kPop Fans: Non-Traditional, Non-State Actors

The Grugq

kPop Fans

The nature of a strategic cyber force is far richer and more varied than is traditionally acknowledged. Earlier this year, Korean pop (“kPop”) music fans came to wider attention when they actively engaged with online political discussions around Black Lives Matter. This is not the first time they have been a well organised online force, but as far as we know, this is the first time they’ve taken part in a broader popular movement.

kPop fans have a years-long history of political advocacy, but it has been music related. Recent forays into mainstream political activism aren’t new - in 2018 they got a hashtag trending StreamFakeLoveToEndTrumpsAmerica - but this is the first time that kPop “stans” (“people obsessed with kPop”) have had a wide impact. Before we understand their recent activism, we need to understand why kPop fans are an effective online force.

BTS Army: Source BTS Official Twitter

ARMY Fandom

A kPop fandom is a group around a band. Each band’s fandom has a name: You”th, PSYcho, Ever Lasting Friends, etc. Some of these fandoms are involved in political advocacy, but the most prominent one is ARMY (Adorable Representative MC for Youth), the fandom for a kPop group called BTS. ARMY is the most cohesive fandom, and also accused of being the most fanatical: you’re either willing to sell your truck to see BTS live in New York City, or you’re not true ARMY, and they’d all pass the No True Scotsman test.

kPop bands are unique in that their fandoms have a direct impact on their business success, and are organised around this, none more so than BTS. ARMY is unique in that they are a solitary fandom where the members are kpop stans only for BTS. Once you’re in ARMY, that’s your family - the people you talk to, your friends. The way people become BTS fans is they’re encouraged to do their own BTS research on Youtube; where they self-radicalise; becoming extremely devoted, based on the “up next” auto-play videos. This is similar to how many other immersive worldviews cultivate their members: they all “go down the rabbithole.”

There are massive online battles between fandoms, including attacks from other fandoms on ARMY that took place from 2014-2016 as BTS was establishing itself in the kPop marketplace. This is important because it creates an us vs them group mentality. But the ARMY members are more cohesive because they’ve had to pull together against outsider attacks.

ARMY social motivations

Typically ARMY operates in the music sphere of influence promoting singles, albums, and concerts for their group, BTS. Previous affirmative social activism has largely featured charity drives. Black Lives Matter isn’t their first engagement with social activism, but it is their first substantial direct engagement with a major political movement. The international fandom appears to be running their political campaigns.

ARMY’s social alignment and motivation is to “make the world a better place.” Where they’ve been most effective is using their numbers to dominate an information channel. When the signal on that channel is bad, e.g. extreme right wing, then swamping it so it’s lost in the noise of videos of dancing kpop idols is good. ARMY bring the noise.

While they emphasise that they’re not all women, ARMY leans very heavily female. 70% are women under 30 years old and the average member is a young woman in their 20s-30s. There are also women over 40, black men, a huge LGBTQ community: a lot of diversity. Because of this large contingent of people who are likely to be politically engaged, ARMY serves as a highly inclusive and effective avenue to drive a variety of progressive social causes. They’re not right-wing or left wing, but rather, their ideologies are informed by the progreeisve music of BTS.

“Army in Action” during Armypedia, Seoul 2019: Source KoreaTimes

ARMY organisation, strategy, operations

For the last decade, Korean music award shows have been determined by online votes, which run for 1-2 months. Fandoms plan and manage long campaigns of active online support to “ballot stuff” their groups. These practices have developed leaders with mobilisation and ops planning skills, and specialists who reverse engineer the most efficient ways to manipulate online systems. As a result, fandoms like ARMY can plan and execute months-long campaigns several times a year.

These music award campaigns and similar promotions are the core online actions of kPop fandoms. ARMY are exceptional in this domain, helping to drive BTS to the top of the charts and to dominate across multiple categories including “most streamed single in 24hrs”. They reverse engineer how to best game the systems, process that information and operationalise it for the ARMY rank and file (e.g. Kpop fans will register tickets for rival bands’ concerts and then cancel at the last minute). They do this multiple times a year, every year. BTS consistently wins, and have for 8 years, because their fans are well organised, cohesive and dedicated. Once a direction is set for the group, the whole group gets onboard and follows. Once a group decides what to do, that’s what its members do.

Through this regular test of organisational capability, ARMY have organically developed systems of organisation; they’ve grown a leadership core, methods of mobilisation, cadres of rankers, and effective communications channels. They’ve been doing this a long time, and that gives them organisational capacity. There are an estimated 40 million dedicated members of ARMY, so organising millions of people in online campaigns is normal.

