Top takes: A Facebook drama in three acts

An exclusive report, in collaboration with Der Spiegel, reveals a network of fake accounts building fake lifetimes in fake ways

@DFRLab
@DFRLab
Jan 24 · 6 min read
(Source: @nikaaleksejeva/DFRLab via Liannadavis/Wikimedia Commons)

An online network on Facebook discovered by German media outlet Der Spiegel, which partnered with the DFRLab for its analysis, used hundreds of fake user accounts to craft full lifetimes of often breathless drama by deploying common tactics for creating such fake profiles.

The network of accounts participated in what Facebook — in a statement provided to Der Spiegel and the DFRLab — referred to as “scamming behavior,” putting them out of the range of the company’s qualification as “coordinated inauthentic behavior” (CIB). The latter usually entails concentrated and targeted information manipulation, meant to persuade vulnerable audiences for political or financial purposes. In this case, given the real humans behind the accounts, their proclivity toward fabricating whole lives for fake people, and their private engagement with authentic Facebook users — as revealed by Der Spiegel — the accounts appeared to more closely fit the company’s idea of scams. Both CIB and scams lead to removal from the platform.

A joint investigation between the DFRLab and German newspaper Der Spiegel identified at least 329 accounts engaged in this activity. While many of the accounts had cultivated mature user personas, they also exhibited numerous biographical inconsistencies, linguistic errors, and use of stolen content, all of which ultimately helped expose the network.

While the investigation did not result in a conclusive attribution, the DFRLab found some evidence, such as language use and the time zone of postings, to suggest that at least part of the network may have originated in Latin America. In addition, Der Spiegel discovered that some of the accounts made contact via private messages with real users, a finding the DFRLab was able to corroborate via open-source evidence.

This article outlines the main features of the network. Additional pieces by the DFRLab provide greater detail on the content, coordination, and fake nature of the accounts.

Mature user personas

Examples of detailed biographical profiles that included work history, education history, and places of residence. (Source: Meredith Kennedy/archive, left; Miguel Angel Singer/archive, middle; Alice Bergmann/archive, right)

Most of the user personas identified themselves as military or law enforcement personnel. Others listed jobs in the tourism, aviation, arts, and fashion industries.

A word cloud of the most represented professions within the inauthentic network, as generated by DFRLab’s own categorization of the accounts. (Source: @nikaaleksejeva/DFRLab)

In terms of nationality, the accounts were diverse, claiming to hail from over 30 countries, including France, the United States, and Syria.

The countries where the supposed users were allegedly located, according to their profiles. (Source: @nikaaleksejeva/DFRLab)

The accounts often listed one another as family members, tagged each other in photos, and engaged in dramatic exchanges in the comment sections of one other’s posts. These interactions suggested that the operators were aware of one another and coordinating to some extent.

Furthermore, both the DFRLab and Der Spiegel found evidence that the fake accounts had engaged authentic users via private messages.

Authentic users commented on Helena Bergmann’s posts, referring to private messages she had sent them (pink boxes). (Source: Helen Bergmann/archive, left; Helen Bergmann/archive, right)

The care that went into crafting the accounts’ personas may have been an attempt to lend the accounts an air of authenticity so as to avoid arousing suspicion when they contacted real individuals.

Biographical inconsistencies

Majid Najm Al-din’s account identified him as female, as did his original ID, but his profile was that of a man’s. (Source: Majid Najm Al-din/archive)

Many accounts from the network did not identify themselves as native English speakers, but those that did made language errors characteristic of non-native speakers.

An example of a post by a Scottish account with English-language errors underlined. (Source: Facebook/archive)

While many accounts were connected to one another via family ties, there were inconsistencies in the accounts they listed as family members. In one case, for example, an account allegedly belonging to a father was clearly that for a woman.

Stolen content

Alice Bergmann using frame from a video featuring Chilean actress Josefina Montane. (Source: Facebook/archive, left; YouTube/archive, right)

Some accounts copied and pasted text in their posts that originated on fringe media outlets from abroad.

Georg Schonfelder Rommer copied and pasted a list of people from a comment by a user “biersauer” on a post on fringe German blog Ein Parteibuch, a post that itself was taken from Russian fringe media site Southfront.org. (Source: Georg Schonfelder Rommer/archive, left; Ein Parteibuch/archive, right)

Posting charged political content to draw the right crowd

This, in part, explains why the network demonstrated no single or coherent ideological agenda; instead, the accounts seemed to be passionate about disparate political issues, from Kurdish autonomy to the refugee crisis in Europe. Different accounts often contradicted each other in political positioning.

Examples of content the accounts posted. (Source: Vanessa Ferraro Vecchia/archive, top left; George Wozniak/archive, top right; Milan Djokovic/archive, bottom left; Alfred Louis Carter/archive, bottom right)

The one common thread was the likelihood of the content to provoke emotional reactions, a possible tactic to draw in highly engaged users as a part of the scam.

Evidence pointing to Latin America

Accounts listing the languages they speak in Spanish but not including Spanish on the list. (Source: Miroslav Overchenko/archive, bottom left; Mahir Sawiris/archive, bottom right)

Moreover, the time difference between the posting time and the time displayed on a researcher’s computer (in Central Europe) indicated a six-hour difference that matched with the time zone of eleven Latin American countries.

The time zone of the posting time matched with Latin American countries. (Source: Robert Gautier/archive, left; 24timezones.com/archive, right)

Conclusion

That the network was inauthentic and coordinated was clear, though the accounts — by Facebook’s own estimation to the DFRLab — were perpetrating “scamming behavior,” thus falling short of the company’s threshold for “coordinated inauthentic behavior.” Assuming the behavior was indeed intended to scam people in some form, it nevertheless remained unclear what the purpose of the scam was.

Some of the accounts posted innocuous special interest content, melodramatic stories, and flirtatious overtures; others were overtly political. The former behaviors are typical of audience-building attempts. On the other hand, the presence of political commentary on a host of divisive sociopolitical issues suggested that the network was deliberately targeting an audience of highly engaged real users it felt could be scammed.


Nika Aleksejeva is a Research Associate with the Digital Forensic Research Lab (@DFRLab) and is based in Latvia.

Zarine Kharazian is Assistant Editor with @DFRLab and is based in Washington, DC.

Follow along on Twitter for more in-depth analysis from our #DigitalSherlocks.

DFRLab

@AtlanticCouncil’s Digital Forensic Research Lab. Catalyzing a global network of digital forensic researchers, following conflicts in real time.

@DFRLab

Written by

@DFRLab

@AtlanticCouncil's Digital Forensic Research Lab. Catalyzing a global network of digital forensic researchers, following conflicts in real time.

DFRLab

DFRLab

@AtlanticCouncil’s Digital Forensic Research Lab. Catalyzing a global network of digital forensic researchers, following conflicts in real time.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade