DEV Community: Harvey Stone

Twitter Autofollow Tools in 2026: How They Work and What the Data Says

Harvey Stone — Tue, 23 Jun 2026 21:26:17 +0000

TL;DR: The X API removed the follow endpoint from all self-serve tiers in April 2026, making most legacy autofollow tools defunct. The only viable path now is browser extension automation that mimics human-pace behavior within X's own rate limits. Block AI's June 2026 follow-back research (n=9,418 follows) measured a 3.0% reciprocation rate, with 89.5% of follow-backs arriving within 24 hours.

Most autofollow tool recommendations you'll find are outdated. Half of them broke quietly in early 2026. If you've tried one recently and it stopped working, or you're evaluating options now, this guide covers what changed, how the surviving tools actually work under the hood, and what real follow-back rates look like from a sample large enough to trust.

X has 570 million monthly active users as of 2026. The platform still converts for founders and technical builders who want targeted audience growth. The tooling landscape just changed significantly.

Why Most Autofollow Tools Broke in April 2026

In February 2026, X replaced its tiered API pricing model with a pay-per-use system and removed the follow, like, and quote-post endpoints from all self-serve plans. Only Enterprise contracts retain API-level follow access. Any tool built on POST /2/users/:id/following now returns a 403 for non-Enterprise developers.

This killed a large portion of the autofollow tool market. Most SaaS-style growth tools ran on official API credentials tied to a Basic or Pro plan. When those endpoints were pulled, the tools stopped working overnight.

What survived: tools that never used the API for follow actions in the first place.

How Browser-Extension Autofollow Tools Actually Work

Instead of calling POST /2/users/:id/following, browser-based tools trigger follow actions through your own authenticated browser session. The extension runs locally on your machine, uses your existing X session cookie, and simulates the same DOM interactions a human would make.

This architecture has three meaningful properties for developers:

No credential sharing. Your password and OAuth tokens never leave your machine. The extension doesn't need write-level API access because it's operating as you, through your browser, on the live X interface.

Human-pace execution. Good implementations add randomized delays between actions, vary the timing across sessions, and respect your account's daily follow budget. The follow cadence looks behaviorally similar to a human who opens X in the morning, follows some accounts, and checks back in the afternoon.

Local rate limit enforcement. The tool tracks how many follows have been executed in the current session and stops before hitting X's daily cap. No external server is making decisions about your account's follow velocity.

This is the architecture behind tools like GeniusX Follow and CloneX Follow, both of which operate entirely through a Chrome extension with no credential access.

What Are the Real Rate Limits?

X enforces a 400 follow/day cap for free accounts and 1,000/day for X Premium subscribers. Hourly caps apply too: following 50+ accounts in under five minutes triggers a temporary action block regardless of your daily total.

Practical safe ranges, based on what tools report as low-risk:

Free account:     100-200 follows/day
X Premium:        200-400 follows/day
New accounts:     50-100 follows/day (first 90 days)

The daily cap is a ceiling, not a target. Consistently hitting 400/400 on a free account raises detection risk. Most tools default to a conservative daily budget well below the cap.

The official rate limit documentation covers API endpoints. For browser-based tools, the operative limits are the platform-level follow caps, not API rate limit headers.

What Actually Gets You Shadowbanned

The follow-unfollow pattern is X's number one shadowban trigger in 2026. Following 200 accounts, waiting for reciprocation, then unfollowing the non-responders is exactly the behavior X's systems are tuned to detect. High follow velocity (50+ in five minutes), aggressive unfollow rates above 50/day, and bot-like timing without randomization are the top causes of shadowbans.

X's Developer Policy explicitly prohibits "bulk, automated, or robotic following of accounts." The violation is the pattern, not just the volume.

Most shadowbans self-resolve in 2-14 days. Repeated violations escalate to permanent suspension. The risk is real, but it's also manageable if the tool you're using runs at conservative velocity with randomized timing and filters out low-quality target accounts before following.

Targeting quality matters as much as pacing. Following 200 actively engaged accounts in your niche is a different signal than following 200 random accounts. X's systems are more sensitive to the latter.

Targeted Follows vs. Bulk Follows

This is where most cheap autofollow tools fail. They follow anyone, which gets you one of two outcomes: fake accounts that never reciprocate, or real accounts with no interest in what you build.

Both outcomes hurt. Fake followers inflate your following count without adding to your follower count, which damages your follower-to-following ratio. Real but untargeted followers who do follow back rarely engage, which drags your engagement rate down at a time when X's algorithm weights replies and replies-to-you heavily in distribution.

