A deep fake video of Maria Ressa promoting the cryptocurrency scam “Bitcoin Method” was released on Facebook on 6 February 2024. The AI-edited video was based on Ressa’s appearance on The Late Show with Stephen Colbert in November 2022, where she was invited to discuss her insights about democracy and freedom and the danger of living in a world dominated by social media.
The computer-generated voice is quite similar to Maria’s, but her lips do not match the words she says. Anyone familiar with Maria Ressa and her tireless and fearless struggle against the tyrants in power and for press freedom in the Philippines knows that these are not her words. The Philippine government has for years tried to bring Ressa down by accusing her of tax fraud, tax evasion and receiving money from the Central Intelligence Agency, and by arresting her a number of times. Although Ressa has been acquitted of all charges, the accusations will stay with her; that is how disinformation works. A seed is planted when a lie is spread, and if it is repeated enough times, it becomes a fact. As Ressa herself describes disinformation, “a lie told a million times becomes a fact”.
The same logic applies to this deep fake scam. Although it is hard to believe that Maria Ressa has made herself a fortune with Bitcoins, a seed has been planted that perhaps there is a grain of truth in that video. Perhaps the award-winning and internationally known media mogul behind Rappler.com has not earned her position only by working hard as a journalist?
Despite the low quality of the deep fake, the video was promoted as an advertisement campaign on the Microsoft Network (MSN) targeting Filipino audiences, with statements such as “The end for her?” and “Maria Ressa could be sued for her remarks on TV”.
The greatest challenge of disinformation is not the lies, but the lack of accountability of those who disseminate the fake information and the silent support of platform providers like Meta and others that profit from it and allow the disinformation to thrive.
Qurium has investigated the deep fake video in an attempt to figure out what forces were behind this attempt at defamation and which actors were involved.
Our findings are the following:
In early February 2024 the domain name ultimainv{.}website was used to distribute fake look-alike articles from CNN and Rappler and a fake video of Maria Ressa promoting the bitcoin{.}method.
The articles were later promoted as ads on the Microsoft Network in the Philippines using the title “The end for her?” with the aim of discrediting Maria Ressa.
Metadata of the fake video indicates Russian editors.
An error during the preparation of the defamation campaign against the journalist exposed, on the newly registered domain, a webpage offering a “Handy Heater” linked to a defunct Russian company. The page was quickly replaced by the malicious pages that were intended as part of the campaign.
The analysis of the different types of content on the domain ultimainv{.}website from January 2024 strongly links it to a network of malicious advertisers involved in several cases of online fraud associated with ООО “МЕДИАР” (aka M1), a Russian CPA advertisement network.
Hence, Russian-controlled infrastructure was used to set up the clone articles that featured the deepfake of Maria Ressa promoting Bitcoins. Although the deepfake video followed the rule book of a regular scam where a celebrity is used to promote Bitcoins, it was made by Russians and disseminated to a Philippine audience to malign Maria Ressa.
The plot – in detail
The case was reported to Qurium via the MSN advertisement (“The end for her?”), which included a link to the domain where the deep fake video was distributed (ultimainv{.}website), which also promoted the “Bitcoin Method” (bitcoinmethod{.}com).
The disinformation campaign against Ressa served the deep fake video in two fake articles (hosted under ultimainv{.}website) with the graphical appearance of Rappler.com and CNN Philippines. These fake articles were disseminated via Facebook.
Collecting evidence and mapping them out
Taking advantage of several forensic elements left in the video and on the website distributing the video and images, Qurium was able to reconstruct the timeline of the malicious campaign. In order to reconstruct the events we managed to obtain timestamps from the following sources:
Domain registration data of ultimainv{.}website and bitcoinmethod{.}com used in the deep fake campaign
Hosting information of domains ultimainv{.}website and bitcoinmethod{.}com
Metadata of the PNG images 4.png 5.png 6.png 7.png from the CNN and Rappler clones
Metadata from the Wistia Video platform left in the cloned websites
Metadata left from the original articles scraped from the CNN and Rappler websites
The hosting of bitcoinmethod.com moves from Amazon to Cloudflare to hide its backend and its owners.
Facebook page (ID 03322809538341) is created containing links to the cloned articles.
Rappler.com is scraped to create the clone article.
Deep fake video is uploaded to Wistia.
CNN Philippines is scraped to create the clone article. The clone is published on ultimainv.website.
Deep fake video is released on Facebook.
In a nutshell, the campaign was prepared from 28 November 2023 to 5 February 2024.
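The timestamps listed above arrive in different shapes (ISO 8601 with `Z`, with an explicit offset, and a Unix epoch embedded in a lander path), so they must be normalised to UTC before they can be ordered. The following added example, which is not Qurium's own tooling, does that for the raw strings shown in Appendix 1; the time of day in the PNG entry is constructed, since the page gives only its date and the GMT+3 zone.

```python
import re
from datetime import datetime, timezone

# ISO 8601 with optional fractional seconds and either "Z" or a +hh:mm offset.
ISO_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?(Z|[+-]\d{2}:\d{2})")
# A bare 10-digit number starting with 1 is read as Unix time (2001-2033).
EPOCH_RE = re.compile(r"(?<!\d)(1\d{9})(?!\d)")

def extract_timestamp(raw):
    """Return (utc_datetime, source_offset_hours or None), or None if nothing parses."""
    m = ISO_RE.search(raw)
    if m:
        dt = datetime.strptime(m.group(1) + m.group(2), "%Y-%m-%dT%H:%M:%S%z")
        return dt.astimezone(timezone.utc), dt.utcoffset().total_seconds() / 3600
    m = EPOCH_RE.search(raw)
    if m:  # epoch values carry no timezone of their own
        return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc), None
    return None

def build_timeline(artifacts):
    """Sort (label, raw) pairs by UTC time; artifacts without a timestamp are kept aside."""
    events, unparsed = [], []
    for label, raw in artifacts:
        parsed = extract_timestamp(raw)
        if parsed is None:
            unparsed.append(label)
        else:
            events.append((parsed[0], label, parsed[1]))
    return sorted(events, key=lambda e: e[0]), unparsed

ARTIFACTS = [
    ("CNN lander path", "lander/mary-rapler_1707133147"),
    ("Wistia video upload", 'uploadDate":"2024-01-31T11:44:32.000Z"'),
    ("Rappler article scraped", 'content="2024-01-26T11:00:00+00:00"'),
    ("ultimainv.website registered", "2024-01-10T19:19:52.0Z"),
    # Constructed: the page gives only the date and the GMT+3 zone for the PNGs.
    ("PNG metadata (constructed time)", "2023-11-28T14:05:00+03:00"),
    ("Facebook video released", "5-February-2024"),  # no machine timestamp
]

if __name__ == "__main__":
    events, unparsed = build_timeline(ARTIFACTS)
    for when, label, offset in events:
        print(when.isoformat(), label, "" if offset is None else f"(source UTC{offset:+.0f}h)")
    print("span:", events[-1][0] - events[0][0], "| no timestamp:", unparsed)
```

Keeping the source offset next to the UTC value preserves the timezone indicator while the ordering is done on a single clock.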
Metadata – signs of Russian influence
By studying the metadata of images and videos we have learned about the geolocation of the “attackers”. Metadata obtained from images on the clone websites (Rappler and CNN Philippines) includes Cyrillic script, and the timezone of the timestamps is GMT+3 (Moscow, St Petersburg). These are not conclusive proof, but solid indications.
Who hosts the deep fake video?
TD Globus Contract – a malicious advertisement network
Qurium obtained a cached copy of the content of ultimainv{.}website from the 25th January 2024 just before the website was modified to host the “Bitcoin Method” page with the fake video.
We also found out that the content of ultimainv{.}website matched a page hosted under the domain minpriceclub{.}com and a page hosted under promoshopmedia{.}com.
The original content of the domain was an advertisement for a “Handy Heater” by the defunct Russian company TD Globus Contract with the fake company registration number (OGRN) 1161832052832.
The domain name ultimainv{.}website was registered to distribute fake clones of articles from Rappler.com and CNN Philippines released on 5 February 2024. However, one week earlier the website hosted content associated with the Russian companies ООО “ТД КОБУС КОНТРАКТ” and ООО “МЕДИАР” (aka M1.top).
What are TD Globus Contract and M1.top up to?
It turns out that the Russian companies TD Globus Contract and M1.top are involved in an online shopping scam. A Russian reputation forum explains the modus operandi of this network of fraudsters: the companies advertise products online, and the payment and shipment of goods are arranged by phone. The victim of the fraud picks up the order at their local post office and pays for the goods in person. In many cases, the packages are empty or contain a random low-cost product.
Qurium managed to identify dozens of websites, including ultimainv{.}website, linked to the Russian company “TD Globus Contract”, even though the company has been inactive in the company registry since December 10, 2019.
“TD Globus Contract” is not the only company used for the scams. In a few days we identified dozens of “ghost” entities, mostly Russian companies with bogus information, associated with the cyberscam network.
Some of the scam websites also include fake European addresses and reuse VAT and Primary State Registration Numbers (PSRN).
M1.top – broker of TD Globus Contract
Qurium managed to collect more than 40 websites associated with “TD Globus Contract”. All of them contained JavaScript code forwarding the name and phone number of the victims to api{.}m1.top. M1 plays a brokering role in the scam network, hiding the malicious advertisers from scrutiny.
Once we understood that m1{.}top acted as an intermediary between the scam sites and their victims, we were able to find more domain names used by M1 as Postback URLs. In a nutshell, M1 provides a set of links so affiliates can gain commissions if specific actions take place.
In all the advertisements that we reviewed, including the sites of the “Bitcoin Method” and the “Handy Heater”, the scammers collect only the name and phone number of the victims. This information is then forwarded to M1 by means of an API (api.m1.top), where the next stage of the scam takes place.
A call center (Tord, run by M1?) gathers the personal data of the victim, confirms the sale and ships the product to the post office nearest to the victim. Payment takes place when the package is collected from the post office by means of “cash on the delivery”. The victim does not receive the ordered product but a low-quality piece of junk or a bag of sawdust.
The role of M1
In this scenario, M1 is responsible for paying those who help promote the content and generate new scam sales.
In order to remain unaccountable for fraud, the fraud scheme includes three different roles:
Affiliate Advertiser (Publisher): Promotes the goods and forwards the names and phone numbers of potential victims to M1. On their websites they make clear that they just advertise goods and are not responsible for anything related to the merchandise.
M1 Shop (CPA): Receives the names and phone numbers from the publisher and hands the information over to the Advertiser. It is responsible for paying the Publishers for their “actions” and receives money from the Advertisers for playing the intermediary role.
Advertisers: They are responsible for creating new offerings in the fraud network, including nutrition goods (nutra) or cryptocurrency offers. They are responsible for delivering the goods or services to the clients.
For this type of fraud to be effective, the advertisers’ identities need to be protected by M1-Shop, and publishers need to be constantly renewed once their reputation has been compromised.
Ultimately no one takes responsibility for the fraud. The websites that promote the products are registered under fake companies and claim that they do not know the final product vendors, and the advertisement network claims that it does not monitor what is promoted on its platform, etc. One thing is guaranteed, though: victims get scammed and everyone in the network gets paid for their “services”.
Tracking actions
The responsibility of M1 can be easily investigated by checking the products associated with the domains that M1 uses to track conversion data (aka Postback URLs). We looked into a dozen domains associated with M1 postback URLs, and all of them have been reported for fraud.
To our surprise we discovered that the Kadam Advertisement Network has published a guide explaining how to promote products offered in the “M1 Shop”. The guide includes references to the domain nametovar{.}com, where we found landing pages for dozens of products promoted by “TD Globus Contract”.
Finding more domains
The URLs used by M1 for their promotions share similar patterns, and we found many such domains hosted at ALTUSHOST B.V. (AS51430). Together, these facts helped us find even more domains promoting products that are theoretically obtained when paid for on delivery (collect on delivery).
There are two variables in the link, _lp and _token, that are often seen when the advertisement tracker “Keitaro” is used. Keitaro offers “geo location” features and was likely used to provide geofencing for the campaign.
According to Keitaro, M1 is one of their partners.
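A triage check for suspected landing pages, built on the two indicators described above: lead forwarding to api.m1.top and links carrying both the _lp and _token parameters. This is an added example, not Qurium's tooling; the form field names, the sample HTML, the URL path and the example.test hosts are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

BROKER_HOSTS = {"api.m1.top"}       # lead-collection host named in the report
TRACKER_PARAMS = {"_lp", "_token"}  # link parameters named in the report
LEAD_FIELDS = {"name", "phone"}     # assumed form field names
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

class LanderScan(HTMLParser):
    """Collect URLs from attributes and inline scripts, plus form field names."""
    def __init__(self):
        super().__init__()
        self.urls, self.fields, self.in_script = set(), set(), False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.in_script = tag == "script"
        self.urls.update(attrs[k] for k in ("href", "src", "action") if attrs.get(k))
        if tag == "input" and attrs.get("name"):
            self.fields.add(attrs["name"].lower())
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:  # inline JavaScript: pull out absolute URLs
            self.urls.update(URL_RE.findall(data))

def triage(html):
    """Return the indicators found in one page's HTML."""
    scan = LanderScan()
    scan.feed(html)
    host = lambda u: (urlsplit(u).hostname or "").lower()
    return {
        "broker_endpoints": sorted(u for u in scan.urls if host(u) in BROKER_HOSTS),
        "tracker_links": sorted(u for u in scan.urls
                                if TRACKER_PARAMS <= set(parse_qs(urlsplit(u).query))),
        "collects_name_phone": LEAD_FIELDS <= scan.fields,
    }

# Constructed sample pages; the path, token value and example.test hosts are invented.
SAMPLE = """<a href="https://lander.example.test/offer?_lp=1&_token=CONSTRUCTED">Order</a>
<form><input name="name"><input name="phone"><button>Send</button></form>
<script>fetch("https://api.m1.top/CONSTRUCTED-PATH", {method: "POST"});</script>"""
CLEAN = '<a href="https://example.test/about?page=2">About</a><form><input name="q"></form>'

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(CLEAN))
```

A page that matches on all three keys is a candidate for manual review; the parameters alone are also used by legitimate Keitaro deployments.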
Conclusions
In early February, the domain name ultimainv{.}website was used to distribute fake look-alike articles from CNN and Rappler and a fake video of Maria Ressa promoting the bitcoin{.}method.
These articles were then promoted as ads on the Microsoft Network in the Philippines using the title “The end for her?”
An error during the preparation of the defamation campaign against the journalist exposed, on the newly registered domain, a webpage offering a “Handy Heater”. The page was quickly replaced by the malicious pages that were intended as part of the campaign.
The analysis of the different types of content on the domain ultimainv{.}website from January 2024 strongly links it to a network of malicious advertisers involved in several cases of online fraud associated with ООО “МЕДИАР” (aka M1), a Russian CPA advertisement network.
Appendix 1: Details of timeline
Time | Event | Comment
28-November-2023 | Exif Data PNG | 5/6/7.png (CNN) 7.png (Rappler)
30-November-2023 | Exif Data PNG | 4.png (CNN), 4/5/6.png (Rappler)
10-January-2024 | ultimainv.website Registered | 2024-01-10T19:19:52.0Z
11-January-2024 | Urlscan information | @ecarlesi flags page as malicious
23-January-2024 | bitcoinmethod.com hosting change | Website moves from Amazon to Cloudflare
24-January-2024 | Facebook Page Created | ID 03322809538341
25-January-2024 | Bing Cache copy of the page | contains popup-m1 / Riscaldatore portatile
26-January-2024 | Rappler article scraped | content="2024-01-26T11:00:00+00:00"
31-January-2024 | CNN Wistia Video Uploaded | uploadDate":"2024-01-31T11:44:32.000Z"
31-January-2024 | Rappler Wistia Video Uploaded | uploadDate":"2024-01-31T11:44:32.000Z
5-February-2024 | CNN article scraped | Published Feb 05, 2024, 1:21:20 PM
5-February-2024 | CNN lander timestamp | contains lander/mary-rapler_1707133147 (February 5, 2024 11:39:07 AM)
5-February-2024 | Facebook video released |
Media
[4 Mar 2024] Windows Report A scam network used a deepfake video of Maria Ressa to trick people
[3 Mar 2024] Nischad Manipulerad video av Maria Ressa sprids av potentiellt ryskt bluffnätverk
[3 Mar 2024] BNN Deepfake Video Targets Maria Ressa, Linked to Russian Scam Network, Engages Thousands
[5 Mar 2024] PressOne ALERT: Deep fake promotes crypto scam while discrediting Ressa