There was no train station. There was no downtown.

There was no train station. There was no downtown.

I have been struggling to write about this network for a while. Coordinated inauthentic behavior. It’s big, tangled and sophisticated.  It’s fascinating and spooky.  I don’t know what direction to approach it to start unwrapping the layers and I am having trouble coming up with a catchy theme to tie it together as I pull it apart.

Back in March I stumbled into some stuff that I thought might be “big”.  As I dug in and started to map it out- I kept running into other bogus activity.  To avoid being distracted- but to not lose those other leads, I started a trash pile off to the side: unrelated questionable things to look at later. As I continued to dig, the trash pile grew, began to take shape and wound up being larger than the original investigation.

I took some time to arrange the secondary mess- which I eventually wrote about in “Implants and Extractions” My original plan for the year had been to tackle the problem of fake Native American Facebook pages from Eastern Europe- and now I found myself- like a whitewater rafter- being carried in a chaotic flood of foreign manipulation further from that goal and into the political spectrum.

I wanted to wrap it up with that original set before getting back to the insane situation with Fake Native Facebook, I need to tell the story.

Here is what I have:

  • A substantial cluster of Facebook groups mostly based off of Fox News Hosts
  • A tightly knit group of profiles who are the administrators of those groups
  • a handful of websites they push into the Facebook traffic stream
  • a set of supporting profiles who also seed links into groups

What’s holding me up?  Maybe it’s the question of doxxing.  Some of the groups have been able to enlist real people to work as moderators and I feel bad about the situation.  They probably don’t know what they are involved with, at least not the full extent of it. To complicate things more, some of those real Americans seem to running their own racket that closely resembles foreign manipulation, while some of the foreigners are using very authentic accounts alongside some synthetic ones. Facebook is going to have to sort it out with their tools and guiding terms of service.

A feature of this network that makes it harder to suss out, is it’s level of sophistication.  The ratio of spamming to cover is very low. The cluster of profiles puts a lot of effort into supporting behaviors, while there may be some automation, it’s clear a lot of human labor is involved.  What do I mean by supporting behaviors?

  • liking timeline posts made by other network profiles
  • sharing a random post made by a member in a group, onto their timeline
  • sharing other non-network content
  • posting memes and other non-monetized filler
  • indirect sharing of network content: reposting a network profile’s post
  • amplifying each other’s work in non-network groups
  • natural appearance of commenting
  • network group focus seems more about growing membership than spamming

The main websites:


The motive seems to be profit, not propaganda. The restraint these clickbaiters show and the care they take in spamming makes them stand apart from the typical rabble who games for traffic… in fact the sloppy ones provide some distracting cover.

For example- this morning when I visited one of the network groups to grab some screenshots- I saw they were being spammed by 2 bots seeding links for a website from Macedonia.  It’s possible that they have an arrangement or this spammer has intruded on the network’s audience.  Seven posts, five stories, three hours, two bots, one website… a person wouldn’t be unreasonable to assume that this group’s function was supporting links for the Macedonian. Having two different bots seed links to the same story into a group just four minutes apart- or for one bot to post the same story twice in an hour? That’s just greedy sloppy scheduling of the autoposter!  A clickbaiter can only get away with this sort of garbage with an audience of the lowest hanging fruit and admins who don’t care. (Not to mention the Facebook platform AI that has a big blindspot in its spam and bot detection)

This slideshow requires JavaScript.

Let’s dig in shall we?
Here is the list of groups I came up with:

This slideshow requires JavaScript.

Many of these groups were made throughout 2017. Together they have over 21,000 members. There is also a Judge Jeanine group on MeWe. The Candace Owens Fans group is the newest, made on May 3, 2019. It has the largest membership of the remaining groups with over 5000 members. Several huge groups were recently deleted and two of them each had over 50,000 members- they were:

  • Judge Jeanine Pirro Fans (59,046 members)
  • TV Fox News Babes! (3000 members)
  • Bill O’Reilly Fans (65,000 members)

This slideshow requires JavaScript.

On that note, I would like to take a moment to implore Facebook to be more transparent and communicative about the actions they take and why.  The American conservative community justifiably feels that they are under some sort of censorship attack. Facebook publishes blogposts that merely quantify the number of profiles and groups removed. Without listing them specifically or notifying the involved parties- the resulting voids confirm suspicions about censorship. While the censorship conspiracy gathers evidence and rumors circulate, nothing is offered to help people understand how their filter bubble is shaped by foreign interference and the gaming for their attention by frauds, cheaters and scammers.


Maybe people aren’t being censored, but they sure are being gas-lit!

Over the weekend the Candace Owens Fans group was locked down and there was some confusion about what was going on and who was behind it. Did Facebook do it? or had an Admin archived the group to do some maintenance?  Many felt that it was Candace Owens who was being censored… that’s because they don’t know that the group isn’t hers and don’t consider other reasons why the group might be in crisis.  The fact that those other groups were deleted and these nine remain, tells me that Facebook may not even be aware of the real problem with the group. Otherwise they would have done a more thorough job scanning the surrounds and looking at connections before they hit the delete button on the Pirro and O’Reilly groups.

Update August 14, 2019: The Candace Owens Fans group has changed their cover photo and the Queen Bee, Alexandra, has either deactivated her account or it was deleted by Facebook.

I would like to mention that I discovered and logged the majority of this network in a spreadsheet in a time when the graph search was still functioning.  I do not know if this ever would have come together for me as it did, without that tool.  Yes, there are still ways to find things- I’m not going to give up, but things got a whole lot harder for people.

The Admin team of the Candace Owens Fans group consists of 11. There are five I’d like to highlight. I’ll start with Alexandra, I call her the Queen Bee.
She went to college at the Ohio Christian University, is from Columbus and now lives in Circleville.  She has 358 friends and posts entirely political content from a wide variety of sources. Her profile picture, uploaded on January 21, 2019,  is a beautiful teal blue toned fantasy art of a mermaid in pearls emerging from a moonlit ocean.  Dreamy.

The photos she has uploaded are mainly memes and glamour portraits of the First Family. There are a few pictures that appear more personal- but they don’t pass this dog lover’s sniff test.
That deer is nothing like what we have in Ohio, it’s not even an elk- it’s an exotic Sambar deer shot in Victoria Australia. The woman in the photo is Emma Sears.  As for the cute maternity pictures with that zig-zag summer top- that’s Whitney Bowie and you can read about it in this Buzzfeed story by Victoria Sanusi. The profile really is crumbling now, but I’ll add that the gender is marked as male and sometime around July 14- something happened to Alexandra’s timeline: a bunch of the content she had shared converted to “attachment unavailable” notifications.  Alexandra is an admin in all nine of the still active groups and the three deleted groups as well.

Next up is Eric Beaton.  His profile doesn’t have much info. Just 32 friends and one page like.  Not much to see here.


He’s posting a random assortment of memes and shares of other people’s shares. If you were already familiar with the whole cluster of accounts- you’d notice that at least 20 of Eric’s friends are Admins, Seeders and Amplifiers of this network.  His profile picture is a spooky sullen grey wolf with glowing red eyes… and that picture was uploaded on July 14.  Hmm. So that probably explains why the profile link I had for him didn’t work even though he still appeared as an administrator in 6 of the nine active groups. That also might explain why so much of the stuff Alexandra shared before the July 14th had vanished. He was also an admin in all 3 of the deleted groups. His profile was probably deleted and he just made a new one and went back to work.

Matt Todd, originally from Beavercreek just outside Dayton and now residing in Lima is another Ohio native with a bare bones profile.  He’s marked as female, the friends are hidden.


He has only uploaded three photos ever. The cover photo and profile picture (both of President Trump) were uploaded on January 19, 2019. (That’s two days before Alexandra uploaded her profile photo for those keeping track) Matt’s timeline is a wreck.  Of the 35 posts publicly visible going back to January (including the profile pictures) 20 of them show an attachment unavailable notice.

Ever since we lost graph search I have gotten in the habit to check who has liked a photo.  When Matt Todd updated her profile picture, a bunch of people liked it. I see some familiar names and the ones I don’t recognize are people from Kosovo, Serbia and Albania. Matt is an admin in 6 of the remaining groups and was an admin of the deleted Bill O’Reilly group.


Next up- Eni King. He has an even 100 friends. The groundhog profile picture was uploaded that week of January 25, 2019… it’s been replaced with an American flag.

