An AI representation of how social media accounts are being abused by crypto and other scammers.
DAVAO CITY (MindaNews / 24 June) – You might have seen this before: Facebook profiles of others you know suddenly posting wads of money on their My Day posts, with captions in English, which they barely use as a social media language.
For some reason, they’re also extra boastful, posting photos of a family blessing of a new car and maybe that new condominium, aside from their fat cash.
Except that there’s a catch.
You know for a fact that they don’t even have a steady source of income.
A woman from Tugbok in Davao City had fallen prey to such scheming when her account was compromised – with no way of retrieval.
For the past few years, Maricel (not her real name), 58, has lost at least four different Facebook accounts to scammers. She does not typically screenshot anything from her phone. In an age where online banking apps are commonplace, and where screenshots are basic, Maricel does not know how to use either. She had trouble recalling what happened to her account or when the scammer compromised it.
So Maricel let it go without remedying the situation—until a month ago.
Relatives in Maricel’s family group spotted her old Facebook account acting suspiciously.
Eventually, a confirmation. The hacker who had taken control of Maricel’s account had begun to use it for their own gains.
Maricel-the-fake has been repeatedly showing off thick bundles of thousands of pesos on her Facebook posts. Not bad for a woman who sells dried fish to neighbors every week. To sell her products, the real Maricel even allows regular customers to pay later.
Asked if she remembers what exactly happened, Maricel recalled that she was always lured into “announcements” on Facebook, where she gets most of her information.
Like many Filipinos in this age of smartphones, Maricel only gets updates about the world at large through Facebook feeds, instead of more reliable sources such as news sites or their verified Facebook accounts.
Chances are, if she hasn’t subscribed to the Facebook page of MindaNews or if the post about this article doesn’t reach her feed, she won’t be able to read this story. Maricel has since created her fifth Facebook account, after all four of her earlier accounts, stolen by fraudsters, could no longer be recovered.
Maricel narrated that she saw a post claiming that she was somehow eligible to receive ayuda, or government aid. Seeing that it was from a popular Facebook influencer whose name now escapes her, she opened the message, clicked the obscure link, and eventually surrendered total access to her account in the process without her knowing. She would eventually make new accounts, only to fall for the same trick.
To make sure we understood Maricel correctly in the paragraph above, we read this translation to her: Nakita ni Maricel ang usa ka post nga nag-ingon nga kwalipikado siya nga makadawat og ayuda, o tabang gikan sa gobyerno. Tungod kay gikan kini sa usa ka popular nga influencer sa Facebook nga nakalimot siya sa ngalan, giablihan niya ang mensahe, giklik ang dili klaro nga link, ug sa proseso nakompromiso ang iyang account nga wala siya kabalo. Nagbuhat siya og bag-ong mga account, apan napatuo gihapon sa sama nga limbong.
Maricel confirmed it.
With little understanding of how the internet works, older Facebook users who are not familiar with social media seem to be the prime targets of scammers.
The modus operandi is one of the behaviors on social media identified by a consortium of media organizations dedicated to identifying, analyzing and investigating influence operations.
Influence operations refer to orchestrated efforts involving the spread of information by various actors, whether they’re connected to governments, private groups or foreign interests. These efforts are driven by financial, political, cultural, ideological, or policy interests and often aim to disrupt the flow of accurate information, targeting important aspects of democratic values, social well-being, safety and peace.
MindaNews sought the help of media consortium partner Qurium Media Foundation, a Swedish digital forensic group specializing in the analysis of online attacks, including targeted malware, digital assaults on media sites, internet censorship, disinformation campaigns, and election fraud. Qurium is dedicated to addressing digital threats against a free and open internet.
To conduct its investigation, the foundation engaged with pages connected to a network of co-opted accounts, aiming to trace a paper trail, perhaps identifying a bank account or location, using digital forensics. “Engaged” here means they pretended to be potential victims of the scammers.
Results of Qurium’s initial investigation showed that the scammers ask interested investors online, whether existing connections or strangers, for investments in Bitcoin or other cryptocurrencies.
In the case of accounts formerly owned by people like Maricel, the fraudsters use them to manufacture proof of the crypto scam’s legitimacy.
The identity thieves would use old account details such as profile photos, old photos of celebrations, or old photos of personal milestones (e.g., the blessing of a first family car or a new housing/condo unit).
Throughout the compromised account, the page would suddenly post suspiciously grateful status messages showing off the account holder’s financial gains. Usually, the status message would link to another account, someone to mention and thank for the sudden rise in wealth.
