Bust-AD: Russian-backed Deepfake of a Lithuanian 3 Plus News Reporter Appears on Facebook, Urging ‘Scam Victims’ to File for Money Reimbursement Claim under Interpol

A deepfake video featuring a Russian-speaking TV news reporter from 3 Plus, a channel aired in Latvia, has been flagged for falsely advertising a fraudulent initiative to return lost money to scam victims. This manipulated video, which appears to be an excerpt from a legitimate news report by TV3 Group - a prominent news conglomerate in the Baltic states - has been disseminated through a surge of Facebook advertisements. The ads impersonate the International Criminal Police Organization (Interpol), typically including a text urging victims to follow a link and an AI-generated video

The Debunk.org team found at least four scam ads impersonating Interpol in February 2025, reaching an estimated 18,000 viewers in Lithuania. The advertisements impersonate Interpol to urge victims to follow a link, fill out personal information and apply for compensation for their losses, resulting in theft. However, Interpol has flagged scams similar to those on its official website, warning people against fraudsters impersonating Interpol officers and falsely claiming to help recover lost money. These fraudulent ads leverage a legitimate report on Operation HAECHI V, a worldwide law enforcement operation spanning 40 countries, territories and regions. Over 5,500 individuals involved in financial crimes were arrested and over $400 million were confiscated in virtual assets and government-backed currencies. The ads utilise this report by citing that the lost funds will be distributed to the online scam victims. 

ABCDE FRAMEWORK 

ACTOR

The account disseminating this scam was named Jame. The Facebook account was created in 2022, lacks personal identifiers and does not appear to belong to a real individual, and its activity is limited to promoting this fraudulent campaign. The research of the website shared within the ad has raised a few more red flags. The domain, joversv.site, besides being unavailable now, has several suspicious characteristics, such as a nonsensical name, lack of any emergency contacts, and a private hosting service, which redacts the personal information of the domain owners. 

After looking up the WHOIS data (an open-source registry for websites) for joversv.site, it became apparent that the website was meant to be a throw-away domain with suspicious characteristics - registry data for joversv.site are privacy-protected, obscuring the owner’s identity, with no company name or individual associated with the domain. Many scam sites register domains via privacy services to avoid accountability. The exact registrar hasn’t been confirmed either, as it has been registered via Cloudflare, by Dynadot LLC. The IP hosting website hosts over 700 websites on the same IP addresses, with the addresses previously associated with phishing activity. Furthermore, the site was created on 2025-01-07 and expires on 2026-01-07; fresh registration is a hallmark of fraud sites that pop up overnight. 

Legitimate sites that serve ads usually host an ads.txt listing, which makes those listings available to authorized ad sellers, but scam sites often omit these files to avoid transparency. A check for joversv.site/ads.txt and /app-ads.txt was absent indicating the domain is not using authorized ad networks – consistent with fraudulent or throwaway sites. No file that would normally provide vulnerability disclosure contacts has been found either, its absence means no security contact or policy is advertised. This pattern of behaviour is also typical for illegitimate sites.

The scam with an almost identical text and the same modus operandi has been found on Facebook. This account as well was once again likely stolen and operating only to propagate the scam. Only this time, the whole account has been rebranded to support the scam.

The account enjoys a decent audience of 6.600 followers and it is fully Russian-speaking. The ads have since been removed due to the violation of Meta’s advertisement terms and conditions. The payment for the ad has been Эвеленина Ковальчук (tl: Evelinina Kovalchuk), likely a fabricated name, and includes a typo. However, a mistake has been made by the creators of the scam. The new page includes a non-advertised post with a link to a new domain that previously has been used to host the scam and was left on a post advertising this scam. 

The domain in question is currently unavailable; however, previous WHOIS registration data provided some details. The listed contact person is Irina, purportedly affiliated with Malina Management registered to own the domain. The registered address is Markuveli 23, Mashkara, Coast, 09221, KE, with the associated phone number and email address.

Upon closer examination, the email appears to be a disposable account created solely for this operation, as it shows no signs of prior online activity. Additionally, the actual ownership or validity of the phone number remains unverified. The address additionally seems to be fictitious. Address Line is Markuveli 23, the term "Markuveli" does not correspond to any known street or location in Kenya. Furthermore, there is no record of a city or town named "Mashkara" in Kenya.​ State/Province is indicated as Coast, while Kenya's coastal region is commonly referred to as the "Coast Province", without a specific city or town, this designation is too vague for accurate addressing.​ Kenyan postal codes are also typically five digits, with the first two digits representing the regional code. With no region representing the code of 09, "09221" does not align with Kenya's postal code system.  

Despite the apparent fabrication of the address, research into the name "Mashkara" led to a clothing store in Moscow operating under that name. The business is based in Moscow but maintains production lines and a registry in Nizhni Novgorod, a city approximately 400 km east of Moscow. The owner of this business is Karina Yurievna Manzhula. 