What’s special about him is that he’s promoting one of the network groups, “We Stand With Sean Hannity” as well as pushing links to the network websites on his timeline, THEWASHINGTONDAILYNEWS.TODAY and EDUCATIONBLOGIT.BLOGSPOT.COM.
I call this sort of thing a trailheadIf I stumbled across this profile at random-  there would be plenty of clues to follow down the rabbithole to discover this network of groups. Eni is an Admin in 4 of the active groups and was an admin of the Bill O’Reilly group too.

This slideshow requires JavaScript.

There is another Eni in this network, Eni Sutton.  There are also a handful of Kings. There’s Dorothy Powell King, Loris King, and Ed King.
Eni Sutton is an admin in 4 of the remaining groups and was an admin in the two huge deleted ones. The King bunch aren’t admins in the groups but are supporting seeders, commenters and likers, you’ll see that in a minute.

So here is where the dystopia of inauthenticy really ramps up.  Can I give you an assignment? The window for seeing this “live” may be very short- so I’ll include some screenshots for future readers.  If you go in a big conservative Facebook group, one of the non-network ones…. (I recommend this one with 151,000 members– it has a lot of the network has embedded)  Choose the name of one of the profiles I mentioned, and search in the group for their name. Look at their posts and note what they share.  Then open the comments and take note of who is commenting.

There are a few more profiles I’d like to briefly introduce- this is far from all of them.
Laura Carton is admin in the Hannity and Sarah Sanders Supporters group. Her profile dates back to 2013 and says she is from California City California. For a long time her profile picture was a rather smug looking older woman, and that photo is the only picture of that woman in the assortment of MAGA memes and stock Trump pics uploaded. She shares a wide variety of posts but never anything personal.  Around May 27th something happened, as her timeline falls to pieces before that date.

Ricky Meadows is a very hardworking supporting actor, but is only admin in one group, the closed “The TREY GOWDY SUPPORTERS” group.  The profile was made March 6, 2019 and now has over 1000 friends. (clarification edit: Ricky’s profile is a vintage 2012 model- but the public posting activity begins in March 2019. Also- He just changed his profile photo to a tree.)

Then there’s Kate and Julie.  Kate J. Bowenn’s profile was made July 2nd and her friend list is an almost pure collection of the network knot. Julie J. Bowenn’s profile was made July 18th and the first posts she made that day now show as unavailable. She shares a wide variety of mainstream news links to her timeline and is an admin in Tomi Lahren Fox News & I stand with Sean Hannity.

I can’t leave out Adam J. Coffey of Lima Ohio or Adam Coffey. David Coffey’s profile from mid January was deleted as was Jack D. Good’s profile from November of 2018.  Jack bounced back in mid July 2019 and was an admin in the huge Judge Jeanine and Bill O’Reilly groups until they vanished. Now only the Candace Owens Fans remain under his watch.

Steven Orchard of Toledo Ohio made his profile in mid July and mixed in with the Trump memes has also shared an inviting post promoting a resort on the Albanian Adriatic sea-coast- (just a stone’s throw from Bari Italy which happens to be where some of the websites are registered.)   There’s the adorable little Bona Kasa of Circleville Ohio (that’s where Alexandra is from) who mostly posts in Albanian language content on her timeline- but has no problem posting captions and comments in English when she does support work in many groups.

I sure wish I could use graph search to see what groups this one is in.

I recently found @CindyOtis_ on Twitter, she has a book coming out next year on Identifying and Fighting Fake News.  Her cover photo is a slide from a DFR presentation:

Slide by Andy Carvin Photo by Cindy Otis

I couldn’t agree more.  I frequently think of the modern fight against disinformation like the Victory Garden of the past- it’s something we all need to do. Everyone has to pitch in for our efforts to pay off.  When I think of how many people came in contact with this foreign network every day, Americans even working with them as admins in their groups!… and the administrators of the other American groups who let them in and let them post- looking past all the spamming. The people who have friended the fake profiles, the audiences who take the bait and go along with the plan.  Yes, many real people protect their privacy and many have a separate anonymized account just for their political soapbox- this provides a perfect environment for inauthentic players to do their thing without being called to account.  I think we have to stop being quite so trusting and accepting- and I don’t mean getting paranoid- I mean getting smart.

One last thing Americans, if someone ever calls you out and doubts your authenticity or intent.  Don’t get offended.  You should be happy to have the opportunity to prove yourself.  Thank that person for caring enough to stick their neck out and ask. Patriotism isn’t just an American Flag for a profile photo. Do what it takes to reassure them.

Special thanks for the cover Photo by Kai Oberhäuser on Unsplash

The Taco Keto Secret

The Taco Keto Secret

Three days ago I saw a tweet from Nathaniel Gleicher, Head of Cybersecurity Policy at Facebook- The latest blogpost at the Facebook Newsroom.

Read it here (later)
Removing Coordinated Inauthentic Behavior in Thailand, Russia, Ukraine and Honduras

I like to keep up on these to see what is going on around the world. I wish I had the tools that the Facebook teams do, and wish I could communicate directly with them to show them the things I find, even without those tools.

This update was pretty long and I started skimming through the middle but at the end, in the Honduras part, I saw something that made me sit up-

Finally, we removed 181 accounts and 1,488 Facebook Pages…


That ratio is totally wacked.
Did they make a mistake when writing this up? 1488 profiles and 181 pages would sound more typical- but why would there be such an absurd number of pages with so few supporting profiles?… I read on

…that were involved in domestic-focused coordinated inauthentic activity in Honduras. The individuals behind this activity operated fake accounts. They also created Pages designed to look like user profiles — using false names and stock images — to comment and amplify positive content about the president

Oh wow! This tactic is news to me… VERY interesting! I’m going to be on the lookout.

By 2:22 that afternoon I stumbled across this:


I bet this is one of those pages that looks like a profile that Nathaniel wrote about.”
Quickly hitting the name Aria Grayson to view what other posts this profile had put in the group. There was this orange one… and then a whole lot of this:



There are quite a few things I take away from this:

  • Aria has been posting in the group for a while (she joined in mid-January 2019)
  • Whatever she was spamming is gone now.
  • She got lots of engagement and shares with whatever it was she was spamming.

Even though the thing she shared is gone now (typically this indicates a page has been removed by Facebook) the comments remain and give a clue to the type of baiting the posts contained.

These comments came from two different posts.

Aria looks like a bot working for a network which has lost at least one page and has replaced it with something else.
Let’s go look at Maria Levy shall we?

OK!  Maria Levy is a page, and not a profile of a woman using a picture of the President for her profile. 2,156 people have liked it, and thankfully, despite it’s smaller size- the page transparency tab has some information for us- the page is from Pakistan.

I am not surprised.
My next step is to look at what the page is pushing out. I see a lot of brightly colored engagement baiting posts as well as news articles from the website CONSERVATIVESVIRAL.SITE  A Whois search doesn’t tell us much. No transparency in website “about” information either.

Let’s go back to the Maria Levy Facebook page. I know a bot seeded an engagement bait post from here into a big group. This makes me think that there are probably other bots doing the same thing. Let’s find them!

I choose a post and click on the “shares”  This is a slow loading function. Be patient. Not all shares counted will show. Shares that went into closed and secret groups and privacy shielded personal timelines won’t show up- but posts into public groups (or private groups you happen to be a member) will show.

Tips for looking critically at shares and picking out the bots:

  • One profile shares the same post to many groups.
  • Several profiles sharing to groups in concert
  • Several posting the same caption
  • The earliest shares made soon after the post was put out are typically the bots, a week later? The organic reach.
  • Timestamps
  • The same profiles appear repeatedly in the sharing of many of the page’s posts

These clues are not proof of a bot, but are indicators of bot-like activity.
Here is what I start to see- and interestingly, not too much from Aria Grayson. I see a pattern developing with three other profiles:
Leah Gabriel
Chloe Carter  
Sophia Jackson

They share the engagement bait text-memes (although designed to look like a colorful large text short posts with a the stock Facebook backgrounds- these are images and not actual text based posts)

They also share news stories: I go to their profiles and notice some common threads.
  • Attractive young women
  • Employed at some sort of food chain
  • All University students
  • All have timeline posts with beautiful food, low carb and… Taco Keto?
  • Most have a visible friend list and most have many friends who “fit the profile”
  • They also have friends male and female, from foreign countries (mainly Pakistan) and next to no American friends who don’t fit the profile.

This slideshow requires JavaScript.

I start Google spreadsheet, open up a friends list of one of the Taco Keto Bots and start logging each friend’s profile URL. Because the cluster of friends is tightly knit- eventually I feel that I have gathered up the bulk of the bots plot the interconnections between them. Please remember, the women in these photos are victims of identity theft.

