Said systems can probably cope with most of the regular stuff, but what about an army of Twitter followers? Most are going to be signed in, they are going to be spread out geographically, they are going to be real people with real browsers with cookies, etc.
Yes, but those aren’t spoofed identities, they’re actual humans intentionally clicking the link. This is harder for the defender to defend against, but it’s also vastly harder for the attacker to scale. Defenses against this sort of “organic” traffic do exist, because this is something that people committing ad fraud attempt to do using compromised browsers of real people.
Edit: I mostly want to stress that there’s a huge body of (largely proprietary) work on this topic. Thousands of skilled people have been full-time employed for decades thinking about exclusively this topic, on both the offensive and defensive side, in a continuously escalating arms race. Anyone just getting started on this topic has a couple of decades of literature review to catch up on before they should imagine that their proposals are novel. I don’t mean to discourage you if it’s a topic you find interesting, but you should bear in mind that the answer to “But has anyone thought of XYZ?” is “Yes” for basically all values of XYZ. There’s a lot of money at stake if the answer is no.
It sounds like a really fascinating topic! If someone is interested, where would he/she need to start? Any papers that review most/all methods that are up to date?
Very, very sophisticated systems exist to prevent spoofed identities from counting as ad clicks.