The X algorithm in 2026 rewards engagement relative to audience size. A 500-follower account where 30 people reply to your posts will outperform a 5,000-follower account where no one does.

The right autofollow tool does targeting before it does anything else. It should let you define who you want to reach by keyword, niche, or specific competitor audiences, then filter the candidate list before executing any follows.

What Does a 3.0% Follow-Back Rate Actually Mean?

Block AI's June 2026 follow-back research tracked 9,418 strategic follows across 11 accounts over a 10-day window and measured a 3.0% overall reciprocation rate. Keyword-targeted follows (GeniusX) returned 3.3%. Audience-clone follows (CloneX) returned 2.6%. The difference is directional and within the margin of error.

Timing data from the same study:

Within  1 hour:  30.7% of all follow-backs
Within  6 hours: 68.2%
Within 24 hours: 89.5%
Within 72 hours: 100%   (new reciprocations effectively stop)

The median follow-back arrived 2.8 hours after the initial follow. If an account is going to reciprocate, it almost always does it the same day.

Account size had the largest impact on reciprocation rate:

Under 100 followers:   1.7%
100-1k followers:      1.9%
1k-10k followers:      5.6%
10k-100k followers:   10.9%
100k-1M followers:     6.1%

Mid-size accounts in the 10k-100k range reciprocated at roughly 6x the rate of sub-100 accounts. This is the tier worth targeting if you want to maximize follow-back volume. These are also the accounts that tend to have real engaged communities rather than inflated follower counts.

At 200 targeted follows per day, a 3% reciprocation rate produces 6 new followers per day. That's ~180/month from a single account, compounding as your follower count grows and your account signals improve.

GeniusX vs. CloneX: Which Targeting Method Fits Your Use Case

Both tools run the same local browser extension architecture. The difference is in how they identify who to follow.

GeniusX Follow uses keyword analysis of your existing content and followers to identify accounts in your niche algorithmically. You define the keywords; it handles discovery. Best for accounts with a defined content niche where keyword signals are reliable, and for founders who want the tool to handle targeting decisions autonomously.

CloneX Follow targets users actively engaging with specific named accounts. You give it a list of competitors, KOLs, or adjacent brands, and it follows people who already interact with those accounts. Best for accounts where you know exactly whose audience you want, especially in crypto and Web3 where community overlap is tight.

Both start at $20/month. Higher tiers scale the daily follow budget:

Starter:   48 follows/day    $20/mo
Lite:      96 follows/day    $40/mo
Standard: 192 follows/day    $80/mo
Pro:      288 follows/day   $120/mo
Elite:    480 follows/day   $200/mo  (requires X Premium)
Max:      960 follows/day   $400/mo  (requires X Premium)

Higher tiers above the 400/day free account cap require an active X Premium subscription to stay within X's enforced limits.

The Bottom Line

The API door closed in April 2026. Browser-based tools that run locally without credential access are the only compliant path left for autofollow automation.

Three things to remember when evaluating any tool:

Check the architecture. Does it need your password or a write-level API token? If yes, it's either breaking ToS or already broken.
Check the velocity. Conservative daily limits with randomized delays are safer than tools that push toward the daily cap.
Check the targeting. Bulk follows hurt your engagement ratio. Targeted follows compound.

For keyword-based discovery, GeniusX Follow is the place to start. For competitor audience cloning, use CloneX Follow. Both have the June 2026 research data behind them and operate on the browser extension model that still works.

Frequently Asked Questions

Is Twitter autofollow against X's Terms of Service?

X's Developer Policy prohibits "bulk, automated, or robotic following of accounts." The risk profile depends on how the tool operates. Browser extension tools that run locally, use your own session, and operate at human-like velocity are in a grey zone. Tools that use official API endpoints no longer have access to the follow endpoint on self-serve plans anyway. Staying within conservative daily limits and using quality targeting reduces detection risk significantly.

What's the maximum number of follows per day on X in 2026?

Free accounts can follow up to 400 accounts per day. X Premium subscribers can follow up to 1,000 per day. Hourly caps also apply: following more than 50 accounts in five minutes will trigger a temporary action block regardless of your daily total. Most tools recommend operating at 100-200 follows per day on free accounts to stay well within safe limits.

How long does a Twitter shadowban last?

Most shadowbans on X self-resolve within 2-14 days. Stopping the behavior that triggered it speeds up recovery. Repeated violations escalate the penalty, eventually to permanent account suspension. If you suspect a shadowban, pause automation entirely for 48-72 hours before resuming at a lower velocity.

What follow-back rate should I realistically expect from an autofollow tool?

