DNS

The Emerging Dynamics of Deepfake Scam Campaigns on the Web

Clock Icon 18 min read

Executive Summary

Our researchers discovered dozens of scam campaigns using deepfake videos featuring the likeness of various public figures, including CEOs, news anchors and top government officials. These campaigns appear in English, Spanish, French, Italian, Turkish, Czech and Russian. Each campaign typically targets potential victims in a single country, including Canada, Mexico, France, Italy, Turkey, Czechia, Singapore, Kazakhstan and Uzbekistan.

Due to their infrastructural and tactical similarities, we believe that many of these campaigns likely stem from a single threat actor group. We have observed this threat actor group using deepfake videos to spread fake investment schemes and fake government-sponsored giveaways.

As of June 2024, we had discovered hundreds of domains being used to promote these campaigns. Each domain has been accessed an average of 114,000 times globally since going live, based on our passive DNS (pDNS) telemetry.

Starting with a campaign promoting an investment scheme called Quantum AI, we studied the infrastructure behind this campaign to track its spread over time. Through this infrastructure investigation, we discovered several additional deepfake campaigns leveraging completely different themes that the same threat actor group created and promoted. These additional scam campaigns used different languages and the likeness of different public figures, suggesting that each campaign is intended for a different target audience.

Despite the use of generative AI (GenAI) in these campaigns, traditional investigative techniques remain useful to identify the hosting infrastructure leveraged by these threat actors. As the malicious usage of deepfake technology increases among threat actors, so should defenders’ efforts to proactively detect and prevent these types of attacks.

Customers of Palo Alto Networks are better protected from these attacks via Advanced URL Filtering, which will continue to detect and block websites that are used to propagate deepfake-based scam campaigns.

Related Unit 42 Topics Scams, Phishing

Discovering Quantum AI Hosting Infrastructure

To study the Quantum AI campaign, we decided to analyze the infrastructure behind the websites hosting these attacks. Starting with an initial seed set of detections from our deepfake video detection pipeline, we then looked for additional websites serving up known malicious videos. We observed several Quantum AI-related videos that adversaries were widely sharing via websites hosted on newly registered domains.

Upon further investigation, we identified that the videos themselves were primarily hosted on a single domain:

  • Belmar-marketing[.]online

Next, we searched for other web pages that served video files from this domain and also contained keywords like Quantum AI in the HTML content.

Through this process, we were able to uncover dozens of other scam pages using these videos as a lure. We then used the content on these web pages as well as the pathnames of the video files to create signatures to expand our detections. (See the Indicators of Compromise section for example URLs.)

In May 2024, we noticed that an increasing number of Quantum AI videos were being hosted on other domains as well, including the following:

  • Ai-usmcollective[.]click
  • Fortunatenews[.]com
  • Fiirststreeeet[.]top

We also discovered some sites built using website builders that were promoting the same Quantum AI scam. In these cases, the attackers re-hosted the video directly on the site via the website builder, not on one of the shared video-hosting domains mentioned above.

Quantum AI Example Videos and Web Pages

In Figures 1-7, we present examples of Quantum AI scam web pages and videos discovered by our video analysis pipeline and infrastructure-based investigation. In most of these examples, the scam web page was hosted on a newly registered domain, and the video was hosted as an .mp4 file on one of the shared video-hosting domains mentioned above (e.g., belmar-marketing[.]online).

In most cases, the attackers appear to have started with a legitimate video and added on their own AI-generated audio. Finally, they used lip-syncing technology to modify the lip movement of the speaker to match the AI-generated audio. Most of the videos use Elon Musk as their celebrity of choice, although we discovered a handful of examples using other public figures as well:

  • Tucker Carlson
  • Lee Hsien Loong, the former Prime Minister of Singapore
  • Tharman Shanmugaratnam, the President of Singapore (as of June 2024)

SmartInvests promotional website page featuring a video of a person speaking on stage, flanked by blue lighting, with text overlay encouraging investment to change the world and get rich quickly. Text asks the reader to join the quantum revolution.
Figure 1. Huerwlleiss-herton[.]pro, a website using an Elon Musk deepfake video to promote the Quantum AI scam.
Screen shows a split image with a promotional banner for "Tucker Carlson Originals" featuring Tucker Carlson on the left and Elon Musk on the right, announcing an interview event. On the right side of the screen, there is a web interface for creating an account with fields for name, email, country, and phone number.
Figure 2. Bitquantumai[.]com, a website using a deepfake video of Elon Musk and Tucker Carlson to promote the Quantum AI scam.
Elon Musk presenting on stage at an event, with a projected background image and audience visible. The webpage also shows an overlay with a login prompt from QuantumAI. The Tesla logo is on the bottom right of the screen. There is a CAPTCHA refresh button.
Figure 3. Quantumal[.]xyz, a website used to promote the Quantum AI scam. The web page asks for a referral code to log in.

Elon Musk presenting. QuantumAI logo. Caption that reads "THE WORLD'S FIRST QUANTUM.
Figure 4. Screenshot of an Elon Musk deepfake video used to promote the Quantum AI scam. In the video, deepfake-Elon claims that Quantum AI is the “world’s first quantum computing software developed by his team with a success rate of 91%.”
Elon Musk being interviewed. FOX News channel logo. Caption about Quantum AI's potential to revolutionize industry.
Figure 5. Another screenshot of a different Elon Musk deepfake video used to promote the Quantum AI scam.
QuantumAI website homepage featuring a promotional banner about turning $250 into $9,000, an invitation to sign up for free, and a video playback window showing a news segment with an interviewee speaking, adorned by the Singapore flag in the background.
Figure 6. Griffinware-tm.cloud, a website using a deepfake video of Lee Hsien Loong, the former Prime Minister of Singapore, to promote the Quantum AI scam.
A person in business attire is seated at a news desk with the words "Quantum AI" displayed below. The background features a plain, light-colored wall.
Figure 7. A screenshot of a deepfake video of Tharman Shanmugaratnam, the current President of Singapore, used to promote the Quantum AI scam.

