Deep fake of Maria Ressa connected to Russian cyberscam network – Qurium Media Foundation

A Russian-linked cyberscam network used a deepfake video of Maria Ressa to promote a crypto scam campaign in the Philippines, distributing fake CNN/Rappler articles via clone domains and Facebook ads. The investigation links the operation to Russian actors and ad networks, including TD Globus Contract and M1.top, with metadata suggesting Moscow time and Cyrillic scripting. #MariaRessa #Qurium #BitcoinMethod #TDGlobusContract #M1top #Rappler #CNNPhilippines

Key points

  • Deepfake video of Maria Ressa promoting Bitcoin Method circulated via Facebook and MSN ads targeted at Filipino audiences.
  • Domain ultimainv{.}website was used to host fake CNN/Rappler articles and the deepfake video, forming the campaign’s landing pages.
  • Clone articles imitating Rappler.com and CNN Philippines were created and published in January–February 2024.
  • Metadata and domain history point to Russian editors and a Russian advertising network ecosystem tied to the campaign.
  • Defamatory content coexisted with a defunct Russian business page (Handy Heater) on the same domain, indicating an opportunistic shift in pages.
  • Russian network infrastructure and CPA ad broker M1.top coordinated the promotion and tracking of victims’ data, with a long list of associated domains.
  • Keitaro tracker parameters (_lp and _token) were used for geo-fencing the landing pages, indicating targeted delivery and per-campaign attribution tracking.

MITRE Techniques

  • [T1589] Acquire Infrastructure – “Domain registration data of ultimainv{.}website and bitcoinmethod{.}com used in the deep fake campaign” – The campaign relied on registering and using domains to distribute content.
  • [T1583.001] Domain Registration – “Domain registration data of ultimainv{.}website and bitcoinmethod{.}com used in the deep fake campaign” – Domains were intentionally acquired to host campaign content.
  • [T1583.002] Web Hosting – “Hosting information of domains ultimainv{.}website and bitcoinmethod{.}com” – The campaign used hosting services to publish clone articles and videos.
  • [T1036] Masquerading – “The disinformation campaign against Ressa served the deep fake video in two fake articles (hosted under ultimainv{.}website) with the graphical appearance of Rappler.com and CNN Philippines.” – The fabrications mimicked legitimate outlets.
  • [T1204.001] User Execution: Malicious Link – “The articles were later promoted as Ads in the Microsoft Network in the Philippines using the title ‘The end for her?’” – Users would encounter promoted content that included malicious links.

Indicators of Compromise

  • [Domain] ultimainv{.}website – used to host fake CNN/Rappler content and the deepfake video; bitcoinmethod{.}com also referenced.
  • [Domain] api.m1.top – part of M1’s postback network used to relay victim data.
  • [IP] 213.5.70.57, 213.5.70.60, 213.5.70.58, 213.5.70.131, 213.5.70.114, 213.5.70.113 – observed hosting and infrastructure indicators.
  • [Facebook Page] ID 03322809538341 – page disseminating the cloned content.
  • [Other Domains/Names] nametovar{.}com, promoshopmedia{.}com, besttovarsale{.}com, luckysaleonline{.}com, magsh{.}site, and others linked to the M1 postback ecosystem.
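The indicators above, used as an added detection example that is not part of Qurium's report: a small scanner that flags proxy log lines touching the listed domains or IPs, or carrying the Keitaro-style `_lp`/`_token` tracker parameters named in the key points. The log format, client addresses and the `unknown-lander.example` host are constructed for the example.

```python
# Added example (not from the Qurium report): flag proxy log lines that touch
# the infrastructure indicators listed on this page or that carry Keitaro-style
# tracker parameters (_lp / _token). The log lines below are constructed samples.
from urllib.parse import urlsplit, parse_qs

IOC_DOMAINS = {"ultimainv.website", "bitcoinmethod.com", "api.m1.top",
               "nametovar.com", "promoshopmedia.com", "besttovarsale.com",
               "luckysaleonline.com", "magsh.site"}
IOC_IPS = {"213.5.70.57", "213.5.70.60", "213.5.70.58",
           "213.5.70.131", "213.5.70.114", "213.5.70.113"}
KEITARO_PARAMS = {"_lp", "_token"}

# Constructed sample: "<timestamp> <client_ip> <dest_ip> <method> <url>"
SAMPLE_LOG = """\
2024-02-03T09:12:44Z 10.0.0.14 213.5.70.57 GET https://ultimainv.website/rappler/the-end-for-her?_lp=1&_token=abc123
2024-02-03T09:12:51Z 10.0.0.14 203.0.113.8 POST https://api.m1.top/postback?status=lead
2024-02-03T09:13:02Z 10.0.0.22 198.51.100.5 GET https://www.rappler.com/nation/
2024-02-03T09:13:10Z 10.0.0.31 213.5.70.131 GET https://unknown-lander.example/offer?_lp=2
"""


def classify(line):
    """Return the set of reasons a log line is suspicious (empty if clean)."""
    _ts, _client, dst_ip, _method, url = line.split(maxsplit=4)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = set()
    # exact match or subdomain of a listed domain
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        reasons.add("ioc-domain")
    if dst_ip in IOC_IPS:
        reasons.add("ioc-ip")
    # Keitaro tracker parameters survive even when the lander domain is new
    if KEITARO_PARAMS & set(parse_qs(parts.query, keep_blank_values=True)):
        reasons.add("keitaro-params")
    return reasons


def scan(log_text):
    """Return (client_ip, url, sorted reasons) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            fields = line.split(maxsplit=4)
            hits.append((fields[1], fields[4], sorted(reasons)))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {url}: {', '.join(reasons)}")
```

The fourth sample line shows why the parameter check matters: the lander host is not on the list, but the destination IP and the `_lp` parameter still tie it to the same infrastructure.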

Read more: https://www.qurium.org/alerts/philippines/deep-fake-video-of-maria-ressa-connected-to-cyberscam-network-in-russia/