Full Report
Content warning: This story discusses non-consensual deepfake nude imagery.
On the surface, Crushmate appeared to be one of many artificial intelligence “girlfriend” or “companion” apps. Its multiple websites said it specialised in “crafting the AI girl of your dreams”, and on Google and Apple’s app stores, it was described as an “AI chat product designed […]
The post Meta’s Suit Against Hong Kong Firm Was Just the Beginning – More Companies Linked to CrushAI ‘Nudify’ Apps appeared first on bellingcat.
Analysis Summary
# Incident Report: Dissemination of Non-Consensual Deepfake Imagery via AI Companion Apps
## Executive Summary
This incident involves a coordinated network of Hong Kong and China-based companies (Joy Timeline, Soul friendship HK Limited, and Wuhan Ruisen Network Technology Co., Ltd.) that created and advertised AI "companion" apps, such as Crushmate, whose primary function was to generate non-consensual deepfake nude imagery ("nudifying" apps). Attackers used social media platforms, specifically Meta's Facebook and Instagram, to distribute thousands of misleading ads promoting these services, leading to severe privacy violations and potential legal action by platforms and government bodies. Following initial public exposure and legal engagement, the primary operational domains associated with the apps were taken offline.
## Incident Details
- **Discovery Date:** January 2024 (Initial 404 Media report regarding ads on Meta platforms)
- **Incident Date:** Ongoing, with aggressive ad campaigns noted leading up to February 2024. Shutdown notices suggest activity ceased "several months" before May 2024.
- **Affected Organization:** Meta (as the platform abused for advertising); Victims (women whose images were used for deepfakes).
- **Sector:** Technology, AI/Software Development, Advertising.
- **Geography:** Companies linked to Hong Kong and China; ads targeted users in the US, Canada, Australia, Germany, and the UK.
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-January 2024 (Ad activity noted months prior to public reports).
- **Vector:** Abuse of legitimate advertising platforms (Meta: Instagram/Facebook) using potentially fake user profiles to evade moderation.
- **Details:** Thousands of ads promoting "CrushAI" branded apps were placed, leading users to websites prompting them to upload photos for "erasing clothes" using deepfake technology.
### Lateral Movement
*Not directly applicable in a traditional network compromise sense.* The movement here was the **expansion of influence/reach** across social media platforms using fabricated advertising accounts and multiple associated domain names.
### Data Exfiltration/Impact
- **Data Stolen/Damaged:** Non-consensual deepfake intimate imagery generated based on user-uploaded photos of real women.
- **Impact:** Severe privacy violations, emotional distress for victims, and potential monetary gain for the operators (Crushmate earned over $45,000 in subscriptions).
### Detection & Response
- **How it was discovered:** Initial reports by 404 Media in January 2024 regarding the ads on Meta platforms. Subsequent investigation by Bellingcat linked multiple related companies and domains.
- **Response actions taken:**
   1. **Meta Action:** Sued Joy Timeline, banned them from advertising, and sought recovery of investigation costs ($289,200).
   2. **Government Interest:** Illinois Senator Dick Durbin contacted Meta's CEO regarding the abuse.
   3. **Platform Shutdown:** Crushmate's X profile and US domain ceased operation around April/May 2024, coinciding with the signing of the US "Take It Down Act."
   4. **Operator Claim:** A representative stated operations were permanently shut down "several months" prior to the US legislation.
## Attack Methodology
- **Initial Access:** Advertising platform abuse (Meta Ads).
- **Persistence:** Use of multiple associated domains (e.g., .site, .net, .vip, .us) and linked Google Analytics Tags to maintain online presence despite takedowns.
- **Privilege Escalation:** Not applicable (no network system access attempted).
- **Defense Evasion:** Using "multiple fake Facebook profiles" to circumvent Meta's content moderators.
- **Credential Access:** Not applicable.
- **Discovery:** Public monitoring by investigative journalists (404 Media, Bellingcat).
- **Lateral Movement:** Spreading influence via widespread social media advertising targeting multiple countries.
- **Collection:** Prompting users to upload source images for deepfake generation.
- **Exfiltration:** Dissemination of generated non-consensual imagery, primarily via the app/website interface.
- **Impact:** Privacy violation, reputational damage to victims, and financial gain for operators.
## Impact Assessment
- **Financial:** Operators earned over $45,000 in subscriptions (Dec '23 - Jul '24). Meta incurred ~$289,200 in investigation/removal costs.
- **Data Breach:** Generation and potential dissemination of non-consensual deepfake intimate imagery of women, including celebrities and influencers.
- **Operational:** Disruption to Meta's advertising moderation systems.
- **Reputational:** Significant reputational harm to victims and scrutiny placed upon Meta for allowing the ads to proliferate.
## Indicators of Compromise
*(Note: Actual IoCs are omitted/defanged as the primary compromise was platform abuse, not network intrusion.)*
- **Network indicators:** Use of multiple, linked domains (e.g., crushmate.site, crushai.vip) identified via shared, unredacted WHOIS registration data or identical Google Analytics Tags.
- **File indicators:** N/A.
- **Behavioral indicators:** Aggressive placement of highly specific, violating advertisements on social media platforms evading standard moderation filters.
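
The linking step named under network indicators (shared Google Analytics tags or unredacted WHOIS data) can be sketched as follows. This is an added example, not code from the report or from the Bellingcat investigation: all domains, tag IDs and e-mail addresses are constructed placeholders, and the tag regex is an approximation of common Google tag ID formats.

```python
import re
from collections import defaultdict

# Approximate patterns for GA4, Universal Analytics and Tag Manager IDs (assumption).
TAG_RE = re.compile(r"\b(G-[A-Z0-9]{8,12}|UA-\d{4,10}-\d{1,4}|GTM-[A-Z0-9]{4,9})\b")
REDACTED = ("redacted", "privacy", "proxy", "withheld")

# Constructed observations: placeholder domains, tag IDs and registrant e-mails.
OBSERVATIONS = [
    {"domain": "companion-a.example", "registrant_email": "owner@holdco-one.example",
     "html": "<script src='https://www.googletagmanager.com/gtag/js?id=G-TESTAAA111'></script>"},
    {"domain": "companion-b.example", "registrant_email": "REDACTED FOR PRIVACY",
     "html": "gtag('config', 'G-TESTAAA111');"},
    {"domain": "companion-c.example", "registrant_email": "Owner@HoldCo-One.example",
     "html": "<p>no analytics</p>"},
    {"domain": "unrelated.example", "registrant_email": "REDACTED FOR PRIVACY",
     "html": "gtag('config', 'G-TESTZZZ999');"},
]

def indicators(obs):
    """Return the (kind, value) pivots that can link this domain to others."""
    found = {("ga_tag", t) for t in TAG_RE.findall(obs["html"])}
    email = obs.get("registrant_email", "").strip().lower()
    # Redacted or proxy WHOIS values are shared by unrelated domains: skip them.
    if "@" in email and not any(word in email for word in REDACTED):
        found.add(("whois_email", email))
    return found

def cluster(observations):
    """Group domains that share at least one indicator, using union-find."""
    parent = {o["domain"]: o["domain"] for o in observations}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    first_seen = {}
    for o in observations:
        for ind in indicators(o):
            if ind in first_seen:
                parent[find(o["domain"])] = find(first_seen[ind])
            else:
                first_seen[ind] = o["domain"]
    groups = defaultdict(set)
    for domain in parent:
        groups[find(domain)].add(domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

if __name__ == "__main__":
    for group in cluster(OBSERVATIONS):
        print(group)
```

Treating a redacted WHOIS string as an indicator would merge every privacy-protected domain into one cluster, which is why it is filtered before linking.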
## Response Actions
- **Containment measures:** Meta removed/banned ads and investigated the linked advertiser (Joy Timeline).
- **Eradication steps:** Meta sought an injunction against future advertising. Investigative journalists cataloged and linked affiliated domains.
- **Recovery actions:** The associated domains and social media profiles largely ceased operation or went offline following public pressure and legal threats (coinciding with the US "Take It Down Act").
## Lessons Learned
- **Key takeaways:** Sophisticated advertising networks can be utilized to bypass content moderation systems at scale, even for highly abusive content like deepfake pornography. Identifying related entities requires cross-platform analysis (app stores, WHOIS records, ad networks).
- **What could have been done better:** Faster identification and proactive banning of associated developer entities (Soul friendship, Wuhan Ruisen) by platforms upon initial discovery of one entity (Joy Timeline).
## Recommendations
- Platforms must implement more robust, AI-assisted detection methods specifically targeting pattern recognition across multiple, ephemeral advertising accounts used to push sensitive or abusive services.
- Developers listed on app stores whose apps are repeatedly flagged should face enhanced scrutiny, with immediate cross-referencing of their affiliated corporate entities.
- Greater transparency in WHOIS registration data should be pursued where such data is vital for tracing coordinated disinformation or abuse campaigns.