This slideshow requires JavaScript.

There are 44. Some names are recycled. There are three Avery Matthews, three Sarah Dylans, and two each of Aria Grayson, Maria Levy (not including the page Maria Levy) Olivia Liam, Paisley Levi, Penelope David and Zoe Elija. Also in the mix is, Makenzie John, with a man for a profile photo, but fleshed out with pictures of an American female with the accompanying circle of friends.

This use of multiple profiles recycling the same name reminds me of the Pakistan network who hijacked a bunch of American groups. (I wrote about them in part II of Implants and Extractions) and the use of Keto in the profile design reminds me of the cluster of bots, also from Pakistan, spamming for OREGONNEWSPRESS and THEDEPLORABLESOCIETY that I recently featured in a facebook page post. I haven’t found a connecting thread between any of these three distinct clusters.

I’m still trying to pick up the pieces from the “Great Graph Search Disaster of 2019” In the past I would look to see what groups these bots are in, it might give me more insights into what they are up to, and if maybe there are groups that belong to this network.

The Taco Keto aspect of this remains an open ended mystery. Are the spambots merely decorating their profiles with delicious looking food as a cover (as I suspect the MLMhunBots from OREGONNEWSPRESS are doing?) or are they working together to amplify the content of that page? The Taco Keto page says it’s in England. What they are posting is a mixed bag of content not Keto specific… so it’s a run of the mill sketchy content mill type of operation.

Although I can no longer use graph search see the a list of groups a spambot is in, I can find little scraps of clues. A  share from a page sometimes points to a public group the bot is spamming.
I found a share from Olivia Liam going to the “Low Carb and Losing it Original Public Group” and when I searched the group for her name, found the other Olivia Liam was also an active spammer!

The group says it’s in the United States, but features this host of Administrators:

Two of the Admins are pages from Pakistan:
Гермен – Page Layyah and Muhammad Isman Tahir Chisti

The latter page also hosts groups for:

WeeD Nation – (closed) claiming to be in the USA but which has the same admins as the Low Carb and losing It group.

Depression and Anxiety Support– (closed) Another private group allegedly in the USA with the same admin team.

Fibromyalgia Fighters’ Support Group– (Public) also marked as a USA group with this admin team. And featuring posts from the page Fibromyalgia Support for Women from Pakistan. The group serves as a platform to disperse links to the websites:





These are standard issue low-quality health tips websites. The assortment of topics, Marijuana, Depression and Fibromyalgia closely mirror the groups that I discussed with Craig Silverman in 2017 and were detailed in his article:
Welcome to the Age of Cheap Overseas Information

The Fibromyalgia group appears to have no other activity aside from the steady stream of links being posted by (non-American) profiles.


Summary: A new story from the Facebook Newsroom leads me to a rabbithole where I discover inauthenticity at every turn and that in two years, not that much has changed.

Cover Photo: Special thanks to Eiliv-Sonas Aceron on Unsplash

Implants and Extractions (part II)

Implants and Extractions (part II)

In Part One I described two bogus websites that were using a variety of tricks to game both the audience and the advertisers. I showed some fake/stolen profiles that were being used to seed links, memes and to control a group with a large audience and a narrow focus. I showed an admin team of nine that had somehow positioned itself to take over a group 88,000 strong.  All that together has a name now, it’s called “Coordinated inauthentic behavior.”

It was Coordinated inauthentic behavior coupled with Facebook’s ceasing followup reports on reported profiles last year that inspired me to start keeping spreadsheets to understand what was going on. Only because of my own records do I know that two of the seven profiles named Muhammad Adnan Farooqi were deleted.

This is also how I discovered- today- that Facebook got really close to blowing this wide open. (I turned the spreadsheet sideways just because it’s so big, and I don’t expect it to be legible.)  That grey block all the way in the lower left corner… those are the pages and groups. There were 23 that I found tied together in some way..  Today I discovered that three of the pages were recently deleted and one of the groups was returned to it’s original owner!  I’d really like to get her side of the story.
(Those three grey bars on the left- those are the deleted pages) So at this moment, there are five pages and twelve groups that I know of that are being run by this network of click-baiters from Pakistan.

That one bright red line in the grey block- that is this page. Red is the color I mark things that are unusual or alarming.  I was so excited when Facebook finally rolled out the info & ads tab.  But I guess most people don’t even know it’s there.


Back to the spreadsheet, that block of pastel green- those are the profiles of Muhammad Adnand Farooqi, two with their URL in grey are gone now… oh- and I found a new one, so he’s back up to six active profiles. The sienna color, that is Zahida… she has three profiles.

getsmartyspreadsheet Each of the 8 colors represents one of 8 names that is repeated. (eight names- 35 profiles)  Many other profiles are not repeated and are just colored grey.  Each black bar is the title of a group with it’s administration listed below.  You can see the eight colors scattered throughout.  That’s the coordination.


Obviously, not all of these photos are the same person, so it is fair and responsible to warn that any of these photos may be of innocent people whose pictures were stolen just like the Facebook accounts. The URL names don’t match either.

If you have heard people mocking “Coordinated inauthentic behavior” or acting as if this was some sort of made up excuse for what they deem to be “censorship”, please share my blog with them and show them that this is very real,  and it’s not uncommon.  There can be a variety of motivations and it can come from inside or outside our borders. I feel sad to think that once this is published, that Facebook will swiftly make it all vanish and the opportunity to learn from it will be lost.

Hopefully the groups will be returned to their original owners, and those people will be given information about what happened and tools to evaluate their group membership and make sure that this doesn’t happen again. Perhaps professionals from Facebook could work with them to carefully comb through these vulnerable groups to be sure that they are not full of sleeper profiles ready to pick up where they left off.

Since the IRA debacle- how many pages has Facebook removed without even naming, only mentioning them as a count and maybe a country of origin or country of target? How are we to learn?
Here are screenshots I took in March of the three pages that are now gone.
106,133 people liked these pages.
Maybe some were the same person liking more than one page.
Maybe half were fake likes purchased to shoot the page up in the search results.
Maybe some were automated cyborg amplifiers who were programmed with a core list of conservative page likes to share from to build a convincing red white and blue timeline. What concerns me is that not a single one of these people is going to be told that these pages were pumping content into American filter bubbles from Pakistan.

This slideshow requires JavaScript.

If you added the page likes and group members of the whole network together… there’s 500,000 people who SHOULD be told that they were involved with a foreign network that was actively pitting Americans against other Americans.  This might be a rare time when the thought of bots might be a little consoling.  Maybe it’s not really 500,000 red blooded Americans who were so blind and easily manipulated. Maybe there were only 200,000 real people and the rest were just bots pretending to be housewives from Texas. OK, maybe that’s not so comforting.

Diamond and Silk Fan Page (group) – 88,710 members

Conservative Voters 2020 (group) -36,636 members

Trump Fans (group) – 22,814 members

Sarah Huckabee Sanders Fans (group) – 12,076 members

Sarah Huckabee Supporters (group) – 7639 members

Conservative Values Across America (group) – 27,363 members

We Are Conservatives (group) – 40,273 members

Vote Trump 2020 (group) – 18,290 members

Judge jeanine Fans Group – 8981 members

Judge Jeanine Fans Supporters (group) – 5275 members

Tomi Lahren Fans (group) 26,699 members

Ivanka Trump (group) – 106 members

Ivanka Trump Fans (page) – 11,414 likes

Judge Jeanine Fans (page) – 88,684 likes

2020 Make American Great Again (page) –  2358 likes

Trump Train 2020 (page) – 117 likes


Sarah huckabee sanders fans (page) – 18,492

Daniyal Political News (page) – 548 … this page hosts memes seeded into other groups.


Here is a word to keep close to your heart- “resilience” if you combine it with “propaganda” it makes a powerful search query.

Who could miss these admin teams and the posts they pushed out?

Few will have the chance to pick through and examine what happened. How were those profiles taken from their owners and the groups taken from their founders? Few will see  the comments left by all the people who fell for the bait, or how quickly the commenting from a “mainstream” audience plummets without the guiding oversight of an invested moderating team.

These blog posts, for the most part are about the network who played this audience… but for me- my nerves were tested, not by what they did- but by the audience- their comments and attitudes. The tenor of their daily discourse. I can’t articulate what I have been exposed to. I can’t even write a conclusion at the end of this, it’s just going to end abruptly with all the other words unspoken.

