Fake Follower Attacks

Fake follower attacks are a form of platform manipulation in which an account is deliberately flooded with suspicious followers, bots, or artificial engagement.

The aim is not always to build an audience. In hostile contexts, the aim may be the opposite: to make the target appear as if they have bought followers, manipulated engagement, or violated platform rules.

This can cause platforms to restrict or suspend the account. The account holder may then be treated as the source of the suspicious activity, even though the activity was directed against them.

How the tactic works

Most major platforms try to detect fake engagement. They look for signs such as sudden follower growth, coordinated activity, automated accounts, mass reporting, or other behaviour that appears artificial.

A fake follower attack exploits those detection systems.

Instead of trying to hack an account or remove a specific post, hostile actors manipulate the signals around the account. They create the appearance of rule-breaking. The platform then becomes part of the attack chain.

A typical pattern may look like this:

1. A journalist, writer, media outlet, activist, or civil society organisation becomes highly visible.
2. Their account suddenly receives thousands of suspicious followers or bot interactions.
3. The platform detects unusual activity.
4. Automated systems restrict, suspend, or delete the account.
5. The target loses access to their audience and has to prove that they did not cause the suspicious activity.
6. During the suspension, fake or impersonating accounts may appear.

This makes the attack difficult to explain. From outside, the suspension may look like an ordinary moderation decision. The platform may say the account was suspended because of unusual behaviour. The attacker remains largely invisible.

Why it matters

Fake follower attacks are especially effective because they exploit the gap between platform policy and political context.

Platforms are designed to detect abuse at scale. They are less effective at recognising when a user is being framed by hostile activity around their account.

For writers, journalists, artists, and civil society actors, the consequences can be serious:

• the account may disappear during a politically sensitive moment;
• audiences may assume the account broke platform rules;
• event organisers, publishers, journalists, or partners may lose confidence;
• the target may lose contact with readers, supporters, or sources;
• impersonators may use the gap to create confusion;
• the restored account may still lose reach, credibility, or momentum;
• the target may become more cautious about posting publicly.

This is why fake follower attacks should not be treated only as spam. In repressive or politically polarised environments, they can function as a form of deplatforming.

The account is not removed by an official censorship order. It is removed by a platform responding to manipulated signals.

Serbia: a documented example

A clear documented example took place in Serbia in January 2026.

According to the Media Freedom Rapid Response and the European Federation of Journalists, the Independent Journalists’ Association of Serbia recorded at least 12 coordinated bot attacks against Instagram accounts belonging to independent media outlets and journalists between 8 and 30 January 2026.

The affected accounts included independent media outlets such as Nova.rs, Nova S, Nova TV, Zoomer, Radar, Autonomija, VOICE, Danas, N1, Ozon Press, and photojournalists Irena Radosavljević and Gavrilo Andrić.

The attacks used more than one method. Some accounts were reportedly targeted with mass reporting from fake profiles. Others experienced sudden surges in fake followers. This artificial activity appears to have triggered Instagram’s automated systems, resulting in temporary suspensions or deletions.

SafeJournalists reported that the official Nova Instagram account jumped from around 204,000 followers to more than 244,000 followers in only a few hours. Within days, the account lost nearly 30,000 followers again. The newsroom described this as a bot attack using fake profiles, showing sudden and unnatural growth.

SHARE Foundation described the wider pattern as “Instagram sabotage”. In mid-January 2026, it reported that around twenty accounts belonging to independent media, journalists, activists, and civil society organisations were suspended. These included media outlets such as Radar and Nova, as well as the civil society organisation CRTA.

In some cases, the damage continued after suspension. When an account is deleted or unavailable, fake accounts may appear in its place. This can confuse audiences, damage credibility, and create new risks for impersonation.

Why Serbia is significant

The Serbian example matters because it shows how platform manipulation can operate in a politically pressured media environment.

The tactic did not need an official order banning a newspaper or arresting a journalist. It worked through Instagram’s own systems. The targeted accounts were made to look suspicious, and the platform’s automated enforcement mechanisms responded.

This creates a useful form of deniability. A government, party-linked network, or hostile actor does not need to publicly demand censorship. The account can be disrupted while the removal itself appears to come from the platform.

This does not mean that direct responsibility is always proven. Attribution is difficult. Fake accounts, bot services, and coordinated reporting networks are designed to obscure who organised or paid for them.

The harm is documented. The mechanism is documented. The political context is documented. Direct attribution for each individual attack may remain unclear.

How this affects writers and cultural workers

Although the Serbian cases focused heavily on media outlets and journalists, the same tactic can be used against writers, poets, artists, publishers, researchers, and cultural organisations.

This matters because many writers now depend on platform visibility. Instagram, Facebook, TikTok, X, YouTube, and other platforms are not only publicity tools. They are where writers build audiences, announce events, publish statements, share work, respond to attacks, and maintain contact with communities in exile.

A fake follower attack can therefore be used to interrupt more than social media activity. It can interfere with publication, translation, event promotion, fundraising, campaigning, and personal safety.

For exiled writers or dissidents, the effect can be even stronger. Their platform accounts may be one of the few direct channels they still control. Losing access can cut them off from readers inside their country of origin, diaspora communities, journalists, and international supporters.

Connection to deplatforming

Fake follower attacks are a form of indirect deplatforming.

The attacker does not need to control the platform. They only need to understand how the platform reacts to suspicious signals.

This shifts the burden onto the target. The target must appeal the suspension, explain the political context, contact support, prove they are not responsible for the fake activity, and rebuild trust with their audience.

In this sense, the platform becomes both the site of the attack and the mechanism through which the attack succeeds.

Warning signs

Possible signs of a fake follower attack include:

• sudden unexplained follower growth;
• large numbers of new followers with empty profiles;
• many new accounts created recently;
• accounts with no profile picture, no posts, or generic usernames;
• large numbers of followers from unrelated regions or languages;
• simultaneous mass reporting, abusive comments, or impersonation;
• platform warnings about unusual activity;
• sudden restrictions after a follower spike.

None of these signs prove a coordinated attack on their own. But when they appear together, especially around politically sensitive posts or public events, they should be documented.

Documentation steps

Targets should record evidence as soon as possible.

Useful records include:

• screenshots of follower counts before, during, and after the spike;
• screenshots of suspicious follower profiles;
• dates and times of unusual activity;
• platform warnings or suspension notices;
• emails from the platform;
• evidence of impersonating accounts;
• links to related harassment, smear campaigns, or mass reporting;
• any public context that may explain why the account was targeted.

This evidence can help with appeals, public statements, legal advice, digital rights support, and future documentation.

Sources

• SHARE Foundation: Instagram Sabotage — The Saga Continues
• European Federation of Journalists / MFRR: Serbia — coordinated bot attacks on Instagram accounts of independent media emerge as new weapon of censorship
• European Centre for Press and Media Freedom / MFRR: Serbia — coordinated bot attacks on Instagram accounts of independent media
• SafeJournalists: Independent Serbian media, NGOs hit by wave of Instagram suspensions, deletions
• SHARE Foundation: Digital sabotage and physical endangerment
• The Geopost / Radio Free Europe reporting: Fake Instagram profiles silence critical voices in Serbia
• Council of Europe Platform: Cyberattacks on Serbian media outlets and journalists