you can strip it using various tools and libraries or, even better, spoof the metadata with a new one so it looks more organic.

To deal with hash, you can do several things like pixel manipulation, colour manipulation, cropping, etc.

b) Usage patterns

How an account is being used matters a lot. If you keep following random people on Instagram 24/7, then it's an obvious giveaway. Websites also limit how many actions can be executed in a given timeframe. You may also stand out if your actions don't align with the millions of other users they have on their platform. To counter this, be as human as possible. Be random enough, but not too random. For example, to farm Gmail accounts, you must first farm out cookies by visiting random websites, doing Google searches, watching YouTube, etc. We will cover this in more depth under the passive fingerprinting section.

3. Fingerprints

Fingerprinting involves collecting numerous meta-data from the device to create a unique hash that can be used to identify whether two or more accounts are co-related or whether an account/profile can be trusted. Fingerprinting can roughly be divided into two sub-categories.

a) Active

Raw device metrics actively collected by apps and websites make active fingerprints. Depending on the platform (browser or Mobile), it can collect anything like user agent, battery percentage, CPU count, canvas, WebGL, GPU metadata, audio metadata, language, timezone, screen properties, and much more! In further sections, we will discuss how this can be spoofed.

b) Passive

Browser history, browser profile age, typing speed, and mouse movements can also tracked/monitored by background agents to generate a trust score. In rare cases, everything matters, including how many social accounts are made with an email and its resulting fraud score. You would have a terrible time if your trust score is low and or fraud score is high. To counter this, be as human as possible; I can't stress this enough! Age your profiles and cookies! If you are targeting multiple platforms, create an alias that interacts with all socials (like a human) instead of explicitly targeting one.

CHAPTER TWO

NETWORK OPSEC

​

1. Proxy

Websites can also track where requests come from and which accounts are associated with which IPs and subnets. They might also know if you are using an IP whose subnet has been flagged, has a low trust score or if the IPs are public/datacentre. As a first measure, you should always use a good proxy. There are roughly three types of proxy: Datacenter, Residential, and Mobile. They can further be bifurcated into static and rotating.

Datacenter proxies are usually the cheapest but won't work for most social media. There are many debates between residential and mobile proxies for social media, and I'd say it depends on the use case. If you wish to register many accounts and don't care about using them instantly, residential proxies should be good enough, although the same can be done using mobile proxies. But if you wish to use accounts actively (automated or manual), then mobile proxies are your best bet! Simply register/log in, use the account, rotate the IP, and repeat the cycle with a new account. For social media applications, you'd ideally use a mobile proxy that would rotate IPs within the same subnet. Accounts jumping from country to country are obviously suspicious.

Some use VPNs, but I can't comment on this as I have never tried it and am biased towards mobile proxies. Feel free to experiment with this for your specific use case.

2. WebRTC

When using proxies with browsers, you should mask or spoof webRTC leaks. WebRTC reveals your IP even when a proxy is active. You would install an extension that disables webRTC for a regular browser. Anti-Detect browsers usually support webRTC spoofing; you just need to enable it in profile settings. When using H3-compatible clients and proxies, you won't need to worry about this, as UDP will be proxied, and your IP will be masked completely.

3. HTTP/3

Many websites are now moving to HTTP/3, a new request protocol. Most proxy providers don't support it, and even if they do, your client most likely doesn't support proxying H3 requests. Proxing the H3 protocol is a must for platforms like Instagram.

To counter this, first, you'd need a proxy provider that supports UDP or any VPN protocols like ShadowSocks or OpenVPN. These protocols proxy UDP natively when using supported clients. If your proxy supports UDP, you can use software like ProxyCAP to route TCP and UDP traffic through your proxy. For VPN protocols, you'd use their recommended client to route traffic.

3. TCP/IP Fingerprint

Yes, your IPs leak fingerprints, too! Websites can know what OS you use by your TCP fingerprint and cross-check it with your user agent. When using a proxy, this will generally say Linux, regardless of your OS. You might also need to spoof these fingerprints for some rare use cases. This can only be spoofed by your proxy provider, and some rare providers support OS spoofing for their proxies.

CHAPTER THREE

VIRTUAL MACHINES (VMs)

​

1. Introduction

This age-old method involves simply using any hypervisor software to create a dedicated environment for a new profile. You must still mask your IP using a proxy, but the hypervisor does most of the spoofing for you. You can create VMs with varying system specifications to create accounts.

a) Websites

Many popular hypervisors, such as Virtual Box, VMware, Proxmox, and QEMU, can be used to create dedicated VMs for accounts.

There's also Qubes OS, where every browser instance you initialize starts within a new, fresh VM.

b) Apps

For mobile apps, you can use emulators like bluestacks.

2. My thoughts on this method

This method is okay if you need quick disposable accounts but don't wish to pay for anti-detect browsers. However, VMs are resource-hungry and slow to boot, so I won't suggest using them for any operation that requires scaling.