The lists that Facebook would show you today of the names of your friends and relatives already in the group to entice you to join… tomorrow, if a group is deleted, not even the members will have any tangible evidence that it ever even existed or that they were a part of it. There will be no debriefing. Odds are they will never know.  They will never suffer a knock to their confidence of consumption… even after a massive recall.


Maybe there will be some “Content Unavailable posts” knocking around, with just a few hints about what might have been there from the quips in the comments. Do people even know that those unavailable notices, sometimes caused by privacy settings… but more typically, when they are found in group postings, having collected comments- those are the shadows of bogus problematic pages that aren’t there anymore.  If you go in a group and scroll back in time and you see those rattly remnants, that is a clue… like syringes on a sidewalk… a street-smart person would use to evaluate the place where they are.

This is not the only network of its kind.  Don’t think that when this blows over it’s done.  People, we need to be vigilant.  We have to do so much better than this.

If you would like to learn more about detecting inauthentic behavior, my Facebook page Exploiting the Niche has some notes and videos as well as many posts that are examples.

Cover photo by Samuel Zeller


Extractions and Implants (Part I)

Extractions and Implants (Part I)

Update: 2 days since publishing…
I worked really hard on this. I thought it was going to make some waves.
Did my blogpost get eclipsed by a photo of a black hole?  maybe.

More likely I just had some bad luck surfacing when I thought sharing was going to be a sure thing. In the 2 days since this published, not only did this not get the traffic I anticipated- of the visitors I did have..
(THANK YOU! I know this is not light reading)
..only 1 out of 5 even clicked through to the part of the story that really matters! 

sad stats

If you don’t have time…

please just jump to part II and scroll through the pictures  

(The pictures are important! I made these screenshots for you!) 
 About 500,000 American Facebook users are being served political content from Pakistan who don’t know it.  I’m asking you to help me get the word out. 


Part I:
These ads were placed on a website called by Google Adsense.
Almost all of the ads I saw when I visited the site were for dental products and dental practices in my region. Obviously some regional targeting was at play, but I am not in the market for a new dentist.

This slideshow requires JavaScript.

This slideshow requires JavaScript.

Look closer at the website and you may begin to understand how the ads were targeted to a person visiting the site, it seems clear the reader is doing some research about getting some dental work done… right?

I wonder if dental implants are expensive? If a person reading articles about the cost and recovery time is going to spend a lot of money by the time it’s all over, and that dental practices would pay quite a bit to outbid their competitors in order to gain a new client? I don’t know that much about the going rate of dental ads on mobile. I don’t know that much about the cost of dental implants either. I guess I could read one of the articles.
I’ll take the first one off the top of that list:

“When people are searching and thinking about the cost that involved in dental The fastens are typically left set up for around seven to ten days. After this time and doing complete procedure while it would not be easy span the gum tissue dental specialist opening has been finished, the dental specialist will proceed with the boring procedure utilizing a lot of bits, every one of which has a somewhat bigger width.”

Clear as mud right? There are three paragraphs of that. I still have no idea how much dental implants cost.
And there is also some of this:

That bizarre article about Nancy Pelosi falling down drunk and being escorted out of the white house- is not my screenshot of the website. On Getsmarty it’s actually two photos of formatted text. So the dental text on the website is searchable, but the Nancy Pelosi story is hidden to the prying eyes of a crawler as a .png file. The dental implant word salad only appears after the dear reader has had all the satire go right over their head and has had their outrage fix anyway.

The Pelosi story was copied from and has been debunked by Maarten Schenk of LeadStories.
The number of levels of fakery going of here is truly stunning.

This is the photo, which is the preview image for the story which actually seems to be titled, “Time to out”

The audience who is who is falling for this seems to have very poor reading habits, if they read the articles at all. They seem to share and comment freely, but I never see comments inquiring about the dental text. There are many digital literacy cues that are overlooked in order for these articles to be taken seriously. When articles are returned in a Facebook search, some of the dental text and other bits of random weirdness shows up in the captions.


If a person shares a article on Facebook, the unusual dental URL of the article may show:


Hold on to your teeth because it’s going to continue to get stranger from here.
Let’s look at a share into a group, the Diamond and Silk Fan Page.
Note: despite the name, this is not a page, it’s a group.


Just to cut down on the number of screenshots I have to make, in the above screenshot I have pointed out how a person can look to see the administration team of their group.
I have to do this because it seems many people don’t know how.

This group has 88,717 members and 9 administrators.
What I want to know is: Why, out of 88,717 people, more people haven’t looked at this and seen a problem?
I don’t have a problem with people named Muhammad or people who don’t have their language set to English… but when your group is based on American politics, considering the current climate and well publicized issues of foreign interference- I would think that some people inside this group would notice something was off and raise the alarm.


Maybe you noticed that the Muhammad Adnan Farooqi who made the post doesn’t have the same profile picture as the one in the administration. Well. There are a bunch of them. There were seven, but Facebook deleted two of them sometime in the past month. Then I found another one last night. Now there are at least six.

It is always so annoying to me when Facebook is so close to something big and it slips right past.


Now that we know who the group administrators are, maybe we can do a better job of recognizing when they put posts into the group. Maybe.


Are you kidding me!… I’m sitting here trying to figure out how I am going to wrap this up with the big reveal…and Zahida here has to share a link to… this is brand new! When I had last looked was the network’s old website and Getsmarty was the new and active one. It looks like Getsmarty may be aging out so they have introduced to keep things fresh… let’s see what is going on.

Oh my eyes. Can you read this? The design and concept are identical to except now the URL is talking about lasik eye surgery. The political outrage article is a photo of text and the medical word salad follows just like at Getsmarty.
The Viraltiktok article is tagged: eye surgery, eye surgery cost, lasik eye surgery and you can see it has successfully scooped up some vision advertising.

“Eye treatment would be now not easy and also treatment an when it goes to surgery it enough to enable the specialist to securely make a clean corneal fold of fitting profundity.
Are influenced by one of the normal kinds of vision issues or refractive mistake and they are doing some the things that not easy and nearsightedness (partial blindness), astigmatism (obscured vision brought about by a sporadic formed and can nothing be done easily and nothing be done frequently effortless methodology,in cases and eye treatment and for most of patients, the medical procedure improves vision and decreases the requirement for restorative Nonetheless.”


I’m including Facebooking basics here because people either don’t know how to do this stuff or don’t believe that it is important. I guess there is a sense of safety in numbers, that when you are in a group with 88,717 members, you trust that if something was up, people would be talking about it. But clearly that’s not the case.

If you notice someone posting website links or memes from pages, try searching the group for their name an see if their behavior seems unnatural. Of course people who own pages will promote them, but if they use fake profiles to do it- that is deceptive astroturfing or spam.


You can search the group for the website or page name and see who else shares it.


Sharmeen is a new to me. I started a spreadsheet on this network on March 14, 2019 and listed all the profiles who were admins of groups, managers of pages and seeders of links. There are about 80 profiles involved. I didn’t see Sharmeen until today.

When I visit Sharmeen’s profile home… I notice something. Do you see it?
Sharmeen Maqbool is operating an account that was stolen from an American woman.
This isn’t the only one of these I have found, one of the Muhammad Adnan Farooqi accounts was also stolen from an American. Other accounts have mismatched names with the profile URL and may have been stolen from people in other countries.


This “Sharmeen” account is using a hijacked American profile to seed both memes and links into the group. How do you feel about a foreign player using a stolen American account to put such volatile divisive content into the American traffic stream through a Diamond and Silk Fan group?

If they would steal American profiles to game the system… what else would they do?
Well… this is a little tricky, it’s so strange how Facebook gives different information depending on what country you are in, or how you are viewing the page (like I would never be able to see the URL on Sharmeen’s account from my phone unless I copied the profile link and pasted it somewhere- and yes- I do that all the time!) the act of copying the profile link does not show the link to me from the mobile Facebook app- it just says “Profile Link Copied”

OK, so here is another inconsistency. Earlier we got a view of the administration of the Diamond and Silk Fan Page- that was a screenshot of my desktop view. The mobile app format isn’t much different… but if I view the admin page of the group while logged into Facebook from a MOBILE WEB BROWSER… there is some critical information included!


In this version of the Admin roster, we can see how long these profiles have been administrators of this group. The group was founded on February 3, 2018 but it is clear that no one from the group’s founding or first year running is still running the group.
How did these Pakistani profiles get control of an American group with amost 100,000 members? Where are the original admins and how did no one notice when this takeover happened?

In part two we’ll look at the pages and groups this network is using to play American outrage traffic.

