Deepfake is an AI-based image synthesis technology. It is a collective term for the frame-by-frame replacement of a person in an existing image or video with another person’s likeness through deep learning. Deepfakes have been used in different ways, such as creating a parody of a movie scene by replacing an actor with your best friends, or using face swap features in apps like Snapchat. Recently, however, deepfakes have become an emerging societal problem, as they have created a new genre of pornography called Deepfake Pornography and thousands of deepfake porn sites.

To prevent potential damage, some countries like South Korea have enacted laws against creating and distributing deepfake porn. However, such legal regulations have yet to be introduced in most other countries.

In response to deepfakes emerging as a social issue, large platforms like PornHub took steps to delete all of the uploaded criminal-prone deepfake videos, which created yet another problem as people began to create deepfake porn sites.

Deepfake Porn Sites Distributing Deepfake Videos of K-Pop Artists

The CIP Team decided to track and uncover these deepfake porn sites. Contrary to our hypothesis that the majority of these websites would be located on the deep or dark web, they were actually on the surface web, and most of them were specifically about K-Pop idols.

The analysis of deepfake porn sites below contains images of currently operating sites, and the CIP Team has censored every image that may be disturbing.

A deepfake porn site that distributes deepfake videos of K-Pop idols

What we found on these deepfake porn sites was frightening. On one of the websites, innumerable videos of popular K-Pop idols synthesized into Japanese porn videos were exposed, and about 190 victims, including Korean actresses, were identified on this site alone.

List of victimized K-Pop idols introduced on a deepfake porn site

This site’s domain appears to have been purchased in 2019 through NameCheap, an American registrar and web hosting company. The record even shows that the domain was renewed only six months ago, in February 2022.

Domain name: ************.net
Registry Domain ID: 2361192048_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2022-02-16T19:52:41.84Z
Creation Date: 2019-02-16T02:27:08.00Z
Registrar Registration Expiration Date: 2023-02-16T02:27:08.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +1.9854014545
Reseller: NAMECHEAP INC

The server IP address information for this deepfake porn site, along with its domain, can also be found on Criminal IP (https://www.criminalip.io). Upon searching for it, we noticed that this website is hosted by a French hosting provider, OVH SAS. This implies that even if this deepfake porn site’s domain gets removed, the operator can instantly switch to a new domain, connect it to the same server, and resume the service. Therefore, a request for a complete shutdown of this server needs to be made to the hosting provider to prevent more victims from suffering internet-wide sexual harassment.

Search result of deepfake site's IP address on Criminal IP

Real Server IP Address Hidden Behind Cloudflare 

We took a look at other deepfake porn sites. Unlike the previous website, where immediate legal action was available as its IP address was exposed, the following site used Cloudflare to hide its original IP address.

A deepfake porn site with a disguised IP address using Cloudflare

[Criminal IP Search 101- Tracking Real Servers of Sneaky K-Pop Deepfake Porn Sites]

When we used nslookup to find the IP addresses mapped to the domain above, two IP addresses (172.67.210.176 and 104.21.69.174) were identified, and both of them belong to Cloudflare, not to the owner’s server. Cloudflare acts as a first-level filter for traffic at the front end of a website, protecting against cyberattacks such as DDoS, and it also hides the website’s IP address. However, because Cloudflare can also conceal the IP addresses of hacker communities and illegal sites, it can be used with malicious intent. Therefore, the operator of this deepfake porn site is assumed to have hidden its IP address behind Cloudflare to avoid tracking.

Tracking this deepfake porn site's IP address through nslookup
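
The check described above, as an added example that is not part of the original article or of Criminal IP's tooling: it tests whether the A records returned by nslookup fall inside Cloudflare's published IPv4 ranges, which tells an analyst that DNS shows only the CDN edge and not the hosting provider. The embedded range list is a snapshot and the function names are assumptions made for this example.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: the list changes over time, so refresh it before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def cloudflare_prefix(ip):
    """Return the Cloudflare prefix containing ip, or None if there is none."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if addr.version != 4:
        return None  # this snapshot only covers IPv4
    for net in CLOUDFLARE_V4:
        if addr in net:
            return net
    return None


def triage(a_records):
    """Classify a domain's A records as 'proxied', 'mixed' or 'direct'."""
    if not a_records:
        raise ValueError("no A records to classify")
    hits = {ip: cloudflare_prefix(ip) for ip in a_records}
    edge = [ip for ip, net in hits.items() if net is not None]
    if len(edge) == len(hits):
        verdict = "proxied"  # DNS exposes only CDN edge addresses
    elif edge:
        verdict = "mixed"    # some answers bypass the CDN
    else:
        verdict = "direct"   # answers point at the hosting provider itself
    return verdict, hits


if __name__ == "__main__":
    # The two addresses nslookup returned in the article.
    verdict, hits = triage(["172.67.210.176", "104.21.69.174"])
    print(verdict)
    for ip, net in hits.items():
        print(ip, "->", net)
```

A "proxied" verdict means an abuse report based on DNS alone reaches Cloudflare rather than the company that hosts the server.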

The following is the Criminal IP search result for 172.67.210.176, one of the two IP addresses the site owner used. The result shows CLOUDFLARENET as the IP Address Owner and classifies the address as a Hosting IP. Another noteworthy point is that this IP address is connected to a total of 245 domains, meaning all of these domains are mapped to this one Cloudflare IP address.

Search result of this deepfake porn site on Criminal IP Asset Search

List of domains mapped to this deepfake porn site's IP address

You can also track this hidden real IP address on Criminal IP Domain Search (https://www.criminalip.io/ko/domain). Among the search results of this deepfake porn site’s domain on Domain Search, you can see that this website’s real IP address is 173.xxx.xxx.115 under the Real IP tab. This is the real server IP address the owner uses to run the deepfake porn site.

Search result of the deepfake porn site on Criminal IP Domain Search, displaying Real IP address of the site

Real IP address of the deepfake porn site identified on Criminal IP Domain Search

We then searched for this deepfake porn site’s real server IP address, found under Real IP, on Criminal IP Asset Search (https://www.criminalip.io/ko/asset) and found that the IP address owner is Contabo GmbH, a hosting provider located in Munich, Germany. Since the operator of this deepfake porn site is currently running the site on a German hosting company’s server, investigative agencies should reach out to this company about the matter and take legal action against the owner.

Search result of the Real IP address of the deepfake porn site on Criminal IP Asset Search

Ongoing Mass-Production of Deepfake Porn Sites

During our research, we discovered countless deepfake porn sites, far more than we had expected, and asked ourselves how these sites could continue to be mass-produced. We think that simplified automation is one of the causes: there are websites providing services like Deepfake Studio, an application that easily produces a deepfake video from nothing more than an image of the person to be synthesized and a porn video. As long as this kind of service exists, we will have no choice but to see more deepfake porn sites being created and growing.

Deepfake video-producing tool, the major cause of mass deepfake porn site creation

The primary cause of the serious social problem of being flooded with unethical videos is the lack of regulations and administrative processes that can keep up with technological development. Various automation tools are still being used for criminal activities, creating more illicit websites. However, tracking and detecting these criminals is still done manually.

The CIP Team is prepared to provide the data it has found to investigative agencies to help improve tracking and detection methods. If you are an investigative agency in need of data, contact the Criminal IP Team.


Source: Criminal IP (https://www.criminalip.io)