The alleged business – Malina Management – linked to the domain was not easily identifiable online but was located in the Russian business registry using its Cyrillic name. This search provided key details, including its taxpayer identification number (5258079420) and ownership. The registered owner is Aram Artemovich Arutyunyan, and the business is based in Nizhni Novgorod. According to independent business registries, the company engages in 20 types of activities, primarily generating revenue from wholesale textile trade and custom textile manufacturing. This aligns with the previous lead of the clothing brand in Moscow associated with the registered domain’s address, suggesting a possible connection. The business is officially listed as unreliable and is currently involved in a losing litigation case amounting to 252,000 RUB (approximately 2,500 EUR), with outstanding debts totalling 429,000 RUB (approximately 4,300 EUR) as of 2024. However, while the nominal amount of money may differ and seem overstated in Euros due to the fluctuating exchange rate, for a small enterprise, this represents a significant financial burden. For scalability, the total amount of debt would surpass the Russian annual minimum wage standards (approximately 2900 EUR per year) twice. 

Arutyunyan has also been noted to have previous legal trouble. History of financial fraud has been compiled by Bloha-Info, an online portal since 2003, serving as an archive and aggregator of political and regional news, sourcing information from both official and unofficial channels. 

According to Bloha-info, Aram Arutyunyan has been linked to various alleged financial and land fraud schemes. Originally from Kyrgyzstan, his acquisition of Russian citizenship has been questioned, with suspicions of dual nationality. He reportedly leveraged connections within law enforcement and had ties to businesses operating in different sectors, from finance and logistics to agriculture. Arutyunyan's name surfaced in a major land fraud case in Zaoksky District, where he, alongside local officials, was accused of illegally acquiring municipal land using forged documents. The scheme involved forging ownership certificates from 1993 to exploit outdated land laws. Officials acquired agricultural land under pretences and later resold it for profit, causing substantial financial losses to the municipality. Despite the case reaching court and several individuals facing charges of fraud and abuse of power, Arutyunyan managed to avoid criminal liability, exiting the case as a mere witness. Additionally, his business dealings with offshore companies have raised further concerns.

In summary, the identity of Arutyunyan is found through a domain registry that has been linked to the previous iteration of the scam found by Debunk.org in February 2025. Arutyunyan’s business Malina Management currently owns the domain. Considering Arutyunyan's past fraudulent activities and his ties to the ongoing international scam impersonating Interpol, the investigation suspects that the scheme originates from a Russian threat actor.

BEHAVIOUR

The campaign is based on Meta’s social media platforms (Facebook and Instagram) to disseminate deceptive advertisements. The target demographic appears to be Russian-speaking individuals aged 25–65+ in Lithuania, however, the scam is present and has been viewed across other Baltic and European states. The content sample analyzed comes from Facebook’s Ad Library, which suggests that the ads have also been boosted on Instagram. The ads were active between 7 and 10 hours in total. The scams include textual and video urges of clicking the link embedded in the ad, and filling out the user’s personal information. All evidence suggests joversv.site and police-eu.services are malicious, and the intent is likely phishing or identity theft.

CONTENT

The advertisements followed a consistent operational pattern, utilizing AI-generated text that encouraged viewers to click a link and complete a form to claim a reimbursement for funds lost to online scams. The following is the text most used for the scams, which has been identified as 98.7% likely to be AI-generated by PangramLabs. Both the first logged iteration of the scam and the following one that has been identified in the process of the investigation have followed the same pattern, same structure, and same message. Both of the messages have been AI generated and modifications to the text have been minimal, apart from the mentioned domain name, which has been changed from joversv.site to police-eu.services.

Scam 1:

“❗️👮‍♂️ Интерпол вернёт ваши деньги!  

Мошенники присвоили ваши средства? Не ждите – действуйте!  

👉 Подайте заявление в Интерпол, чтобы запустить процесс возврата.  

📝 ✅ Ваш запрос рассмотрят в кратчайшие сроки.  

📝 ✅ Сотрудник Интерпола свяжется с вами для дальнейших действий.  

📝 ✅ Подайте заявление онлайн всего за 2 минуты!”

Translated: “❗️👮‍♂️ **Interpol will get your money back!  

Scammers have embezzled your money? Don't wait - take action!  

👉 Apply to Interpol to start the refund process.  

📝 ✅ Your request will be dealt with as soon as possible.  

📝 ✅ An INTERPOL officer will contact you for further action.  

📝 ✅ Apply online in just 2 minutes!”

Scam 2:

Translated: “❗️Lost money because of internet scammers? We can help you!

👉The first thing you need to do is file an application with Interpol to start the refund process.

📝Your application will be processed today and an Interpol officer will contact you for further action.

📝To get your funds back, apply on our website.

📝Apply via the link below.

https://police-eu [.] services/8ksC1W7d”

The scams also featured AI-generated videos incorporating well-known figures, branding from legitimate news outlets, such as Euronews, and Interpol insignia to appear credible. These videos included AI-generated depictions of Russian government officials, such as Sergey Lavrov, businessmen like Alisher Usmanov and Evgeny Kaspersky, and individuals posing as Interpol representatives. Additionally, they showcased both genuine Russian news reporters and fabricated journalists from Latvian media outlets to deceive viewers.