CHAPTER FOUR

CONTAINERS

​

1. Introduction

This method revolves around containerization technology, which is available primarily on Linux. Containers are nothing but very lightweight VMs. One of the most popular ways of using this tech is by using Docker.

You can start browser instances within containers, forward the WSS port and connect your automation script directly to the browser instance within the container. You may also enclose your automation script within the container and connect directly to the browser from within the container. There are projects like docker-android that you can emulate android within docker itself.

2. My thoughts on this method

This method is okay where medium scaling is required, as containers are lightweight, but browsers are not. But it's also not as complex as reverse engineering and faster to prototype. However, you must also consider that the environment is lost once the container is killed, so you should mostly use it when reproducing the os environment is not necessary. Once I created a solution for Zoom bots, since Zoom doesn't require login to join a meeting, no state was required to be maintained. This was the perfect situation for using this method. At one point, we had about 10k bots running in parallel using this method. We could quickly scale this to any amount of bots based on demand as long as we have enough proxies and resources available.

CHAPTER FIVE

NORMAL BROWSERS

​

1. Introduction

For some platforms, a normal Firefox browser should be enough, with a few extra plugins for stealth. If you wish to use Chrome, you can look into projects like Ungoogled Chromium. But you'd have to do a lot of spoofing by yourself manually. There's a project called FakeBrowser and FakeChrome that no longer works, but if you know how to read some code, you should be able to rewrite most of the evasions referring to that project. There's also a new tool in the market called fingerprint switcher. You might look into it, but it only supports Windows at the time of writing this.

2. My thoughts on this method

This method is okay where medium scaling is required cause, again, this is a browser. This allows quick prototyping but is slightly complex as you handle stealth yourself. However, it's much faster and easier than reverse engineering. I developed a solution based on this for an SMM panel company a while back; once the hurdle of stealth was overcome, developing and maintaining the rest of the product was a breeze.

CHAPTER SIX

ANTI-DETECT BROWSERS

​

1. Introduction

If you don't care much about doing things yourself and are fine paying someone to handle all the complexities, you can go with anti-detect browsers. Note that anti-detect browsers have their limitations and might not work for some platforms.

2. My thoughts on this method

This is an excellent solution if you only care about creating and/or managing a limited set of accounts. However, it might become costly at scale. Not all anti-detect browsers support automation, so this is something to look out for.

CHAPTER SEVEN

MOBILE & MOBILE FARMS

​

1. Introduction

This is a goldmine if you can figure out how to make it work. Some of the highest-quality accounts can be created and maintained using mobile farms. You would need a jailbroken mobile and use some tools to modify its specs on the fly to create multiple accounts on the same device, one after the other. Scale this setup to 500 or 1000 devices?! I have never gone down this path, but I know two journeys here that I'd recommend you go through to learn more.

a) AllOutAnime's Journey

b) evex's Journey

2. My thoughts on this method

It can be costly compared to other methods, but it's also the only way to automate some platforms like Instagram.

CHAPTER EIGHT

AUTOMATION & BOTTING

​

1. Browser Automation

Several frameworks exist for browser automation, including Selenium, Puppeteer, and Playwright. Their documentation is pretty straightforward. My favourite is Playwright, and I highly recommend you avoid Selenium (it is possible to make it work, but still, a lot of work).

2. Android Automation

I've used Appium before, but nothing is in production yet, so please refer to the journeys I've mentioned under the Mobile & Mobile Farms chapter.

3. GUI Automation

You can use ADB (optional because some apps check if developer options are enabled) and any GUI automation frameworks like AutoIt or pywin32 to automate Android emulators. This automation heavily depends on screen capturing, OCR, and image recognition, but it is very effective. A while ago, I made an Instagram registration script using this method. You can even hook into bluestacks and launch new profiles with different configs by modifying some Windows registry keys.

CHAPTER NINE

PRIVATE API & REVERSE ENGINEERING

​

1. Introduction

It is the act of intercepting and extracting private APIs from any app or website and replaying it by modifying the request. Some payloads might contain encrypted data, so you might need to go through the source code to reproduce its functionality.

2. Reverse Engineering Web Apps

There is not much to say; Chrome dev tools are your friend! You can also use tools like Burp Suite or HTTP Toolkit to intercept the requests, as they have more advanced filtering methods. Depending on the situation, you can use various methods to extract specific functionality. Sometimes, a Chrome debugger is enough; other times, you would need to write a deobfuscator yourself.

3. Reverse Engineering Mobile Apps

The biggest hurdle is SSL Pinning. You can easily bypass it using Frida. If that doesn't work, decompile and modify the app to trust user certificates. Recompile the app, sign, install, and intercept requests as always with Burpsuite, Proxyman, or HTTP Toolkit. Get into the habit of reading smali code to do static analysis when required. Using Frida, you can hook into functions and understand their behaviour to replicate their functionality.