Block AI's June 2026 research across 9,418 strategic follows measured a 3.0% overall reciprocation rate. Keyword-targeted follows returned 3.3%, audience-clone follows returned 2.6%. At 200 follows per day, that's approximately 6 new targeted followers per day. Claims of 15-30% follow-back rates are not supported by data from real operational campaigns at scale.

Does targeting account size affect my follow-back rate?

Yes, significantly. The same June 2026 study found that accounts with 10k-100k followers reciprocated at 10.9%, compared to 1.7% for accounts with under 100 followers. Mid-size accounts are the highest-value target tier. Accounts above 1M followers reciprocated at 6.1%, but the sample size was smaller and the accounts are harder to reach meaningfully.

Bybit Account Frozen: A Technical Breakdown of Why It Happens and How to Fix It

Harvey Stone — Tue, 23 Jun 2026 21:17:44 +0000

You woke up, opened Bybit, and the withdrawal button is greyed out. Or your account shows "Restricted" with no explanation. You haven't done anything wrong, you haven't broken any rules, and yet your funds are sitting behind a wall you cannot see through.

This happens to thousands of Bybit users every month. The mechanism behind it is not arbitrary. It follows a logic, and once you understand that logic, you can navigate it.

This article breaks down exactly how Bybit's compliance system works, what triggers a freeze, what the unfreeze process looks like step by step, and what documents actually move the needle with the compliance team.

What is Actually Happening When Bybit Freezes Your Account

Bybit is not a decentralized exchange. It is a regulated financial platform operating under licences in multiple jurisdictions including Dubai (VASP licence from VARA), the EU, and several other markets. This means Bybit is legally obligated to monitor transactions for money laundering, sanctions violations, and other financial crimes.

The tool doing the heavy lifting is not a human. It is an automated risk-scoring engine, most likely powered by Chainalysis or TRM Labs (both are standard across Tier-1 exchanges). Every transaction you make gets scored in real time against a dataset of flagged addresses, mixer outputs, sanctions lists (OFAC, EU, UN), and behavioral anomalies.

When a transaction or a cluster of transactions pushes your account above a risk threshold, the system triggers one of several actions: a soft restriction (withdrawal disabled but trading continues), a hard restriction (full account lock), or an Enhanced Due Diligence (EDD) review request.

None of these mean you are a criminal. They mean the algorithm needs a human to look at your case and confirm the funds are clean.

The Most Common Triggers for a Bybit Account Freeze

Understanding what sets off the system is the most useful thing you can do before you even open a support ticket.

Incoming funds from a high-risk address. If you received crypto from a wallet that previously interacted with a mixer, a darknet marketplace, or a sanctioned entity, your account will be flagged even if you had no knowledge of that wallet's history. The Chainalysis Reactor traces transaction paths multiple hops back, so a "clean" deposit can still carry indirect exposure.

Rapid deposit-to-withdrawal pattern. Moving large amounts in and then out quickly, without any trading activity in between, is a textbook money laundering pattern. The algorithm does not know your reason. It sees the pattern and flags it.

Large withdrawal without updated KYC. Bybit applies stricter identity verification requirements for accounts withdrawing above certain thresholds. If your account was created under older, lighter KYC requirements and you suddenly attempt a large withdrawal, the system will pause and request re-verification.

Travel Rule compliance issues. Under FATF's Travel Rule, exchanges must share sender and recipient identity information for transfers above $1,000 USD. If you are sending to a personal wallet or a non-verified counterparty, Bybit may pause the transfer pending proof that you own the destination address.

P2P dispute or counterparty complaint. A single complaint from a P2P counterparty, even if you fulfilled your side of the trade correctly, can trigger an account review. P2P fraud is one of the highest-volume compliance issues on any exchange.

Login from a new device or country with a high-balance account. Bybit's fraud detection layer treats unusual access patterns as potential account takeover events, especially when combined with withdrawal activity.

The Difference Between a Soft Restriction and a Hard Lock

Not all freezes are equal, and misidentifying your situation leads to wasted effort.

A soft restriction typically looks like a withdrawal hold with trading still functional. Your balance is visible, you can open and close positions, but every withdrawal attempt returns an error or enters a pending state. This is almost always an AML review trigger and resolves through the normal support ticket pathway.

A hard account lock is more serious. You cannot log in, or you can log in but cannot access any functions. This usually follows a security event (attempted account takeover, suspicious login) or a more serious compliance trigger. Resolution requires direct interaction with Bybit's compliance team rather than general support.

If you are not sure which type you have, check the Bybit notifications center and your registered email for any communication. Bybit almost always sends an email specifying the restriction type and what it requires.

