A new investigation uncovers deepfake manipulation and a network of 208 crypto scam sites. The financial damage runs into the millions.
International cybersecurity provider Group-IB has published the results of a two-part investigation that illustrates the staggering scale of modern investment fraud operations. Investigators uncovered a complex infrastructure specifically targeting private individuals in Australia and the United States. The operations rely on a combination of state-of-the-art deepfake technology for market manipulation and an industrially scaled network of more than 200 fraudulent trading platforms. According to estimates, the perpetrators generated total revenues of around 187 million US dollars using these methods. The investigation also reveals how the criminals exploit their victims a second time after the initial theft, this time through fake recovery services.
Price manipulation through convincing deepfakes
The first part of the investigation documents a specialized fraud scheme based on the targeted manipulation of stock prices. The perpetrators used deepfake technology to digitally clone the identity of a prominent Australian economist. With this artificially generated likeness, they produced videos and audio messages that were distributed via more than 20 fake WhatsApp accounts. The goal was to push investors into buying shares of EverQuote Inc. (NASDAQ: EVER). Victims were told that an entry price of 24.79 US dollars represented a lucrative investment.
Analysts at Group-IB covertly tracked the entire attack chain. They observed how the concerted campaign initially drove the share price to a high of 27.87 US dollars. Once this level was reached, the operators sold off their own shares, causing the price to collapse. By the end of the observation period, the stock was worth only 14.27 US dollars. This amounted to a loss of 42.4 percent for investors who had followed the recommendation of the deepfake identity. This approach follows the classic pump-and-dump pattern, but the technological deception lifted it to a new level of perceived trustworthiness.
Links to 208 fraudulent domains
In the second part of the investigation, the experts used advanced graph analysis to map the technical infrastructure behind the scam sites. Starting from a single suspicious cryptocurrency platform, investigators were able to establish a connection to a total of 208 fraudulent domains. These websites are designed to look deceptively similar to reputable investment portals. They advertise high return promises and use fake user interfaces to give victims the illusion of growing account balances, while the deposited funds actually flow directly into the operators’ wallets.
The analysis showed that the average deposit per victim was around 200 US dollars. Through the mass deployment of the 208 domains and the automation of victim recruitment, the network was nevertheless able to generate estimated total revenues of 187 million US dollars. The graph analysis also revealed that the domains are linked through shared server infrastructures, identical source code modules, and matching payment gateways. This points to a centrally organized fraud economy in which the criminal infrastructure is provided like a service.
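The pivoting described above, in which one suspicious platform leads to a whole cluster of domains through shared hosting, identical code and common payment gateways, can be reproduced on a small scale with a bipartite graph and a breadth-first search. The following is an added illustration written for this article; it is not Group-IB's tooling, and the domain names, IP addresses, code fingerprints and gateway labels are constructed placeholders (reserved .example names and RFC 5737 documentation ranges), not indicators from the report.

```python
from collections import defaultdict, deque

# Constructed sample data (not from the report). Each candidate site carries the three
# attribute types the investigation names: hosting IP, a fingerprint of the served
# front-end code, and the payment gateway the deposit form posts to.
SITES = {
    "alpha-invest.example":   {"ip": "198.51.100.10", "code_hash": "fp-7a1", "gateway": "gw-north"},
    "beta-trade.example":     {"ip": "198.51.100.10", "code_hash": "fp-3c9", "gateway": "gw-east"},
    "gamma-coin.example":     {"ip": "203.0.113.5",   "code_hash": "fp-3c9", "gateway": "gw-south"},
    "delta-yield.example":    {"ip": "203.0.113.7",   "code_hash": "fp-b02", "gateway": "gw-south"},
    "unrelated-shop.example": {"ip": "192.0.2.1",     "code_hash": "fp-f00", "gateway": "gw-other"},
}


def build_graph(sites):
    """Bipartite graph: domain nodes on one side, (attribute_type, value) nodes on the
    other. Two domains are linked whenever they share at least one attribute node."""
    adj = defaultdict(set)
    for domain, attrs in sites.items():
        for kind, value in attrs.items():
            attr_node = (kind, value)
            adj[domain].add(attr_node)
            adj[attr_node].add(domain)
    return adj


def pivot_from(seed, sites):
    """Breadth-first expansion from one suspicious domain.
    Returns {domain: [(kind, value), ...]}: for every reachable domain, the chain of
    shared attributes that connects it back to the seed (the seed itself maps to [])."""
    adj = build_graph(sites)
    chain = {seed: []}
    queue = deque([seed])
    while queue:
        domain = queue.popleft()
        for attr_node in adj[domain]:
            for neighbour in adj[attr_node]:
                if neighbour not in chain:
                    chain[neighbour] = chain[domain] + [attr_node]
                    queue.append(neighbour)
    return chain


def clusters(sites):
    """Connected components of the domain graph, largest first. A large component built
    from shared servers, code and gateways is the signal for a centrally run operation."""
    seen = set()
    result = []
    for domain in sites:
        if domain in seen:
            continue
        component = set(pivot_from(domain, sites))
        seen |= component
        result.append(sorted(component))
    return sorted(result, key=len, reverse=True)


def shared_attributes(a, b, sites):
    """Attribute types two domains have in common: the evidence behind one direct edge."""
    return sorted(k for k in sites[a] if sites[a][k] == sites[b].get(k))


if __name__ == "__main__":
    # Start from a single suspicious platform and print how each linked domain was reached.
    for domain, path in pivot_from("alpha-invest.example", SITES).items():
        print(domain, "<-", " / ".join(f"{k}={v}" for k, v in path) or "seed")
    print(clusters(SITES))
```

Starting from alpha-invest.example, the search reaches beta-trade.example through the shared IP, gamma-coin.example through the code fingerprint it shares with beta, and delta-yield.example through gamma's payment gateway; the unrelated shop shares nothing and stays in its own component. On real data the same structure would be fed from passive DNS, TLS certificate and page-fingerprint sources, and the pivot chain is what lets an analyst justify each takedown request with a concrete shared artefact rather than a visual resemblance.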
Global crypto fraud network: Fake recovery services
A particularly serious finding is that the fraudsters systematically target their victims a second time. As soon as one of the 208 platforms disappears and users realize they no longer have access to their capital, the same operators reappear under a new name. They pose as specialized recovery firms supposedly dedicated to retrieving crypto assets from scammers.
In this phase of the fraud, the victims are contacted and asked to pay upfront fees or taxes for the recovery of their funds. Because the perpetrators already have all the necessary contact details and information about the original deposits, they can appear highly convincing to their victims. The investigation makes clear that this is a purely fraudulent reactivation of the victims. No actual recovery of funds takes place; instead, those who have already suffered losses are defrauded of additional sums.
Skepticism toward stock tips on private messaging channels
The publication of the two-part report is intended to raise awareness among both companies and private individuals about these new technological threats. The use of messaging services such as WhatsApp to spread investment recommendations through AI-generated identities poses a significant threat to financial markets in particular.
Experts strongly advise skepticism when well-known figures provide specific stock tips through private messaging channels. In addition, crypto platforms should be thoroughly checked for licensing and historical reputation before any deposit is made. The findings of the investigation have been shared with the relevant law enforcement authorities in Australia and the United States in order to push forward the shutdown of the remaining active domains and to block the financial flows of those behind the scheme.