4. My thoughts on this method

This is my personal favourite. The end implementation is very lightweight and, hence, very scalable. But it is also tremendously difficult, depending on the website of social you target.

CHAPTER TEN

FINAL THOUGHTS​

There is no correct answer for botting and multi-accounting. It depends on your needs, the scale of your operation, and the app/website you are targeting. But everything covered here should hopefully give you a good picture of everything you might need to look out for and make a decision that meets your requirements.

CHAPTER ELEVEN

REFERENCES

​

+ Reverse Engineering

- Github: jamiebuilds/babel-handbook

- Github: iddoeldor/frida-snippets

+ Stealth Evasion

- Github: CheshireCaat/browser-with-fingerprints

- Github: kkoooqq/fakebrowser

- Github: kkoooqq/fakechrome

- Github: ungoogled-software/ungoogled-chromium

- Github: apify/fingerprint-suite

+ Emulator Automation

- Github: SergeyPotapov01/bot_Clash_Royale

- Github: MyBotRun/MyBot

After recruiting the necessary amount of audience and number of stars who create a lot of quality content for social networks, it is not promotion that comes first, but earning money, so the algorithm does not allow new artists to promote, but forces them to buy traffic in order to earn money themselves. Based on this, TikTok does not yet have as much content as other “older” social networks, and therefore it is much easier to promote here now.

So if you think that TikTok is not the social network where you can promote yourself and your products, you are very much mistaken. Right now, it's time to make crazy videos and gain audience by any means, buy ads from everyone and try to get as much profit in it as possible. Remember how there were really interesting videos in YouTube’s trends a few years ago. Remember how there were bloggers and pranksters on Instagram. I believe the same future awaits TikTok; some people quickly become super stars, and then the algorithm stops promoting you in recommendations and makes you buy ads. So catch the moment to become popular now.

When promoting my account, I noticed several illogical features of the algorithm:

1. TikTok better promotes videos that were shot and uploaded from an iPhone rather than from an Android-based phone.

2. Priority is given to short videos, but not always. It all depends on how users react to your video. At what point exactly a person will like it or write a comment. That is, if the video is longer than usual, but they watch it for a long time, it will also get into recommendations.

3. Very bright videos, lots of colors that annoy teenagers.

4. Videos with inadequate and frantic behavior of the main character are good for promotion. Or something with a mystery at the beginning of the video, when it makes a person wait for the end.

5. Use hashtags. So far, the algorithm for using hashtags is clear. You only need to use themed hashtags in order for TikTok to understand the topic of your video. Untargeted hashtags make people watch the video less, which immediately causes the video to disappear from recommendations.

6. Strange use of the hashtag #recommendations or #want to appear in recommendations. People who write such hashtags get into recommendations. The question is how and why?

7. After publishing a video, TikTok will automatically show your video in the recommendations of people who have expressed interest in your video using hashtags. There can be 100 or even 1000 such views. Further fate will depend on how these 100 or 1000 people react to your video. If you get a lot of reactions, there's a chance you'll get 500,000 or 1,000,000 hits and get a lot of subscribers to your profile. Don't forget to prepare your profile for subscriptions. Same algorithm applies – crazy profile photo, a few words about yourself.

8. TikTok likes unapologetic, rule-breaking people. Don't be ordinary.

9. In addition, post the videos on your social networks, share them on Twitter and Reddit, send them to friends – a few live views won't hurt. Ask people to watch until the end of the video, like, repost, and comment it.

10. Talk to your subscribers in the comments. The more the better. Don't miss a single comment, respond to everything, even to your own comments. Create the illusion of communication, boost the communication with your friends under the video.

11. Popular tip. Attract subscribers in one video and then get them to go to your profile and watch the end of the video on your profile. You can cut one video into several pieces and upload it in parts. The second method is to put a bright pink avatar and attract people's interest, making them wonder what it means. The third method is to put a hair mask on top of the video so that the person will try to remove it and thus contact the video and stay a few seconds longer. Remember: Your task is to retain the audience for as long as possible. Make people watch the video to the end by any means. This is where you have to use your imagination to the maximum.

12. Use your Instagram, YouTube, and OnlyFans to boost engagement under videos. Publish videos to Shorts.

13. After you've uploaded your video to TikTok, try uploading it to YouTube Shorts. One of the social networks might become successful.

14. Build your content strategy around the news. Choose a topic that everyone talks about. Link such information to your activities, your attitudes and opinions. People are warmed up by TV and are willing to watch a continuation in TikTok.

15. Don’t use untested sources of traffic so as not to destroy the account analytics and do not get shadowbanned.

16. The one-phone-one-account strategy works well. Too many accounts on 1 phone causes suspicion and shadowban. New TikTok accounts from new phones are promoted better.

Start now. Such an active algorithm will not work for long. Soon you will be paying for advertising and getting minimal income from it, because there will be enough stars like you on TikTok. Hurry up!

 Like Quote