Step-by-Step: How to Actually Unfreeze a Bybit Account

The process seems straightforward, but most users make mistakes that add weeks to the timeline.

Step 1: Do not create a new account. This is the most common mistake. Creating an alternative account to bypass a restriction is a permanent ban offense on Bybit. Work only with the restricted account.

Step 2: Open a ticket through the official support center. Use the in-app Help Center, select "Account Restricted" or "Withdrawal Issue," and describe the situation factually: date of restriction, type of restriction, approximate amount frozen. Keep the tone neutral and informational. Emotional or aggressive language does not help and can deprioritize your ticket.

Step 3: Check your KYC status before they ask. Navigate to Account Settings and check whether there are any pending verification steps. Bybit often restricts accounts silently and waits for the user to discover the incomplete verification. Completing it immediately can resolve the issue without any further correspondence.

Step 4: Prepare your documents before the formal request arrives. The baseline package for any Bybit compliance review includes: a government-issued ID (passport preferred), proof of address (utility bill or bank statement dated within 3 months), and a bank statement for the past 3–6 months showing the fiat origin of your crypto purchases. If the restriction is related to a specific transaction, add a Source of Funds explanation for that transaction specifically.

Step 5: Write a structured cover letter. Bybit compliance works in English. Your letter should follow a clear structure: who you are, what happened, what documents you are attaching, and why each document answers the specific compliance question. A structured letter is processed faster than a disorganized document dump.

Step 6: If the ticket stalls, escalate to compliance@bybit.com. In the subject line, include your ticket number and your Bybit UID. A direct email to the compliance department often moves a stalled ticket. Allow 5 business days before escalating.

What a Source of Funds Package Actually Looks Like

Source of Funds (SoF) is the document set that proves your crypto came from a legitimate source. It is the most common document request Bybit compliance makes, and it is also the most commonly prepared incorrectly.

For salary or employment income: employment contract, 3 months of payslips, and a bank statement showing regular salary deposits followed by the fiat-to-crypto purchase.

For business income: company registration documents, tax filings, and bank statements showing the business receiving payment, then the owner withdrawing to their personal account, then the purchase of crypto.

For crypto trading profit from another exchange: export of your trading history from that exchange, ideally with a P&L summary. If the other exchange does not provide exports, screenshots timestamped and accompanied by a written explanation work as a fallback.

For inheritance or property sale: the legal document (will, sale contract), the corresponding bank transaction, and a chain from that event to your crypto purchase.

The goal is to give the compliance officer a clear, unbroken narrative from a real-world event to the specific funds under review. Gaps in the narrative invite follow-up questions, which extends the timeline.

Professional forensics teams like KarCrypto specialize in building exactly this kind of package: structured, documented, written in compliance-native language.

How Long Does It Take

A standard KYC re-verification resolves in 3 to 7 business days. An AML review triggered by a flagged transaction takes 2 to 4 weeks. Enhanced Due Diligence, which Bybit applies to high-risk profiles or large balances, can run 4 to 8 weeks.

The single biggest factor in timeline is document quality at first submission. If compliance has to send multiple follow-up requests because the initial package was incomplete, each round adds 5 to 10 business days. Getting the documentation right the first time is not just good practice; it is the primary way to control the timeline.

When the Situation Requires Professional Help

Most standard KYC freezes are solvable through the process above. But some situations are genuinely complex.

If the restriction involves an OFAC flag, a sanctioned address in your transaction history (even indirect), or a large sum connected to multiple hops of on-chain movement, a professional blockchain tracing report significantly improves your position. Chainalysis Reactor reports and TRM Labs forensics outputs carry weight with exchange compliance teams because they use the same tools internally.

If you have been waiting longer than 6 weeks without a substantive response and the amount at stake is material, a structured intervention from a forensics team changes the dynamic. The team at KarCrypto has resolved Bybit cases ranging from $12,000 KYC holds to $195,000 EDD reviews. The initial case assessment is free.

The Core Principle to Understand

Bybit does not want to keep your money. The compliance system exists because regulators require it, not because the exchange benefits from frozen accounts. The faster you give compliance exactly what they need, in a format they can act on, the faster the restriction lifts.

The freeze is not the end of the process. It is the beginning of a documentation task. Treat it as such.

If your Bybit account is currently restricted and you are not sure where to start, the first step is to preserve everything: wallet addresses involved, transaction hashes, all correspondence with support. Do not delete anything. Every piece of data is potentially relevant.

