
As Twitter users migrate to Mastodon, threat actors are taking notice

Elon Musk’s takeover of Twitter prompted mass migration to a social network called Mastodon. What is it, and what does it mean for the cyber threat intelligence community?


Since Elon Musk officially concluded his acquisition of Twitter, many of its users have migrated to the alternative social platform Mastodon. The social network gained more than 1 million new users after the acquisition of Twitter closed, and on the very day the sale became official, October 27th, the hashtag #mastodon trended on Twitter.

Figure 1: Mastodon was the 6th trending hashtag on Twitter on October 27th, the date that Twitter was officially acquired.

Although many consider the platform to be a Twitter alternative, it’s very different in both design and function. Mastodon is a decentralized self-hosted social network. It allows microblogging features like Twitter, but it operates as many independently run nodes called "instances." Since its code is open source, anyone can establish their own Mastodon instance. However, while the instances are independently administered, users may communicate between instances.


The concept of decentralized servers prevents Mastodon from being controlled by a single company or person, unlike popular social media platforms like Facebook or Twitter.

The platform does however have several similarities to Twitter: Users can “toot” (tweet) and “boost” (retweet) other posts, and they can follow other users or hashtags.

Figure 2: In October 2022, there was a spike in new Mastodon users and in active new Mastodon instances.

Why is Mastodon such a big draw?

Although one can understand why many people chose to leave Twitter, why do many find Mastodon to be such an attractive alternative?

Traditional social media networks generate revenue from advertising. The more they can fine-tune an ad to a user, the more they can earn for the ad. In order to optimize ad revenue, social media companies track user activity and create user behavioral profiles. However, many consider this to be an invasion of privacy, and therefore find it refreshing that Mastodon is open-source, ad-free, not-for-profit, and does not track user behavior.

Figure 3: The actor commented on a post titled “Leave Twitter - move to Mastodon” about his personal view of the new platform. He describes Mastodon as a “fresh take on digital communication” and emphasizes the importance of decentralized social media.

Furthermore, advertising revenues also rise when user engagement increases. Social media companies try to maximize engagement by using automated algorithms to amplify posts considered likely to be popular. Unfortunately, many of these posts can be vitriolic and divisive, turning feeds into toxic environments. However, on Mastodon, there are no recommendation algorithms. Posts simply appear in chronological order, and the posts that receive the most organic engagement appear in the most feeds.

Similarly, Twitter upset many people by introducing an $8 monthly fee for verification. While Mastodon users can choose to donate to cover their instance’s maintenance fees, anyone can use the environment without paying.

Figure 4: The actor complains about the $8 monthly fee for verification on Twitter, suggesting other free alternatives like Mastodon.

Finally, the decentralized nature ensures that the entire fediverse, the collective of Mastodon instances, is not controlled by a single entity or policy. Instances can be founded on a theme or idea, attracting like-minded users. Each instance admin can choose how to run their fief, which includes which posts to block and which users to ban. This allows users to find spaces more attuned to their interests without content that they find objectionable.

Discussions of Mastodon on underground forums

In recent weeks, many actors on the underground have discussed Mastodon. For example, one actor searched for privacy-themed instances so they could find like-minded peers.

Figure 5: An actor seeks Mastodon instances to join, specifically ones related to privacy. Other actors reply with suggestions.

In another post, a Telegram account associated with the Antifa movement posted an invite to follow them on Mastodon:

Figure 6: A Telegram account associated with Antifa shares an invite to join their Mastodon instance.

Even forum administrators are becoming involved. In one post, the admin of a popular underground hacking forum shared links to a variety of social media platforms, including their Mastodon account:

Figure 7: On Mastodon, the admin of a notorious forum advertises that they opened a Mastodon instance of their own.

As Mastodon increases in popularity, many ethical hackers and security researchers have shared security recommendations to protect Mastodon servers from compromise.

For example, an actor shared a Mastodon honeypot, a tool designed to detect unauthorized attempts to access a server. Using this tool, the server owner can lure the attacker, isolate them, and analyze their behavior.

Figure 8: The actor shares a free honeypot for Mastodon instances, a computer security tool designed to detect and isolate unauthorized attempts to access a server.
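To make the honeypot idea concrete, the following is an added example of the same defensive pattern, written for this page and not the tool the actor shared. It serves a decoy admin login page at a hypothetical path (`/admin/login`, an assumption) that no legitimate Mastodon user would ever request, records every hit without ever storing submitted credentials, and flags any source that hammers the decoy more than a threshold number of times inside a sliding window. The sample traffic at the bottom is constructed for illustration.

```python
"""Decoy-login honeypot for an instance operator (added example, not the shared tool).

Assumptions: DECOY_PATH is a path the real application never exposes, so every
request to it is suspicious by construction; the thresholds are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List

DECOY_PATH = "/admin/login"      # hypothetical decoy path (assumption)
ALERT_THRESHOLD = 5              # hits from one source inside WINDOW that raise an alert
WINDOW = timedelta(minutes=10)


@dataclass
class Attempt:
    when: datetime
    source: str
    user_agent: str
    path: str


# In-memory record of decoy hits; a real deployment would ship these to a log collector.
ATTEMPTS: List[Attempt] = []


class DecoyHandler(BaseHTTPRequestHandler):
    """Serves a bland fake login page and records every request to the decoy path."""

    def _record_and_reply(self) -> None:
        if self.path.startswith(DECOY_PATH):
            ATTEMPTS.append(Attempt(datetime.now(timezone.utc), self.client_address[0],
                                    self.headers.get("User-Agent", ""), self.path))
        # The decoy reveals nothing about the real instance: a generic page every time.
        body = b"<html><body><form method='post'><input name='u'><input name='p'></form></body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self) -> None:
        self._record_and_reply()

    def do_POST(self) -> None:
        # Read and discard the body: submitted credentials are never stored, only the attempt.
        length = int(self.headers.get("Content-Length", "0"))
        if length:
            self.rfile.read(length)
        self._record_and_reply()

    def log_message(self, fmt, *args) -> None:  # keep stdlib request logging quiet
        pass


def summarize(attempts: List[Attempt]) -> Dict[str, int]:
    """Count decoy hits per source address."""
    counts: Dict[str, int] = defaultdict(int)
    for a in attempts:
        counts[a.source] += 1
    return dict(counts)


def flag_sources(attempts: List[Attempt], threshold: int = ALERT_THRESHOLD,
                 window: timedelta = WINDOW) -> List[str]:
    """Return sources with at least `threshold` decoy hits inside any sliding `window`."""
    by_source: Dict[str, List[datetime]] = defaultdict(list)
    for a in attempts:
        by_source[a.source].append(a.when)
    flagged = []
    for src, times in by_source.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:   # shrink window from the left
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)


def constructed_sample() -> List[Attempt]:
    """Constructed sample traffic (not real data): one noisy source and one single probe."""
    t0 = datetime(2022, 11, 1, 12, 0, tzinfo=timezone.utc)
    sample = [Attempt(t0 + timedelta(seconds=30 * i), "198.51.100.7", "curl/7.85", DECOY_PATH)
              for i in range(6)]
    sample.append(Attempt(t0 + timedelta(minutes=3), "203.0.113.9", "Mozilla/5.0", DECOY_PATH))
    return sample


def serve(port: int = 8080) -> None:
    """Run the decoy listener (blocking)."""
    HTTPServer(("0.0.0.0", port), DecoyHandler).serve_forever()


if __name__ == "__main__":
    sample = constructed_sample()
    print(summarize(sample))            # {'198.51.100.7': 6, '203.0.113.9': 1}
    print("flagged:", flag_sources(sample))  # flagged: ['198.51.100.7']
```

Running `serve()` exposes the decoy on a port of your choosing; the analysis functions work on whatever `ATTEMPTS` has collected. The point of the design is that detection needs no signature: because the path does not exist on the real service, a single hit is already a signal, and the sliding-window count separates a one-off scan from a sustained attempt that warrants isolating the source and studying what it tried.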


After the acquisition of Twitter, many Twitter users searched for a new social network to meet their needs – a platform that is decentralized, safe, and independent. Many found what they wanted in Mastodon, and the significant migration began.


Will it become the new Twitter? Will this become a platform for security researchers to share their insights on cybercrime and threat intelligence? Will threat actors use it to conduct criminal activity? While we cannot know for sure how popular it will become for both beneficial and malicious purposes, we know from past experience that threat actors always seek ways to exploit new tools and platforms to serve their interests. We will therefore pay close attention.