Mastodon is a growing open-source social media platform with similarities to Twitter. As big shake-ups continue on social platforms, here’s what researchers need to know about the underdog app.
 

Some users have reacted to the Elon Musk takeover of Twitter by moving to other platforms, including Mastodon, a microblogging social networking platform that has been gaining more attention lately. Twitter has been a key resource for open-source intelligence (OSINT) and specifically social media intelligence (SOCMINT) researchers. As more users migrate to Mastodon, practitioners and analysts need to become familiar with the growing platform. 

Mastodon is similar to Twitter but runs on open-source software based on ActivityPub, a decentralized social networking protocol based on Pump.io's ActivityPump protocol. Mastodon can be used on any computer (via a web browser or desktop application) or mobile device (including Android and Apple). One unique feature of Mastodon is that users can choose from various open-source third-party applications (see Figure 1) to access the platform. While this provides greater flexibility, it also means that security may differ from one application to another, particularly since some open-source components may have security vulnerabilities.
 

Image showing the Mastodon third-party integration page with apps like Tusky, Ivory, Mercury, et al., as options to integrate.
Figure 1 - Third-party apps to access the Mastodon network 

Mastodon was developed by German software developer Eugen Rochko and was first released in 2016. The number of Mastodon users grew after Elon Musk acquired Twitter, reaching over 2.5 million in early December 2022. The number has since dropped significantly, to just 1,214,955 active users as of April 25, 2023 (see Figure 2).

The image shows the user count on the Mastodon server, as displayed in code, over a one-month period.
Figure 2 - Mastodon statistics

The decentralized architecture of Mastodon and the number of active users make it important for OSINT practitioners to know how to find information on this platform. However, before we begin, it is essential to understand the terminology associated with Mastodon to see how it works.

Mastodon servers 

Mastodon does not operate like traditional social media networks such as Facebook, Twitter and Instagram. A single entity does not own it. Instead, it is composed of servers, also known as Mastodon instances, and each instance has its own administrator. 

Each instance on the Mastodon network is connected to other instances, forming what is known as a federated system. Each Mastodon instance is considered an independent social network website. Users on a specific instance can interconnect with users on other Mastodon instances, and the sum of all these interconnected Mastodon instances constitutes the Mastodon platform.

At the time of writing, there were around 9,500 servers up, according to the site. It's worth noting that not all Mastodon servers are listed publicly on the official Mastodon website. In the case of these "hidden" instances, access is restricted to individuals who possess the exact URL of the instance or have received an invitation from an existing user.  

To sign up for a new Mastodon instance, visit the signup page, where you will see the most popular Mastodon servers grouped according to:

  • Where the provider is based (e.g., Europe, Asia, North America)
  • The topic (e.g., gaming, general, technology, music)

Each server has an administrator who is responsible for enforcing instance-specific rules such as:

  • Server rules (e.g., no racism, sexism)
  • Code of conduct (e.g., which content may be published)
  • Moderated servers (e.g., Mastodon servers that the users of this instance cannot access or engage with)
  • Privacy policy (e.g., how the Mastodon instance will collect and use the personal information provided by its users); the Privacy Policy is commonly found on the instance users' signup page

The Mastodon instance's server administrator is responsible for moderating the content on their instance.

When it comes to registering on Mastodon, some instances require an invitation, while others don't allow new users to register at all. However, the majority of instances don't have any such requirements and only require a verified email address for registration.

To make the most of the Mastodon platform, researchers will need to create an account. Despite the prompt to pick a server at registration, you can create a Mastodon account on any instance and use it to interact with users on any of the platform’s other servers. Additionally, you can create multiple Mastodon accounts on different instances if you want to.  

As an example, my Mastodon account is registered on the TechHub instance, but I can still follow users on other Mastodon instances, like Social, without opening an account on their instance. Popular Mastodon instances contain thousands of users. Others may have only two users.

When you sign up for Mastodon, your account information is saved in the instance that you choose. It's important to remember that the administrator of that particular Mastodon server can view your information.

Running a Mastodon instance 

Anyone with adequate technical skills can run a Mastodon instance. Mastodon server software is free and open-source. To run your instance, you need the following:

  • A domain name
  • Hosting server to host Mastodon files
  • Email service to send emails to registered users and send confirmation links and notifications 
  • SSL certificate to secure connections to the Mastodon instance 
  • Mastodon software

Setting up and running a Mastodon server requires a certain level of technical expertise that may not be feasible for individuals without a technical background.

Finding Mastodon instances

We can find websites running Mastodon instances by searching for all websites that use the Mastodon software. The BuiltWith website publishes such a list (see Figure 3).

The screen capture of Built With shows the number of websites using Mastodon. The list includes a box highlighting the text that reads: 14,125 Current Mastodon Customers
Figure 3 - List of all websites worldwide using Mastodon

We can expand any Mastodon website in the BuiltWith list to find more information about it. Check Figure 4 for details about a Mastodon instance called ProductTalk.

The image shows a screen capture from the website ProductTalk. A box highlights the section showing the names, levels and contact for the developers behind the website.
Figure 4 - BuiltWith Mastodon websites list contains different information about each instance, such as admin contact information and email address

There are other websites to facilitate searching for Mastodon instances: 

  • The website instances.social provides a helpful tool for finding Mastodon servers based on various criteria, such as language, permitted and prohibited content, as well as the minimum and maximum number of users within the instance (see Figure 5).
A screen capture shows details of Mastodon instances. The search box is filled with English Language, Advertising and Nudity without NSFW tags, with a minimum of one user and maximum of 5000. The search results reveal several sites meeting the criteria.
Figure 5 - Mastodon Instances website provides a good tool for finding Mastodon servers based on different search criteria 
  • Mastodon.Help is another website for finding Mastodon instances. You can adjust your search query to narrow down the returned results (see Figure 6).
A screen capture with the title "Instances" at the top shows the number of instances and users on Mastodon with a search box available with various narrowing options.
Figure 6 - Mastodon.Help is an initiative developed by enthusiastic volunteer Mastodon users to facilitate searching for Mastodon instances

The Mastodon.Help website provides rich information (see Figure 7) about every Mastodon instance, which significantly reduces the time needed to search for a particular one. For example, you can expect to find the following information when searching for a Mastodon instance (please note that not all Mastodon servers publish the same amount of details):

  • Instance name
  • Instance language
  • Instance header image 
  • Number of users
  • Active users (last month)
  • Active users (last six months)
  • Characters per post (max) – the default is 500, but it can be modified to allow more (e.g., 1000 characters)
  • Known instances
  • Most-used hashtags (last week)
  • Last successful check
  • Software – The Mastodon server software version
  • Registrations – such as open, need approval from the instance admin or closed
  • Email – the email address of the instance administrator
  • Short description – brief information about the instance
  • Long description
  • Server rules
  • Moderated servers
  • Date of creation – when the instance was first created
  • Display name of the instance admin
  • Admin bio
  • Admin photo 
     
A screen capture shows search results of a specific Mastodon instance called Glasgow.social. The results detail the language, users, creation date, hashtags and other details about the instance including the registered email.
Figure 7 - Mastodon.Help provides rich information about Mastodon instances
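
Much of the field list above lines up with what a Mastodon server itself publishes at its public /api/v1/instance endpoint. The Python below is an added example, not part of the original article or of Mastodon.Help: it maps such a response onto those fields and tolerates servers that publish only some of them. The sample documents, the example.social and tiny.example names, and the helper functions are constructed for illustration, and the mapping onto Mastodon.Help's labels is an assumption.

```python
import json

# Constructed samples shaped like /api/v1/instance responses (values made up).
SAMPLE_FULL = {
    "uri": "example.social", "title": "Example Social", "version": "4.1.2",
    "email": "admin@example.social", "languages": ["en"],
    "registrations": True, "approval_required": True,
    "stats": {"user_count": 1200, "domain_count": 8300},
    "configuration": {"statuses": {"max_characters": 500}},
    "contact_account": {"display_name": "Example Admin"},
    "rules": [{"id": "1", "text": "No racism"}, {"id": "2", "text": "No sexism"}],
}
SAMPLE_SPARSE = {"uri": "tiny.example", "registrations": False}  # publishes little

def dig(doc, *keys):
    """Walk nested dicts; return None when any level is missing."""
    for key in keys:
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def registration_state(doc):
    """Map the two API booleans to the article's open / approval / closed."""
    if dig(doc, "registrations") is None:
        return "unknown"
    if not doc["registrations"]:
        return "closed"
    return "needs approval" if dig(doc, "approval_required") else "open"

def profile_instance(doc):
    """Build the per-instance record described in the field list above."""
    return {
        "name": dig(doc, "title") or dig(doc, "uri"),
        "languages": dig(doc, "languages") or [],
        "users": dig(doc, "stats", "user_count"),
        "known_instances": dig(doc, "stats", "domain_count"),
        "max_chars": dig(doc, "configuration", "statuses", "max_characters"),
        "software_version": dig(doc, "version"),
        "registrations": registration_state(doc),
        "admin_email": dig(doc, "email"),
        "admin_name": dig(doc, "contact_account", "display_name"),
        "rules": [rule.get("text") for rule in dig(doc, "rules") or []],
    }

if __name__ == "__main__":
    for sample in (SAMPLE_FULL, SAMPLE_SPARSE):
        print(json.dumps(profile_instance(sample), indent=2))
```

Fields that come back as None or "unknown" mark details the server does not publish, which matters when comparing instances side by side.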

What's next? 

This article provided an overview of the Mastodon platform, outlining fundamental concepts for proficient utilization and navigation. The subsequent article will delve into the Mastodon interface, detailing techniques for acquiring comprehensive information about Mastodon instances and users.

Even while conducting OSINT and SOCMINT, researchers need to be aware of how their digital fingerprint could be affecting their investigation. Learn more about why and how to manage attribution while conducting OSINT and how to manipulate your point of presence to find key data.
 