Cover photo by Samuel Zeller

The DeepRabbitHole

The DeepRabbitHole
Photo by Tony Stoddard

If you arrived here by a link, You can read part of this investigation here.

Over the couple of years that I have been sniffing around in this field of tricky players I have worked hard to learn some OSINT techniques. (OSINT = Open Source Intelligence.) That means finding the information that is publicly available, but maybe hidden in plain sight where no one has looked. While technical skills would be an advantage, my strong points are curiosity and observation. My approach is like Colombo crossed with McGyver.

My mission is to share media literacy information so people can be better equipped when they encounter things like romance scammers, foreign actors and disinformation. When I named my page “Exploiting the Niche” I thought that the term was a common phrase, like “Pushing the Envelope” or “Toeing the line”. It turns out it’s not common enough for me to have assumed. Many people aren’t familiar with how a marketing motivational speaker might use the phrase “Exploiting the Niche” without the slightest sense that maybe that doesn’t make them sound so nice. I thought it was clear that I was going to be talking about people who are doing that, and not that I was doing it myself. WhiteWolfPack is a classic example of someone who is determined to hit a very specific niche market and doesn’t care who they exploit along the way.

It has been a few years since I tried to find the identity of the owner of the WhiteWolfPack website. (Spoiler: I still haven’t) I wondered if maybe I would see something I had missed if I revisited it again since dead-ending back in 2016. One place that I find really helpful to look for information is in comments. Lots of times people have some inside information or context that helps with an investigation. Searching on both Facebook and Twitter I was really excited to see a rumor repeated more than once about a person who was believed to be the owner of WhiteWolfPack. I was excited to think that maybe after all this time, the mystery had been solved. There was even a youtube video linked. As I watched the video my sense of “victory at last” began to fade. I didn’t believe that this woman was associated with the website. When I inquired about how this connection was made, I couldn’t get any answers.

The accused has a wolf sanctuary and spiritual retreat in Arizona. What she is doing with sweat lodge and drum ceremony and all the animal magic of the supernaturally therapeutic wolves… that is a whole ‘nuther rabbithole that is waaaaay outside my lane and scope of my expertise. I’m interested in internet frauds and media literacy. If someone has a physical presence circulating around (in this dimension or another) and is shaking hands with the people who are buying her shtick… I’m out. That’s for tribal members to speak on, not me.

So that leaves me with a balancing act of wanting to explain enough about what I see to rule her out as the owner of WhiteWolfPack, but to not derail this whole blogpost with her specifics. I do want to make it clear that my intent in ruling her out has to do with not coming to the wrong conclusion about WhiteWolfPack, it is not a defense of a white person appropriating sacred ceremony.

Here is what I think happened.

icannWhoIs Domain Registry Search for

Look carefully, Do you see it?

Recently I helped out a person who was sure they had found fake news coming from Panama. In that case I understood right away what had happened. It was likely that a publisher from anywhere around the world was using WhoisGuard, one of the largest domain registry services to protect their privacy/identity. A service that acts as a go-between used their address in Panama to register websites for a fee.

I’ll confess it took a full day for this one to dawn on me because the mystical prattle coming from that wolf lady’s Youtube had me so disoriented. What I think happened is that some well meaning person tried to search for information on and they saw these results. Not understanding that this Scottsdale Arizona address is the DomainsbyProxy business address and that it’s tied to more than one out of ten websites with a top level domain. That investigator got headed on the wrong track thinking that the owner of WhiteWolfPack is in Arizona. This wolf sanctuary lady was a perfect character who could fit the MO of a person who has enveloped themselves with all the trappings of the Native world, but who appropriates with wanton disregard for the people they hurt along the way….that, and… wolves. I can understand how this could have happened.

Here are some points of disconnect:

  • The sanctuary’s website has a very dated style… you almost expect a midi theme song to play in the background , while WhiteWolfPack’s design has a different aesthetic.
  • The sanctuary’s website is very transparent in the historic domain registry details, something that the WhiteWolf master of secrecy would never allow.
  • The sanctuary page has only FIFTY SIX fans. The automatically generated Facebook page for the sanctuary has 309 likes (people are checking in and sharing pictures from their visit) . The page manager appears in photographs with the wolves and the wolf lady. The page manager is not a false identity, she’s a very real person with connections to the sanctuary. There are scores of photos posted by the public and videos of the wolf lady on youtube, uploaded from multiple sources.
    The White Wolf Facebook page on the other hand, has 443,851 likes and no human faces or names associated with it.
  • The White Wolves of the cover photos of are not the resident wolves at the Arizona sanctuary. After watching that woman talk about her wolves and their spiritual healing powers, I can’t imagine that she would ever have the restraint to not highlight those individuals as mystical celebrities at the WhiteWolfPack website if she owned it.
  • This part that really does it for me: The spring thaw in Arizona apparently has caused a lot of flood damage at the sanctuary. They have put out a call for donations on their tiny page. Even if this fund-drive were a con, if you were trying to get donations… and you owned a page with almost half a million likes… wouldn’t you use it? They wouldn’t even need to blow their cover, if they owned They could slip in a story about the sanctuary’s needs in the third person and act as if they were just doing something nice to help wolves. If you had no scruples and had access to an audience half a million strong wouldn’t you target them instead of reaching out to an audience of 56?

OSINT technique for websites with private domains:
Sometimes the Google AdSense or Google analytics codes embedded in the HTML of the webpages themselves will show behind the scenes links between websites.

Step one: right click on the homepage of the website.
Choose “View Page Source” from the menu. (I wish that would cut this whole thing short and pop up a picture of the person doing this, but sadly the page source they mean is HTML code.)

This will cause your computer screen to look
A: Really cool… or
B: Absolutely terrifying
(that’s up to you!)

The shortcut for “find on screen” is CTRL F (hold the Ctrl key as you press F)
that will open a little window where you can type in what you are looking for. Then use the arrows to quickly jump up or down through the HTML document. You will see your search results highlighted.
“ca-pub” are the letters that will precede the unique numeric Google Adsense ID code.

Are you ready for the big reveal?
Copy the Adsense ID code and take it to the website

This search is looking for all the websites making money with google ads that Google is paying to this one account.

Now we have three websites showing in the Spyonweb search.
This could get interesting!
The Buffy Sainte-Marie blogspot hasn’t been updated since August of 2015.
The I Love Music Blogue hasn’t been updated since Whitney Houston died in February of 2012. I think the notable thing here is that this blog is presented in French language.
The other thing that has the potential to throw us off is that the profile of the person responsible for the iLoveMusicBlogue is “Buffy”

The location on this profile says Canada, and yes, I know they speak French in Canada too… but I’m going to bet that nothing here is true. I’m going to give her the benefit of the doubt and say these blogs are NOT run by Buffy Sainte-Marie. Rather, this webmaster chose a celebrity’s audience (perhaps they are a fan) to exploit. Just like on the website, this mystery plagiarist webmaster was getting news alerts from a wide variety of sources all over the web any time someone wrote about Buffy Sainte-Marie and then they would steal the story and republishing it. Although known as a Canadian Musician, the Wikipedia entry on her amazing life and career says Buffy Sainte-Marie lives in Hawaii and has for a long time.

The Buffyblogue (I’m going to call it that now) has a link to a
(BOGUS) Buffy Sainte-Marie FACEBOOK PAGE
This facebook page has a good sized following of 27,106 page likes.
Although the Buffyblogue has not made a new post since August of 2015- the Facebook page continued to be active up to April of 2018, they were reposting older articles from the Buffyblogue archive, That last Facebook post, the Universal Soldier Video was a blogpost pulled from April of 2011.
I think the WhiteWolfPack webmaster has learned that putting dates on the blog articles is problematic if you plan to recycle them for years. I’d be curious to see when they stopped putting dates on their posts.
There are two more interesting connections…

One: The Buffy Facebook Page Info&Ads shows the page has 3 managers from FRANCE.

Two: CrowdTangle shows that the Buffyblogue has had some very dedicated promotion from a Facebook page that some may already be familiar with!
Aboriginal and Tribal Nation News was the primary amplifier of Buffyblogue posts from 2011-2016.

Let’s take a moment to talk about:
(BOGUS) Aboriginal and Tribal Nation News Facebook Page
This page has 317,935 page fans who have fallen for its legit sounding name AND the great quality relevant and stolen Native journalism that WhiteWolfPack serves up. There is no publication “Aboriginal and Tribal Nation News”, online or elsewhere- and if you scroll down their timeline today, all you will find are links to plagiarized articles from WhiteWolfPack until you eventually come to some links to the Buffyblogue. I don’t have time to do that, so if anyone comes across Tribal Nation News sharing any content that does not cycle directly back to their Google Adsense account- please tell me and I’ll take note.