Quantum Computing and Bitcoin: What the 2031 Federal Deadline Means for Developers

Harvey Stone — Tue, 23 Jun 2026 16:45:30 +0000

The U.S. government just set a hard deadline for post-quantum cryptographic migration: 2031

Two executive orders signed in 2025 require all federal agencies to replace classical signature schemes with NIST-standardized post-quantum algorithms. The mandate covers every system that touches federal data. Bitcoin is not on the list. That is exactly the problem.

This post breaks down what the threat actually is at the cryptographic level, why the migration is harder than it looks, and what the developer community should be paying attention to right now.

How ECDSA Works and Why Quantum Computers Break It

Bitcoin transaction signing uses ECDSA on the secp256k1 curve. The security model is simple: deriving a private key k from a public key Q = k * G requires solving the elliptic curve discrete logarithm problem. On classical hardware, this is computationally infeasible at 256-bit key sizes.

Quantum computers running Shor's algorithm solve the discrete logarithm problem in polynomial time. The same algorithm breaks RSA. The same algorithm breaks Diffie-Hellman. Anything whose security depends on factoring or discrete log is vulnerable.

The standard objection has always been qubit count. Breaking secp256k1 requires fault-tolerant logical qubits, not the noisy physical qubits that exist today. Earlier estimates put the requirement at hundreds of millions of physical qubits. More recent work has revised that down significantly:

Year	Paper	Physical qubits estimate
2022	Webber et al. (UCL)	~13 million (optimistic)
2023	Banegas et al.	~317 million (conservative)
2024	Microsoft preprint	Lower still under new error correction models

The trajectory matters more than any single estimate. Every 12 to 18 months the estimates drop. The federal government is acting on that trajectory, not on a specific threshold.

The Signature Size Problem Is Not Solved by Switching Algorithms

When developers hear "just use a post-quantum signature scheme," the natural follow-up is: which one, and what does it cost?

NIST standardized three post-quantum signature algorithms in August 2024. Here is what the numbers actually look like:

Algorithm       | Public Key  | Signature   | Standard
----------------|-------------|-------------|----------
ECDSA (secp256k1)| 33 bytes   | 64 bytes    | —
ML-DSA-44       | 1,312 bytes | 2,420 bytes | FIPS 204
ML-DSA-65       | 1,952 bytes | 3,309 bytes | FIPS 204
ML-DSA-87       | 2,592 bytes | 4,595 bytes | FIPS 204
FALCON-512      | 897 bytes   | ~666 bytes  | FIPS 206
FALCON-1024     | 1,793 bytes | ~1,280 bytes| FIPS 206
SLH-DSA-128s    | 32 bytes    | 7,856 bytes | FIPS 205

ML-DSA (formerly CRYSTALS-Dilithium) is the general-purpose recommendation. At the lowest security level, a single signature is 2,420 bytes versus ECDSA's 64 bytes. That is a 38x increase.

What This Does to Bitcoin Block Capacity

Bitcoin blocks are capped at roughly 4MB (weight units). A standard P2WPKH transaction with an ECDSA signature is around 141 vbytes. A comparable transaction with an ML-DSA-44 signature would be roughly 2,600+ vbytes, just from the signature field alone.

Run the math:

Current block capacity (approx):   ~2,500 transactions
Post-quantum block capacity (ML-DSA-44): ~230 transactions
Throughput reduction:              ~90%

Bolt post-quantum signatures onto Bitcoin's current architecture and you get a chain that processes one-tenth of its current transaction volume. That is not a migration. That is a different product.

FALCON has smaller signatures (~666 bytes at the 128-bit security level) and is the more bandwidth-efficient option, but it uses floating-point arithmetic internally, which creates implementation complexity and side-channel risk. Most secure implementations require constant-time floating-point, which is non-trivial.

BIP-360 Is a Start, Not a Solution

BIP-360 proposes a new output type called P2QRH (Pay to Quantum Resistant Hash). The design is sound at the cryptographic level. It supports CRYSTALS-Dilithium, FALCON, and SPHINCS+ as signature schemes. It handles address encoding for post-quantum public keys.

What BIP-360 does not solve:

1. Throughput. P2QRH does not change block size limits. It does not add compression. It does not address the 90% capacity reduction that comes with ML-DSA signatures. Those problems require separate proposals.

2. Existing address migration. Approximately 6.9 million Bitcoin (per Coinbase's 2024 quantum risk report) sits in addresses where the public key is permanently visible on-chain. P2PKH and P2WPKH expose the key only on spending. P2PK outputs, used heavily in early Bitcoin, expose the public key in the scriptPubKey itself without any transaction ever being broadcast by the owner.

There is no mechanism in BIP-360 to migrate those coins. You cannot migrate funds you cannot sign for. Satoshi's coins, lost wallets, and custodians who are unresponsive all fall into this category.

