Kind: captions
Language: en
Meet Marco267.
He might look like a normal person
posting on social media, but actually,
well, Marco 267 is a fake account. And
he was not alone. Marco 267 was part of
a network of hundreds of fake bot
accounts pushing propaganda websites and
some pretty odd information. And all of
them, well, they were ran out of a small
company in Indonesia. And over the next
few minutes, I'm going to show you what
these accounts were sharing, how they
were sharing it, and who was behind it.
And I'm going to show you each step of
the way and the open-source
investigative techniques used. Hi
everyone, I'm Ben, and welcome back to
my channel on open- source investigative
techniques. If you'd like to follow any
of the links to tools or resources
mentioned in this video, check them out
in the description below. And while
you're there, don't forget to click
subscribe. Otherwise, let's get started.
So, before we get too stuck in the
weeds, you might be wondering, what's
Marco even posting about? He mentions
Indonesia and West Papua. Well, for
those of you that don't know, West Papa
was a Dutch colony that declared
independence in 1961, and it was annexed
by Indonesia in 1969 through a vote that
many see as illegitimate. Since then,
the region's seen decades of unrest, a
strong independence movement, and
repeated crackdowns by Indonesian
authorities, including internet
blackouts and bans on foreign media.
With little press access, social media
has become the main battleground for
shaping the narrative. And that's where
this case comes in. Because what we
uncovered wasn't just a normal
information operation. It was a Jakarta
based marketing firm that was running a
fake network to manipulate public
opinion on West Papua. They used bots,
they hijacked hashtags, and they even
created fake pro-independence pages to
push anti-independence content. Social
media platforms later removed hundreds
of accounts, but the tactic still came
back. Well, let's go back to Marco and
what is he actually saying? Well, in
this post, he says, "What are some
secrets that Indonesia have been hiding
in West Papua? Find out the answers
here." And he's also got a heap of
hashtags that he's posting. Some of
those really don't seem relevant to this
post. For example, he's using the
hashtag Westpapa genocide, free West
Papua, and let West Papa vote. It would
be really awful if Marco was actually
putting out some incorrect information
and trying to hijack those hashtags
where there might be legitimate actual
West Papua genocide videos or photos or
people trying to fight for free West
Papua. So, let's take a look at the
video that he's trying to post about.
Well, the video is trying to say that
Indonesia is hiding in West Papa. Some
pretty good news and some pretty good
projects. And the rest of the video is
pretty much the same. When we go back to
Marco, well, actually, he's not really
the only person posting about it. He's
got a lot of friends posting the exact
same content. And they're all posting
the same text and the same hashtags. And
they're even using the exact same little
error in that hashtag about West Papua
where they forgot to put in the hashtag
and put in a space there. Some of us
like to call this a copy and paste
network right here because they're
essentially copy and pasting the exact
same text and hashtags. So, let's go
back to Marco. Well, okay. He's got a
lot of friends posting the same stuff.
Maybe they just really like him. Could
he be a real person, though? One way
that we can find out is by checking out
his profile picture. He seems like a
middle-aged white male, but maybe he's
really not behind the surface. So, what
we can do is use our favorite little
technique, an image reverse search, and
check out where else that photo might be
online. And haha, it's everywhere. It's
on dating websites. Apparently, Marco267
is responsible for the most intense
workout plan you've ever tried on girls
askguys.com. And he's also part of other
some other pretty nefarious scam
websites. It sounds like Marco267's
photo. Whoever he really is has been
taken and utilized around the world
across the internet for very different
purposes. So, let's have a look at the
activity of not only Marco, but some of
his friends. One thing I always like to
look at is posting times. How often is
Marco267 posting? And maybe well, let's
take a look at his friends as well that
we already saw that are posting the
exact same context and and and hashtags.
Well, what about his friends? Here's
someone called Bella now. And here's
another one called Kevin Mah. And these
are lists of time codes of every time
they've posted on one single day. Well,
first of all, you can see they post a
lot, but second, you can see some of the
time codes are pretty interesting.