ARMY has internal leaders, but there are leadership differences between inside and outside South Korea. Inside Korea, it’s the management company for the band telling fans what to do, and the fans do it. Koreans get annoyed at international fans because they’re not as rigid: for instance, some Korean fans were outraged that during a show, people left to go to the bathroom.

The leaders here are self-selected based on factors like their knowledge, their years in ARMY, and their devotion measured in ways that link to their cyber capabilities. For example, ARMY members have done things like artificially inflate the view counts of BTS videos by opening the video, putting the song on repeat and leaving it streaming. When they hit a threshold of number of views in this way (e.g. 20,000 views), they get flair for bumping the song, which contributes to their credibility and nominatability as a leader within the group.

BTS Army - Source: Twitter

Are they a new cyber force?

In summation, we’re talking about 40-50 million highly dedicated, organized, progressive, and tech-fluent people from around the globe who are ready to act. They are a legitimate cyber force with a mission statement of “be nice to people”, and that’s pretty cool.

ARMY have both capability and massive capacity which make them innately suited to a range of impressive cyber operations. Their track record of success speaks for itself. In a highly competitive environment against similar groups, ARMY has consistently demonstrated their superior golden triangle (people, process, technology).

ARMY’s organisation, technical savvy, size and cohesion are impressive attributes that make a formidable player on the global stage of cyber conflict. Whether this player will have a continuing impact on the strategic dynamic of the cyber domain depends on much more than just their composition. The ability of ARMY to be a force of influence in the cyber domain revolves around two key issues:

  1. Efficacy: What can they do besides ballot stuffing, and what will the impact of those actions be?

  2. Longevity: Will it last?

Fandoms in action

What is the cyber force ARMY currently capable of? Pretty much anything you can do with a million people coordinated online.

They’ve had years-long massive troll wars with other fandoms. In response to negative comments from a rival group, for example, millions of fans will try to get their hashtags trending.

They’ve been successful at mobilizing people to partake in massive online activities by asking members to do a single repetitive action, e.g. upload a video, type some tech, etc. The recent activities with police snitch apps, getting Blacklivesmatter trending are great examples of this. If you have a small enough process so an average 20-year-old can do it, they have the technology to scale that to a million people. Asking folks to report activity on a snitching app or tweet with a hashtag are simple asks that can have a massive impact at scale.

We haven’t seen more sophisticated activity yet. But there are reverse engineers in kPop, whose job is to investigate things so other people can develop the process, so there’s the possibility that if their people can turn an activity into a process that doesn’t require extensive training, it can be scaled up again. We have limited information about this.

They already have C2 infrastructure. They already have community, and subgroups (e.g. Detroit ARMY, LGBTQ ARMY) that communicate as cells within a larger community. There’s latent power in a directed community of millions of people lying there waiting to be used. Whilst kPop idols aren’t actively directing this, and it’s unlikely they ever will. Their fandoms are directing this on their own - the leadership within ARMY, rather than the band or its management, are already engaging in movements: supporting BLM, and combating hate-groups.

BTS & BLM: Source BTS Twitter

People, Process, Technology, Culture

ARMY has developed and honed effective uses of existing technologies to mobilise and organise millions of people online. They have a leadership development mechanism that works to create and promote natural leaders. Given a process that can be executed by a tech savvy young person, ARMY’s inherent core capability — operationalising massive capacity — makes them an effective force.

ARMY is a fully realised society. Humans want to belong to social groups, and the need for social engagement and participation is deeply ingrained into the human psyche. Cohesive social groups are the building blocks of states. The characteristics of a cohesive social group are well established and very clear (See the Five basic coordination problems inherent to groups) Every society must solve five fundamental problems common to groups of people:

  1. Hierarchy (who makes the decisions),

    • Band, managers, etc.

    • Natural leaders (organic emergence)

  2. Identity (who is in the group and who is out),

    • Notional membership in the official club

    • Self identify, but most critically, verify identity with knowledge and passion and devotion to the pillars of ARMY identity (This includes accordance with the group)

  3. Trade (how do we trade or share resources),

    • It appears that resources, such as they are, are donated freely. The performance of group identity includes volunteering/donating resources to the group/communal project.

    • Internally there doesn’t seem like much for-profit trade, rather mutual aid.

  4. Disease (how do we handle existential threats to individuals/the group)

    • Threats to the group are external, from other fandoms.