3. Governance timeline. Bitcoin consensus moves slowly by design. SegWit took three years from proposal to activation. Taproot took two years of soft signaling and a missed activation window before the Speedy Trial. BIP-360 is still in early draft. The 2031 federal deadline is six years away. The overlap between "BIP-360 activates on mainnet" and "a cryptographically relevant quantum computer exists" is genuinely uncertain.

The Harvest Now, Decrypt Later Threat Is Already Active

The most underappreciated part of the quantum threat for developers is that the attack does not require a quantum computer to exist today.

Harvest now, decrypt later (HNDL): an attacker records public keys, signed transactions, and other cryptographic material today and stores it. When quantum hardware matures, they decrypt the stored data.

For most application data, the value of HNDL is limited by data freshness. A harvested TLS session from 2025 is not worth much in 2035.

For Bitcoin UTXOs sitting in exposed addresses, the calculus is different. The funds do not expire. A P2PK output containing 50 BTC from a 2010 block will still contain 50 BTC (or its quantum-era equivalent) in 2031. The incentive to harvest and hold is exactly proportional to the balance, indexed to the eventual BTC price.

If you are building wallets, exchanges, or any application that handles Bitcoin addresses, the question of key exposure is not theoretical. It is a design decision your users' future funds depend on.

What Quantum-Native Blockchain Architectures Are Doing Differently

There is a meaningful difference between chains that add post-quantum signatures and chains that build for post-quantum from the start.

The key insight is that the throughput and key exposure problems are not separate from the cryptography problem. They are the same problem. Any architecture that treats them separately will end up with a 90% capacity reduction, persistent key exposure, or both.

The approaches that actually solve the full problem tend to combine:

Post-quantum signatures at the base layer (ML-DSA or FALCON, not as an optional output type)
Data compression to absorb the signature size overhead without sacrificing throughput
Key rotation mechanisms that ensure public keys are never reused or left exposed on-chain (analogous to BIP-32 HD wallet derivation but at the protocol level)
Migration paths for existing address types built into the consensus rules

QuanChain is an example of a chain that has built all four components into a single integrated architecture: Dilithium-5 signatures, 70% compression of on-chain data, a SpendAndRotate mechanism that rotates keys on every spend, and a three-channel design that maintains 200,000 TPS under full post-quantum signature overhead.

That is the relevant benchmark for evaluating any post-quantum blockchain claim: not which signature scheme they use, but whether they have solved the throughput and key exposure problems alongside it.

Practical Checklist for Developers Working with Bitcoin or Blockchain

If you are building anything that touches cryptographic key management or blockchain transactions, here is what to audit:

[ ] Are you generating fresh addresses per transaction, or reusing addresses?
[ ] Do any of your wallets or contracts use P2PK outputs?
[ ] Is your key derivation scheme compatible with post-quantum key types?
[ ] Have you read FIPS 203, 204, and 205? (NIST published them August 2024)
[ ] Does your dependency chain include any library pinned to ECDSA-only?
[ ] Do you have a migration path documented for when BIP-360 or equivalent activates?

None of these require you to act today. All of them require you to have thought about it before the window closes.

What the 2031 Deadline Actually Signals

Developers tend to be skeptical of policy documents. That skepticism is healthy. But the two executive orders matter less as policy and more as a revealed preference.

The U.S. federal government has access to classified intelligence about quantum hardware progress that no public research lab publishes. When that government mandates a six-year migration across all civilian systems, the signal is: people with better information than we have believe this is real, proximate, and requires lead time to address.

The crypto ecosystem does not have an equivalent mandate. It has a Bitcoin Improvement Proposal in early draft, a small number of quantum-native chains in testnet or early mainnet, and approximately 6.9 million BTC in addresses that cannot be migrated without owner action.

The engineering problems are solvable. The coordination problems are harder. Both require the developer community to treat this as a real constraint rather than a future concern.

For a deeper breakdown of the specific executive order timelines and what the 2031 deadline stages require, this analysis covers both orders in detail.

FAQ

Is SHA-256 also vulnerable to quantum attacks?

SHA-256 is significantly more resilient than ECDSA against quantum attack. Grover's algorithm provides a quadratic speedup for brute-force search, which effectively halves the security level. SHA-256's 256-bit output provides 128 bits of quantum security, which remains above the threshold considered secure. Bitcoin's proof-of-work is not the primary concern. The signature scheme is.

Why not just use larger ECDSA keys?

