07.11.2024
1 min
848
A Canadian pharmacist has been embroiled in a scandal over his alleged role in running a website that hosts deepfake content. The incident has sparked widespread public outrage and debate about the ethical and legal implications of artificial intelligence. The incident has underscored the need to tighten controls on the creation and distribution of deepfake content to protect privacy and human rights in the digital age.
Disclaimer: This article discusses sexual content from the outset.
The MrDeepFakes platform positioned itself as the largest and most user-friendly resource for creating deepfake celebrity pornography. The site, which attracted millions of visits each month, contained about 70,000 explicit and sometimes violent videos that had been viewed more than 2.2 billion times.
The site’s core content consisted of videos in which the faces of famous women were inserted into hardcore pornography scenes without their consent using artificial intelligence.
The site also supported an active community of over 650,000 members who shared tips on creating such content, discussed orders for new deepfakes, and often left misogynistic and derogatory comments about their victims.
For years, the MrDeepFakes website remained shrouded in secrecy, operating in a legal gray area and carefully concealing the identities of those who ran the site. The site’s administrators remained anonymous, allowing the platform to operate and gain popularity.
However, recently, data was released that revealed the identity of a key administrator associated with MrDeepFakes. The discovery was a significant step in understanding who was behind the world’s largest deepfake pornography site, and raised questions about responsibility for the creation and distribution of illegal content.
David Do is a 36-year-old Canadian pharmacist who, according to open sources, lives a modest and respectable life in a suburb outside Toronto. Photos and videos posted online show him with family, friends and colleagues. The university graduate has a well-paying job at a public hospital and drives a new Tesla.
But Do has led a double life: secretly, he is the most prominent figure who controlled the administration of MrDeepFakes. He has also been an influential member of its growing online community, creating his own deepfake porn and helping users who want to create their own.
Online postings show Do as a tech-savvy individual with a long-standing interest in creating and distributing adult content, and also provide insight into the efforts to conceal his identity.
The administrator was identified through a massive data leak analysis of accounts from open breach databases. Cross-referencing email addresses, IP addresses, repeated usernames, and a unique password yielded a digital trail spanning more than a decade. This allowed researchers to link the administrator’s identity to the activities of the MrDeepFakes website.
After the key administrator was exposed, attempts were made to contact him for comment, but he had not responded by the time of publication. It was also noted that the administrator’s Facebook page and the accounts of some of his family members were deleted after the information was made public.
The administrator was then reported to have temporarily traveled to Portugal with his family, after which he returned to Canada. The incident caused significant public outcry, highlighting the importance of combating the illegal use of artificial intelligence technologies.
The MrDeepFakes website was shut down on Sunday. “A critical service provider has permanently shut down,” the platform said in a statement. “We will not be relaunching it. Any website claiming this is a fake.”
The CBC reached out to David Do again on Monday, but he declined to answer questions about his involvement with MrDeepFakes. “Please, I don’t want to be recorded,” he said. “I have to go. I’m busy right now.”
The identity of the person or persons controlling MrDeepFakes has been the subject of media attention since the website emerged following the banning of the “deepfakes” community on Reddit in early 2018.
But the porn site’s hosting providers are scattered around the world, and premium memberships can be purchased with cryptocurrency, making it virtually impossible to trace the owner.
Adam Dodge, founder of EndTAB (End Technology-Enabled Abuse), noted that the MrDeepFakes platform was one of the first to implement deepfakes technology specifically targeting women. He emphasized that the site evolved over time from a video-sharing resource to a kind of training platform and marketplace where artificial intelligence-powered sexual abuse materials were created and distributed. This applied to both celebrities and private individuals.
Dodge also noted that the digital world promotes the anonymity of those who want to cause harm, while making it almost impossible for victims to identify the perpetrator.
The problem of using artificial intelligence to create deepfakes is gaining increasing public resonance, as such platforms are becoming a tool for distributing content without people’s consent. The MrDeepFakes case once again drew attention to the need for stronger legal regulation in the field of digital security and ethics.
German reporter Patricia Schlosser is one of the women who has fallen victim to the increasingly common deepfake technology. Schlosser tracked down a man who uploaded more than 30 non-consensual sexually explicit photos of her to MrDeepFakes.
