# Full Report
This article is the result of a collaboration with TjekDet, Denmark’s fact-checking media outlet, Danish newspaper Politiken, and the Canadian Broadcasting Corporation.

Warning: This article discusses non-consensual sexually explicit content from the start.

MrDeepFakes billed itself as the “largest and most user-friendly” platform for celebrity deepfake pornography. The website, which was visited millions of times […]

The post Unmasking MrDeepFakes: Canadian Pharmacist Linked to World’s Most Notorious Deepfake Porn Site appeared first on bellingcat.
# Analysis Summary
# Threat Actor: David Do (Associated with MrDeepFakes Administration)
## Attribution & Identity
* **Identified Individual:** David Do, a 36-year-old Canadian pharmacist living near Toronto.
* **Role:** Identified as a key administrator and influential member of the MrDeepFakes online community.
* **Known Aliases/Usernames:** `mjmango` (used in offshore corporation forums) and `ac2124` (used when discussing payment processor issues).
* **Known Associations:** Associated with the administration and content generation for the website MrDeepFakes.
## Activity Summary
* **Operation Focus:** Administration and operation of **MrDeepFakes**, described as the largest and most user-friendly marketplace for non-consensual deepfake pornography (NCIP).
* **Scale of Operation:** The website hosted nearly 70,000 explicit videos, viewed over 2.2 billion times, primarily targeting famous women.
* **Community Facilitation:** Managed an active community of over 650,000 members who shared tips, commissioned deepfakes, and posted derogatory comments.
* **Content Creation:** David Do produced his own deepfake porn and assisted other users in creating content.
* **Shutdown:** MrDeepFakes was shut down on May 4th, shortly after David Do was informed of the impending exposé, citing termination of service by a critical service provider.
## Tactics, Techniques & Procedures
* **Digital Obfuscation/Anonymization:** Used burner emails and multiple IP addresses in an attempt at concealment, but reused the same usernames and a distinctive password structure across services, leaving a decade-long digital trail that investigators were able to follow.
* **Community Engagement:** Actively participated in the platform's community, providing technical assistance and engaging in the sharing/creation ecosystem.
* **Financial/Administrative Obfuscation:** Searched for corporate solutions focusing on privacy, specifically inquiring about establishing entities in secrecy jurisdictions like the British Virgin Islands or Cayman Islands to avoid public registration as a Director, Shareholder, or UBO for an "adult niche website."
* **Transaction Evasion:** Sought services to create a "proxy" for a "high-risk website" to process transactions, likely to circumvent restrictions from standard payment processors like Stripe.
* **Post-Discovery Actions:** Deleted relevant Facebook and associated family social media accounts shortly after being approached by investigators.
## Targeting
* **Sectors:** Not applicable (Focus is on non-consensual content distribution rather than corporate espionage or traditional sector disruption).
* **Geography:** Primarily operated globally via the internet, though the identified administrator resides in Canada.
* **Victims:** Primarily famous women (e.g., Jenna Ortega, Taylor Swift, Alexandria Ocasio-Cortez) whose faces were inserted into pornography without consent. Also targeted non-public individuals, including high school students.
## Tools & Infrastructure
* **Malware Families Used:** Not explicitly mentioned. The core technical mechanism relies on **Artificial Intelligence (AI)** for deepfake generation.
* **Infrastructure (C2, domains, IPs):**
  * Core platform: `MrDeepFakes` website.
  * Payment infrastructure: services requiring "proxy" solutions to interface with processors like Stripe.
  * Obfuscation tools: burner emails and VPN/IP masking techniques.
## Implications
This case highlights the convergence of sophisticated AI technology (deepfakes) with dark-web and grey-area economies that thrive on data misuse and anonymity. The subject, a seemingly legitimate professional, was deeply embedded in running a large-scale illicit platform, which shows how hard such operations are to attribute and dismantle without extensive investigative work that leverages credential leaks and cross-platform digital trails. The rapid shutdown upon exposure indicates dependence on fragile infrastructure that is susceptible to legal and reputational pressure.
## Mitigations
* **Enhanced Digital Forensics:** Utilize cross-referencing of vast breach databases (passwords, emails, usernames) to link anonymous operations to real-world identities.
* **Monitoring Corporate Secrecy:** Increased scrutiny of inquiries related to setting up shell corporations or utilizing nominees across secrecy jurisdictions for "high-risk" or privacy-focused "adult niche" businesses.
* **Payment Processor Vigilance:** Implement stricter onboarding and ongoing monitoring for merchants acting as proxies for high-risk content platforms, so that such platforms cannot keep processing payments through intermediaries.
* **Legal Framework Support:** Support and adhere to emerging legislation criminalizing the distribution of non-consensual deepfake pornography (referenced in the context of the US Take it Down Act).
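The "Enhanced Digital Forensics" mitigation above describes pivoting across leaked credential records on shared usernames, emails and password structure, which is the same kind of trail the TTP section says the administrator left behind. The following is an added example of that correlation step, written for this summary; it is not Bellingcat's or any partner outlet's tooling, and every record in it is constructed (the handles, addresses and passwords are invented and the dataset names are placeholders). It clusters records that share a distinctive pivot key, treats a reused password stem with changing digits as one such key, and deliberately ignores values that are too common to be evidence, so that two strangers who both chose `123456` are not linked.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    source: str    # name of the (constructed) dataset the record came from
    username: str
    email: str
    password: str  # plaintext, as it appears in many real-world dumps


# Values shared by so many people that they are noise, not evidence.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}


def pivot_keys(r: Record):
    """Yield (kind, value) keys distinctive enough to tie two records together."""
    yield ("username", r.username.lower())
    yield ("email", r.email.lower())
    if r.password in COMMON_PASSWORDS or len(r.password) < 8:
        return  # a common or very short password links nobody to anybody
    yield ("password", r.password)
    # Reused password "structure": same stem, different digits (e.g. a year suffix).
    # Only a reasonably long non-digit stem is personal enough to act as a pivot.
    stem = re.sub(r"\d", "", r.password)
    if len(stem) >= 5:
        yield ("password-pattern", re.sub(r"\d", "#", r.password))


def cluster_records(records):
    """Union-find over pivot keys. Returns a sorted list of
    (sorted record indices, sorted list of 'kind=value' keys that linked them)."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    by_key = defaultdict(list)
    for i, r in enumerate(records):
        for key in pivot_keys(r):
            by_key[key].append(i)
    for idxs in by_key.values():
        for j in idxs[1:]:
            ra, rb = find(idxs[0]), find(j)
            if ra != rb:
                parent[rb] = ra
    members = defaultdict(list)
    for i in range(len(records)):
        members[find(i)].append(i)
    evidence = defaultdict(set)
    for key, idxs in by_key.items():
        if len(idxs) > 1:
            evidence[find(idxs[0])].add(f"{key[0]}={key[1]}")
    return sorted((sorted(m), sorted(evidence[root])) for root, m in members.items())


def cross_source_clusters(records):
    """Keep only clusters that span more than one source dataset: those are the
    cross-platform links worth an analyst's time; a single-source cluster is not."""
    out = []
    for idxs, keys in cluster_records(records):
        sources = sorted({records[i].source for i in idxs})
        if len(sources) > 1:
            out.append({
                "records": idxs,
                "sources": sources,
                "usernames": sorted({records[i].username for i in idxs}),
                "evidence": keys,
            })
    return out


# Constructed sample "breach" records; nothing here refers to a real person.
RECORDS = [
    Record("forum-dump-A", "nightowl77", "nightowl77@example.com", "Harbor!2013"),
    Record("forum-dump-B", "qx2190",     "tmp-box-01@example.net", "Harbor!2019"),
    Record("shop-dump-C",  "qx2190",     "d.person@example.org",   "Harbor!2019"),
    Record("shop-dump-C",  "bystander",  "bystander@example.org",  "123456"),
    Record("forum-dump-A", "other_user", "other@example.com",      "123456"),
]

if __name__ == "__main__":
    for link in cross_source_clusters(RECORDS):
        print(link)
```

Run as-is, the script reports one cluster spanning all three constructed sources: records 1 and 2 share a username and an exact password, and record 0 joins them only through the `Harbor!####` pattern, while the two `123456` records stay unlinked. That asymmetry is the practical point: an exact username or email match is a strong pivot, a password pattern is a weak one that produces a lead to corroborate rather than an attribution, and the filter on common values is what keeps the graph from collapsing into one useless blob.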