Bluesky, until now, has had a reputation as being a more moderation-friendly alternative to X, Threads, Mastodon, and other social networks.

But what happens when the pedal is put to the metal, and shady figures attempt to test the network’s ground rules?

You may not find the results to your liking. That was a realization I made this week after getting an up-close view of an extortion attempt involving a prominent journalist and a well-known entrepreneur.

The initial message that Conor Sen received that kicked off this whole mess.

Here’s what happened: On Monday night, Bloomberg columnist Conor Sen announced on his account that he had been the targeted by an extortion attempt on Bluesky. Someone had purchased his namesake domain and was attempting to sell it back to him. I replied to the thread suggesting a couple of next steps for Sen, only to get an unusual reply: Sam Parr, the founder of The Hustle, suggested that he should give in to the extortion attempt, and that it was in fact not extortion. If Sen cared about his online identity, he should pay $10,000 to $25,000 to protect his identity.

This created a lot of back-and-forth between me and Parr, and led others to criticize the “braindead” take.

The real Sam Parr warning about the fake Sam Parr.

Turns out, it was all part of the scheme. The user had spent weeks building up accounts and buying up domains, then going after prominent blogging personalities. When the actual Parr showed up, the fake Parr started using the other sockpuppets to go after the real Parr, pushing him to buy the fake account.

The user took advantage of a disparity in the incomplete transition between X, formerly known as Twitter, and Bluesky, where a lot of real people are, but some prominent personalities have not yet shown up. And Bluesky, being put to the test, absolutely failed.

The fake Sam Parr attacking me for drawing attention to the impersonation.

It took hours for the network to do something about the obvious extortion attempt. When the real Parr showed up, the fake Parr tried to make it seem like he was the real one. And Bluesky’s moderators … blocked the actual Parr, not the fake one. At this point, I was fully engaged in the mess, and the attempted extorter was not happy about it.

At one point, he wrote to me: “You inserted yourself into something that didn’t concern you at all, drama queen.”

After he did that, I inserted myself again—on a post where a Bluesky employee was announcing a new moderation feature specifically related to verification, in which I screenshotted an interaction on X with Parr. That did the trick—the fake Parr was finally banned soon after.

It goes deeper than Conor Sen and Sam Parr, though.

This is not Matt Yglesias’ newsletter and that is not his domain.

A quick analysis of different websites and accounts shows that the user appeared to be impersonating and/or buying the domains of at least five other prominent creators:

• Matt Yglesias, the well-known political blogger, who has experienced the issue with both his namesake domain and the Slow Boring Bluesky account (which is fake)

• John LeFevre, an investment banker and prominent tweeter

• Collin Rugg, an investor and owner of the conservative news site Trending Politics News

• Alex Lieberman, the cofounder of Morning Brew

• Sahil Bloom, a prominent author and investor

Outside of Yglesias, there’s a clear “type” at play, targeting people with backgrounds in business, investing, and entrepreneurship. (For disclosure, Tedium has been sponsored by Morning Brew in the past and just ran an affiliate ad for The Hustle last week.)

Some of these people own their domains; some of them don’t. The scheme is exploiting those that don’t.

Whoever is doing this is running a very aggressive scheme, one that Parr (in messages to Sen that the Bloomberg journalist publicly shared after the fake Parr was banned) compared to an infamous Twitter troll that was recently sued by a prominent real estate investor. I have no way of easily confirming it’s the same person—apparently, the person who sued spent a lot of money to uncover the troll—but it may be worth keeping in mind.

What all this means for Bluesky

Ultimately, I want to broaden the discussion here to highlight how this situation really undermines Bluesky’s reputation of being structured more effectively for moderation. For one thing, its success has led to the rise of questionable parties purchasing domains of known individuals. This is known as cybersquatting, and has been illegal in the U.S. for more than a quarter-century, thanks to The Anticybersquatting Consumer Protection Act of 1999. The problem is, the legal recourse around trying to mitigate these issues can be costly.

Cybersquatting is not a new issue, of course, but Bluesky’s decision to tie verification to domains as social proof shows the limitations of the strategy. After all, if Conor Sen doesn’t want to register his namesake domain, it just takes one questionable party to do it instead, put up a fake email signup form, and register an account. Domains simply don’t offer enough in the way of social proof for the average person. Bluesky needs to invest in ways to emphasize social proof more prominently, as well.

“The domain verification thing just isn’t going to work; they’re going to need something else,” Sen told me over DM.

The fake Conor Sen website, with a signup box that Sen does not own or control. Not linking for obvious reasons.

But even beyond that, the moderation response to this issue has been dreadful. Sen, who once worked on eBay’s trust and safety team, was dealing with the fake Parr harassing his account for nearly a day before Bluesky banned it. (The illegitimate ConorSen dot com website is still online, and promoting signups to a fake list.) And embarrassingly, when Bluesky took action, the network banned the actual Parr, not the fake one, which the fake account was then able to use to further harass Sen. The Bloomberg journalist ended up having to contact higher-ups at Bluesky publicly to help draw attention to the issue, but other fake accounts related to this incident remain online as of this writing.

“Unfortunately, I didn’t find Bluesky support very helpful, never got a response,” Sen added. “And the fact that I reported the fake Sam but it was the real Sam who got temporarily blocked wasn’t a good sign.”

Sen, Yglesias, and others shouldn’t have to be stuck with anonymous users trying to fake their identities on domains that aren’t theirs. And worse, the weight that Bluesky puts on domains is leading to impersonation fraud and cybersquatting involving domain registrars, which will be significantly harder to navigate and may require access to the legal system to resolve. I don’t think they intended it that way, but Bluesky’s use of the domain system for user verification passes the buck in a dangerous way.

It’s a goddamn mess, and it makes me appreciate why some people may want to skip Bluesky altogether. I’ve been a booster of the network so far—but they need to get this figured out, or all the prominent people who have put their stake over here may find themselves looking for the exits.