There's a lot of patterns there. The
pattern like 32 minutes 56 on the hour
repeated
five six times. Perhaps we've got Kevin
Mah. Look at him. 3254 on the hour
numerous amounts of times. And so this
is really interesting to see. And this
is something that we indicate might be a
script, might be a level of automation
to show repeat time patterns being used.
So, now that we've seen Marco 267 might
not be a real person, and we've also
seen that some of his friends might be a
little bit botty, a little bit
automated, let's take a look at some of
his other friends. Well, I collected
some activity on that day from Marco267.
Here he is pictured as a little red dot,
and we're going to see him as part of a
much bigger network. This network is
Twitter accounts using the hashtag free
Westpapa for that day. Now we can see
Marco267's little network of friends
over here and we can see some of the
other accounts like free West Papa ID,
Papa West ID, West Pupper ID, but also
some others like Hendra Offxy,
uh, Idola Jakarta 48, and some of the
others. Here's Marco 267, and we can see
some of the relationships there. So,
let's go to one of those accounts,
Westper ID, that seem to be pretty
popular. A lot of people are retweeting
the video with those comments and with
those hashtags.
The interesting thing that we see about
Westpuffer ID is that it's got a website
link and that's always useful because
sometimes people make mistakes with
websites. So, let's click on the website
link and let's check out the website.
Whenever you're doing this kind of
stuff, I always recommend using a VPN
and making sure you mask any indicators
that might give away you, your identity,
and your location because some of these
could be a little bit of a trap. For
this website, it's also got some linked
social media accounts that we can see in
the top right there. And those are
always useful to check out just because
some social media platforms have some
transparency tools that we can utilize
to see some of the activity behind them.
This website specifically is West Papa
ID's website. It's the link that we
followed to from that Twitter account.
And on it, you can see some pretty heavy
propaganda stuff, some very Indonesian
supportive stuff of what's happening in
West Papua. It claims to be a West
Papwan news website, uh, which is also
pretty interesting. So, this is the
Facebook account that was linked to that
website. It's West Papua Indonesia.
Again, you can see the username,
Westpapa.
Seems to have quite a few people liking
it. It's got 152,000 people that like
it, 153,000 that follow it. So, it says
that it's uh West Papa Indonesia is a
media established to give insights in
data and facts for international
audiences. How very interesting. What's
also interesting is that they run ads
and those ads are targeting specific
groups. For example, here's a post from
West Papua. Uh, it was taken down
because it goes against Facebook's
policies, but this post was trying to
target who? Well, they tried to target
people in the Netherlands. And many
other ads try to target people in
Europe. That's kind of interesting. I
don't really know the motivation behind
why they're doing that, but it's a
useful thing to find out when we're
doing this research. So, let's go back
to the website. Well, the fun fact about
websites is that whenever you start up a
website, you often have to give some
details like a phone number, a name, an
email address. Often time you can make
that private except this person didn't.
I'm blocking out these details because I
think this person was just an employee
of a marketing firm and was just doing
their job. So, I prefer not to dox their
details. But, we can see a couple of
those details there, such as the start
of a phone number, the name, uh, and
they also left an email there. The
organization was actually fake. It
didn't lead to anything whatsoever. But
the phone number, well, that was
definitely useful. For those of you that
use WhatsApp and you use your profile
picture in there, well, news for you,
that might lead to other things. So for
this person, I took their phone number,
saved it in WhatsApp, and did an image
of her search on their profile picture,
and that took me to some of their
profiles on things like freelancer.com,
where they were advertising themselves
as a digital marketing freelancer that
was really good at running social media
campaigns. Further to that, I also got
their name and was able to identify the
person on LinkedIn and the company that
they work for. There were quite a few
similar other people working at that
same company called Insight ID. And I'm
not going to expose their details
either, which is why I've got them
blurred out and why I won't expose their
names. But one person who was running
the organization is this person Abdul
insight.org.
