A Twitter account impersonating South Africa National Prosecuting Authority (NPA) Director Shamila Batohi injected uncertainty and turmoil into the country’s online debate a month before the wrap-up of a commission investigating systemic government corruption. The fake account was suspended after it posted a tweet promising high-profile arrests.

Accounts designed to mimic real-life journalists, politicians and political offices, celebrities, and the like are frequently used to target unsuspecting audiences with hyper-political content or outright scams. In South Africa, as elsewhere, social media actors proclaiming to be somebody they are not post highly inflammatory content as a means of rallying political support and provoking opposition supporters, often with the goal of dividing voters and influencing elections. These actors are ideologically or financially compelled to amplify overtly partisan content, particularly in the months leading up to national elections.

NPA Director Batohi was appointed in 2018 and assumed office in February 2019. Her remit was to tackle widespread corruption within government and other organs of state, after previous NPA heads were seen to have failed to address allegations of state capture — the widespread problem of private-sector interests gaining sufficient power over government that they can influence it to their own advantage. In particular, Batohi has been called on to prosecute those implicated in the ongoing Zondo Commission into Allegations of State Capture inquiry, with the Congress of South African Trade Unions calling for 2020 to be the year those who benefit from state capture are locked up. Nearly a year into her tenure, no cases have made it to court, and the NPA boss knows that South Africans are anxious to see results.

As pressure against the NPA boss mounted, the Twitter account @ShamilaBatohi appeared online, using the platform to promise swift action against the corrupt. Despite not being verified, the account lacked any obvious signs of inauthenticity: there was no clear evidence of automation; its handle did not contain any subtle spelling differences (for example replacing the “m” with “n” to create @ShanilaBatohi); and it tweeted out information made public by the NPA, conveying a sense of official government outreach. Indeed, it was so convincing that a multitude of prominent South African journalists, the ombudsman of the National Press Council, and local politicians followed @ShamilaBatohi.

But the NPA denied that the account was affiliated with the national head of the prosecuting authority, alleging that the account had already been reported to Twitter for impersonation multiple times.

@ShamilaBatohi was @NandiWabantu, and @NandiWabantu was @ShamilaBatohi

In December 2019, fact-checking organization AfricaCheck reported that the @ShamilaBatohi account was not officially sanctioned. Following the recent tweeted promise of high profile arrests, local independent news outlet News24 highlighted the account as being fake.

A DFRLab investigation into the account found that @ShamilaBatohi used to go by a different account name, @NandiWanbantu, and that sometime after September 16, 2019, the owner of the account attempted a purge of the account’s previous activity in anticipation of its change of persona.

Scrolling through the account’s timeline before it was suspended, it became clear that several tweets had been deleted. Despite the account owner’s attempt to remove traces of its previous tweets, however, Twitter account managers do not have the ability to delete the responses to their tweets. As a result, the responses to the account’s deleted tweets were still available at the time of analysis.

The account’s favorited tweets were also not removed during the purge of September 2019.

One tweet favorited by @ShamilaBatohi in particular presented evidence of the account before it changed names.

The tweet, originally posted by user @CakesNandi on September 4, 2019, preserved the display names of the seven users that favorited the tweet. (At the time of writing, @CakesNandi appeared also to be suspended from Twitter.) Among these seven users was the previous incarnation of the @ShamilaBatohi account, @NandiWabantu.

Looking at the metadata for the tweet revealed @ShamilaBatohi’s account previously used the @NandiWabantu handle. When looking at the archived likes of the tweet, a user going by the display name “Nandi Cakes” showed up; hovering over the Nandi Cakes profile picture, however, revealed the Shamila Batohi account information. A closer look at the metadata revealed that the account, at the time of liking @CakesNandi’s tweet, went by @NandiWabantu.

Additionally, the user ID currently assigned to @ShamilaBatohi, as confirmed by a Twitonomy analysis of her account, was the same as that for @NandiWabantu.

Searching Google for @NandiWabantu revealed that two cached versions of the account’s tweets were still available, both including the accounts unique user ID in the page elements. The Google search also yielded the casual racism published by the account that would later pose as South Africa’s national director of public prosecutions.

Finally, perhaps the easiest proof that the @ShamilaBatohi and @NandiWabantu accounts were the same could be found when searching Twitter for the username @NandiWabantu, which yields many results for @ShamilaBatohi.

Since Twitter bases its searches off of user IDs as opposed to handles or display names, a search for “@NandiWabantu” would return any other handles currently or previously affiliated with the same user ID number, as was the case here.

“Nandi Cakes” and @CakesNandi

Furthermore, there seemed to be a connection between @NandiWabantu and @CakesNandi, both of which are now suspended. In its previous life as @NandiWabantu, the account at some point went by the handle “Nandi Cakes.”

@CakesNandi, prior to its own suspension, also used “Nandi Cakes” as its display name.

The two accounts interacted with one another up until their suspension. Of all the tweets liked by the @ShamilaBatohi account, posts by @CakesNandi featured most prominently.

While there appeared to be a connection between the two accounts, the DFRLab was unable to prove that @CakesNandi and @ShamilaBatohi were operated by the same user. It is also unknown whether the accounts were related to the litany of similar looking profiles when searching for “Nandi Cakes” on Twitter.

Conclusion

Ultimately, Twitter’s impersonation rules are clear: a user “may not impersonate individuals, groups, or organizations in a manner that is intended to or does mislead, confuse, or deceive others.” The @ShamilaBatohi account appeared to have been in violation of these rules by impersonating a high-ranking prosecutor, making fictitious claims that lead other social media users to believe significant arrests will be made, and pretending to offer legal advice. The account remains suspended.

Tessa Knight is a Research Assistant, Southern Africa, with the Digital Forensic Research Lab (@DFRLab) and is based in South Africa.

Jean le Roux is a Research Associate, Southern Africa, with @DFRLab and is based in South Africa.

Follow along for more in-depth analysis from our #DigitalSherlocks.

The Digital Forensic Research Lab team in southern Africa works in partnership with Code for Africa.