The black market for GitHub stars that helps fake popularity

Popularity on GitHub helps unlock valuable opportunities for developers and startups. Underground shops sell “stars” for projects on this platform, offering programmers a way to literally follow the popular slogan “Fake it till you make it.”

GitHub has firmly established itself as the “programmer’s best friend,” combining software development tools with collaboration features that create a kind of social network for the code-savvy. The company’s success has also led to the emergence of an unwelcome feature of social platforms: an illegal market for fake engagement.

An ecosystem of online shops and chats openly sells GitHub stars, which users award to interesting projects and which are used to determine the most popular of them. For the bargain price of $6, paid in ether, WIRED bought 50 stars for a dormant GitHub project on a site cheekily named Fake likes appeared in just a few hours.

The fake stars sold on it are just part of a wider black market in the online activity signals that programmers, investors and other tech professionals use to single out promising programmers and startups when deciding whom to hire, work for, or invest in.

Online stores also offer votes for projects featured on Product Hunt, a community platform that helps users discover the latest in technology, as well as subscribers and views on Kaggle, a community of data scientists where outstanding achievements can lead to job offers. Sellers appear to be taking advantage of the ambition, and perhaps the desperation, of people looking for the shortest route to success in an industry sometimes associated with the mantra of “fake it ’til you make it.”

“Almost all online manipulation is some form of attention grabbing to make money — to get attention and then turn it into money or power,” says Filippo Menzer, director of the Social Media Observatory at Indiana University. “GitHub is no different. It’s a market for attention because there are mechanisms by which people gain popularity, influence and reputation because of how popular or widely used their software is.”

“Into the bot universe!”

Fraser Marlowe, head of development at data orchestration startup Dagster, stumbled upon GitHub’s scam market last year after noticing that investors appeared to be using stars on the platform as a signal that an open source project was popular.

His team bought stars from two different online stores and used the data collected in the process to build a model for detecting fake stars in GitHub repositories. They ran the model on their own Dagster code repository, as well as several others.

Cryptocurrency project Okcash turned out to be the worst offender, with 97% of its 759 stars flagged as fake by the Dagster detector. Meanwhile, only 1.6% of 29,435 stars were flagged as fake for Apache Airflow, an open source project that competes with Dagster. The analysis was limited to stars produced since 2022; Astronomer, the Apache Airflow community company, declined to comment.

Okcash founder Oktoshi San said his project does not worry about “vanity metrics” such as stars and forks, but some community members have launched a giveaway (Okcash tokens) in exchange for stars for the project on GitHub.

Dagster’s findings build on earlier work, including a paper by researchers who found more than 63,000 accounts suspected of handing out fake stars that were active on GitHub between 2015 and 2019. The results were obtained by analyzing data from star sellers in Telegram and Chinese WeChat and QQ chats.

“GitHub’s security service has been aware of the presence of fake stars for many years and is actively working to remove them from the platform,” said Jesse Gerachi, the company’s online security consultant. Gerachi acknowledges that it can be difficult to strike a balance between precisely removing fake accounts and allowing real ones to run smoothly. “Sixty-three thousand suspicious accounts may seem like a lot, but it’s a very small percentage of the more than 100 million developers working on GitHub,” Gerachi says.

After Marlowe posted on his blog about his work tracking suspicious stars, almost all the stars he paid for disappeared within a week. Stars purchased by WIRED were also removed less than a month after purchase. GitHub’s anti-abuse team combines manual investigation with software-based methods to detect fraudulent accounts.

“I like to think that GitHub’s star obsession was kind of a holdover from the ZIRP bubble,” says Marlowe, referring to the zero-interest rate policy that recently ended in the US. It’s a professional thing that only venture capitalists and firms obsess over, he says, but over the past year he’s already noticed that people are giving it less and less importance.

Venture capitalists are “programmed” to find fast-growing startups looking for investment, says Pratima Ayyagari, partner at venture capital firm Nauta Capital. Open-source projects can run for years without generating significant revenue, she said, so investors are looking for other signs of growth, of which GitHub’s stars are just one. The success of companies such as business software company MuleSoft and collaborative software development platform GitLab has sparked a lot of interest in open source companies, she said. “Venture investor money just poured into the area.”