For this investigation, researchers conducted a forensic analysis of forums on the MrDeepFakes website. The forums are a virtual space where members order deepfakes and exchange tips on how to create videos using the same technology used to create revenge porn.
The videos posted on the site are described solely as “celebrity content,” but forum posts contained “nude” images of private individuals. Forum members called the victims “bitches” and “whores,” and some claimed that the women’s behavior provoked the spread of sexual content involving them. Users who requested deepfakes of their “wife” or “partner” were directed to send private messages to the creators and communicate on other platforms, such as Telegram.
A search of the forums turned up two accounts for MrDeepFakes “employees.” One joined in March 2019 and is also listed as a “moderator.” Another joined in February 2018 and is also listed as an “administrator” (two additional administrator accounts created in 2018 and 2021 were not listed as staff, and one now-defunct account, previously listed as a staff member and moderator, was created a year after the site was created).
Thus, the focus of this investigation was the oldest forum account with the user ID “1” in the source code, which was also the only profile that contained the combined titles of employee and administrator. For a long time, this account used the nickname “dpfks”.
The researchers began by analyzing the profile. dpfks’ bio contained little identifying information, but the archive for 2021 shows that the account had posted 161 videos that had garnered over five million views. He had been awarded the “Verified Video Creator” badge.
Forum posts document dpfks’ involvement as a creator and community leader. The archived data shows that dpfks published a detailed guide to using the software that creates deepfake porn, published website rules and content guidelines, advertised for volunteer moderators, and provided technical advice to users.
Dpfks’ posts had the slogan: “Fake it until you make it.”
In a 2019 archive, in responses to users on the site’s chat, dpfks stated that they were “dedicated” to improving the platform. “There’s a reason we’re the biggest deepfake site. I care about the community and educating others.”
“I don’t think other site owners care enough about creating their own deepfake and updating [sic] . My first few deepfake were terrible too, the more you make, the better you get.”
Legitimate online platforms take steps to protect users’ personal information, but data breaches are common and can affect anyone from the average user to senior U.S. government officials. In this case, the data breaches allowed researchers to link email accounts reused on porn sites, warez (pirated content) forums, and server administration platforms to a key operator of MrDeepFakes.
Central to the findings was a single email account – [email protected] – that was used in the “Contact Us” link at the bottom of the official MrDeepFakes forums page in archives from 2019 and 2020.
Using the stolen data, the researchers linked this Gmail address to the alias “AznRico.” This alias appears to be a combination of a well-known abbreviation for “Asian” and a Spanish word meaning “rich” (or sometimes “sexy”). The presence of “Azn” suggests the user’s Asian origin, which was confirmed by further research. On one site, a forum post stated that AznRico was writing about his “adult site,” which is short for a pornographic website.
The alias AznRico was often associated with a personal Hotmail address under David Do’s full name, which appeared in the leaks along with this username 22 times. The researchers also found AznRico’s cryptocurrency trading account, which later changed its username to “duydaviddo.”
Analysis showed that MrDeepFakes’ Gmail address was used to register a profile on a separate pornographic website. This profile used a unique 11-character password that was also used on other accounts, including a profile on the dating site Ashley Madison registered to K’s personal Hotmail address. A search of the hacked databases for the unique password returned 17 results linked to other email addresses that contained K’s full name.
Further searches of K’s Hotmail account led to further leaks of information indicating his date of birth. The Hotmail account was also linked to a residential address in Ontario, where, according to public records, a house owned by K’s parents is located. This email address was also used to register a Yelp account for a user named “David D,” who lives in the Greater Toronto Area.
Do has never publicly admitted to running MrDeepFakes, but one email address published by the porn site formed the basis of a digital trail that led to usernames, passwords, and other email accounts matching his personal and professional details dating back to 2008.
David Doe remains anonymous, but photos of him have been posted on social media by his family and employer. He also appears in photos and on the guest list at a wedding in Ontario, and in a university graduation video.
Doe’s Airbnb profile featured rave reviews of trips to Canada, the United States and Europe (Doe and his partner’s Airbnb accounts were deleted after CBC contacted him on Monday). His home address, as well as that of his parents’ home, have been blurred out on Google Street View, a privacy feature available upon request.