Quantum attacks on elliptic curve discrete log scale better than brute force, so simply doubling key size does not proportionally increase quantum resistance. A 521-bit curve provides roughly 260 bits of classical security but only around 130 bits of quantum security under optimistic assumptions. The NIST-standardized post-quantum algorithms are based on mathematical problems (lattice problems, hash-based constructions) for which no efficient quantum algorithm is known. That is a categorical difference, not a parameter difference.

What is the status of BIP-360 right now?

As of mid-2026, BIP-360 is in draft status. It has received technical review but has not been assigned a BIP number indicating it is ready for implementation. The proposal requires a soft fork with broad miner and node signaling. There is no activation timeline announced.

Can I use FALCON instead of Dilithium in a production wallet today?

FALCON (FIPS 206) is standardized and suitable for production use. The implementation complexity is higher than Dilithium because correct FALCON signing requires careful handling of floating-point arithmetic to avoid side-channel leakage. If you are implementing it yourself, use an audited library. If you are evaluating libraries, check whether they use constant-time floating-point operations.

What is SpendAndRotate?

SpendAndRotate is a key rotation mechanism where every spend transaction automatically rotates the signing key, so a used public key is never reused. It prevents the address reuse vulnerability that puts 6.9 million Bitcoin at elevated quantum risk. It is conceptually similar to how modern HD wallets generate new addresses per transaction, but enforced at the protocol layer rather than the application layer.

X (Twitter) Follow-Back Rate in 2026: Data From 9,418 Strategic Follows

Harvey Stone — Thu, 11 Jun 2026 14:58:15 +0000

We ran our X follow-automation tools across 11 accounts for the first 10 days of June 2026 and tracked every follow and every follow-back. This article reports the results: the headline rate, how fast follow-backs happen, which account sizes convert best, and what the data means for building an X audience in 2026.

Why we measured this

Follow-back rate is one of the most discussed and least measured metrics in X growth. Most advice on the topic is anecdotal: "follow accounts in your niche," "engage before you follow," "avoid big accounts." Almost none of it is backed by actual reciprocation data at scale.

Block AI runs follow-automation tools for crypto and Web3 projects. Our GeniusX tool follows accounts based on keyword targeting — people who have recently posted about a specific topic. Our CloneX tool follows based on audience cloning — people who recently followed a competitor or adjacent account. Both tools log every follow action and every follow-back in production. That gives us a dataset of real follow outcomes, not survey responses or estimates.

This report covers 9,418 follow actions executed across 11 active operator accounts between 1 June 2026 and 10 June 2026.

The headline number

3.0% of strategically targeted follows were reciprocated.

More precisely: 185 follow-backs from 6,127 matured follows, ±0.4 percentage points. The "matured cohort" is the 6,127 follows that were at least 72 hours old at the 10 June cut-off. We use this as the primary denominator because very recent follows have not yet had a fair window to convert. Including all 9,418 follows (many of them less than 24 hours old at cut-off), the raw rate is 3.1% (296 follow-backs).

3% feels low until you look at what is happening inside that number.

Follow-backs happen almost immediately

The most practically useful finding in this dataset is not the overall rate — it is the speed distribution.

Time since follow	Cumulative share of follow-backs
Within 1 hour	30.7%
Within 6 hours	68.2%
Within 24 hours	89.5%
Within 72 hours	100%

Median: 2.8 hours. 25th percentile: 0.9 hours. 75th percentile: 9.2 hours.

Nearly one in three follow-backs arrives within the first hour. More than two thirds arrive within six hours. After 72 hours, not a single new follow-back was recorded across 296 events.

What this tells you about X user behaviour: the follow notification triggers an immediate decision. The target either opens the app, checks your profile, and follows back — usually within a few hours — or they never do. There is no meaningful "long tail" of delayed reciprocation. A follow that has not been returned after three days will not be returned at all.

This has a direct implication for strategy. If you are combining follows with engagement — a reply to a recent post, a like on their pinned tweet — the timing of that engagement matters enormously. Engagement that lands within the first six hours of the follow is present in the target's notifications at the exact moment they are deciding whether to follow back. Engagement that lands two days later is noise.

Account size is the strongest predictor of follow-back rate

This was the sharpest finding in the entire dataset.

Target follower count	Matured follows	Follow-back rate
Under 100	1,958	1.7%
100 – 1k	2,613	1.9%
1k – 10k	1,265	5.6%
10k – 100k	258	10.9%
100k – 1M (low sample)	33	6.1%

The 10k–100k band reciprocates at 10.9% — roughly 6x the rate of sub-100 accounts (1.7%).

The counter-intuitive result is at the bottom of the table. Accounts with under 100 followers are the easiest to reach — they almost certainly see every notification — yet they are the least likely to follow back. The 100–1k band is barely better at 1.9%.