Deepfake Campaign Discovery and Tracking

After investigating the Quantum AI scam campaign, we explored broader trends surrounding these deepfake campaigns as a whole.

Uncovering Additional Deepfake Scams

In addition to the Quantum AI scam, we also investigated the other videos that were present on these video-hosting domains. In doing so, we were able to uncover several other scam campaigns (likely propagated by the same threat actor group), many of which use deepfake videos as a lure. These deepfake videos typically use the likeness of public figures like CEOs, news anchors or top government officials.

We discovered deepfake videos in several different languages, including English, Spanish, French, Italian, Turkish, Czech and Russian. Each campaign typically targets potential victims in a single country, including Canada, Mexico, France, Italy, Turkey, Czechia, Singapore, Kazakhstan and Uzbekistan.

Similar to the Quantum AI scam campaign, these videos add AI-generated audio on top of an existing video and use lip-syncing tools to alter the lip movement of the speaker to match the new audio. Visitors to these web pages are prompted to register with their name and phone number, and they are instructed to await a call from an account manager or representative.

In many of these cases, we discovered several newly registered domains hosting the same content (and the same deepfake video lure). This means that each of these scam web pages is part of a larger campaign, not just a one-off scam web page.

For example, in the case of the KazMunayGas scam shown below in Figure 8, we found scammers using the same video across several recently registered domains, including:

  • Aigroundwork[.]top
  • Aitfinside[.]shop
  • Block4aischeme[.]top
  • Systemaigroundwork[.]shop

The Indicators of Compromise section provides a more complete list of these domains.

A news anchor reporting on a financial surge in Kazakhstani banks due to payments from KazMunayGas, displayed on a computer screen with multiple open browser tabs.
Figure 8. Coinframework[.]top, a scam website using an AI-manipulated video of a Kazakh news anchor to promote a fake giveaway started by KazMunayGas, the state-owned oil and gas company of Kazakhstan.
Screenshot of the Kyivstar registration form webpage, featuring fields for name and phone number and an 'Apply now' button. Below is a comment section with a user testimonial about a quick money transfer.
Figure 9. Riseanalyze[.]click, a website linked to from coinframework[.]top. This website contains a registration form for the KazMunayGas-themed scam.
Although the languages and impersonation-targets of these scam campaigns are different, they share the following similarities:

  • They all use similar deepfake techniques
  • They have similar calls to action
  • They host their videos on a small, shared set of domains (that do not seem to be used for any other purpose than to host these scam videos)

This suggests that these campaigns can most likely be attributed to a single threat actor group.

We present some selected examples of these additional scam campaigns in Figures 10-15.

Screenshot of the TotalEnergies website featuring a news video with a person speaking, set against a backdrop displaying the U.S. Capitol building. The page includes text in French about national resources and wealth, dated April 1, 2024.
Figure 10. Invest-toolavenue[.]shop, a scam website using an AI-manipulated video of Patrick Pouyanné (TotalEnergies CEO) to promote a fake giveaway supposedly created by TotalEnergies, a French multinational energy and petroleum company.
A screenshot of a webpage in French from "pokelawee.fr" with an "Inscription" form asking for "Nom de famille" (last name) and a contact number, set against a vibrant orange background. The form contains a text box for entering details and a "Continuer" button. There is a popup to translate the page into English or French.
Figure 11. Invest-toolavenue[.]shop, continued from Figure 10.

President Andrés Manuel López Obrador of Mexico speaking at a desk with the Mexican flag displayed in the background and books on shelves. There is a popup to translate the page into English or Spanish.
Figure 12. Capitalflow-skillful.shop, a scam website using an AI-manipulated video of Andrés Manuel López, the President of Mexico, to promote a fake “Mexican Investment Society Project.”
A screenshot of a website promoting a program with an embedded video featuring a person speaking at a podium, with an American flag in the background. The website is in Italian and includes fields for name and email for registration.
Figure 13. Untamedal.top, a scam website using an AI-manipulated video of Giorgia Meloni, the Prime Minister of Italy, to promote a fake state-sponsored investment program called FinInvest.

Web page interface of The World Bank with a headline about Europeans investing in international banks for diversification and stability. The right-hand portion contains a contact form asking for a first name, surname, email, and phone number, with a submit button to become an investor.
Figure 14. Hugeproject[.]shop, a World Bank-themed scam website using an AI-manipulated video of a woman claiming to represent an international investment bank.
Person smiling in a paused video. On the right is an About Us field. Below this is a revenue calculate and the text "How much do investors earn by trusting us."
Figure 15. Hugeproject[.]shop, continued from Figure 14.

Campaign Activity Over Time

While these campaigns started about a year ago, we observed a large spike of newly observed domains (shown in Figure 16) in February 2024. Unlike typical phishing or malware domains, these domains are relatively long-lived, with an average active time of 142 days.

Line graph showing the 'Number of Domains', over the months from July 2023 to May 2024. The graph shows fluctuations in domain numbers, peaking notably in February 2024.
Figure 16. The number of newly observed domains hosting deepfake videos over time.

Figure 17 shows that the number of active domains exponentially increased until about March 2024, and the total number of active domains has remained steady to the present day.

Line graph displaying the monthly growth in the number of domains from July 2023 to June 2024, with significant increases starting in January 2024. The graph starts at 7 domains and peaks at 175 domains by June 2024.
Figure 17. The number of active domains hosting deepfake videos over time.

Furthermore, it is concerning to note that these domains have a high reach, with each domain being accessed an average of 114,000 times since they first went live, based on pDNS telemetry. The actual number is likely much higher.

Hosting Infrastructure Analysis

Going with the current trend of camouflaging in shared hosting infrastructure, 86.7% of these campaign domains are using the same popular content delivery network (CDN). Multiple IP addresses from the CDN host the same content across different geographic locations, with the U.S., the Netherlands and Russia being the top 3 locations. The utilization of CDNs makes it difficult to attribute the campaign to a particular threat actor or geolocation.

