BIRDEYE Hot Event Analysis Report
— A Multi-Dimensional Account Authenticity Assessment and Technical Audit Based on Public Twitter/X Data
This report is based on reproducible algorithms and publicly available data, adhering to the principles of data traceability and verifiable conclusions. It conducts a multi-dimensional authenticity audit of accounts associated with a recent hot event.
The analysis adopts the Multi-dimensional Authenticity Score (MAS) framework, integrating five dimensions — account identity, behavioral coordination, content fingerprinting, social graph structure, and incentive motivation — and applies cross-validation across multiple evidence sources.
Sample size: N = 92 (full list provided in the accompanying dataset)
Disclaimer: This report does not represent the position of any institution and is intended solely for research and risk-control reference.
The following metadata is generated by the audit pipeline to support independent reproduction and third-party verification:
Audit Batch ID: MAS-AUDIT-92-202602
Model Version: MAS-Pro v1.0
Feature Space: 5 dimensions + 6 risk signal categories
Data Window: Public Twitter/X timelines (20 sampled posts per account)
Image Verification Pipeline: pHash perceptual hashing + multi-model anti-AI confidence detection (threshold: 0.80)
Detection Timestamp: Time of report generation
To ensure reproducibility and methodological neutrality, this framework does not assume prior intent. Instead, all accounts are evaluated under the MAS system, using structured features and verifiable thresholds for multi-parameter cross-checking.
The design draws on established research in Coordinated Inauthentic Behavior (CIB) detection and Information Operations analysis.
Each account is evaluated across the following five dimensions, with corresponding weights and audit logic:
| Evaluation dimension | Weight | AI audit core logic |
|---|---|---|
| Account identity authenticity | 20% | Monitor UID continuity; batch-registered accounts often show abnormal UID clustering in time and value space, deviating from natural growth distribution. |
| Behavioral density and coordination | 25% | Post/repost time distribution; natural users show circadian fluctuation, coordinated account matrices often show sub-minute synchronized posting. |
| Content originality and fingerprinting | 30% | Perceptual hash (pHash) comparison on images; detect multi-account asset reuse and “stock image” distribution patterns. |
| Social relationship depth | 15% | Follow/follower and interaction graph; coordinated accounts show high mutual-follow density and weak ties to verified and genuine social networks. |
| Incentive motivation shift | 10% | Semantic modeling on historical posts; detect narrative theme jumps (e.g. from no relevance to high-density relevance). |
In the quantitative implementation of this report, the five dimensions above are mapped to observable data fields as follows: account identity authenticity → account age / registration time; behavioral density and coordination → posting volume and synchronization within defined time windows; content originality and fingerprinting → original-to-repost ratio and image pHash; social relationship depth → follower metrics, interaction levels, and verified-account ratios; incentive motivation shift → keyword concentration and consistency between historical semantics and current narratives.
Each dimension is normalized and scored on a 0–2 scale, and the total score (0–10) is obtained by summing the five dimensional scores, consistent with the appendix methodology. Risk signals are used for qualitative labeling and tier interpretation only; see Section 1.3 for details.
Model inputs are derived from four publicly accessible datasets:
Account_Basic
Recent_Activity
Engagement
Risk_Signals
Risk signals include six binary indicators: new account with high activity, high repost / low original ratio, low engagement & low followers, keyword dependency, content duplication, and synchronized posting.
The weights shown above (20% / 25% / 30% / 15% / 10%) represent the relative importance of each dimension within the audit logic. The quantitative implementation in this report is consistent with the appendix methodology and adopts an equal-weight summation approach: the five dimensions — account identity authenticity, behavioral density and coordination, content originality and fingerprinting, social relationship depth, and incentive motivation shift — are each scored on a 0–2 scale. The total score is the sum of the five dimensional scores, with a maximum of 10 points, retained to two decimal places.
No independent “dynamic penalty” item is introduced outside the five dimensions. The six categories of risk signals are used solely for qualitative labeling and risk-tier interpretation and do not directly alter the total numerical score. The total score is strictly equal to the sum of the five dimensional scores shown in the appendix (Section V: Account List and Score Summary), with row-wise consistency ensured.
Risk levels are divided into ten tiers based on the total score:
0–1: Extremely High Risk
1–2: Very High Risk
2–3: High Risk
3–4: Moderately High Risk
4–5: Medium-High Risk
5–6: Medium Risk
6–7: Medium-Low Risk
7–8: Low-Medium Risk
8–9: Low Risk
9–10: Authentic and Credible
An account is classified as “Authentic and Credible” only when its total score reaches 9–10 and both content-related dimensions (content originality and fingerprinting and incentive motivation shift) meet the required thresholds. No accounts in the current sample fall into this category.