Most of these videos followed a consistent format, with a brief AI-generated segment (typically under a minute) at the beginning, where an individual urged viewers to click the link in the ad description to claim reimbursement through a supposed Interpol initiative. The remaining nine minutes of the 10-minute videos primarily displayed a static banner reinforcing the call to action.

All the videos were confirmed to be AI-generated following an analysis conducted through the MeVer group MAAM platform. This platform was developed as part of the AI-CODE project, aiming to help investigators analyse, categorise, and test versatile media formats.

One interesting aspect of the videos is the impersonation of legitimate news reporters or news channels. Two cases stand out - one involving the Lithuanian 3 Plus News channel and the Russian 1TV channel. The model of operation seems to be clear – an existent reputable reporter is found, after which a deepfake of them is created, set in the legitimate backdrop of the associated newsroom studio. The deepfake advertises the scam, seemingly from a reputable news outlet. However, while the studio remains accurate to the source and the reporter’s occupation, the branding on the screen has always been mismatched. For example, Valeriya Korablyova, a prominent Russian news anchor who works on 1TV, is deepfaked into the real 1TV studio, promoting the scam. However, the logotypes in the corner and other branding are taken from Rossiya1, another legitimate news outlet. Another insight can be found in the second example of the Lithuanian 3 Plus. The reporter impersonated is Anastasya Lebedich, who works on the Youtube-only news segment show of the Lithuanian TV3 channel. It was possible to pinpoint the exact video that seemed to have been sourced for the deepfake. The deepfake went along the regular script while promoting the scam, however, the branding, once again, did not match the real TV3 channel branding.

The advertisements present a highly deceptive and AI-generated disinformation campaign, exploiting artificial intelligence to fabricate false claims of law enforcement initiatives aimed at reimbursing scam victims. In reality, no such program exists. The use of Interpol’s logo creates a false impression of legitimacy, making viewers believe the scam is backed by an internationally recognized law enforcement agency. The fictitious association with legitimate news outlets grant an illusion that mainstream media and political authorities support the initiative.

This AI-driven deception is further weaponized to manipulate victims by instilling a sense of urgency, pressuring them to immediately submit their personal data. The actual content of the fraudulent form remains unknown, but it is likely designed to harvest sensitive information, including names, addresses, and financial details, exposing individuals to identity theft and financial fraud. This case underscores the growing danger of AI-generated disinformation, which enables scammers to fabricate entirely fictitious narratives, impersonate trusted entities, and exploit public trust on an unprecedented scale.

DEGREE

Currently, the true impact of these ads remains unclear, as no official complaints have been reported, leaving the total financial losses unknown. The fraudulent TV3 news segment has been viewed by over 18,000 people in Lithuania, but this does not necessarily mean that all viewers have fallen victim to the scam or submitted the fraudulent form. The latest domain joversv.site, had available data on the reach and other metrics of the ads that were disseminating this domain on Meta. The target countries have varied per post, focusing on European countries. Whilst, generally the target demographics have varied, there has been a recurring focus on Latvia, Lithuania, and Estonia. There have been 278 ads published with this domain between 13.01.2025 and 19.02.2025. The total reach of all of these ads has added up to 1,088,829 views. The maximum reach of a singular ad has been 21390 views, despite the ads typically staying up only between 2 and 48 hours per ad. The majority of ads enjoyed a range of 100 - 2000 views per listing. 

EFFECT

While the direct financial impact of this scam remains uncertain, its broader societal and geopolitical consequences are deeply alarming. This operation specifically targets Russian-speaking communities across Europe, with a strong focus on the Baltic states, making it a transnational cybercrime threat. The use of AI-generated disinformation and deepfake technology not only manipulates victims but also risks eroding public trust in legitimate law enforcement agencies such as Interpol. As a result, real victims of financial fraud may hesitate to seek assistance, fearing they could fall prey to yet another scam.

Moreover, this scam can likely be attributed to a Russian individual with a known history of fraudulent activities, reinforcing concerns about the increasing sophistication of cybercrime originating from Russia. The advanced AI-generated elements, including deepfake videos of government officials and news anchors, highlight the evolving capabilities of non-state actors in conducting deception at scale. If a single fraudster can orchestrate such a complex operation, it raises the critical question of what state-backed entities could achieve with greater resources and expertise.

This incident serves as a clear warning about the potential for large-scale foreign influence operations (FIMI) using similar or even more advanced AI-driven tactics. With state-level funding, AI-powered disinformation campaigns could be weaponized for election interference, social division, and geopolitical destabilization, making it a pressing national security concern for European governments and beyond.

In an era where seeing is no longer believing, digital literacy and scepticism are more crucial than ever. It is imperative to question the authenticity of online content, verify sources, and remain vigilant against manipulative narratives. Public awareness, media scrutiny, and proactive cybersecurity measures are our strongest defences against the growing wave of AI-powered fraud and foreign interference threats.