If we have a look at Abdul's
registrations of websites, well gosh,
there's a lot. And there also a lot on
one single day. Abdul registered on 2018
August 6 registered survival
westpapa.com west papa genenocide.com
papaaratnews.com
Asia-Pacific Reports West Papa video I'm
not going to go through all of them but
a lot of websites a lot of news websites
as well around West Papa almost gave no
chance for anyone who actually wanted to
have a human rights website or a news
website about West Papwa the chance to
register a domain because Abdul pretty
much registered all of them. So myself
and an awesome researcher called Elise
Thomas did this investigation and
published this report with Bellinkat and
you can find the link in the description
below where all of these details have
been published including exactly how we
did all these steps. I'm also conscious
I've covered them very quickly here but
it is a very in-depth report detailing
all of the data that we collected. After
we published that we noticed that social
media platforms took action. Facebook
took down the network that was present
on Facebook and Instagram. Twitter took
down apparently 795 accounts which it
identified were pushing content from
suspicious news websites and promoting
progovernment content. And also Google
took down stuff from YouTube as well.
And after we published that, well, of
course, the website went down and this
marketing firm was no more. Now, usually
I'd like to end this with a happy story,
but the network lived on using a couple
of different tactics such as writing in
Dutch or writing in German and also
using very graphic memes with lots of
words on them to target West Papan
independence movements, West Papan
autonomy and voting for independence and
again also using those hashtags. The
type of accounts posting this content
were quite interesting. For example,
here's one on the left called Jasmine
Eloise who is apparently an Australian
reporter. And here's Eliza Florence on
the right who apparently likes to smile.
And these accounts were posting in
English and Dutch and German. Also,
we'll also get to why some of the
profile pictures on these accounts are
interesting. Again, you'll see many of
them were also emerging on Facebook,
too. Again, really targeting the same
kind of thing. You can see the keywords
there being special autonomy. Pretty
much most of the posts were around that.
But once we collected the profile
pictures of all of the accounts from
Twitter, from Facebook, from Instagram,
we noticed a bit of a pattern. Can you
see it on your screen here? And I'll
leave it for 2 seconds and you can tell
me if you see it.
If some of you said that maybe they had
a really good photographer taking a very
good portrait photo, you're probably
right. Well, actually, these are all
generated photos. And the way we can
test that is by drawing red lines. When
these photos were generated, it was
generated using a website called
thisperson does notexist.com. And the
eyes were always in the exact same
location. Really easy way to test that
out is just to match up the photos like
this and to draw lines to show the
symmetry between every single photo and
all of the eyes in the exact same
location. But it's not the only thing,
of course. If we look a little bit
deeper, the devil is always in the
detail. And one of these folks, if we
have a look at their cap, we can see,
well, that's a pretty weird hat and also
a bit of an odd logo. We can see this
person, their glasses are a little bit
odd. They're wearing jewelry on one ear,
unless the other one lost it. And you
can see the mouth and the teeth are a
little bit different as well. And many
of these accounts were very much posting
a lot of similar activity. You can see
the accounts on Instagram here, for
example, were pumping out this content.
So, what have we gone through here?
Well, we've gone into a little bit of
context about why this information is
actually important about West Papua's
independence and about what's actually
happening in West Papua, especially
where there might not be much
information actually heard from the
ground because of internet cuts and
internet blackouts because of limitation
of media access as well. We've also
identified the discovery of a bot
network and the people behind it being a
marketing firm called Insight ID, but
also the persistence of new operations
even after those other networks have
been taken down. And so I really invite
you to have a look at some of the links
in the description and specifically the
long report that Elise and I wrote which
really goes into some of the techniques
used some of the information gleaned
from using creative open-source
investigative techniques to uncover the
truth.
I hope you enjoyed this session which
was a little bit more about information
operations, disinformation networks and
also the open source investigative
techniques that can be used to expose
them and understand what they're posting
and who's behind them. See you in the
next session.