In the late 2000s, while at university, Do participated in the creation of Xinoa (xinoa.net), a warez forum. Archive data from 2008 shows that Do’s personal Hotmail address, which contains his full name, is displayed in the source code as the site’s administrator contact.
The “ddo” profile page is tagged with the tags “Root Administrator” and “Xinoa Owner”, and also lists a date of birth that matches Do’s. The profile contains links to download TV shows, one of which is accompanied by a comment about “exam week” in 2009, when Do was at university. This username is also similar to Do’s Instagram profile (“ddo.jpg”), which was linked to in the bio section of his Facebook account under the name “Doh Dave”. Both social media accounts have since been deleted.
The breach data shows that an account on an online marketing forum was registered using the email address of the administrator Xinoa. The account was linked to an IP address belonging to the University of Waterloo, where Do earned a degree in biomedical sciences in 2010 and a degree in pharmacy in 2014, Rocketreach reported.
The 2015 Ashley Madison data leak showed that a user named “ddo88” registered on the dating site with Do’s Hotmail address and was listed as a “hostage man seeking women” in Toronto. He described himself as Asian, 5’8” tall, and 150 pounds. The compromised profile was linked to an address in Toronto and included a date of birth that matched Do’s date of birth in public records.
Xinoa served as a springboard for a more complex operation.
In February 2018, when Do was working as a pharmacist, Reddit banned its nearly 90,000-strong deepfake community after implementing new rules prohibiting “involuntary pornography.” That same week, dpfks.com, the predecessor to MrDeepFakes, was launched, according to an archived changelog.
Analysis of the now-defunct domain shows that the two sites share Google Analytics tags and server software, as well as a forum administrator who used the nickname “dpfks.” Archived data from 2018 and 2019 shows that the two sites redirect or link to each other. In a since-deleted post on the MrDeepFakes forum, dpfks confirms the connection between the two sites and promises that the new platform is “here to stay.”
“MrDeepFakes.com used to be called dpfks.com, and we opened our doors shortly after Reddit was banned,” the 2018 post reads. “I know joining a new forum or community is like starting over, but the community is small and all the important players will stick together. I promise to keep this community going for as long as possible so the deepfake community doesn’t have to hustle and move again.”
Later in 2018, in a post on Voat, a defunct online forum similar to Reddit, dpfks claimed that they “own and operate” MrDeepFakes. In a reply to another user, dpfks talks about his life outside of working at the porn site. “I just got home from work,” the post said, “and now I’m back at it!” Some of dpfks’ earliest posts on Voat were deepfake videos of internet personalities and actresses. One of dpfks’ first posts on the MrDeepFakes forums was a link to a deepfake video of video game streamer Pokimane.
Other targets included US politician Alexandria Ocasio-Cortez, to whom dpfks shared a folder containing over 6,000 images that could be used to create deepfake pornography. Before MrDeepFakes was shut down this week, the site hosted 125 graphic videos tagged with Ocasio-Cortez, which had a combined total of over 5.3 million views. After discovering that she had been turned into a deepfake porn video last year, Ocasio-Cortez told Rolling Stone that the “digitalization of violent humiliation” was similar to physical rape and sexual assault.
Another target of dpfks was US YouTube star Gibi_ASMR, who rose to fame online for her ASMR (autonomous sensory meridian response) videos. Dpfks created and distributed pornographic deepfakes of the YouTuber on MrDeepFakes’ forums. In a statement published by EqualityNow in 2021, she said: “They are running this business, profiting off my face, doing things I didn’t consent to, as if my suffering is your livelihood. It made me very angry, but again, there was nothing I could do, so I just had to let it go.”
In 2018, dpfks posted a two-minute deepfake video of an Oscar-winning American actress, with the caption: “[Name omitted] doesn’t do porn, but in this fake video she is completely naked with her legs spread. Watch her face… as she tries to accept it.”
Forum posts under various aliases are consistent with those found in the Do or MrDeepFakes Gmail breaches. They show that this user was troubleshooting platform issues, recruiting designers, writers, developers, and SEO specialists, and outsourcing services.
The username “AznRico” was commonly associated with Do’s email and appeared in several online posts. In 2009, years before MrDeepFakes was launched, this now-blocked user posted on an online marketing forum discussing methods for making money online, including monetizing video traffic.