We observed that the attackers primarily hosted their videos on a small set of attacker-owned domains. Attackers presumably did this to circumvent takedown issues that could occur on more popular video-hosting platforms.

Until April 2024, we observed that the deepfake videos were predominantly hosted on belmar-marketing[.]online. However, starting in May 2024, the attackers began to rotate their video hosting locations more frequently. As such, we observed that videos were now mainly hosted on fiirststreeeet[.]top, ai-usmcollective[.]click and fortunatenews[.]com.

Looking for web pages that link to videos hosted on these domains has been very valuable for tracking the spread of these campaigns so far. We will continue to monitor for new video-hosting domains as these campaigns progress.

How the Quantum AI Scam Works

During our research, we observed posts and ads promoting Quantum AI on various social media platforms (shown in Figures 18-20). According to the Australian National Anti-Scam Center, scammers often first use these sorts of social media ads or fake news articles to link to scam web pages that ask for the victim user’s contact information.

Tweet pinned by Quantum Trading Post X account. Elon Musk has thrown his support behind the Quantum AI revolution, signaling a future where we all stand to profit. This cutting-edge tech promises to redefine trading. 100% guaranteed profits. Video of Elon Musk speaking. Quantum AI logo.
Figure 18. Social media post linking to a Quantum AI scam web page.
Screenshot of a social media post from 'ELON_MUSK_BOT3' with a patterned green background and text promoting an investment opportunity. The post invites members to contact the admin for setting up an investment plan, highlighting acceptance of various cryptocurrencies like Bitcoin, Ethereum and more.
Figure 19. Messaging platform post linking to a Quantum AI scam web page.
A person's hand holding a smartphone displaying an advertisement for joining QuantumAI. A laptop keyboard and bundles of 100 dollar bills are also visible on the desk. An accompanying Facebook post by "Elon Musk Tesla Company" encourages viewers to invest in Quantum AI.
Figure 20. Social media post using a video to promote the Quantum AI scam.

After visiting the scam landing page and filling out a form to sign up for the platform, one of the scammers gives the victim a phone call. In this call, the scammer tells the victim they’ll need to pay around $250 to access the platform.

The scammer instructs the victim to download a special app so that they can “invest” more of their funds. Within the app, a dashboard appears to show small profits. From there, the scammers continue persuading the victim to deposit more of their money and may even allow the victim to withdraw a small amount of money as a way to gain trust.

Finally, when the victim tries to withdraw their funds, the scammers either demand withdrawal fees, or cite some other reason (e.g., tax issues) for not being able to get their funds back. The scammers may then lock the victim out of their account and pocket the remaining funds, causing the victim to have lost the majority of the money that they put into the “platform.”

Overview of the Web-Based Deepfake Scam Landscape

Quantum AI is not the only scam that adversaries are using involving deepfakes. In this section we’ll discuss other techniques and services that they have been using.

In early 2024, a company lost $25 million to attackers who used deepfake technology to impersonate their chief financial officer on a video conferencing call. While video conferencing deepfakes have received significant attention as a result of this attack, web-based deepfake scams are an emerging threat that researchers should monitor as well.

2024 is predicted to be the largest voting year in history. Over 60 countries are holding significant elections this year, meaning that around half the world's population could be directly affected by these events. In response, researchers have raised concerns about the potential for deepfakes to promote political misinformation. However, the impact of deepfakes is not limited to the political domain. Cybercriminals have already been creating and sharing deepfake videos for their own malicious purposes.

Deepfakes Used to Promote Scams and Phishing Attacks

Since the advent of GenAI, attackers have used deepfakes to promote political misinformation, and even to further voter outreach. For example, in early 2024, a Democratic political consultant used an audio deepfake of Joe Biden to discourage voters in the state of New Hampshire from voting in the upcoming primary election.

In India, politicians actively encouraged their supporters to create deepfakes to promote their own candidacies. In 2022, an unknown threat actor used manipulated deepfake videos of Ukrainian President Volodymir Zelensky as a part of information warfare in the Russia-Ukraine war.

Now, we are seeing cybercriminals start to use deepfake media to promote their own scams and phishing attacks as well. In recent months, reporters have observed scams impersonating figures like Elon Musk (shown in Figure 21), Bill Gates and Warren Buffett to peddle fake cryptocurrencies, giveaways and other investment schemes. These are created with the ultimate goal of stealing funds from victims. (Our previous tweets on this topic have more details.)

Elon Musk is featured in an NBC broadcast discussing Liberty Coins, with an inset image of a golden coin.
Figure 21. Screenshot of an Elon Musk deepfake video seen on patriotsmaga2024[.]com, a website promoting the sale of fake “Trump Liberty Coins.”
Previously, these attackers might have used paid actors to promote their scams (e.g., by creating videos purporting to be a client who profited from a fake investment scheme). With the increasing popularity and effectiveness of tools that use AI to generate content (e.g., images, audio and video), attackers are now able to create these videos in a cheaper and more convincing way.

Deepfakes as a Service

Our researchers have encountered cybercriminals selling, discussing and trading deepfake tooling and creation services across forums, social media chat channels and instant messaging platforms. These tools and services offer capabilities for generating deceptive and malicious content including audio, video and imagery. The ecosystem surrounding deepfake creation and tooling is alive and vibrant, and cybercriminals are selling a variety of options from face swapping tools to deepfake videos.

Face swapping tools like Swapface (shown in Figure 22) range in price from free to over $249 a month. Adversaries abuse these tools, placing the videos they create on diverse platforms and social media platforms. Swapface offers user-friendly filters and face swapping that operates in real time, allowing users to alter or replace faces in videos.

Screenshot of SWAPFACE's pricing page showing various subscription plans ranging from a free tier to an Enterprise plan, detailing features like image faces per day, team access, and no tracker storage for each level.
Figure 22. Swapface tooling subscription cost.