In April, MindaNews conducted a fact-check of a Facebook Group post about a dog that was allegedly hit by a car in Davao City. In that fact-check, we determined that the post was fake through the use of reverse-image tools.
The post was a part of a scheme to lure victims into a similar phishing scam.
We found out that the account poster was a Facebook Profile that had been compromised. The hacker gathers engagement through heartstring posts such as the injured dog. In other instances, it could be an infant who needs help or other similar posts that aim to gather sympathy through likes and shares. If no one notices or reports that account, the post will have gathered enough engagement and shares to create a fake following.
Once the engagement gains critical mass, the account holder then edits the status message into a crypto-sounding message that leads to a scam similar to the one Maricel had fallen prey to.
MindaNews listed several suspicious accounts connected to the network of Maricel’s old Facebook accounts, specifically the mentions or thank-yous to certain individuals. With the help of Qurium, we found certain patterns based on the profiles of the suspicious accounts.
To do this, we clicked the profiles of the people being mentioned in the thank-you posts. Next, we sought out the uniform resource locators (URLs), or web addresses, that were displayed on these accounts to find a pattern.
Each suspicious account displayed URLs of crypto sites on its profile.
According to the foundation, the network of co-opted Facebook accounts leads to various URLs.
Qurium said there was a common denominator among all the URLs: they are all hosted on a server with a specific provider, Rivalhost, a provider that hosts multiple dashboards of similar scam operations.
Qurium and MindaNews are currently reaching out to Rivalhost’s Philippine counterparts to shed light on the existence of the network. We will update this story once we get a response.
We ran one of the URLs, tradersfxglobe[.]org, through an open-source scam detection site called Scam Adviser. The website has a set of parameters that determine the trustworthiness of websites. It found that the URL only had a 1 out of 100 Trustscore, with 100 as the highest.
According to Scam Adviser, the website allows payments that say you can get your money back. It has a valid security certificate, and DNSFilter says it’s safe. However, the owner’s identity is hidden, it doesn’t have many visitors, and it shares a server with poorly rated sites. It offers risky financial and cryptocurrency services and is very new.
“Facebook said it was ‘ayuda’ or help, or government assistance,” Maricel said about the post.
And so she clicked the link that was sent to her.
This scam spreads like a virus by messaging existing contacts with suspicious URLs, and until friends, relatives, or neighbors warn each other not to click any links, no one in Maricel’s network is safe from identity theft.
The scammer has effectively stolen the entire social media account and has learned the former owner’s verbal mannerisms. The crypto scammer reads through the account posts and messages, and learns their speech patterns.
Screenshot shows our investigation into common suspicious posts of accounts like Maricel’s. We found this to lead to dubious Bitcoin offers and testimonies.
MindaNews asked Maricel for permission to check her security settings and try to recover her accounts. Despite numerous attempts, we could not retrieve the social media accounts anymore. The backup email address and phone numbers had already been changed.
Reports to Meta also do not yield results, and the profiles remain a part of a web of deceit. As of this posting, most of the accounts remain on the platform. It is worse for the original holders of the accounts we suspect are stolen identities. Their faces and contents are still on the social media platform. Only one account has been taken down, as of Wednesday, June 12.
In the Philippines, Meta does not require users to submit proof of identity to make sure that the user is who they claim to be. In the case of Maricel, hackers have used this as a loophole to compromise her identity. In fact, the Meta Verification process that requires valid IDs only works for paid accounts; it is not a requirement.
Maricel’s situation is only a fraction of the dangers of crypto scams on social media platforms like Facebook.
Identity theft
Sad to say, Maricel’s story isn’t uncommon. And if we assume that it’s a matter of social media literacy, you would be surprised. It’s so easy to scam even the most educated.
Maritess (not her real name), 36, a doctor who is also based in Davao City, almost lost her Facebook account to a similar scheme.
For a while, Maritess lost her account to someone who asked her contacts for money.
Eventually, Maritess-the-fake asked her father to send P16,000 into an account, supposedly payable later in the day. The transfer was made, and the family would realize too late what had just happened.
Dr. Maritess’s friends and relatives announced the incident on their own Facebook walls to warn contacts to ignore messages from the compromised account. But before these announcements, a few others had been victimized, sending funds ranging from P1,000 to P16,000.
Asked how it happened, it turned out that a Facebook contact had recently fallen into a similar situation. In her hectic routine, Dr. Maritess responded to a question from that contact’s compromised account. The account user asked the busy doctor for her number and her email address. The scammer used these private details to bypass Facebook’s security measures, which allowed the fraudulent user to access her account.
