Deepfakes and Unkept Promises lead to Financial Fraud on Social Media, targeting the General Public

A wave of deepfake-finfluencer scams impersonating popular personalities has been exploiting social media platforms like Facebook and Instagram to deceive victims into investing in fake stock market schemes. These scams, involving over 120 ads and multiple bogus identities, have caused significant financial and psychological harm while raising concerns about the regulation of online investment advice. #DeepfakeScam #ShwetaSharma #PigButcheringScam

Key Points

  • Scammers impersonated beauty influencer Prerna Nigam as “Shweta Sharma” using deepfake technology to promote fake stock market investment schemes.
  • Over 120 scam ads were identified on Facebook and Instagram, originating from 20 different Facebook accounts.
  • The scams rely on deepfake videos and fake testimonials to create false credibility and entice victims to invest with promises of doubling money within hours.
  • Multiple bogus finfluencers, including “Elena Fernandez,” have been discovered using stolen identities and AI-generated endorsements.
  • Meta removed more than 23,000 Facebook pages/accounts linked to deepfake scams in India and Brazil during March 2025.
  • The scams cause severe impact including financial loss, psychological trauma for victims, and criminal charges for offenders under Indian IPC and IT Act provisions.
  • These schemes use deceptive domain names and redirect links to Telegram channels for further fraud operations.

MITRE Techniques

  • [T1609] Digital Content Creation – Scammers utilized AI-generated deepfake videos impersonating public figures to create seemingly credible investment endorsements. (“CloudSEK’s Deepfake Analyzer has stated the possibility of the video being a deepfake”)
  • [T1586] Compromise Infrastructure – Use of multiple Facebook and Instagram accounts and domains linked by reverse IP to orchestrate scam advertisements and redirect victims. (“Domains used to promote them and from performing a reverse IP on them…”)
  • [T1204] User Execution – Victims were led to execute fraudulent transactions after engaging with deepfake ads and social media content promising unrealistic returns. (“Screenshots of instant payments made via UPI to investors also helped to drive traffic”)
  • [T1566] Phishing – Use of gclnk.com redirect links embedded in Facebook profiles to channel victims into Telegram groups for further scam communication. (“Utilization of gclnk.com links…redirect users to Telegram Channels endorsed by scammers”)
  • [T1499] Endpoint Denial of Service – Meta’s automated classifiers remove scam pages after detection, aiming to reduce exposure. (“Meta removed over 23,000 Facebook pages/accounts in India and Brazil in March 2025”)

Indicators of Compromise

  • [Facebook Pages] Scam operation accounts – Examples include “Shweta Sharma,” “Mentor Shweta Sharma,” “Expert Shweta Sharma,” among 20 linked pages involved in promoting scams.
  • [Telegram Channels] Contact platforms – Multiple Telegram channels promoted through scam Facebook pages using gclnk.com redirect links.
  • [Domains] Promotional websites – Domains associated with bogus finfluencers, including those impersonating “Elena Fernandez,” discovered via reverse IP lookups.
  • [Instagram Pages] Fraudulent profiles – Instagram accounts circulating deepfake videos and promotional content related to the scam operation.
  • [UPI Transactions] Fake payment proofs – Screenshots of UPI transfers shown in scam advertisements to simulate legitimacy.
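
A triage sketch for the page-name and redirect-link indicators above, added here as an example and not taken from the CloudSEK report: it groups social media pages whose names differ only by a prepended role word and keeps the groups that also carry gclnk.com links. The record fields (`page_name`, `bio`), the role-word list, and all sample records are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: role words prepended to a persona name; extend from your own data.
TITLE_WORDS = {"mentor", "expert", "coach", "guru", "advisor", "trader"}
REDIRECT_HOSTS = {"gclnk.com"}  # redirect service named in the report
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def persona_key(page_name):
    """Lower-case the name and drop role words so variants collapse to one key."""
    tokens = re.findall(r"[a-z]+", page_name.lower())
    return " ".join(t for t in tokens if t not in TITLE_WORDS)

def redirect_links(text):
    """Return URLs whose host is a listed redirect host or a subdomain of one."""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,")
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in REDIRECT_HOSTS):
            hits.append(url)
    return hits

def find_clusters(records, min_pages=2):
    """Group pages by persona key; keep groups with several pages and a redirect link."""
    clusters = defaultdict(lambda: {"pages": set(), "links": set()})
    for rec in records:
        key = persona_key(rec["page_name"])
        if key:
            clusters[key]["pages"].add(rec["page_name"])
            clusters[key]["links"].update(redirect_links(rec["bio"]))
    return {k: {"pages": sorted(v["pages"]), "links": sorted(v["links"])}
            for k, v in clusters.items()
            if len(v["pages"]) >= min_pages and v["links"]}

# Constructed sample records (not real data); URL paths are placeholders.
SAMPLE = [
    {"page_name": "Shweta Sharma", "bio": "Free stock tips: https://gclnk.com/EXAMPLE1"},
    {"page_name": "Mentor Shweta Sharma", "bio": "Join now https://gclnk.com/EXAMPLE2."},
    {"page_name": "Expert Shweta Sharma", "bio": "DM for daily calls"},
    {"page_name": "Coach Example Person", "bio": "Site: https://notgclnk.com/x"},
    {"page_name": "City Bakery", "bio": "Order at https://example.com/menu"},
]

if __name__ == "__main__":
    for key, info in find_clusters(SAMPLE).items():
        print(key, info["pages"], info["links"])
```

A flagged cluster is a lead for analyst review, not a verdict: genuine creators can run several pages, so check it against the other indicators listed above.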


Read more: https://www.cloudsek.com/blog/deepfakes-and-unkept-promises-lead-to-financial-fraud-on-social-media-targeting-the-general-public