The criminal application of deepfake tooling and creation services and tools includes the following activities:

  • Facilitating the creation of fake identities
  • Committing bank fraud
  • Orchestrating disinformation campaigns
  • Bypassing know-your-customer verification checks
  • Performing cryptocurrency theft

These services can manipulate visuals and audio with alarming precision, leading to significant ethical and security concerns. The cost of generating a deepfake video can vary widely, typically ranging from $60 to $500, reflecting the complexity and quality of the requested forgery.

As seen in Figure 23, we also discovered messaging platform channels specifically advertising the creation of deepfake videos for scam purposes.

Channel by Deepfakes from SM Crew. Posts show two seperate videos. Channel profile shows 37 subscribers, an anime character and A$AP Rocky, information in Cyrillic and some redacted text.
Figure 23. Messaging platform channel dedicated to deepfake generation services.

The accessibility and range of costs make deepfakes particularly versatile tools for maliciousness, posing challenges for both individuals and institutions trying to safeguard against fraud and misinformation.

Conclusion

Despite the use of GenAI in these campaigns, traditional investigative techniques remain useful to identify the hosting infrastructure leveraged by these threat actors. As threat actors increase their use of deepfake technology, organizations should also proactively defend against these types of attacks.

Palo Alto Networks researchers will continue to monitor these deepfake-based scam campaigns and continue to discover and investigate additional deepfake-based scam campaigns. As such, we can ensure that our customers are better protected from them via Advanced URL Filtering.

Indicators of Compromise

Deepfake Scam Examples

Deepfake of Kevin O'Leary sitting at a table during a television interview, with a caption that reads: 'Canadian residents are quitting their 9-5 with this AI trading bot' and a subtitle stating 'at least 27,000 CAD per month.'
Figure 24. Screenshot of a scam video containing a deepfake of Kevin O’Leary.

Example 1

  • Web page URL: xtradgpt[.]online
  • Video URL: hxxps://quontic[.]site/wp-content/uploads/2024/07/449030935_482215324194392_281914555774571171_n[.]mp4
  • Language: English
  • Country targeted: Canada
  • Deepfake of: Kevin O'Leary (Canadian businessman)
  • Summary: Promoting an AI trading bot that allows Canadian citizens to earn at least $27,000 Canadian dollars per month
Deepfake of Tharman Shanmugaratnam on business attire is presenting, with text overlay stating "The possibility of earning from $8,000" in a studio setting.
Figure 25. Screenshot of a scam video containing a deepfake of Tharman Shanmugaratnam (Prime Minister of Singapore).

Example 2

  • Web page URL: euphemiouslystner[.]life
  • Video URL: hxxps://hemicdn[.]com/1501-1400-3505[.]mp4
  • Language: English
  • Country targeted: Singapore
  • Deepfake of: Tharman Shanmugaratnam (Prime Minister of Singapore)
  • Summary: Promoting a fake investment scheme named Quantum AI
Deepfake of Patrick Pouyanné, speaking about an investment platform supported by the government and guaranteed by the Bank of France, with the U.S. Capitol in the background and the TotalEnergies logo displayed in the corner.
Figure 26. Screenshot of a scam video containing a deepfake video of Patrick Pouyanné (CEO of TotalEnergies).

Example 3

  • Web page URL: invest-toolavenue[.]shop
  • Video URL: hxxps://ai-usmcollective[.]click/videos/TotalEnergies_news_FR[.]mp4
  • Language: French
  • Country targeted: France
  • Deepfake of: Patrick Pouyanné (CEO of TotalEnergies)
  • Summary: Promoting a fake investment platform sponsored by TotalEnergies, and guaranteed by the Bank of France
Deepfake of President Andrés Manuel López Obrador of Mexico giving a speech in an office, with the Mexico flag prominently displayed to the left. Above the video is text in Spanish. The browser option to translate to English is selected.
Figure 27. Screenshot of a scam web page containing a deepfake video of Andrés Manuel López Obrador (President of Mexico).

Example 4

  • Web page URL: capitalflow-skillful[.]shop
  • Video URL: hxxps://ai-usmcollective[.]click/videos/MexicanPartnership_man_MX[.]mp4
  • Language: Spanish
  • Country targeted: Mexico
  • Deepfake of: Andrés Manuel López Obrador (President of Mexico)
  • Summary: Promoting a fake “Mexican Investment Society Project”
Deepfake of Giorgia Meloni speaking at a podium with a United States flag in the background. There are subtitles in Italian that mention a monthly amount of 10,800 euros.
Figure 28. Screenshot of a scam video containing a deepfake of Giorgia Meloni (Prime Minister of Italy).

Example 5

  • Web page URL: untamedal[.]top
  • Video URL: hxxps://ai-usmcollective[.]click/videos/FinInvest_woman-performing_IT[.]mp4
  • Language: Italian
  • Country targeted: Italy
  • Deepfake of: Giorgia Meloni (Prime Minister of Italy)
  • Summary: Promoting a fake state-sponsored investment program called FinInvest
Scam video with deepfake of Andrej Babiš speaking during a news broadcast on Prima News.
Figure 29. Screenshot of a scam video containing a deepfake of Andrej Babis (Czech politician and businessman).

Example 6

  • Web page URL: hxxps://hybridpowerit[.]com/
  • Video URL: hxxps://ai-usmcollective[.]click/videos/ImmediateMatrix-PNewsQZ-Invest[.]mp4
  • Language: Czech
  • Country targeted: Czechia
  • Deepfake of: Andrej Babis (Czech politician and businessman)
  • Summary: Promoting a fake investment platform for Czech citizens
Deepfake video of Alisher Usmanov presenting in a business suit, standing against a plain background. Subtitle suggests discussion of money with a mention of 10,000 lirasini.
Figure 30. Screenshot of a scam video containing a deepfake of Omer Koc (Turkish businessman).