To track open source startups, venture capital firm Runa Capital created the ROSS Index, which ranks companies based on the annual growth rate of GitHub stars. It has become a widely used benchmark for fast-growing products.

The index is a good predictor of whether a company will receive a round of investment, says Kostiantyn Vinogradov, Runa’s general partner. About a third of all companies included in the index since its launch in 2020 have raised follow-on funding rounds in the next 12 months, he said.

Over time, metrics may survive, says Stuart Geiger, an associate professor at the University of California, San Diego. According to him, two “laws” attributed to sociologists explain why: the more a metric is used in decision-making, the more it will be manipulated (Campbell’s Law), and a metric that becomes a goal ceases to be useful (Goodhart’s Law).

The line between cunning strategy and fraud can be blurred. “If the company becomes number one on Product Hunt, places it on its website, then maybe it will increase customer conversion,” says Vinogradov. “Is it just winning the game? Is this a smart business-oriented strategy?”

Kevin Zhang, a former venture capitalist now building his own startup, says GitHub’s stars seem to be a target for entrepreneurs looking to make an impact. “I began to notice that the founders began to pay more attention to the growth of stars,” he says. “That always raises some suspicions, doesn’t it? Oh, maybe they’ve just been tweaked a bit.”

But Zhang and other investors say that while manipulating metrics like stars can help a startup land its first meeting with venture capitalists, it’s unlikely to land a second one. According to Zhang, investors’ views on GitHub’s performance have changed in recent years due to gamification and a deeper understanding of the open source market. Good performance on GitHub is one promising signal, but it’s not an absolute sign of success, Zhang, Vinogradov and Ayyagari say, and information about the founding team, the market and many other factors is taken into account before making an investment.

“We accept cryptocurrencies”

Baddhi Shop, an online store that offers fake likes, launched its services on GitHub earlier this year. It also sells “votes” on Product Hunt, as well as subscriber “votes” and views on Kaggle. When WIRED sent a message to the site’s founder, Nagi Durgarao Baddi, on LinkedIn, responses came back that claimed his business was perfectly legitimate.

When an order comes in for GitHub stars or another metric, the 11-person team starts calling “from different cloud devices,” Baddi said, adding that it’s not spam because the store adheres to each website’s terms of service. GitHub isn’t the most popular offering for metrics manipulation, Baddi added. According to Baddi, likes on Discord, a chat service popular among crypto projects, are ordered daily, and metrics for 10 other services are also popular. Kellyn Sloan, a spokesperson for Discord, says that creating or selling fake accounts violates the terms of service and that the company is taking action in response, including removing users from the service.

Selling fake interactions is most prevalent on major social platforms such as Facebook. The emergence of a likes market for small, new sites like GitHub and Product Hunt may be due to the fact that major platforms are paying more attention to fake accounts, says Stefano Cressi, a researcher specializing in disinformation, fake news and social bots at the Institute of Informatics and Telematics. According to him, sellers may be switching to other platforms where it is easier to continue their business.

There is also evidence that now that the Internet is central to almost all areas of human activity, online fraud is occurring even in niche communities. Justin Hollander, a professor at Tufts University near Boston, recently published research showing that Twitter bots are being used to try to influence urban planning. The bots were active in 21 construction projects in the US, including SoFi Stadium in California and mixed-use projects in Atlanta.

“A number of different community organizations and government agencies have used bots,” he says. “We did not manage to find a single group. It seems that any organization that is savvy and active in the field of city formation and is involved in politics is using bots.” Indiana University’s Menzer compares the widespread use of bots and fake likes to environmental pollution, when garbage accumulates enough to bury something of value. He expects the situation to worsen as technology advances. Menzer and his colleagues recently discovered evidence of a ChatGPT-based bot network promoting cryptocurrency on Twitter.

“Both humans and algorithms find it difficult to detect fake accounts,” Menzer says. “And ChatGPT will happily create tons of fake accounts for you that are indistinguishable from the real thing.” AI-powered image generators are used to create realistic and unique fake profile photos, says Menzer, eliminating what in the past was a clear indicator of fake accounts. “It’s an arms race because social bots are getting smarter and smarter,” Menzer says. No matter what new engagement metrics appear for software projects, companies or people, fraudsters will not be far behind…