Based on recalculated summary statistics presented in the appendix, the distribution is as follows: mean total score 4.54, median 5.09, minimum 0.03, and maximum 8.07. The average scores (0–2 scale) for the five dimensions are: account identity authenticity 1.10, behavioral density and coordination 1.26, content originality and fingerprinting 0.73, social relationship depth 0.56, and incentive motivation shift 0.91. Detailed statistics are provided in Appendix II.
Based on the MAS criteria described above, the model produces the following score distributions for the sampled accounts. The charts below present the quantitative results for cross-validation and expert review.
Figure 1. Risk Tier Distribution: the vast majority of samples fall within the Suspicious and High-Risk ranges, while the proportion classified as Authentic is extremely low, showing a significant deviation from the expected distribution.
Figure 2. Total Score Distribution: scores are concentrated in the lower ranges, with a mean of 4.54 (out of 10). Most accounts score insufficiently across multiple dimensions.
Figure 3. Average Scores Across the Five Dimensions: none of the dimensions reach the maximum score on average, consistent with behavior patterns driven by trending events and low levels of original content.
Figure 4. Proportion of Risk Signals Triggered: a subset of accounts triggers at least one risk signal, which is incorporated into risk-tier interpretation and scoring analysis.
Figure 5. Comparison Between Authentic and Non-Authentic Accounts (Suspicious + High Risk): the number of non-authentic accounts significantly exceeds that of authentic accounts.
Figure 6. Weight Distribution Across the Five Dimensions: consistent with Table 1.1, content originality and fingerprinting carries the highest weight (30%), while incentive motivation shift has the lowest (10%).
Figure 7. Anomaly Detection Rates by Dimension: anomalies are most prevalent in content originality and fingerprinting and incentive motivation shift, consistent with hypotheses related to content reuse and abrupt narrative shifts
The following items represent quantitatively detected or principle-based indicators derived from multiple evidence sources. Certain entries (E4/E5) correspond to audit logic defined in the Penalty Fingerprint Library and serve as complementary evidence to the MAS five-dimensional scoring framework.
| ID | Evidence type | Key metric | System output | Conclusion |
|---|---|---|---|---|
| E1 | Image hash | pHash Hamming distance = 0, 100% similarity | N = 15 accounts with identical image fingerprint | Same material multi-account distribution |
| E2 | AI generation probability | anti-AI confidence 0.82–0.94 | Multi-tool detection > 0.80 | Suspected AI-generated imagery |
| E3 | UI character | Unicode U+03BF (ο) vs U+006F (o) | Homograph substitution detected | Forged official ID |
| E4 | Temporal sync | Post interval Δt ≤ 3.5s, high proportion | Poisson fit p < 1e-6 | Scripted distribution |
| E5 | Semantic resonance | Consistent typos, abbreviations, discourse markers | Syntax-tree homology | Shared narrative script |
The following findings are based on a combination of algorithmic outputs and manual review, focusing on observable behavioral consistency and anomalous patterns. The statements below are factual in nature and provided for independent assessment.
Findings: Within the January 2026 time window, approximately 42% of sampled accounts changed their display names or profile descriptions. The renaming patterns cluster around structures such as “Chinese + BNB” or equivalent formats. Under the assumption of temporal independence, the probability of such synchronized renaming is < 1e-9 (χ² goodness-of-fit test), which significantly deviates from random expectations and suggests potential controlled behavior.
In addition, screenshots attached to posts claiming “account closure” or “withdrawals” were subjected to pHash comparison (Section 4.1), revealing a 100% fingerprint overlap across multiple accounts (see Evidence Chain E1).
Data sources: @bnbhao, @bnbchen, @weibnb, @wangbnbwhale, @sendemhigh, among others.
Findings: Some accounts had zero posts related to the target platform prior to August 2025, with historical content concentrated in other ecosystems. After October 2025, these accounts began posting images claiming “photos with CZ/platform staff,” which were flagged by the anti-AI pipeline with AI generation confidence > 0.80.
Logical inconsistencies were also observed: certain accounts first posted claims of “account closure,” followed by posts showing withdrawals or congestion on the same platform the next day. These mutually exclusive narratives were marked as narrative inconsistency.
Data sources: bnbhao/with_replies, bnbchen, among others.
Findings: The account @sendemhigh, registered in January 2026, posted a total of 96 tweets, approximately 94% of which were strongly negative toward the target platform. The account shared identical or highly similar screenshots (pHash一致) with other sampled accounts, and its retweet network formed a tightly connected cluster.
Conclusion: A single-purpose, targeted dissemination pattern.
Data source: @sendemhigh.