Example 7

  • Web page URL: rondeliercore[.]com
  • Video URL: hxxps://hemicdn[.]com/video_5848484848485[.]mp4
  • Language: Turkish
  • Country targeted: Turkey
  • Deepfake of: Omer Koc (Turkish businessman)
  • Summary: Introducing an AI-powered trading bot that allows users to earn a stable income of 10,000 Turkish liras
Deepfake video of Alisher Usmanov sitting at a desk with a microphone, speaking, displayed on a website. In the background, a blurred cityscape with a prominent tower is visible. The browser option to translate the page to English is selected.
Figure 31. Screenshot of a scam web page containing a deepfake video of Alisher Usmanov (Uzbek and Russian businessman).

Example 8

  • Web page URL: hxxps://naatuureeffocus[.]com/
  • Video URL: hxxps://ai-usmcollective[.]click/videos/USM_novosti-usmanov_UZ[.]mp4
  • Language: Russian
  • Country targeted: Uzbekistan
  • Deepfake of: Alisher Usmanov (Uzbek and Russian businessman)
  • Summary: Presenting a new investment platform for citizens of Uzbekistan

Update on Sept. 19, 2024

Deepfake video of former President Donald Trump speaking on television, with captions displayed, against a backdrop of the U.S. flag and presidential seal. Subtitle reads "as a token of appreciation every AMF check you have will be worth $10,000."
Figure 32. Screenshot of a scam video containing a deepfake of Donald Trump.

Example 9

  • Web page URL: mtgaeth[.]vip
  • Video URL: hxxp://mtgaeth[.]vip/video/videos-2[.]mp4
  • Language: English
  • Country targeted: United States
  • Deepfake of: Donald Trump (45th President of the United States)
  • Summary: Selling fake "American Monetary Fund" (AMF) checks, which Americans can cash out for $10K after the 2024 US presidential election
Deepfake of Matthew Amroliwala reporting on BBC News about a new investment project from Elon Musk, noting that British people will receive a return on investment. The screen displays 'EXCLUSIVE' and 'UK' tags with a time stamp of 17:22.
Figure 33. Screenshot of a scam video containing a deepfake of Matthew Amroliwala (BBC Newscaster).

Example 10

  • Web page URL: bitvidex360[.]trade
  • Video URL: hxxps://bitvidex360[.]trade/wp-content/uploads/2023/08/Bitvidex360-Trade[.]mp4
  • Language: English
  • Country targeted: United Kingdom
  • Deepfake of: Matthew Amroliwala (BBC Newscaster)
  • Summary: Announcing a fake investment project from Elon Musk that allows British residents to earn an income of 5,700 pounds per day
Phishing webpage mimicking the site of the Federal Government of Brazil featuring a deepfake video of Luiz Inácio Lula da Silva, displayed alongside the national emblem. The webpage includes a notification about the calculation of compensation, a video progress bar indicating 1:26 of 1:46 minutes viewed, and a blue button labeled 'I want to receive my compensation.' Some of the information has been redacted.
Figure 34. Screenshot of a phishing web page containing a deepfake video of Luiz Inácio Lula da Silva (President of Brazil).

Example 11

  • Web page URL: consultar-resgate[.]com/ll/etapa2
  • Video URL: hxxp://consultar-resgate[.]com/videos/vsl[.]mp4
  • Language: Portuguese
  • Country targeted: Brazil
  • Deepfake of: Luiz Inácio Lula da Silva (President of Brazil)
  • Summary: Announcing a government program called Indeniza Brasil that will provide compensation to Brazilian citizens whose personal data was leaked due to a government database system failure
Deepfake of Emomali Rahmon flanked by flags. The setting includes official decor with a white and gold interior. Subtitles in Russian are visible at the bottom of the screen.
Figure 35. Screenshot of a scam video containing a deepfake of Emomali Rahmon (President of Tajikistan).

Example 12

  • Web page URL: crisiswatch[.]online
  • Video URL: hxxps://ai-usmcollective[.]click/videos/GP_prez-tajikistan_RU[.]mp4
  • Language: Russian
  • Country targeted: Tajikistan
  • Deepfake of: Emomali Rahmon (President of Tajikistan)
  • Summary: Announcing a fake government-sponsored giveaway through a partnership with Gazprom

Update on Oct. 23, 2024

Screenshot from CTV News website featuring a deepfake video interview with Jagmeet Singh, discussing a new law related to guaranteed income.
Figure 36. Screenshot of a scam web page containing a deepfake video of Jagmeet Singh (Canadian politician).
  • Web page URL: weixinchannelsmall[.]com
  • Video URL: hxxps://d2l7oiuw3gwvbg[.]cloudfront[.]net/video/JagmeetSingh_923_jag[.]mp4
  • Language: English
  • Country targeted: Canada
  • Deepfake of: Jagmeet Singh (Canadian politician, leader of the New Democratic Party)
  • Summary: Announcing a fake government-sponsored investment program through a partnership with Imperial Oil
Deepfake of Christine Lagarde, President of the European Central Bank, delivering a speech at a podium with the ECB logo in the background.
Figure 37. Screenshot of a scam video containing a deepfake of Christine Lagarde (President of the European Central Bank).
  • Web page URL: kotrotshmot[.]site
  • Video URL: hxxp://kotrotshmot[.]site/video/1735[.]mp4
  • Language: English
  • Region targeted: EU
  • Deepfake of: Christine Lagarde (President of the European Central Bank)
  • Summary: Introducing a fake investment project launched by the European Central Bank and Eurosystem
Screenshot of a Tagesschau web page featuring a deepfake video of Theodor Weimer, CEO of Deutsche Börse. The page includes text descriptions and the Deutsche Börse Group logo in the background.
Figure 38. Screenshot of a fake news website imitating Tagesschau (German TV news
program) and using a deepfake of Theodor Weimer (former CEO of Deutsche Börse).
  • Web page URL: new-company[.]store
  • Video URL: hxxps://new-company[.]store/video/1512_3[.]mp4
  • Language: German
  • Country targeted: Germany
  • Deepfake of: Theodor Weimer (German businessman, former CEO of Deutsche Börse)
  • Summary: Promoting a limited-time offer to trial a fake stock trading algorithm created by major banking corporations
Maib website displaying a news article with a deepfake video of the President of Moldova speaking at a podium, featuring the Moldovan flag in the background.
Figure 39. Screenshot of a scam web page containing a deepfake video of Maia Sandu (President of Moldova).
  • Web page URL: currrencyspot[.]buzz
  • Video URL: hxxps://ai-usmcollective[.]click/videos/Maib_prezident_RU[.]mp4
  • Language: Russian
  • Country targeted: Moldova
  • Deepfake of: Maia Sandu (President of Moldova)
  • Summary: Promoting a fake investment project called “Maib”, which claims to provide Moldovan citizens with up to 30,000 lei per month

