Print screen of the “Students in Blockade” Instagram profile. Photo by Meta.mk, used with permission.

This article is based on coverage by Meta.mk News Agency published on November 16 and November 23, 2025. An edited version is republished here under a content-sharing agreement between Global Voices and Metamorphosis Foundation.

Coordinated attacks attempting to shut down the Instagram accounts used by the student movement in Serbia and independent media in North Macedonia occurred almost simultaneously during November 2025. These large-scale operations involved a huge increase in fake followers on their profiles through bot activity, aimed at triggering an automatic shutdown response from the social media platform’s algorithm.

A quick reaction by the student movement prevented damage to this crucial element of their information infrastructure, according to TV N1. In response to a previous similar attack of this kind, Macedonian media outlet Sloboden Pechat has locked its Instagram profile to prevent further bot activity.

Serbia: Bot attack against student protest movement via fake profiles and mass reports

The bot attacks in Serbia focused on Instagram profiles run by students involved in the Students in Blockade movement. The students first noticed a sudden spike in suspicious followers on the movement’s main profile, Students in Blockade — which has over 1 million followers — along with parallel attacks on the social media profiles of individual faculties and departments.

Balša Bulatović, a student at the Faculty of Technical Sciences (FTN), explained in a statement for N1 TV that two types of attacks were identified, both sharing the same goal of deactivating the student profiles.

The first involved the sudden increase in fake, foreign followers. The second involved mass reports for inappropriate content, designed to trigger an automatic reaction from the AI used by Meta’s platform, which locks the profile pending review.

The civic association IT Blokada, which serves as an IT support unit in the student movement, publicly warned that the movement’s communication channels were under attack, describing the operation as “a coordinated attack to erase the key communication channels.”

One of the student groups affected, Poljoprivredni blokada (Agriculture Students in Blockade), posted the following statement:

Ovo očigledno predstavlja jedan od jadnih pokušaja kontrole stanovništva i sprečavanje širenja slobodne misli koja poziva na pobunu protiv trulog režima.

This obviously represents one of the pathetic attempts to control the population and prevent the spread of free thought that calls for rebellion against the rotten regime.

Other groups gradually regained control of their profiles and posted a defiant public response to the attackers, whose identity remains unknown.

If you thought that with your semi-literate staff and bots you could outsmart the alumni club of the largest faculty in this part of Europe… Thousands and thousands of engineers who work in the largest global companies, including Meta, have come out of our classrooms.
Better luck another time! 😘

Balša Bulatović further explained that “Until now, the attacks were carried out through institutions or certain state organizations. This is a new type of attack, in my opinion one of the ‘more creative attacks’ where the goal is to silence the students’ voice.”

He added that Instagram is the primary communication channel for the movement, and that disabling the most-followed profiles would mean that “automatically [would] cut off the contact of students with the rest of the world.”

Professor Djordje Krivokapic, founder of the digital rights organization SHARE Foundation, confirmed in a statement for N1 TV that the student profiles were successfully restored through collective action. He categorized the incident not as hacking but as a manipulative attack involving the abuse of online mechanisms.

He noted that such a coordinated attack, involving hundreds of thousands of new followers from “eastern markets,” is unprecedented in scope and clearly requires significant resources and organization, pointing to a highly motivated perpetrator, though their identity is currently unverified.

Imali smo sve indikatore da je cela komunikaciona infrastruktura studentskog pokreta bila pod rizikom da bude neutralisana određenom vrstom manipulativnog napada čije aspekte analiziramo.

We had all the indicators that the entire communication infrastructure of the student movement was at risk of being neutralized by a certain type of manipulative attack, the aspects of which we are currently analyzing.

If student profiles were indeed “neutralized,” he argued that responsibility should first be sought from the platforms themselves.

Međutim, mediji i civilno društvo imaju dužnost da obaveštavaju javnost i platforme o ovom pitanju i da na taj način podignu pažnju mnjenja i platformi kako bi ovakve zloupotrebe mehanizama u onlajn okruženju bile stopirane.

However, the media and civil society have a duty to inform the public and the platforms about this issue, and in that way raise awareness among the public and the platforms so that such abuses of mechanisms in the online environment can be stopped.

He also emphasized that no similar attack at this scale has previously been observed:

…vidimo da je ovde sve podignuto na viši nivo, vidimo stotine hiljada novih pratilaca sa istočnih tržišta. Nemamo verifikovane informacije šta se dešava, ali je jasno da je operacija većeg obima koja zahteva značajne resurse i organizacione kapacitete.

…we can see that here everything has been taken to a higher level; we see hundreds of thousands of new followers from eastern markets. We do not have verified information about what exactly is happening, but it is clear that this is a larger-scale operation requiring significant resources and organizational capacity.

All of this, he says, shows that the attack was carried out with strong motivation and clear intent. Krivokapić noted that “at this moment it’s not possible to determine whether the regime, its private satellites, external actors seeking to destabilize Serbia or the region, or even other actors with a different agenda are behind this attack,” but emphasized that Meta recognized the abuse in time and reacted.