Her account has since been recovered, through an agonizing week-long back and forth with Meta’s recovery methods.
Anatomy of a Facebook scam
Crypto scams on Facebook often follow a structured approach to lure victims.
Scammers create fake profiles, pose as investment experts, and use fraudulent schemes to trick users.
They exploit Meta’s platform despite the company’s community guidelines that prohibit deceptive content and require authentic identities.
For example, Meta prohibits deceptive, misleading, or fraudulent content intended to scam or exploit people for money. This includes cryptocurrency scams.
Meta also requires users to use their real names and authentic identities. Accounts found to be using fake names or impersonating others are subject to removal. Unauthorized access to and use of another person’s Facebook account is prohibited and can result in account termination.
In the network that victimized Maricel, the scammer used the name Anthony Robert as one of the profiles.
Qurium found out that the profile photo used in the Anthony Robert account is a photo of Italy-based journalist Naman Tarcha.
Meta’s guidelines prohibit the dissemination of false information, particularly when it can cause harm. This includes fake news and misleading advertisements. Impersonation and identity theft are explicitly banned. Users cannot create accounts pretending to be someone else, nor can they use stolen identities.
Despite the passage of the Philippine Cybercrime Prevention Act in 2012, which aims to tackle online threats, critics argue that it lacks comprehensive measures to fully protect users from evolving cyber threats. The Foundation for Media Alternatives highlights that many Filipinos remain vulnerable to online violence, particularly women who face significant risks of harassment, cyberstalking, and unauthorized use of personal data.
In 2018, the National Privacy Commission (NPC), in its investigation on cyber vulnerability, asked Facebook CEO Mark Zuckerberg to determine if the data of 1.1 million Filipino users had been shared with Cambridge Analytica. Zuckerberg acknowledged the issue and assured cooperation with the NPC. The NPC requested that Facebook provide documents to determine the breach’s scope and impact on Filipino users, addressing potential violations of the Data Privacy Act of 2012.
With millions of active Facebook accounts, the Philippines has been significantly impacted by the scandal of Cambridge Analytica’s misuse of Facebook user data, second only to the United States.
Based on a September 2023 update, Meta said it addressed several key issues following the widespread problems with crypto scams and account security on Facebook. Meta reported enhancing its detection and removal of fake accounts, improving user education on identifying scams, and increasing transparency around its security practices.
POGO connection?
In March, investigators raided a complex hosting Philippine Offshore Gaming Operators (POGOs) in Bamban, Tarlac and found hundreds of foreign nationals being coerced into similar activities online.
According to reports, some of the illegally detained workers were being forced to conduct love scams and crypto scams.
Current guidelines of the Philippine Amusement and Gaming Corporation (PAGCOR) require all operations to conduct business in accordance with Philippine laws.
POGOs can offer various online gaming services, including sports betting, online casinos, and other interactive gaming activities to international customers. They must comply with PAGCOR’s regulatory requirements, including obtaining licenses, adhering to tax obligations, ensuring fair play, and maintaining data security.
However, POGOs cannot target Filipino residents as their customers and are prohibited from engaging in illegal activities such as money laundering and fraud. They must operate within the bounds of the law, avoiding exploitation or harm to individuals and ensuring they do not endanger national security or public order. [Emphasis supplied]
The raid on a POGO facility in Bamban, Tarlac, revealed potential connections to online scams, including crypto.
A quick browse online shows that the crypto scammers are possibly in violation of the Cybercrime Prevention Act of 2012, which criminalizes illegal access, data interference, and computer-related fraud.
Like others in her situation, Maricel found the law vague on what to do next. Does she go to the barangay? The police? The National Bureau of Investigation?
She expressed hopes her stolen accounts get suspended altogether. With Facebook not responding to efforts by family members to mass report her other lost accounts, who knows what will happen to them and who will be victimized next by those stolen accounts?
Dr. Maritess, on the other hand, has since recovered her Facebook account. Prior to the writing of this story, their family had decided to temporarily deactivate her account, for their sanity. Their father’s blood pressure spiked when he learned about the compromised account; and since she “asked,” he was able to send to the stolen account P16,000, no questions asked.
Her family is still deciding whether to press charges or charge this to experience.
Dr. Maritess has since changed her profile photo to one showing her real face, now that she has recovered her account. (Yas D. Ocampo with a report from Ian Carl Espinosa / MindaNews. The authors use ChatGPT in organizing some data and in paraphrasing cited contents.)
(This report was produced with support from an Internews initiative aiming to build the capacity of news organizations to understand and monitor disinformation and influence operations in the Philippines.)