Campaign-Specific IoCs

Video Hosting Domains

  • video[.]belmar-marketing[.]online
  • fiirststreeeet[.]top
  • ai-usmcollective[.]click
  • fortunatenews[.]com
  • conspatriots2024[.]com

Quantum AI Scam Web Page Examples

  • agentvisitliarpoint[.]click
  • ai-usmcapital[.]click
  • ai-usmfence[.]click
  • ai-usmoutlay[.]click
  • ai-usmroot[.]shop
  • ai-usmside[.]shop
  • alt-fin-side[.]shop
  • baelandworld[.]com
  • bikeputaware[.]click
  • bit-360[.]site
  • blackenedretl[.]shop
  • blaroya[.]com
  • boarbooks-rh[.]cloud
  • cavernaid-ky[.]cloud
  • certifilite[.]com
  • coredale-pg[.]cloud
  • crystalincantation[.]com
  • d1g1talpoint[.]xyz
  • dearetung[.]homes
  • dflihdr[.]top
  • directors[.]homes
  • dongice-jksd[.]cloud
  • echolimirs[.]top
  • edenovougobio[.]site
  • enter-up[.]top
  • excellentone[.]one
  • fabulous4onee[.]monster
  • firstcoyotecapital[.]click
  • flowcyber[.]click
  • flowersys-sv[.]cloud
  • flowpulse[.]click
  • foodtruckit[.]com
  • fourhillsfarmva[.]com
  • g-tradytactics3[.]site
  • gatenewtechlikew[.]world
  • gfnuw[.]top
  • ggenniusprrojecct[.]site
  • globalmastersilvernew[.]world
  • globalpolytechasd[.]world
  • globalpolytr[.]world
  • goldzonexa[.]world
  • gravetechno-jy[.]cloud
  • greenrealm[.]world
  • grottostones-gl[.]cloud
  • groundbreakinginitiative[.]top
  • gtriotit-wqm[.]site
  • hideoutglownew[.]pro
  • hotelierjobz[.]com
  • huerwlleiss-herton[.]pro
  • iaqa[.]life
  • illjp4gpz[.]sbs
  • illjp4xty[.]sbs
  • inc-co[.]site
  • infosysdata[.]store
  • inv-platform2024[.]site
  • investcontribution[.]top
  • jetshow-qi[.]cloud
  • juoguquda[.]com
  • kevxk[.]top
  • kos4mzf[.]monster
  • kurtilast[.]top
  • kuvukye[.]space
  • lartons[.]top
  • liketechnewgateq[.]world
  • lozlas-ta[.]cloud
  • lozlas-tb[.]cloud
  • lozlas-tc[.]cloud
  • lsuhhf[.]top
  • maplegateu-yj[.]xyz
  • metawings[.]top
  • milfarka[.]store
  • mmajp1oxg[.]monster
  • newforestjoyzonega[.]world
  • newglowhideout[.]pro
  • njecil[.]top
  • oakcloudhi-ere[.]world
  • oakcloudhi-erg[.]world
  • onlinepasivechange[.]sbs
  • originalquantum[.]shop
  • outlayquantum[.]shop
  • owrsasd-tf[.]cloud
  • passionquantum[.]shop
  • peerfeectwall[.]online
  • pinkwheels-ra[.]cloud
  • pinkwheels-rb[.]cloud
  • prevaczcgv[.]site
  • pro-fitters[.]store
  • promisingendeavor[.]website
  • qatuk[.]org
  • quantum-ai[.]link
  • quantumai[.]tools
  • quantumal[.]xyz
  • qvantum-ai[.]tech
  • redwoodrest[.]world
  • registration-form[.]website
  • restigood-oo[.]cloud
  • ricegoodniceproas[.]world
  • rockriddle[.]world
  • rwtfoa-hpl[.]cloud
  • sacvenih[.]sbs
  • ser2kke[.]monster
  • silvermaster-gtj[.]cloud
  • spacemome[.]online
  • spikemaster-ra[.]cloud
  • spikemaster-rj[.]cloud
  • srkgjh[.]top
  • sskkilfulinnvestoor[.]site
  • st-twp[.]cloud
  • stakspat[.]site
  • stockainet[.]site
  • subterrasphere[.]world
  • superstarone[.]one
  • swapfavour[.]com
  • sweetchaseonly[.]click
  • techmerge-ai[.]space
  • techverseasx[.]world
  • testdomaintest[.]site
  • theebeestbrookeer[.]website
  • thequantumai[.]org
  • treewavet[.]world
  • tulalavno[.]store
  • ultravirilehemer[.]com
  • unityventurehub[.]space
  • voidrover-hjsi[.]xyz
  • whitesphereworldjoyful[.]world
  • wizardstar-srea[.]xyz
  • wizardstar-sred[.]xyz
  • wizardstar-sree[.]xyz
  • wizardstar-srej[.]pro
  • wizardstar-sren[.]pro
  • wizardstar-srey[.]xyz
  • wizardstarsrea[.]pro
  • wizardstarsreb[.]pro
  • wizardstarsrek[.]pro
  • wizardstarsreo[.]pro
  • wztnb[.]shop