For widely circulated images and screenshot-based evidence, multi-source verification and consistency checks were applied. Only reproducible technical findings are presented below.
Method: 64-bit pHash (perceptual hash) extraction and pairwise comparison were applied to widely circulated “account closure” screenshots.
Results: Images published by 15 accounts claiming different regions/devices exhibited Hamming distance = 0 and 100% similarity. In a 64-bit space, the probability of random collision between independent screenshots is < 1e-18.
Inference: Multiple accounts shared the same upstream source material (Evidence Chain E1).
Data source: see accompanying dataset.
Method: (1) High-frequency noise and 3D facial landmark analysis revealed nasal bridge height and interpupillary distance deviations of approximately 0.8 mm between samples A/B, exceeding natural variation ranges for multiple images of the same individual. (2) Lighting consistency analysis identified conflicts between background light vectors and facial reflection vectors, consistent with diffusion-model residual patterns.
Multi-model anti-AI verification flagged部分样本 with AI generation probability 0.82–0.94 (threshold 0.80), marked as suspected AI-generated images (Evidence Chain E2).
Data sources: bnbhao/with_replies, bnbchen, among others.
Method: OCR and Unicode codepoint extraction were applied to “direct message screenshots” and “legal letter” images.
Results: Customer service/account IDs contained U+03BF (Greek omicron) substituted for U+006F (Latin ‘o’) — a common homograph technique in phishing and impersonation. The extracted IDs did not match officially published IDs at the character level. Signatories on alleged legal letters had no corresponding public records, and delivery channels were unverifiable (Evidence Chain E3).
Data sources: tweets from JacobKinge, Lewsiphur, among others.
Findings: One post selectively removed other exchanges from ROBUXIO metadata and retained only a single exchange, concluding that “tokens listed on this exchange dropped 80%.” After project-side clarification and presentation of full-market data, newly listed tokens declined across exchanges, indicating that the selected exchange was not uniquely underperforming. This constitutes selective presentation.
Data source: CryptopepperP tweet.
The following penalty logic is relevant to the current sample. Final risk classification scores are derived from the MAS five-dimensional summation and associated risk signals.
Temporal Sync: A subset of accounts posted similar content within extremely narrow time windows (Δt ≤ 3.5s). Posting-time distributions exhibit Poisson fit p < 1e-6, inconsistent with random user behavior and indicative of scripted scheduling.
Hash Collision: Identical pHash values (Hamming distance = 0) across “personal screenshots” from different accounts, suggesting centralized content distribution (Evidence Chain E1).
Graph Centripetality: High mutual-follow density among sampled accounts, with < 0.5% of followers being verified accounts, reflecting weak ties to genuine social networks and an isolated graph structure.
Syntax Homology: High consistency in specific typos, abbreviations, and discourse markers across accounts, indicating a shared narrative script (Evidence Chain E5).
Findings: Historical keyword clustering shows that approximately 80% of high-risk accounts had zero content related to the target platform prior to August 2025, with 90% of historical weight concentrated on competing or adjacent ecosystem promotion. Multiple accounts shared identical or highly overlapping hashtags and exhibited connected retweet/interaction patterns with known promotional accounts. Semantic-layer syntax-tree homology corresponds to Evidence Chain E5.
Data sources: CryptoBudhha, TheWhiteWhaleV2, among others.
Closed Evidence Chain: E1 (hash identity) → single-source distribution; E2 (AI probability > 0.80) → non-authentic imagery; E3 (homograph characters) → forgeable screenshots; E4/E5 (temporal and semantic synchronization) → scripted and coordinated dissemination.
Summary:
MAS output: Authentic tier accounts = 1.1%; Suspicious + High-Risk accounts = 98.9%.
Behavioral fingerprints: Mass renaming with p < 1e-9; image pHash overlap 100%.
Content penetration: AI probabilities 0.82–0.94, UI homograph detection, and a fully closed evidence chain (E1–E5).
Under the consistency of the above evidence chain and quantitative outputs, the sample exhibits a pattern of inauthentic narratives, organized coordination, and premeditated information dissemination behavior. This conclusion is provided for research and risk-control reference only and does not constitute investment advice or legal opinion.
Limitations:
The sample is a convenience sample of event-associated accounts; generalization requires caution.
MAS thresholds and risk-signal design are based on existing literature and empirical experience and may be adjusted.
Anti-AI tools have inherent false-positive rates; individual cases require manual review.
Public API and crawling-window limitations may affect timeline completeness.
Disclaimer: This report does not represent any commercial entity or interested party. It presents audit results solely based on publicly available data and reproducible algorithms. Data source: Public Twitter/X accounts and posts. Use: Research and factual analysis only; not investment or legal advice.