An exclusive report, in collaboration with Der Spiegel, reveals a network of fake accounts building fake lifetimes in fake ways
An online network on Facebook discovered by German media outlet Der Spiegel, which partnered with the DFRLab for its analysis, used hundreds of fake user accounts to craft full lifetimes of often breathless drama by deploying common tactics for creating such fake profiles.
The network of accounts participated in what Facebook — in a statement provided to Der Spiegel and the DFRLab — referred to as “scamming behavior,” putting them out of the range of the company’s qualification as “coordinated inauthentic behavior” (CIB). The latter usually entails concentrated and targeted information manipulation, meant to persuade vulnerable audiences for political or financial purposes. In this case, given the real humans behind the accounts, their proclivity toward fabricating whole lives for fake people, and their private engagement with authentic Facebook users — as revealed by Der Spiegel — the accounts appeared to more closely fit the company’s idea of scams. Both CIB and scams lead to removal from the platform.
A joint investigation between the DFRLab and German newspaper Der Spiegel identified at least 329 accounts engaged in this activity. While many of the accounts had cultivated mature user personas, they also exhibited numerous biographical inconsistencies, linguistic errors, and use of stolen content, all of which ultimately helped expose the network.
While the investigation did not result in a conclusive attribution, the DFRLab found some evidence, such as language use and the time zone of postings, to suggest that at least part of the network may have originated in Latin America. In addition, Der Spiegel discovered that some of the accounts made contact via private messages with real users, a finding the DFRLab was able to corroborate via open-source evidence.
Mature user personas
Many of the accounts had cultivated mature user personas that presented a wealth of detailed biographical information, including work history and education.
Most of the user personas identified themselves as military or law enforcement personnel. Others listed jobs in the tourism, aviation, arts, and fashion industries.
In terms of nationality, the accounts were diverse, claiming to hail from over 30 countries, including France, the United States, and Syria.
The accounts often listed one another as family members, tagged each other in photos, and engaged in dramatic exchanges in the comment sections of one another’s posts. These interactions suggested that the operators were aware of one another and coordinating to some extent.
Furthermore, both the DFRLab and Der Spiegel found evidence that the fake accounts had engaged authentic users via private messages.
The care that went into crafting the accounts’ personas may have been an attempt to lend the accounts an air of authenticity so as to avoid arousing suspicion when they contacted real individuals.
Ironically, the high degree of biographical detail these accounts provided ultimately exposed them by creating greater room for error and inconsistencies in the personas. Some accounts had different names in their Facebook IDs than their screennames, as well as conflicting listed and presenting genders, suggesting that they may have changed identities at some point.
Many accounts from the network did not identify themselves as native English speakers, but those that did made language errors characteristic of non-native speakers.
While many accounts were connected to one another via family ties, there were inconsistencies in the accounts they listed as family members. In one case, for example, an account allegedly belonging to a father was clearly that of a woman.
Many accounts from the network used images of “B-List” Latin American celebrities as profile pictures. Slight digital modifications, such as image mirroring and use of visual filters, suggested the accounts took steps to avoid detection via reverse image search.
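Why mirroring gets past a naive image match, and how checking both orientations restores it, is sketched below as an added example; it is not code from the DFRLab or Der Spiegel investigation, and the report does not say which matching method the researchers used. It uses a difference hash (a common perceptual-hash technique chosen here for illustration) and assumes the images are already decoded and downscaled to 8x9 grayscale grids; all pixel data and the threshold are constructed.

```python
def dhash(grid):
    """Difference hash: one bit per horizontally adjacent pixel pair,
    set when the left pixel is brighter than the right one."""
    bits = 0
    for row in grid:
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | int(left > right)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def mirror(grid):
    """Horizontal flip of a pixel grid."""
    return [row[::-1] for row in grid]

def match_distance(reference, candidate):
    """Compare the candidate as-is and mirrored; return the smaller
    Hamming distance and the orientation that produced it."""
    ref = dhash(reference)
    direct = hamming(ref, dhash(candidate))
    flipped = hamming(ref, dhash(mirror(candidate)))
    return (direct, "as-is") if direct <= flipped else (flipped, "mirrored")

THRESHOLD = 10  # assumed cut-off out of 64 bits; tune on real data

def is_match(reference, candidate):
    return match_distance(reference, candidate)[0] <= THRESHOLD

# Constructed sample data (not real images): an asymmetric brightness
# profile repeated over 8 rows stands in for a downscaled source photo.
PROFILE = [20, 70, 110, 80, 130, 170, 150, 140, 210]
REFERENCE = [[p + 3 * r for p in PROFILE] for r in range(8)]
# Suspect copy: mirrored, then uniformly brightened (a simple filter).
SUSPECT = [[p + 20 for p in row] for row in mirror(REFERENCE)]
# Unrelated picture: a plain left-to-right fade.
UNRELATED = [[240 - 25 * c - r for c in range(9)] for r in range(8)]

if __name__ == "__main__":
    print("naive distance:", hamming(dhash(REFERENCE), dhash(SUSPECT)))
    print("flip-aware:", match_distance(REFERENCE, SUSPECT))
    print("unrelated:", match_distance(REFERENCE, UNRELATED))
```

The uniform brightening leaves the hash unchanged because it preserves which neighbouring pixel is brighter; the mirroring is what defeats the single-orientation comparison.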
Some accounts copied and pasted text in their posts that originated on fringe media outlets from abroad.
Posting charged political content to draw the right crowd
In addition to divulging details about their personal life in emotionally loaded posts, some of the accounts also posted charged political content. The exact nature of the content, however, was likely a superficial aspect of the network, as it was presumably targeting a highly engaged audience that the operators of the network felt might be most susceptible to their scam.
This, in part, explains why the network demonstrated no single or coherent ideological agenda; instead, the accounts seemed to be passionate about disparate political issues, from Kurdish autonomy to the refugee crisis in Europe. Different accounts often contradicted each other in political positioning.
The one common thread was the likelihood of the content to provoke emotional reactions, a possible tactic to draw in highly engaged users as a part of the scam.
Evidence pointing to Latin America
A few corroborating pieces of evidence suggested that the network might have been, at least in part, operated out of Latin America. Besides using images of Latin American celebrities, many of the accounts allegedly from other parts of the world frequently listed the languages they spoke in Spanish.
Moreover, the posting times differed by six hours from the time displayed on a researcher’s computer (in Central Europe), an offset that matched the time zone of eleven Latin American countries.
This network was sprawling and longstanding. Some of the most prominent accounts, including Robert Gautier and Helena Bergmann, had been active since 2012–2013, having adopted fairly consistent and well-developed personas. Despite the conviction with which they played their parts, however, biographical inconsistencies and similar patterns of behavior revealed that these accounts were not who they claimed to be.
That the network was inauthentic and coordinated was clear, though the accounts — by Facebook’s own estimation to the DFRLab — were perpetrating “scamming behavior,” thus falling short of the company’s threshold for “coordinated inauthentic behavior.” Assuming the behavior was indeed intended to scam people in some form, it nevertheless remained unclear what the purpose of the scam was.
Some of the accounts posted innocuous special interest content, melodramatic stories, and flirtatious overtures; others were overtly political. The former behaviors are typical of audience-building attempts. On the other hand, the presence of political commentary on a host of divisive sociopolitical issues suggested that the network was deliberately targeting an audience of highly engaged real users it felt could be scammed.
Nika Aleksejeva is a Research Associate with the Digital Forensic Research Lab (@DFRLab) and is based in Latvia.
Zarine Kharazian is Assistant Editor with @DFRLab and is based in Washington, DC.