Wednesday, Sept. 6, 2017, around 3 p.m. (France local time).
I’ve just uncovered the most important element of the entire investigation. It’s a photo of a group of friends on Facebook, really nothing special. However, this photo, and the comments under it, allow me to finally confirm the identity of one of the men behind the network.
Then, like in a movie, a few seconds after having taken a few screengrabs, everything disappears. A dozen of the most popular fake accounts in the network go offline.
It’s a total blackout, as if someone knows I’m getting closer to the truth.
Let’s call him “Mehdi.” His name has been popping up in my notes for months. He’s the moderator of a private Facebook group that has more than 600,000 members, and which is often used by the network’s fake profiles to drive traffic. The other moderators of the group are all fake profiles. Everything points to Mehdi.
Then, one day, I find this picture from September 2016, where he made a serious mistake.
One of Mehdi’s friends publishes a group photo and tags her friends, including Mehdi. I recognize him in the picture. But when I put my mouse cursor on Mehdi’s face, I see that he’s not tagged using his name. His face is tagged to Amandine Ponticaud, one of the biggest fake profiles in the network.
A photo published on Facebook. We see 10 young people, 5 women and 5 men. Their faces are blurred. On the right, we see Pablo and Mehdi, two of the administrators of the network.
In the comments, a guy started making fun of Mehdi. Mehdi answered back. But he did so with Amandine’s profile, not his own.
What follows is a flurry of insults between the guy and Mehdi. Mehdi finds a picture of the guy’s mother on his Facebook profile and says he’s going to use it “in his next porno post.” Remember that bait accounts use fake porno links to trap its victims.
Tired of the abuse, the guy blocks Amandine’s profile. But then Mehdi jumps back into the fray, this time under the name Léa Pierné – another fake account in the network. The guy blocks this account, and Mehdi comes back again with yet another of the network’s fake profiles, Isabelle Bekaert.
It’s clear, then, that Mehdi had, in September 2016 at least, access to these three fake profiles, which are some of the keystones of the network. He even admits to publishing “porno links.”
In fact, in the comment section of a July 2017 post by the network, these three same fake profiles were used to give the illusion that people had watched a supposed porno video.
A conversation that took place in the comments section underneath one of the network's posts. Four of the network's fake profiles write that they downloaded the alleged pornographic video linked to by the post.
The Marseille gang
Where things become interesting is when we search for Mehdi’s name on Google. Because, you see, he seems to have been doing this for quite some time. His name pops up on video game forums in France.
Since 2012, forum users have wanted to get him kicked off Facebook. Why? They said he shares “fake accounts” that publish “pictures stolen from chicks’ accounts.” In July 2012, some users banded together in a systematic campaign to flag Mehdi’s Facebook profile.
In these old forum posts, another man is also named, purported to be Mehdi’s partner. We’ll call him “Pablo.” He does seem to be Facebook friends with other people involved in the network. Mehdi and Pablo seem to come from southern France, around the city of Marseille.
By snooping a bit, I found two ads – one published by Pablo, the other by Mehdi – published on the listings website Webfrance in April 2015. In both ads, Mehdi and Pablo try to sell the same Facebook page, now defunct, which had, at the time, 280,000 subscribers. A person writes in the comments that they were scammed “three times” by Pablo, who had tried to sell him “fake accounts.”
In another ad, Pablo says he wants to “quit social media to concentrate on real life.” He says he’s selling three Facebook pages, with 280,000, 129,000 and 70,000 active subscribers. He uses an email address that includes Mehdi’s name in his ad.
Here’s where the story takes an unexpected turn. By searching for Pablo’s name on Facebook, I stumble upon a very strange page. It’s in Pablo’s name and uses his face as a profile picture.
On July 10, 2013, the page simultaneously published 373 pictures in the same public album, accessible to all. These images seem to be screengrabs from computers and mobile phones. In these screengrabs, we can see the inner workings of a sextortion ring of fake accounts.
In this album, we can see pictures of young women, some more explicit than others; anything one would need to, say, create a fake profile to scam men.