Quantum AI Scam Video URL Examples

  • hxxps[:]//video[.]belmar-marketing[.]online/videos/QuantumAI_Muskpresentations_EN[.]mp4
  • hxxps[:]//video[.]belmar-marketing[.]online/videos/QuantumAI_musk_EN[.]mp4
  • hxxps[:]//telegra[.]ph/file/3ae9666ce78ae1ba90b47.mp4
  • hxxps[:]//fortunatenews[.]com/video/quantumal__video[.]mp4
  • hxxps[:]//fiirststreeeet[.]top/videos/QuantumAI_Musk-presentation_EN[.]mp4

TotalEnergies Scam Web Page Examples

  • invest-toolavenue[.]shop
  • invest-toolrealm[.]shop
  • investseries[.]shop

TotalEnergies Scam Video URL Examples

  • hxxps[:]//video.belmar-marketing[.]online/videos/TotalEnergies_news_FR[.]mp4
  • hxxps[:]//ai-usmcollective[.]click/videos/TotalEnergies_news_FR[.]mp4

World Bank Scam Web Page Examples

  • hugeproject[.]shop
  • higheststudy[.]click
  • growthventure[.]click
  • growthwall[.]click

World Bank Scam Video URL Examples

  • hxxps[:]//video[.]belmar-marketing[.]online/videos/TheWorldBank_woman_EN[.]mp4
  • hxxps[:]//ai-usmcollective[.]click/videos/TheWorldBank_woman_EN[.]mp4

KazMunayGas Scam Web Page Examples

  • aifaith[.]shop
  • aiprincipal[.]top
  • aireliance[.]top
  • aishield[.]shop
  • aiside[.]shop
  • aisimple[.]top
  • aitfinoutlay[.]top
  • block4aiendeavor[.]shop
  • block4aifinancier[.]shop
  • block4aiinitiative[.]shop
  • block4aimethod[.]top
  • block4aioperation[.]top
  • block4aipatron[.]top
  • block4aiprecaution[.]top
  • block4aiprotection[.]shop
  • block4aiprotection[.]top
  • block4aisafeguarding[.]shop
  • block4aischedule[.]top
  • block4aisystem[.]top
  • block4aitask[.]top
  • block4aiwell-being[.]shop
  • block4alinitiative[.]shop
  • coinaibarrier[.]top
  • coinaibasis[.]top
  • coinaiboundary[.]top
  • coinaichannel[.]top
  • coinaicommunicate[.]top
  • coinaieducate[.]top
  • coinaienclosure[.]top
  • coinaifence[.]top
  • coinaifinancier[.]top
  • coinaiframework[.]top
  • coinaimedium[.]top
  • coinaimethod[.]shop
  • coinaipartition[.]top
  • coinaiprecaution[.]top
  • coinaischedule[.]shop
  • coinaischeme[.]shop
  • coinaishareholder[.]top
  • coinaiside[.]top
  • coinaistage[.]top
  • coinaitask[.]shop
  • coinaiwell-being[.]top
  • coinalcommunity[.]shop
  • coinalendeavor[.]top
  • coinalgamble[.]shop
  • coinalguard[.]top
  • coinalinitiative[.]shop
  • coinalinternational[.]shop
  • coinalprecaution[.]shop
  • coinalsafeguarding[.]top
  • coinalsafetynet[.]shop
  • coinalsafetynet[.]top
  • coinalscheme[.]top
  • coinaltask[.]top
  • coinalundertaking[.]shop
  • coinaluniversal[.]top
  • coinalwell-being[.]shop
  • coinalwell-being[.]top
  • coinalwidespread[.]top
  • coinangelinvestor[.]top
  • coinbacker[.]shop
  • coinband[.]shop
  • coinband[.]top
  • coinbarrier[.]top
  • coincapitalist[.]top
  • coincollective[.]shop
  • coincommunity[.]shop
  • coincommunity[.]top
  • coindependence[.]shop
  • coinfinancier[.]shop
  • coingamble[.]top
  • coingathering[.]shop
  • coininitiative[.]shop
  • coinpartition[.]top
  • coinreliance[.]shop
  • coinside[.]top
  • coinundertaking[.]shop
  • coinundertaking[.]top
  • easylender[.]top
  • gaibarricade[.]top
  • gaibasis[.]top
  • gaiboundary[.]top
  • gaicurriculum[.]top
  • gaidiscover[.]top
  • gaifence[.]top
  • gaiintermediary[.]top
  • gailegalentity[.]top
  • gaimiddleman[.]top
  • gaipioneer[.]shop
  • gaiprecaution[.]shop
  • gaiprecaution[.]top
  • gaiprestige[.]shop
  • gaiprincipal[.]top
  • gaiprinciple[.]top
  • gaiproduction[.]top
  • gaiprotection[.]top
  • gairesplendent[.]top
  • gairush[.]shop
  • gaisafeguarding[.]shop
  • gaishield[.]shop
  • gaiside[.]shop
  • gaisource[.]top
  • gaitfinagent[.]shop
  • gaitfincore[.]shop
  • gaitfinfacilitator[.]shop
  • gaitfinnegotiator[.]shop
  • gaitfinroot[.]shop
  • gaitfinsalesperson[.]shop
  • gaitfinside[.]shop
  • gaitfinsource[.]shop
  • gaiwell-being[.]shop
  • gaiwise[.]shop
  • gaiwonderful[.]top
  • galtcoindiscover[.]top
  • gbeginstart[.]shop
  • gblock4aiacquaint[.]top
  • gblock4aiangelinvestor[.]shop
  • gblock4aicommunicate[.]shop
  • gblock4aiendeavor[.]shop
  • gblock4aifinancier[.]shop
  • gblock4aifortification[.]top
  • gblock4aiguard[.]top
  • gblock4aiinitiative[.]shop
  • gblock4aimethod[.]shop
  • gblock4aimethod[.]top
  • gblock4aioperation[.]shop
  • gblock4aioperation[.]top
  • gblock4aipatron[.]top
  • gblock4aiprotection[.]top
  • gblock4aisafeguarding[.]shop
  • gblock4aisafeguarding[.]top