Get in the habit of checking Page Info&Ads…
Look: Tribal Nation News also has a manager team of 3 from FRANCE.

Just like I requested in part I of this- please let’s crowdsource an effort to notify our friends that this page is not a fraud like WhiteWolfPack… this bogus Native News outlet IS WhiteWolfPack. Go to the community tab on the Aboriginal and Tribal Nation News page page and see if any of your friends are following and send them a message.

Same goes for the White Wolf Facebook page
Get your friends away from it! Let’s not be accidentally amplifying this fraud! Here is a screenshot of White Wolf’s page Info&Ads- showing their page managers in the USA and FRANCE.

Same with the BOGUS Buffy Sainte-Marie page.
Warn your friends if they liked it. Be careful- the WhiteWolfPack owned Buffy Facebook page is older and has a larger following than the
legitimate Buffy Sainte-Marie Facebook page.
Yes, the cheating thief has managed to present a Facebook presence that rivals the real Celebrity! That is an outrage!

When I look at the crowdtangle results for, most of the amplification is from White Wolf Facebook page and the Aboriginal and Tribal Nation News, and they are returning high because of their large audiences, but there are many other pages who are sharing WhiteWolfPack stuff. These pages should also be notified! Be kind and considerate, but there is a certain point where someone’s refusal to acknowledge the harm of stealing from Native journalists becomes a point where I would draw a line. Pages like: Indigenous Life Movement, Oceti Sakowin Camp, Sacred Stone Camp, International Indigenous Youth Council, Standing Rock NoDAPL Image Bank, Wolf Mountain Sanctuary, Walking the Red Road, Frack Free Four Corners, World Indigenous News (WIN)… on and on, there are so many.

Be thorough! Lots of times it’s the small or old projects that have the best OSINT clues. Just in case you might be wondering if I forgot, I didn’t get anything else here, but I did check CrowdTangle to see if anyone was amplifying the IloveMusicBlogue. Nope.

One Note about the Legit Buffy Sainte-Marie facebook page. I am not 100% sure that it belongs to the real Artist… but I have 0% doubt. There is a small amount of merchandising, but hey… that’s fine, even the President of the United States does it. Her posts share a wide variety of sources and she doesn’t steal their content, she amplifies the posts of others- that’s how it is supposed to be done! She also is posting a lot about her recently released authorized biography both on her Blue Check Verified Twitter and her Facebook page and the branding of the social accounts matches. (yes that can be faked by an impostor, but I don’t think that’s all all in question here)

In the end, I think this is going to depend on the supporting structures that this thief uses to do their thing stepping up and doing the right thing. Typically it’s only the authors themselves who have the power to complain, and because WhiteWolfPack spreads their thieving between so many people who may not be in communication with each other, they haven’t pulled together as a unified front.
Google Adsense
Blogger (also owned by Google)
Domains by Proxy (owned by GoDaddy)
They all support this anonymous serial plagiarist. It is absurd that, as seen in this 2 minute video presented by Google a steady stream of content creators each has to learn the complex paths and hoops to jump through just to request that their work not be presented to another audience without their permission… why is this allowed to continue for YEARS?

– The End –

With a hat tip to one of my favorite podcasts, If/Then from Slate
I am going to wrap this up and close a whole bunch of tabs… but I’ll leave a few odd and ends here:

This is a nice website that shows the spectrum of plagiarism with graphics and an uncanny block of text. I’m half tempted to see if they took it from WhiteWolfPack.

White Wolf’s Twitter …huh… the last post was on April 21, 2018
That is the exact time that the Buffy Sainte-Marie FB page stopped posting!!! What on Earth happened?

CuteStat report on

A Canadian senator gets tangled in it on Twitter with a 2018 share of a story written in 2004 and published by WhiteWolfPack on “Wednesday” from here on out. The plagiarism rehash makes the original author look bad too.

The WhiteWolfPack

The WhiteWolfPack

“Chasing With the Horizon” photo by Tahoe Beetschen

Many years ago I tried to do some research into a website that was stealing articles…can’t remember how I came to the conclusion that it was based in France, but my foggy memory thinking it was French stuck. Years went by and I have looked into thousands of other bogus websites since then, but my irritation with this one flagrant plagiarist WhiteWolfPack has not faded.

In Native circles, for the most part people know about this fraud and avoid it. The outliers, people who aren’t super active online, people who aren’t Native, the wannabes and the other New Age hippy types… they enjoy a steady stream of pretty good quality Native, environmental, cultural and wildlife related journalism with beautiful photographs. Superficially it’s a great website- because the web is scoured for all the good stories on certain subjects from a wide variety of publishers. The writing is consistently above average and the photography is top notch… and virtually all of it is stolen.

One thing you can do:
From time to time I’ll be reminded of WhiteWolfPack and go on a tear. I pick some articles, copy some text and search the web looking for the original article (which usually returns lower in the search results than WhiteWolfPack’s plagiarized copy) Then I take note of the author’s name, the publisher and if the photographs were taken from yet another source- I’ll do a reverse image search to try to find out the photographer’s name as well. I’ll compose a tweet to let the people know about the article on the WhiteWolfPack website so they can file a takedown notice. I figure even if the authors don’t follow through, or WhiteWolfPack refuses to comply- at least I might be raising awareness about what they do. This wack-a-mole game annoys me so much, people shouldn’t have to take time out of their day to politely ask a thief to give something back, especially after most of the value has already been extracted.
There are many links in the chain that allow this to go on, including the big platforms who allow the stolen content to be disseminated, the ad-servers who monetize the website, the domain host and privacy registry. All of these other entities are enablers and are shielding a thief from accountability and having to stand responsible for their actions.


Some people don’t understand the problem. They think that as long as the word gets out, that’s all that matters. I guess these people never bought a camera, or a laptop, or a plane ticket to some location to cover a story. I think they have no idea that journalism is a profession… that the journalist’s education cost money too, as does every other element of day to day life. They don’t understand that in order for good journalism to exist, journalism needs to be supported. I think most of them don’t even understand that web traffic converts into money. So they don’t understand that this theft is motivated by greed, and that WhiteWolfPack is not a philanthropic public library curated just for them. If WhiteWolfPack wanted to make a page and share links to people’s stories… and amplified their work to a giant audience- what a wonderful thing that would be! But that is not what they are doing.

Here is a post from Jacqueline Keeler about an article WhiteWolfPack stole from her.

Something you can do:
These page fans, they say they care about Native People, yet they’re supporting a fraud who steals from them.
443,840 people… that’s how many followers the White Wolf Facebook page has!
If you go to the White Wolf Facebook Page while logged in to Facebook- you can see if any of your own friends are following the page by clicking the “community” tab. From there, click > SEE ALL …a window pops up- it should show all your friends who liked the page and there is a handy shortcut to a messenger conversation with each of them. Encourage them to unlike the page and spread the word.

Another thing you can do:
When you see a WhiteWolfPack link shared: find the original article and offer that link in the comments. Explain that the article was stolen and to please support the author by sharing the original publishing. Be sure to not criticize the story which has been taken from it’s context with the date erased. …And no, sticking a teeny hyperlink all the way at the end of the article that says “credit” is not a free pass to take whatever you want. If someone stole a purse and then wrote the original owner’s name on it in tiny letters… would it not be stolen? I have clicked a bunch of those “credits” and most don’t even go to the original article!
Ask administrators of groups to make a policy to not allow WhiteWolfPack links to be shared. You can use the “search within group” function to see if the links are going into any of your groups- usually there are a handful of steadfast WhiteWolfPack fans who are responsible for almost all of the shares.
Would you shop in a store if you knew all the merchandise was stolen? This is no different.

One more thing you can do:
Search Facebook for posts about “WhiteWolfPack” and see what posts you find. There are many people who have been working to expose this and you could amplify their posts, or maybe you will find friends who shared from the bogus website. Pay attention to timestamps and try to stick to just the most recent.
Sarah Sunshine wrote this great post back in January

This is what the website looks like after an article is removed.

Thank You for reading this far…you can stop now if you want but this isn’t the end of the story.
Now it’s time for the nitty gritty stuff.  I’ll update as soon as I can.

Part II is up!