We can also see statistics of the engagement created by several Facebook pages supposedly belonging to pretty young girls.
What’s more, we see a screengrab of a Facebook chat window, where Mehdi asks a friend to make him administrator of a page. “I’m gonna scam a dude and I just told him that I was admin,” he writes. Mehdi gloats a few minutes later that the scam worked.
There’s also a screengrab of a PayPal transfer worth 500 euros ($740 CDN).
Then come a series of four incriminating screengrabs where we see – beyond doubt – a person carrying out a sextortion scam.
It’s the classic setup: make a man believe that he’s talking to a woman so that he gets naked in front of the camera, then take screengrabs of the exchange to blackmail him.
n the image, we see a Skype video conversation. The owner of the computer is chatting with a man. This man is naked and masturbating. In the small window which usually shows a Skype user what his chat partner is seeing, we see a nude woman masturbating on a bed.
However, behind the Skype window, we can also see that this user is using a computer program to display pornographic videos on Skype, to give his victim the illusion that he is interacting with a woman. In the background, we can see that this user has at least two videos of the same nude woman, which he can display in his Skype window.
I can’t be absolutely certain where these screengrabs come from. It would be very unlikely that someone could manage to fake 373 images to try and make Pablo look bad. Were these screengrabs obtained through a hack? Were they uploaded by mistake by someone working for the network? It’s impossible to know.
Still, it would be a curiously improbable coincidence that screengrabs showing the inner workings of a sextortion ring would be published to a Facebook page bearing Pablo’s name, when he seems to be at the center of a network which does exactly that type of activity.
Pablo and Mehdi both ignored multiple attempts to contact them. However, my colleague Marie-Eve talked to two (real) young women who had participated in the network’s activities by sharing posts from fake profiles. Both confirmed that the network is used to make money. One of them said that she made 10,000 euros ($14,800 CDN) in a single month by “sharing links on Facebook.” She also claimed that the network was based in France, Spain and Italy. Both women abruptly ended all communication with us after initially agreeing to an interview.
Shortly after this, the fake profiles started disappearing. It’s probably no coincidence that the profiles to which Mehdi had access in 2016 disappeared as well.
To me, it’s clear that Pablo and Mehdi are not running this network by themselves. What we’re seeing is most likely several different interconnected networks that co-operate to attract a mutually beneficial audience. Another part of the network, based in northern France and Belgium, seems to run a slightly different scheme, using fake profiles to attract men towards Snapchat accounts. These accounts seem to be running a cyberprostitution ring. But that’s a story for another day.
With regards to the network run by Pablo and Mehdi, its disappearance – which is probably only temporary – allowed me to better understand its scope. The profiles seem to have been deactivated rather than deleted outright. What’s more, Snapchat accounts related to some of the fake Facebook profiles run by the network have continued sharing fake pornography links, using the same tactic as on Facebook.
After having analyzed the HTML code of the webpages from which these links stem, I was able to determine that the network uses a CPA (Cost Per Action) marketing service. By entering a script on a webpage, the network automatically redirects its victims towards fraudulent dating sites, where they’re asked to enter their personal details, including their credit card numbers.
From what I’ve been able to see on the CPA company’s webpage, the network can make up to 28 euros every time someone they sent to the dating site signs up. When we know some of these links can generate thousands of likes and comments on Facebook and that their potential audience can be in the tens or even hundreds of thousands of people, the money that can be made this way is substantial. If we believe what we see on his Snapchat and Instagram accounts, Mehdi seems to be living the life of a globetrotter these days – an expensive hobby.
Are Mehdi and Pablo behind everything that goes on in the network, from A to Z? It would be impossible to tell. Perhaps the network “rents” its audience to fraudsters in exchange for a cut of the profits. Or maybe fraudsters have found out that the network’s posts are perfect hunting grounds. What we know, though, is that the entire process is in place, and it seems to be working well.
And what about Béatrice in all of this?
She seems well, but I never managed to find out who’s behind her profile. She recently stopped sharing sexy pictures.
She started her old scheme again, sharing pictures of sick or handicapped people.