>I wouldn't have thought to reach out to shills
Neither did I, but after I started waxing philosophical reminding people about 'enemies both foreign AND domestic', I found shills starting to waver, after they realised their enemies aren't always external - they could be their own employers. Thesedays, I hear the emphasis on 'domestic' fairly regularly amongst grey and white hats.
Appealing to shills doesn't mean compromising. Stick to your message. In some ways, it's a psychological battle - you trying to convince them and them trying to convince you. And if not you, then they're trying to convince 'the audience'.
Home field advantages:
1) You work for free (they cost money - attrition. Some might be 'free' but they're less likely to be 'loyal' unless they're zealots).
2) You're adaptable (they have to follow a script, play to a specific agenda, follow orders - you can troll to your hearts content. If it came out they were being racist, harassing or discriminatory they're legally liable)
3) They run the risk of being exposed and it all backfiring (if someone 'exposes' you for being concerned citizens there's no repercussions)
4) There's a risk their technology will fall into enemy hands (think EternalBlue-style exploit leaks)
5) Whatever they're doing now software-wise, you can likely do better: passion and talent trumps money and manpower any day of the week.
Some forum configs for better resistance:
1) Introduce post flood delays (ideally variable on post size). No true human can 'mass post' within seconds. Essentially, force bots to have a post rate akin to a human (makes the human job easier).
2) Daily captcha can be easily thwarted by a handler with low tech - they solve the captcha for the day and then leave the bot to run, either:
2a) Prompt on every post, or
2b) Prompt after X number of posts (X being whatever you'd consider 'spam' or 'bulk posting').
Alternatively, you could modify your admin powers to 'anchor' specific posters with a 'every post' captcha (which can be used as a litmus paper test). Expect the handlers to whine about it - it's easier to social engineer the admin into disabling the captcha or reducing it than it is for some tech companies to build tech to solve the captcha (as said: some are homebrew, some are commercial - commercial ones auto-solve, homebrew, not so much).
3) If you plan to deploy your own bots, instigate a policy that bots (to avoid being banned) must self-identify as bots. Consider setting up bots that hunt shills and bots ('hunter-killer' units) - these can be passive (they only need to 'read' the board and report the findings).
4) Bots sometimes break on escape characters or unicode characters: /?x009 '~;:¬
/?-(*& any decent programmer will escape the read posts, but it can help to bork them with garbage information