  • gblock4aisafetynet[.]top
  • gblock4aischedule[.]top
  • gblock4aischeme[.]top
  • gblock4aisequence[.]top
  • gblock4aishield[.]shop
  • gblock4aisystem[.]top
  • gblock4aitask[.]shop
  • gblock4aitask[.]top
  • gblock4aiwell-being[.]shop
  • gblock4aiwell-being[.]top
  • gblock4aiworldwide[.]shop
  • gblock4alinitiative[.]shop
  • gbrightenclosure[.]top
  • gcapitalstart[.]click
  • gcentralboundary[.]shop
  • gchiefcommunicate[.]top
  • gcleverbacker[.]shop
  • gcleverbacker[.]top
  • gcoinaiangelinvestor[.]top
  • gcoinaibacker[.]top
  • gcoinaibarricade[.]top
  • gcoinaibarrier[.]top
  • gcoinaibasis[.]top
  • gcoinaichannel[.]top
  • gcoinaieducate[.]top
  • gcoinaienclosure[.]top
  • gcoinaifence[.]top
  • gcoinaifinancier[.]top
  • gcoinaiframework[.]top
  • gcoinaimedium[.]top
  • gcoinaimethod[.]shop
  • gcoinaiprecaution[.]top
  • gcoinaisafetynet[.]top
  • gcoinaischeme[.]shop
  • gcoinaisequence[.]shop
  • gcoinaishareholder[.]top
  • gcoinaisystem[.]top
  • gcoinaitask[.]shop
  • gcoinaiwell-being[.]top
  • gcoinalband[.]shop
  • gcoinalcommunity[.]shop
  • gcoinalendeavor[.]shop
  • gcoinalgamble[.]shop
  • gcoinalguard[.]top
  • gcoinalinitiative[.]shop
  • gcoinalinternational[.]shop
  • gcoinalprecaution[.]top
  • gcoinalrisk[.]top
  • gcoinalsafeguarding[.]top
  • gcoinalsafetynet[.]shop
  • gcoinalsafetynet[.]top
  • gcoinalschedule[.]top
  • gcoinalscheme[.]top
  • gcoinaltask[.]top
  • gcoinaluniversal[.]top
  • gcoinalwell-being[.]shop
  • gcoinalwidespread[.]top
  • gcoinangelinvestor[.]top
  • gcoinassurance[.]shop
  • gcoinband[.]top
  • gcoinbarrier[.]top
  • gcoincapitalist[.]top
  • gcoincollective[.]shop
  • gcoincommunicate[.]shop
  • gcoincommunity[.]shop
  • gcoincommunity[.]top
  • gcoincredit[.]shop
  • gcoindependence[.]shop
  • gcoinfinancier[.]shop
  • gcoingamble[.]top
  • gcoingathering[.]shop
  • gcoininitiative[.]shop
  • gcoinmedium[.]top
  • gcoinpartition[.]top
  • gcoinreliance[.]shop
  • gcoinside[.]top
  • gcoinundertaking[.]shop
  • gcoinundertaking[.]top
  • gdrivenfacilitator[.]top
  • geffortlesslegalentity[.]top
  • genergyemporium[.]store
  • gexceptionalmodule[.]top
  • gexhilaratingcontribution[.]club
  • gexxclusivefoundation[.]space
  • gfinancingstart[.]shop
  • ggiftedcollective[.]top
  • ggroundworkband[.]shop
  • ggrrandventure[.]fun
  • ggrrandventure[.]site
  • ggrrandventure[.]website
  • gharmoniousundertaking[.]top
  • ghighestrisk[.]top
  • gimmenseinitiative[.]top
  • gimportantinternational[.]club
  • gincompleteuniversal[.]top
  • ginnspiringdefense[.]site
  • ginstitutestart[.]shop
  • ginvestfortification[.]shop
  • ginvestguard[.]shop
  • ginvestingstart[.]shop
  • ginvestprecaution[.]shop
  • ginvestwell-being[.]shop
  • gnetworkstart[.]click
  • goriginatestart[.]shop
  • grrandventure[.]site
  • gscarceai[.]top
  • gsplendidai[.]top
  • gsubsidystart[.]shop
  • gsurprisingai[.]top
  • gsystemaibarricade[.]top
  • gsystemaibasis[.]shop
  • gsystemaiboundary[.]shop
  • gsystemaiboundary[.]top
  • gsystemaifence[.]shop
  • gsystemaifence[.]top
  • gsystemaigroundwork[.]shop
  • gsystemainegotiator[.]shop
  • gsystemaiside[.]shop
  • gtopinvestigate[.]shop
  • individualestablish[.]top
  • investfortification[.]shop
  • riseanalyze[.]click
  • safegroup[.]shop
  • subsidystart[.]shop
  • systemaibarricade[.]shop
  • systemaibasis[.]top
  • systemaigroundwork[.]shop
  • systemainegotiator[.]shop

KazMunayGas Scam Video URL Examples

  • hxxps[:]//video[.]belmar-marketing[.]online/videos/kazmunay-preland.mp4
  • hxxps[:]//ai-usmcollective[.]click/videos/kazmunay-preland.mp4

Liberty Coin Scam Web Page Example

  • patriotsmaga2024[.]com/wp/2024/04/09/statement-from-president-trump-9th-of-april-2024/?1717411716131

Liberty Coin Scam Video URL Examples

  • hxxps[:]//conspatriots2024[.]com/wp-content/uploads/2024/04/0-02-05-39b70d3c0c0582890da2793bd7551a4adacea2faef6e1303a943db46b875cde7_1c6dbb11ce91a9.mp4
  • hxxps[:]//conspatriots2024[.]com/wp-content/uploads/2024/04/0-02-05-aca301a44b073ea87338efcd18aa41f18ebd53e8462b780976412fc70a3a28d2_1c6dbb100c4956.mp4

Additional Resources

Updated Sept. 25, 2024, at 11:15 a.m. PT to add additional IoCs as well as screenshots from the deepfake videos in the same section. 

Updated Oct. 23, 2024, at 8:30 a.m. PT to add additional IoCs as well as screenshots from the deepfake videos in the same section. 

Enlarged Image