The DeepRabbitHole

Beautiful Nature

Beautiful Nature

Back in early May, I noticed a new post format appear in the ever evolving arena of gaming Facebook’s algorithm. This was coming almost a year after the “still image presented as a video” trick pissed everyone off: plain memes saved as .vid files wedging a briefcase in the closing doors of the video content express train. Never mind that we didn’t get an answer about why video content was given an express train in the first place.

Craig Silverman wrote about these back in July of 2017… and if you read the article, (it’s fun!)… you’d find out that an anonymous source at Facebook denied to Buzzfeed that the video content express train is a thing. Apparently it’s all our fault.

The still meme video asshattery was checked and suppressed by Facebook soon enough. That era of sport seamlessly morphed into the “moving filaments and sparkles over the still meme”- which pissed people off even more than the original cheat. Sorta like a blow-up-doll would, motionlessly mouthing “Loser” at you from the passenger seat of a speeding car in the HOV lane while you are stuck in bumper to bumper traffic. (I only say that as a deeply resentful page manager who, on principle, refuses to employ the cheap tactics my page is dedicated to exposing.) Before the suppression of stage two could even be noticed by the average user, the tactic evolved once again.

This time the posts contained several elements, a mix of file types, both video and still. There were two versions of this- One, I call the tiled meme: a still meme image that is cut in half horizontally.  The top half of the meme is presented as a still video, perhaps with music. The bottom half of the meme is posted as a jpg. When displayed in a single post- the two pieces line up like tiles with a thin line of grout between them.


I know. That’s a paint by number. No comment.

This format is popular with a few of the fake Native American pages. I was seeing it a lot. It was being used not just to get some extra surfacing, it was also being used to spread a lot of fake garbage- like this grammar trainwreck hoax about Willie Nelson being ill:


I also wrote this post about a Glen Douglas image being used as Birthday Bait: (and more birthday bait)  I also want to point out that these examples of homogeneous garbage tile meme content were pulled from three different pages, Proud to be Native America, We are Native American and Native American Proud.  None are Native American owned pages.


The tiled meme trick has some pitfalls, the individual elements sometimes collect their own sets of comments and can also be inadvertently shared alone- destroying the unity of the tiled post format.


There was even a format backlash page created on May 25, 2018  called “Meme Repair and Quality Memes” The page could be the next best thing since unsliced bread.

The other style of mixed file format that I noticed in Early May is a video and usually three photos which are stills pulled from the video.  The effect is redundant to say the least- but packing four elements into one post must have had some beneficial effect as I saw many pages using it. I posted about it on May 12.


The week before I had made a spreadsheet in an attempt to get a handle on the size of the network behind these “Beautiful Nature” pages, and as I dug deeper into the tightly woven tangle, it was clear there was no end in sight.  I eventually set a goal of listing 250 of them.  The pages, like the content within them, were mass produced and formulaic. Some pages I entered in the sheet got the notation “more to mine”- that simply meant that I suspected that page would lead to yet another branch of networking but that I was trying to stay on the path I was already  following.

Some people are confused when I include Kitten content in the list of abuses I warn people about.  They seem to think that Fake News and partisian politics are where the corruption and abuse of the platform is taking place. I say when it comes to profit motivated players- the content is just the vector- what it actually is, that’s irrelevant. Learning to recognize the tactics is how you avoid the abuses.  You can fact check Honey Pot Times stories till Snopes lists you as a benefactor- but as long as you keep going back for more of the same garbage from the same source with the same motivation pumping out the content- you are vulnerable to being suckered and you are supporting an abusive system that is spiraling downward.  If people can’t recognize the abusive lie at the source, when a sick child’s picture is used as pray-bait- I can’t expect that they would recognize when a misquoted politician’s photo is being used as rage-bait.  I had hoped that puppies and sunset content might be a less volatile subject to try to use as an education tool, because it is impossible to approach bogus politically divisive memes without being dismissed by the identity signalling sharer as merely supporting the “other side”.

What could possibly be wrong with “Beautiful Nature”? and why would I spend time documenting a network of serial sunset and hummingbird spammers?

1. The post format I had noticed was an obvious trick for surfacing.  The importance of the content was not balanced with the force of the machine promoting it.  This incongruity is a clear sign that there is something else at play.  No one could reasonably think that it is so important to pull out all the surfacing stops that as many people as possible see and set their sights on an infinity swimming pool photo when the page isn’t even selling a room at the resort.

2. The network was doing what I call “cross amplification” They were sharing posts from one large page into many other large pages.  Obviously the network was in possession   of the raw content (I’m not saying they OWN it… I’m just saying they have it) they could just upload the content on as many pages as they want and this would produce cleaner posts- but by sharing a post from one page- to 30 different pages *they also own* that specific shared post could gain cumulative engagement power rather than each post having to start from square one to build its momentum.  Most people don’t think about these things when they see a page share a post from another page.  But this network was so abusive in it’s off topic cross amplification- some people were leaving bad reviews and seemed confused by the lack of focus. The reason why they were confused is that they weren’t comprehending that all the pages were coming from the same engagement mill.

3.  I can’t even call it a content farm/ content mill- as it appeared to me that all of the content was stolen and used without attribution.  This, more than any other thing, is the “crime” that makes the network the work of truly bad actors.  The whole network is built on the foundation of stolen property.  In the population of low-grade content consumers there seems to be a lot of confusion about copyright, with many believing that once something is posted online you no longer have control over who uses it.  That may be true, but it does not mean that copyright does not exist. Facebook does such a piss poor job protecting the creators of the elements of photography, video and writing that are the essential components of “content” that a general attitude has been fostered that it’s perfectly legitimate to take and reuse what you find just laying around on the internet.  A surprising number of people are unable to grasp the distinction between taking someone’s content and sharing it. Facebook doesn’t simply overlook these crimes against creative people, they have made their blind eye into a lucrative loophole, collecting advertising fees for tee shirts with stolen designs, collecting post boosting fees of freebooted video and monetizing instant articles of plagiarized stories.

If you don’t understand what freebooting is, or why there is any harm in it- here are two youtube videos that do a great job explaining it:
FIX  : Smarter Every Day on Freebooting
Kurzgesagt on Freebooting

In regular practice- pages share on-topic material from multiple sources for the benefit of the interested page audience.  They keep their audience engaged by creating and aggregating relevant content. Sharing posts from a variety of sources builds up community networks and helps out other content producers by putting their stuff in front of more people.  This network did the opposite- it fed their audience a variety of in-network cross amplification content regardless of the theme. The content is severed from it’s source and beret of any important contextual imormation.  People were commenting on photos of Dream Vacation pages asking, “Where is this?” and of course not getting an answer from the automated content factory that was merely scraping someone’s Pinterest for linkless uncaptioned unattributed photos.

Feel free to skip to the end if you want to get to the spreadsheet, I have to do an aside:

Let’s talk about Simplemost.  This is an American content mill owned by the E.W. Scripps company based in Cincinnati Ohio.  Scripps is an old newspaper and broadcasting company behind many local and national stations.
You may be see some familiar logos in this dramatic nationwide map.

Simplemost, in their own words: “The goal of Simplemost is to provide women with the news that can impact their lives, along with ideas and tips to help make things just a little easier.”

OK- I’ll just set the obvious insult to my entire being aside for this blogpost as it’s getting pretty long already… but I’ll just mutter… “What exactly does being a woman have to do with this?”  …OK… flip-flop sales could be considered news… maybe. Especially if the journalist writes lengthy articles about the sale while maintaining that it’s not an advertisement (fine print: they do maybe get a small kickback from sales) We can know it’s not an ad because there are other ads placed within the “article”… you can’t sell ads inside other people’s ads now can you? that’s all the proof you need.  Getting my women’s news from Simplemost makes me almost as happy as being invited to a Mary Kay party.  The fact that Scripps doesn’t have a parallel content mill for men makes me wonder what that might look like… oh never mind, forget I asked.

If this is sparking your curiosity, Daniel Walters wrote an article for the Inlander about Simplemost content on the Facebook pages of local news stations back in February.

How does Simplemost work?  There are lots of content mills like this, it would be good to begin to recognize them, and to adjust your consumption accordingly.  They have a team who churns out content, and they also take submissions.  The content is sorted into categories.  If you have a place that lacks some content- if you just need a little filler to keep your audience idly present- like elevator music for human eyes… assuming you meet their qualifications (lots of page likes and the ability to generate traffic), you can get an account which allows a page owner to use Simplemost content to stock a page that obviously doesn’t have a reason for existing. I’m sorry I can’t find the link to the Simplemost account requirements today- I read it back in May and it didn’t seem hard to find back then.  It even had specifics like the number of likes your page had to have as well as the expected payout for your traffic.  When a Facebook page doesn’t have anything of their own, or anything stolen from someone else, Simplemost can provide the page curator revenue generating filler. Apparently Simplemost does discourage copyright violators and in Section 12 of their terms of use says that they don’t want to associate with them although I am unsure if that extends to the point of distribution and not just the aquisition of content.