AznRico also posted on an automotive lighting forum in 2009 to ask for advice on repairing headlights for a 2006 Mitsubishi Lancer Ralliart in Canada. In another thread on the same forum, AznRico uploaded several images of the car, one of which was archival and contained metadata indicating that it was taken with a Sony Ericsson K850i.
In 2009, on a separate forum, AznRico claimed to have this model of phone and posted a troubleshooting post for the device (this forum was the site of a data leak that exposed David Doe’s personal Hotmail address and unique password).
У 2009 році на окремому форумі AznRico заявив, що має цю модель телефону, і опублікував допис про усунення несправностей пристрою (на цьому форумі стався витік даних, в результаті якого було розкрито особисту адресу Hotmail та унікальний пароль Девіда До).
Public records obtained by the CBC confirm that Do’s father is the registered owner of a red 2006 Mitsubishi Lancer Ralliart. While Do’s parents’ home is now blurred on Google Maps, the car can be seen in the driveway in two images from 2009 and in Apple Maps images from 2019. The CBC confirmed that the car was still near the house last week.
In 2011, freelancer job site AznRico asked for help building a video streaming plugin. The profile also indicated that the user lived in the same Ontario town as Do’s parents’ home. In 2018 — the same year MrDeepFakes was launched — AznRico asked for advice on how to fix the slow loading of its porn site, which it said was getting about 15,000 to 20,000 visits a day. Security breach data shows that this account was associated with Do’s personal Hotmail address.
In a January 2020 forum post, user “dj01039” complains that PayPal has restricted their “hidden account” that was used to “sell virtual goods” (PayPal was occasionally available as a payment option on MrDeepFakes). The username dj01039 matches the shortened email address ([email protected]) that was associated with the PayPal donation button on MrDeepFakes in December 2019.
In June 2020, on another forum, a user with the same alias (who later changed it to “ac2124”) reported that his hidden account had been permanently closed and wanted to know about shell companies that might be accepting payments on his behalf. The user described himself as an “adult website webmaster” who receives commissions from creators who publish original pornographic videos, as well as revenue from advertising. By December 2020, ac2124 said, his website was earning between $4,000 and $7,000 per month.
The leaked data also links MrDeepFakes’ Gmail to an account on the support forums for Kernel Video Sharing (KVS), a commercial content management system, where user “mongoose657” (formerly dj01039) sought help managing the video site. The discussions, which spanned from 2021 to 2024, coincided with back-end issues that plague the operation of a large website: storage solutions, ticketing system failures, and outsourcing of development work.
On the adult webmaster forum GoFuckYourself.com in 2020, user dpfks (later changed to “mjmango”) asked about anonymous debit cards that were advertised as allowing users to withdraw cash or pay for purchases anonymously. In 2021, mjmango responded to another user’s question about how to monetize porn sites.
On another forum, ac2124 asked about countries for setting up an offshore company and expressed concerns about the “know your customer” checks used by the banking industry to verify the identity of their customers. In a 2020 post, ac2124 reported that they had decided to create a “front/front site” for their adult site and asked about online payment processing and “secure storage of funds.”
In 2022, user ac2124 sought advice from a Canadian citizen who runs a “niche adult website” and asked about “a company structure that focuses on privacy.” The post stated, “At a minimum, this person should not be listed on any public registrar (as a director, shareholder, ultimate beneficial owner, etc.). It is open to the use of nominees, opening trusts, etc. What structures or jurisdictions should be considered?” This user also asked specifically about forming a company in the British Virgin Islands or the Cayman Islands, both jurisdictions that are secretive.
In late 2023, user mjmango left a positive review for an adult graphic designer under his post that featured the MrDeepFakes logo. “Recently purchased another logo. As always, great communication and allowed for a few re-edits,” the comment read. In March 2024, user ac2124 posted a report of delays in accessing a service that creates a “proxy” for a “high-risk website” so that it can process transactions from online payment processor Stripe.
In April 2024, the Dutch newspaper Algemeen Dagblad (AD) reported that it had contacted the owner of MrDeepFakes, who remained anonymous in subsequent reporting. AD reported that the person claimed to have sold the website, but provided no evidence to support this claim. Our investigation was unable to confirm whether the website was ever sold, and if so, when.
David Do did not respond to multiple requests for comment on his involvement with MrDeepFakes.