  5. Punishment (who are we allowed to punish as a group, and for what).

    • Group ostracisation

Recent operations

Traditional ARMY fundraising: ARMY raised a million dollars in 24 hours to help organisations engaged in justice work. This sort of charity work is completely in line with traditional ARMY actions and many previous operations. Far more interesting are their offensive operations against groups and organizations antithetical to core ARMY social motivations.

Police Snitch Apps: Dallas Police promoted their app “iWatch Dallas App” to report (snitch) on Black Lives Matter protesters. The kpop fandoms rallied to “ballot stuff” the app with short clips of kpop idols’ music videos and deny the app’s capability to the police. The police took the app down amidst mocking reports about the Amazon Web Services hosting costs that were allegedly incurred. Cloud hosting costs notoriously bloom under high load.

White Supremacist Hashtags: White supremacists attempted to ride the Black Lives Matter movement to promote their own counter hashtag #WhiteLivesMatter on Twitter. Again the kpop fandoms rallied to bring the noise, flooding the hashtag with videos and images of kpop idols and drowning out the original intent. Kpop fandoms’ operational capacity was perfect to deny and disrupt.

These earlier ballot stuffing denial and disruption attacks were used in social justice campaigns targeting (a) a minor operational capability (Dallas Police snitch app iWatch Dallas), and (b) a virtual social awareness campaign for white supremacists.

Donald Trump’s Tulsa Rally: The most interesting operation was using an anti-band tactic in a political context. One tactic used by kpop fandoms against rival bands is to book tickets for shows and then cancel at the last minute. The intention being to deny access to the real fans, to create a false impression of market interest, and/or to deny the band an audience thus impacting their concert revenue and embarrassing them.

Donald Trump’s Tulsa Rally, June 2020: Source Getty

When the Trump campaign announced their Tulsa political rally, originally on Juneteenth, to significant outrage, they made some serious tactical errors. Firstly, scheduling an indoor rally during a pandemic would always be problematic with regards to turnout. Secondly, they attempted to measure interest and infer turnout based on an insecure online poll. Thirdly, they believed the numbers from their insecure online poll. This level of failure to account for miscreants online is baffling.

The Trump campaign had a simple signup web form to request a notional “ticket” to the rally. Although the rally was actually open access, the campaign team intended to use “ticket” requests as a metric to gauge interest from the body politic. Trump’s campaign team turned the web from into an unsecured online poll. For kpop fans, this was playing on easy mode.

The final error was the most damaging to the campaign, turning a simple troll into a serious political catastrophe. Parscale, Trump’s campaign manager lauded as an online tactical genius, bragged repeatedly about the increasingly implausible numbers generated by the kpop stans ballot stuffing the ticket request box. Trump himself began bragging about the numbers, which climbed rapidly into the hundreds of thousands and eventually topped one million.

The campaign attempted to clean up the ticket requests, reporting that about 300,000 fakes were removed. Why they touted the one million number when they believed a third of them were spurious is left as an exercise to the reader. Given the actual turn out was 6,200 there were at least 690,000 additional false requests that were not detected by the digital campaign team. The embarrassment from the Tulsa rally failure smashed the Trump campaign resurgence. This was a serious political blow.

Where next?

War is politics by other means.

All politics are local.

On the internet, everything is local.

Kpop fandoms are cohesive loosely organised groups of ideologically similar people. A million people is a political force, and so when kpop stans act in unison they have political power. This is also a cyber force. Their massive impact can be international, because the internet flattens geolocality.

An apocryphal story about the battle at Little Bighorn: Lieutenant Colonel George Custer arrived with a couple hundred soldiers to attack a huge Native American village consisting of 2,500 or more warriors. All of Custer’s men were killed in the ensuing battle. Later, one of the several tribal chiefs was asked, “Who gave the order for our warriors to attack?” The chief answered, “No one, but we could not have stopped them if we tried.” Native americans use consensus to determine action, and if all the young men want to go fight, then a few old men can’t do anything but lead.

Whenever you have millions of people there is inherent latent force, and we should expect more cyber-activist events from these groups going forward.

2019 NU’EST Fanmeet, “Pink Ocean” Seoul - Source: Twitter


The Grugq
Hacker Attaché

The Grugq is a pioneering information security researcher with two decades of experience at almost every level of the field. He has worked extensively with threat intelligence, disinformation, digital forensic analysis, binary reverse engineering, rootkits, mobile phone security, Voice over IP, telecommunications and financial services security. The Grugq has been quoted and referenced routinely in The New York Times, Washington Post, Forbes, Wired, TechCrunch, BoingBoing, VICE and BBC News. Grugq’s quotes and insights are so frequently referenced at security conferences that he’s informally known as the “most quoted man in infosec".