“It’s a simple plugin that automatically scans Facebook to collect profiles and post messages”, Christoffer Ravnsborg, co-owner of Leadfresh, says when we have him on the phone. It’s an automated tool purchased from a freelance developer on Fiverr.com, a marketplace to hire freelancers for their services. The way Christoffer tells it, it’s a perfectly innocent transaction that he has little to no control over. But our research shows that Christoffer and his colleagues were very much aware of what they were doing, and that they operated with a high degree of sophistication.

We discovered the identity theft when we found a review of the Danish version of Geldninja.nl. “They stole my son’s Facebook profile to promote their own products”, a concerned parent wrote on Trustpilot, a consumer review website. At that time, there were five Facebook comments on Pengepanel.dk singing the praises of the company and waxing poetic about how much money they were able to earn thanks to the website’s tips. “At first, I was a little bit sceptical. But I tried it, and I earned 1,500 kroner today!”

This is characteristic of the over-the-top tone you would expect to find on a fake website or in a cheesy commercial. Are there similar messages on the Dutch version of the site, Geldninja.nl? After a little bit of digging, we find Dutch accounts making similarly suspicious claims: “I earned 120 dollars in just 40 minutes!”

The likes and thumbs ups are fake

The comment box, the thumbs ups and “like” links under the comments are meant to give it an air of credibility and convince visitors to do a bit of online gambling through the site. But we quickly come to the conclusion that all of the comments are fake.

The comment field doesn’t actually work, and if we look at the website coding, the “share” button is disabled. The “like” links don’t take you to Facebook, but lead to Geldnina.nl instead. The people in the profiles are real, though. If we click on any of the names or profile pictures, we end up at Roxana, Hans and Nicole’s real profiles.

We wanted to get to the bottom of this, so we looked at the Facebook comments on the other foreign versions of Geldninja.nl. The site has been translated 14 times into different languages, including Spanish, Polish, Romanian, Italian and French. Without fail, each site features four or five people making similarly laudatory comments.

We find a couple of examples of the exact same wording on different sites. The profiles all follow a similar “conversation” script, asking each other questions like, “What happens to the money that I earn? How do I get it?” and replying with, “You’ll always get paid - you can set up a direct deposit to your account.” It’s one of the conversations that invariably takes place in the fake comments. It appears that Leadfresh wrote a script, just like a screenplay for a movie, and it was acted out over and over again. “I translated the texts through Google Translate for all of the different sites”, Christoffer admits.

We collected all of the names

To get a better picture of the number of people who fell victim to this system, we collected all of the names on the 14 variants of the Geldninja.nl site. We noticed that the victims often came from the same place. For example, on cashninja.it, all of the victims lived in Rome. Nicole, one of the Dutch victims, says that she knows the people whose profiles were used on Geldninja.nl in real life. Hans, Thamara and Roxane all come from the same town as her. The tool apparently selects profiles from the same region in order to make their script seem more credible.

Our investigation didn’t stop at the front end of the sites: we also dug into the history of the websites to see if we could find more individuals who had been harmed by this scheme. The internet archive Wayback Machine is a good way to do that, but Google’s saved pages (cache version) also helped us to identify additional people who had been duped.

That is how we found the first instance of Leadfresh using fake Facebook comments. On 15 July 2016, the Wayback machine made a copy of Moneymarket.dk, the very first website that Leadfresh published about earning money online. On the site, in addition to the profiles of friends, you can see that they even used Mark Zuckerberg’s profile to test out the tool for stealing identities and posting fake comments.

Altogether, we identified 134 victims across the world, from Sweden to Turkey, Finland, Norway and Hungary. We gathered all the names and manually entered them into a spreadsheet. It’s likely that more identities have been stolen since 2016, but we could not definitively confirm that due to a lack of cache versions or inability to access copies of the websites.

"There isn’t a working email address"

One of the victims is Mikkel from Denmark. Two years ago, he found out that his name was being used on the website after someone approached him about it. “Since then, people have been sending me messages pretty much daily asking if I can help them earn easy money with Bitcoins”, he writes.

Last year, Mikkel reached out to the admins of the site and asked them to remove his name and profile. According to Christoffer, he never received that message. “There isn’t a working email address affiliated with the site.”

Following our phone call, Leadfresh says that they have deleted all of the Facebook comments. “The comments are no longer active on the sites and have been deleted. Thank you for bringing this to my attention”, Christoffer writes via e-mail.

At the time of publication, the LinkedIn profile of “Martyna Whittell”, where Leadfresh uses personal photos of one of Christoffer’s former classmates, is still active.

Translation by Traci White