Several factors likely explain this. Accounts below 100 followers are disproportionately new, inactive, or bot-adjacent. Many may never open the app at all. Even among active sub-100 accounts, there is no established habit of checking who followed them because it happens rarely enough to be a non-event. Compare this to an account with 50,000 followers: they actively monitor their following list, have a clear sense of their audience, and are more likely to make deliberate follow-back decisions.

The 100k–1M band shows a rate of 6.1%, lower than the 10k–100k peak. This band had only 33 matured follows and the figure carries a wide confidence interval. It is plausible that very large accounts use stricter follow-back criteria or that their notification volume makes individual follow notifications invisible. We expect to have a more reliable sample in the July edition.

For crypto and Web3 growth specifically, the 1k–100k range maps cleanly to active KOLs, mid-tier creators, engaged project founders, and community builders. These are also the accounts whose follow-backs move your TweetScout and Sorsa score most, since both metrics weight follower quality over follower count.

Keyword targeting vs. audience cloning

Method	Matured follows	Follow-back rate
GeniusX — keyword targeting	3,755	3.3%
CloneX — audience cloning	2,372	2.6%

Keyword targeting led by 0.7 percentage points. This gap sits within the ±0.4 pp margin of error for a single month, so we are not declaring keyword targeting the winner from this one edition. That said, the direction is plausible.

When GeniusX follows someone, it is because that person has recently posted about a keyword we are targeting. They are active on the platform right now, engaged with the topic, and likely to check their notifications. When CloneX follows someone, it is because they recently followed a competitor — a weaker signal of present engagement. The stronger immediate engagement signal from keyword-targeted accounts may be what drives the slightly higher reciprocation rate.

We will report on this comparison again in July once we have a larger stratified sample.

What 3% actually means for your growth

At 3%, for every 1,000 strategic follows you earn roughly 30 genuine mutual connections. That sounds modest until you consider two things: scale and targeting quality.

On scale: an account running a continuous follow campaign at 300–500 follows per day accumulates 9,000–15,000 follows per month, which at a 3% rate means 270–450 new mutuals every month. Compounded across six months, that is a meaningful audience built from people who have actively chosen to follow back — not passive impressions or paid reach.

On targeting quality: the 3.0% headline is an average across all follower bands and both targeting methods. A campaign deliberately concentrated in the 1k–100k band using keyword targeting operates at a rate closer to 8–11% in that segment. At 1,000 follows per month in that band alone, that is 80–110 genuine mutual connections from exactly the tier of account that drives authority metrics and organic reach.

Each mutual follower is also a person who will see your posts in their home timeline without any paid amplification. For crypto and Web3 projects trying to build a credible audience before a product launch or token event, this is the organic visibility floor that everything else compounds on top of.

Methodology

Dataset: 9,418 follows executed across 11 active operator accounts, 1–10 June 2026
Tools: Block AI GeniusX (keyword targeting) and CloneX (audience cloning)
Follow-back detection: the target account followed the subscriber back within the hold window (follows are held 3–7 days before being unwound)
Matured cohort: only follows at least 72 hours old at the data cut-off are used to compute follow-back rates, to avoid deflating the rate with unmatured follows that have not yet had a chance to convert
Follower bands: measured at follow time, not at the time of reporting
Confidence interval: ±0.4 percentage points on the headline follow-back rate
Limitations: targets are selected by keyword-recency and audience-clone logic, not a random sample of X. These figures describe strategically targeted follow campaigns and should not be generalised to X-wide follow behaviour

Full report with all tables: https://www.blockmm.ai/research/x-follow-back-report

What we are measuring next

From June 2026 onward, Block AI is capturing a richer snapshot for every follow: the target's following-to-follower ratio, verified and premium status, account age, posting frequency in the 7 days before the follow, and whether the subscriber account is a personal, project, or business profile.

The July 2026 edition will include breakdowns for whether verified accounts reciprocate at higher rates, which subscriber account types generate the most follow-backs per campaign, and whether the keyword-vs-cloning gap widens or narrows with a larger sample.

TL;DR

3.0% of strategic follows get a follow-back (matured cohort, n = 6,127)
89.5% of follow-backs arrive within 24 hours; median is 2.8 hours
10k–100k follower accounts reciprocate at 10.9%, 6x higher than sub-100 accounts
Keyword targeting (3.3%) outperforms audience cloning (2.6%), directionally
After 72 hours, no new follow-backs occur — the window is closed

Block AI builds X growth automation for crypto and Web3 projects, including GeniusX and CloneX follow tools. This data is drawn from production follow records — every number is a real action, not a survey estimate.