When the audience clicks on the Simplemost content- that makes money for the page owner.  So you see- they can fake out 300,000 people to like a page allegedly about Beautiful Nature, and then slip them a link or twenty about stuff like a reboot of the show “The Nanny” and make money. (note: this screenshot shows a Simplemost instant article, so Facebook is also serving and profiting from targeted ads to the viewer)  Simplemost pays the page for the traffic- advertisers pay Simplemost to show their ads to the visitors (or pays a little kickback when people buy products after reading Simplemost “articles”).  The people who are being sent aimlessly around only pay with their time and digital footprints.  Simplemost content, like the cross amplification I mentioned earlier- carries with it the cumulative weight of the rolling engagement snowball.


There is another mill called Providr- they are another content source the Beautiful Nature network is using.  Providr is only interested in working with pages with a quarter million likes and up.  My spreadsheet notes some of the pages sharing Simplemost and Providr content- but it may not be a complete listing, if I did not thoroughly scroll through the page posts- I may have missed it.  I may have also not known to note the associations until I was deep into the job, which is now alphabetized.

I saw a lot of Providr content as I was hopscotching through the Beautiful Nature network last night.  The cheap train trip map caught my eye over and over.  So I had to do some backtracking when I saw the Providr train map associated with a website called  This is what Zia Uddin’s train-trip article looks like (whoohoo- I  did it! I archived a webpage for a solid link in the future!…Providr’s website wouldn’t let wayback crawl it I guess) The 3 month old website is registered to Abdul Samad in Karachi. This website is featured prominently on the Facebook page “Luxury World” with over 1,100,000 likes.  Does Providr also licence their content for filler on other websites (with faked bylines)? The article posted to Providr’s website on 12/13/17 does not name the author.

Before I get to the Beautiful Nature spreadsheet- I just wanted to mention this other strange little set of at least 12 pages I found, one has been disabled.  I named this set “Pages with long and vulgar names” I remain stunned by my lack of naming imagination in the face of what I now understand could be infinite possibility. These pages all use Simplemost content. Some, like #12- almost exclusively. Other content mills used by these pages include,,, and  I wonder what Simplemost thinks about their brand being the core content of pages like these?


This example from the Beautiful Nature network, “Wonderful Nature Clicks” I just pulled to show redundant excess- they have posted 15 Simplemost articles in the past five hours. That streak abruptly switches off to cross amplification of network page posts before going back to Simplemost- for a total of about 50 posts in 12 hours.

Here is a strange one- On the page “Stories in Picture” Tina left a negative one star review and two more people chimed in agreeing with her.  Thank goodness some people are paying attention, but what follows… this is just the sort of thing that has me thinking people are asleep at the wheel.  Guillermo posts a five star review using Tina’s negative comment word for word except he adds “excelente page” at the end. How weird.


Relentlessly curious as I am, I went to Guillermo’s profile to see if he had reviewed anything else and found this on the page WebArt.  (this page was not included in the Beautiful Nature network and only appears connected through Guillermo)


This page “Beautiful Animals Moment” is full of awful reviews that don’t seem to be coming from bots- people are pissed!

“This page does not publish things according to its title, it shows animals been devored, animal suffering and it’s frecuently disgusting.Not animal friendly at all.I don’t want to see anymore.”

“Is this suposed to be funny or is it about animal torture ?
This page is not about beautiful animal moments at all.”

“Horrible, cruel, animal torture videos, this group should be closed down”

So about that…

I made the “Beautiful Nature” spreadsheet back on May 7th and 8th, I made a small post about it on the 12th and then I set it aside.

This week I was working on another spreadsheet- documenting military Romance scam profiles that are using the stolen photos and variations of the name William Galbraith- I feel the need to document reported profiles because Facebook ceased sending feedback reports in late May.  Now there is zero record of reported profiles or feedback about Facebook’s action (or inaction) The reporting process is now a bit like putting notes in a bottle and tossing them into the sea. So hopefully spreadsheets like this (with over 100 same name profiles using photos that should be cataloged in a facial recognition database by now) may force a little bit of accountability and highlight how hollow their PR promises ring when they speak about their fantastic new tech that can detect bad actors.


This brought up a conversation with Felicia over at Unfakery who I had worked with on a botnest of autoposting profiles. That strange situation was publicized in a Buzzfeed article.  Felicia said that amazingly, even after all the publicity, the bot accounts were still present on Facebook.

I wondered what was going on with the Beautiful Nature Network.  Pages I had not reported, but merely listed. At the time- due to the effect of surfing hundreds of network pages for hours on end- my own newsfeed was overwhelmed with network shares from my own backstabby hummingbird and rolling fields of lavendar loving friends.  At least from the algorithmic filter I’d created, it seemed as if that network was well on it’s way to total platform domination that week.  So imagine my surprise when I opened my spreadsheet and began to open tabs- that many of the links were broken.  Turns out, precisely 50% of the links I had managed to document were broken: 124 of 249. (as of 6/25/18)   Well that’s interesting.  I must not be the only person who can find banal pretty content problematic.  Facebook was already on the case… but what case were they on?  They took a much bigger bite out of the Beautiful Nature network than they ever did to the Fake Native pages from Kosovo.  What was the violation those removed pages had committed that called for their removal? Big…BIG pages… gone.  For what reason? I could guess- but the part that is confusing to me is that so many pages from the same network proved to be seriously problematic- yet 50% of them remain.

This list is just the tip of the iceberg, it is in no way complete.
Deleted page links are marked with red.
Here is the link to the spreadsheet

Is it really that hard to detect bogus accounts? 

Is it really that hard to detect bogus accounts? 

A tweet by Zeynep Tufekci about the unchecked virality and potential of profiteering from hatemongering on Facebook reminded me of a post I had written back in February of 2017.


Many clickbait sites simultaneously ran a story about a muder that had happened in Germany in February of 2016. The story was pushed out with outrage headlines and together had garnered almost 50,000 shares when I counted last February.

Curious if this story was still floating around I searched Facebook for it again. I found a garbage clickbait website with more ads than copy. The page was full of ads, invasive popups and the article had a Spetember 14, 2017 date. Can you even find the article?


The website yourviralstory .com is listed as being registered to a Rafael Joseph Rivera and is hosted by the same IP address as another website, Newsduterte. Com.


The story was placed in a Facebook group called “Hispanics, Latinos, Mexicans for Trump.” by a profile called Budak Xiel Lhanie.

Searching the group for posts by Budak I see that Budak has only posted links to two websites, Yourviralstory and Newsduterte.

Going to Budak’s profile I feel confident that this profile of an alleged Harvard graduate is not legitimate and have no qualms about posting about it critically and publicly.

The two following links will open with search results showing the actual posts and groups as your own FB privacy settings allow you to view them.

Of the public groups Budak is a member, three of them are local to the Philippines. Eighteen of them are Donald Trump focused groups and one is for Sean Hannity fans.

Of the public postings Budak has made, all of them link to either Yourviralstory or Newsduterte.

On September 9, 2017 Budak made 32 posts of 11 different articles from Yourviralstory into Donald Trump groups. Budak never posts links to the same story more than three times and Budak almost always posts links to the same story exactly three times. This is likely an adaptation to fly under Facebook’s radar as a spammer. It goes without saying that the introduction text Budak adds with each post is identical each time.

Timestamps also reveal automation:

10:26 AM- 10:40- 11 posts

1:33 PM- 1:40 – 12 posts

3:41 PM – 3:45 – 9 posts

I find it had to believe that Facebook’s machine learning is so simplistic that a cluster posting pattern like this would not register as a problem:

3 3 3 3 3 3 3 3 3 3 2 3

But one like this maybe would (also 32 posts)

1 3 2 1 1 3 2 6 2 3 1 7

I don’t really have more words to summarize this quick and dirty peek at the flood of garbage content on facebook that flows unchecked. There you have it.

While the news is full of concerns about Russian trolls, political ads and collusion there are many other players who are toying with incendiary subjects, not always *fake* news; sometimes real news, misused, tied in a knot, cherry picked and amplified beyond it’s logical place in space and time, possibly for no reason other than simple profit.