North Macedonia: Media outlet Sloboden Pechat targeted by mass bot activity

A similar cyber-attack unfolded in North Macedonia earlier in November. The target was Sloboden Pechat, one of the country’s most influential media organizations, which publishes an eponymous daily newspaper and an associated popular online media outlet, and has an Instagram profile with nearly 70,000 followers.

As Meta.mk reported, the outlet experienced “an attack that is extremely sophisticated, not simple at all, involving multiple layers, and evolving over time.” Its editorial team told Meta.mk that the intention of the attackers was to make the profile “less visible, with the attackers attempting to trigger what is known as a ‘shadow ban.’”

Over a week-long period, the profile was flooded with hundreds of identical bot comments containing only the word “like.” According to the media outlet, usernames associated with the comments “were generic, sounded unusual, and included illogical numbers,” suggesting automated activity.

Photo: Screenshot of Sloboden Pechat post announcing “On November 6 around noon, one of our posts received 100 comments in one second. They were all the same, containing the word ‘like.’” Fair use.

Readers began to notice that something strange was happening. Although posts displayed hundreds of comments, only a handful were visible. Some followers even asked whether someone was “testing bots in the comments.”

The attack evolved from spam comments to mass liking, which cannot be easily deleted or controlled. The outlet temporarily locked its Instagram profile to prevent further damage, though this limited its ability to communicate with the broader public.

As Meta.mk quotes the editorial team:

Првпат во сите овие години, главниот профил на Слободен печат е заклучен… сега имаме лимитиран опсег само до луѓето кои не следат, па нашите објави не може да се споделуваат на „стори“, а во понудите за пријателства имаме над 999 понуди од сомнителни профили, затоа што ботскиот напад не заврши, само е „миниран“, односно им ја затворивме вратата.

For the first time in all these years, the main Sloboden Pechat profile is locked… now our reach is limited only to the people who already follow us, our posts cannot be shared in Stories. Meanwhile our follow requests list shows over 999 requests from suspicious profiles. The bot attack hasn’t stopped; it’s only been ‘mined,’ meaning we’ve closed the door on them.

Screenshot of Sloboden Pechat Instagram post explaining “The saga continued with the subsequent posts… Hundreds of comments per second, all alike, all from suspicious profiles from India.” Fair use.

To counter the shadow ban, the outlet appealed to readers to interact with specific posts to boost visibility. The editorial team told Meta.mk:

Тоа што требаше да биде напад се претвори во доказ дека зад Слободен печат стои заедница што верува во вистината, слободата и во независното новинарство.

What was meant to be an attack turned into proof that behind Sloboden Pechat stands a community that believes in truth, freedom, and independent journalism.

A cyber-security expert interviewed by Meta.mk offered broader context. According to Božidar Spirovski, founder of the platform BeyondMachines:

Скоро е невозможно да се одбраните од ботови. Ова е платен сервис, има такви безброј на светот. Алгоритмот прави шедоубен мислејќи дека сопственикот се самопромовира преку ботови, и токму затоа некој може лесно да го злоупореби.

It is almost impossible to defend yourself from bots. This is a paid service, like countless others in the world. The algorithm triggers a shadow ban thinking that the owner is self-promoting through bots, and precisely because of that, someone can easily abuse it.

He added that bots may be used to generate income, promote content, or suppress content, and can even “create the illusion that a certain topic is trending.”

A growing threat to digital civic space

Although the Serbian student movement ultimately prevented lasting harm, and Sloboden Pechat managed to stabilize its account through defensive measures, the near-simultaneous attacks highlight how vulnerable civic actors remain when their communications depend on commercial platforms with automated moderation systems.

In both cases, the attackers exploited platform algorithms designed to detect inauthentic or “artificial” behavior. By orchestrating such behavior, attackers attempted to weaponize the platforms’ safety mechanisms to silence activists and journalists.

The similarities between the two cases — timing, tactics, and goals — underscore a broader regional trend: anti-democratic Western Balkans actors using increasingly sophisticated tools like bot networks to suppress critical voices.

In his statement for Meta.mk, cyber-security expert Spirovski warned:

Ботовите се направени да ја автоматизираат целта на тој што ги продава. Направени се за да направат пари, промоција на некој сајт или пак во овој случај за загушување на содржината. Ова се најосновните механизми. Но ботовите може да бидат многу комплексни, може да ставаат вистински содржини, да ставаат конструирани содржини со некоја специфична цел, сами меѓусебе да разговараат и да создаваат илузија дека некоја тема дека е интересна, тоа е веќе моќна пропаганда.

Bots are created to automate the goals of whoever sells their services. They are designed to make money, promote a website, or in this case, to suffocate content. These are the most basic mechanisms. But bots can be much more complex — they can post real content, post fabricated content with a specific purpose, even talk to each other and create the illusion that a certain topic is trending. That is already a powerful form of propaganda.

Civil society, media organizations, and large online platforms need to work more closely to prevent abuses that undermine democracy and the online visibility of stakeholders demanding public accountability.
