Suspicious Georgia protest-related Facebook ads lure users into financial scam
Many ads impersonated local media outlets to direct users to financial scam websites
BANNER: Screenshots of identical and similar Facebook ads that led to financial scam websites. (Source: DFRLab via Facebook)
During Georgia’s spring 2024 protests against the foreign agents law, at least fifteen Facebook pages shared deceptive Georgian-language ads designed to draw users into a financial scam. The ads imitated news outlets and used altered photos, image compilations, and headlines to mimic news coverage. The images in the ads featured the logo of the English-language local media outlet Georgia Today and directed users to websites impersonating the reputable local media outlets Tabula and Ambebi.ge. The fraudulent websites plagiarized content from the authentic websites. At least one website in the operation requested users’ personal information and offered fraudulent investments in SOCAR, an Azerbaijani oil and gas company.
Facebook is one of the most popular social media networks in Georgia. Amid the spring protests, it was actively used by Georgian democracy activists to share information and mobilize actions. The DFRLab previously reported how government and pro-government Facebook pages targeted the protests with dozens of ads, spending over $90,000 on Facebook to amplify government propaganda and discredit the protests.
Deceptive ads
Dozens of ads on Facebook exploited the spring protests in Georgia to siphon attention toward false ads and lure users into a financial scam. Various Facebook pages shared ads with identical images and headlines. The pages also used an audience network feature that, according to Meta, allows ads to be placed in “high-quality mobile apps, especially in gaming apps where players are deeply engaged.”
We grouped the identified ads into three categories. The first category used images from protests, emphasizing Georgian flags. The second category featured images of politicians, including photos of Georgian Dream chairman and former prime minister Irakli Garibashvili, as well as opposition politicians. The third category used photos, including digitally altered ones, of Mikheil Lomtadze, a Georgian billionaire. Some ads falsely claimed that Lomtadze was summoned to court for assisting protesters, despite his not being publicly involved in Georgian politics and not living in Georgia. The ads had a similar style, including design, font, colors, and clickbait headlines such as “Whole Georgia is in shock! What do they truly hide behind the new law?”, “New Georgian law! Government’s evil plan?”, and “Georgia on the verge of crisis,” among others.
We conducted a reverse image search for the photos in the ads and found the images were taken from elsewhere and sometimes altered. One of the ads featuring Mikheil Lomtadze included a photo with multiple edits, including the addition of bruises on his face. It also featured a four-year-old background image of Georgian police. The ad falsely claimed that Lomtadze was arrested.
Facebook pages
The fifteen identified Facebook pages had nearly no activity besides the sponsored ads on Meta platforms. Eight of these fifteen pages operated as false media pages, using identical profile images featuring a logo with the text “24/7 NEWS.” Additionally, two pages used their names to indicate they were media outlets, “News Ge24/7” and “News Georgia.” While only three pages were created in May 2024, all eight pages changed their profile images to the “24/7 NEWS” logo in May, coinciding with the widespread protests in Georgia.
The DFRLab found that at least four pages also targeted users in other countries. Two pages ran ads in Turkish, while another two posted clickbait content about Belarus. The administrator location was available for three of these pages, with admins residing in Belgium, South Africa, Vietnam, Peru, Algeria, Indonesia, and other Southeast Asian countries, indicating a possible international operation.
Scam websites
The misleading Facebook ads linked to scam websites often promoted financial investment opportunities. The destination websites were typically unrelated to the content of the ads and mostly contained text copied from legitimate websites. Many of the fake websites plagiarized content from Nomadcapitalist.com, a site that assists entrepreneurs and investors with tax reduction and asset diversification and protection. Most of the websites copied a specific section of Nomad Capitalist that featured Russian text about investing in real estate in Tbilisi, Georgia.
To examine whether the websites stole code from Nomadcapitalist.com, the DFRLab compared HTML code snippets of Nomadcapitalist.com and one of the fraudulent websites, kilargrunt.com. We found that both websites contained many similarities. The source code of both websites had nearly identical meta tags and properties, including character sets, http-equiv, viewport, title, and description tags. In addition, the author, publication details, and Twitter card properties were almost identical. This suggests that Nomadcapitalist.com’s HTML code may have been duplicated by the Kilar Grunt website.
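The meta-tag comparison described above can be automated. The following Python script is an added example written for this edit, not DFRLab’s own tooling, and the two HTML snippets in it are constructed stand-ins rather than the real markup of Nomadcapitalist.com or kilargrunt.com. It extracts every meta tag (charset, http-equiv, name, property) plus the title from each document, then reports the overlap as a Jaccard score together with the tags that appear only on the suspect page, which is usually where a cloned site betrays itself (its own og:url, a different generator, and so on).

```python
from html.parser import HTMLParser


class MetaCollector(HTMLParser):
    """Collect <meta> tags and the <title> text from an HTML document."""

    def __init__(self):
        super().__init__()
        self.meta = set()      # set of (key, value) pairs
        self.title = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            a = dict(attrs)   # attribute names are already lower-cased by HTMLParser
            if "charset" in a:
                key, value = "charset", a.get("charset")
            else:
                key = a.get("name") or a.get("property") or a.get("http-equiv")
                value = a.get("content")
            if key:
                self.meta.add((key.lower(), (value or "").strip()))
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def meta_fingerprint(html):
    """Return the set of (key, value) pairs that describe a page's <head>."""
    parser = MetaCollector()
    parser.feed(html)
    fingerprint = set(parser.meta)
    if parser.title.strip():
        fingerprint.add(("title", parser.title.strip()))
    return fingerprint


def jaccard(a, b):
    """Similarity of two sets: |A ∩ B| / |A ∪ B| (1.0 when both are empty)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def compare_pages(original_html, suspect_html):
    """Compare head metadata of an original page and a suspected clone."""
    original = meta_fingerprint(original_html)
    suspect = meta_fingerprint(suspect_html)
    return {
        "similarity": jaccard(original, suspect),
        "shared": sorted(original & suspect),
        "only_in_suspect": sorted(suspect - original),
    }


# Constructed sample documents (hypothetical domains, not the real sites).
ORIGINAL_HTML = """<html><head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Investing in Tbilisi real estate</title>
<meta name="description" content="How foreign investors buy apartments in Tbilisi">
<meta name="author" content="Example Author">
<meta property="article:published_time" content="2023-03-01T10:00:00+00:00">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:site" content="@example_site">
<meta property="og:url" content="https://original.example/tbilisi-real-estate">
</head><body></body></html>"""

SUSPECT_HTML = """<html><head>
<meta charset="utf-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<title> Investing in Tbilisi real estate </title>
<meta name="description" content="How foreign investors buy apartments in Tbilisi"/>
<meta name="author" content="Example Author"/>
<meta property="article:published_time" content="2023-03-01T10:00:00+00:00"/>
<meta name="twitter:card" content="summary_large_image"/>
<meta name="twitter:site" content="@example_site"/>
<meta property="og:url" content="https://suspect.example/invest"/>
</head><body></body></html>"""

if __name__ == "__main__":
    report = compare_pages(ORIGINAL_HTML, SUSPECT_HTML)
    print(f"similarity: {report['similarity']:.2f}")
    for key, value in report["only_in_suspect"]:
        print(f"only on suspect page: {key} = {value}")
```

A high score on its own is not proof of cloning, since many sites share boilerplate such as viewport and charset tags; the author, published_time and Twitter card values are the ones that rarely coincide by accident, and the “only on suspect page” list is what to examine next.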
The DFRLab discovered that most of the identified domains were registered through NameCheap, Inc., a US-based domain registration company. NameCheap uses a service called Withheld for Privacy, which keeps the owners’ information hidden from public WHOIS databases. Consequently, the true identities of the people behind these websites were not available in domain queries. Additionally, some of these websites were created on the same day or within a few days of each other, indicating possible coordination between them.
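Registrar and creation-date clustering of the kind described in this paragraph is easy to script once WHOIS records have been collected. The Python below is an added example for this edit, not a DFRLab tool, and the records it works on are constructed placeholders (hypothetical .example domains, invented dates and registrar names), not the investigation’s actual domains. It groups domains by registrar and then chains together any that were created within a configurable number of days of the previous one, flagging clusters of two or more as worth a closer look.

```python
from datetime import date

# Constructed WHOIS-style records; domains, dates and registrars are placeholders.
RECORDS = [
    {"domain": "news-a.example", "registrar": "Registrar One", "created": date(2024, 5, 3), "privacy": True},
    {"domain": "news-b.example", "registrar": "Registrar One", "created": date(2024, 5, 3), "privacy": True},
    {"domain": "news-c.example", "registrar": "Registrar One", "created": date(2024, 5, 5), "privacy": True},
    {"domain": "shop-d.example", "registrar": "Registrar Two", "created": date(2024, 5, 20), "privacy": False},
    {"domain": "news-e.example", "registrar": "Registrar One", "created": date(2024, 6, 10), "privacy": True},
    {"domain": "news-f.example", "registrar": "Registrar One", "created": date(2024, 6, 11), "privacy": True},
]


def cluster_by_creation(records, window_days=3):
    """Chain records (already restricted to one registrar) whose creation
    dates are within window_days of the previous record in date order."""
    ordered = sorted(records, key=lambda r: r["created"])
    clusters = []
    for rec in ordered:
        if clusters and (rec["created"] - clusters[-1][-1]["created"]).days <= window_days:
            clusters[-1].append(rec)
        else:
            clusters.append([rec])
    return clusters


def registration_clusters(records, window_days=3):
    """Return {registrar: [cluster, ...]} using the date-chaining rule above."""
    by_registrar = {}
    for rec in records:
        by_registrar.setdefault(rec["registrar"], []).append(rec)
    return {reg: cluster_by_creation(recs, window_days) for reg, recs in by_registrar.items()}


def flag_coordination(records, window_days=3, min_size=2):
    """List clusters of at least min_size domains sharing a registrar and a
    tight creation window; each entry also notes whether all used WHOIS privacy."""
    flagged = []
    for registrar, clusters in registration_clusters(records, window_days).items():
        for cluster in clusters:
            if len(cluster) >= min_size:
                flagged.append({
                    "registrar": registrar,
                    "domains": [r["domain"] for r in cluster],
                    "span_days": (cluster[-1]["created"] - cluster[0]["created"]).days,
                    "all_privacy": all(r["privacy"] for r in cluster),
                })
    return flagged


if __name__ == "__main__":
    for hit in flag_coordination(RECORDS):
        print(f"{hit['registrar']}: {', '.join(hit['domains'])} "
              f"(registered within {hit['span_days']} days, privacy on all: {hit['all_privacy']})")
```

Shared registrar and near-simultaneous registration are a weak signal on their own (popular registrars register thousands of domains a day), so the output is a lead for further comparison of content, hosting and ad accounts, not a conclusion.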
The DFRLab discovered that at least one website impersonated SOCAR, the state oil company of Azerbaijan, and encouraged users to submit personal data via a registration form. The website claimed that visitors could invest in SOCAR and earn a profit. It outlined three steps for investing: first, filling out the registration form with a name, email address, and phone number; second, waiting for a call from a “manager” to discuss investment details; and third, investing in SOCAR by making a minimum deposit of 700 GEL ($255). After completing these steps, investors were promised a profit.
Notably, the DFRLab previously reported on similar ads in Polish featuring a comparable registration form for investing in the BitQT trading service.
The DFRLab found no evidence that these websites were monetized, as there were no signs of native or programmatic advertising, such as Google Ads.
Impersonating Georgian media outlets
Some of the websites impersonated reputable Georgian media outlets, using their logos and similar visual designs. One such website mimicked the Georgian media outlet Ambebi.ge, though the domain on the fraudulent website was ambebi.ru. It posted a sensational headline about Valeri Meladze, a Russian singer of Georgian origin, falsely claiming he was arrested. The headline read, “Valeri Meladze will be questioned in court: The National Bank is going to file a lawsuit because a secret was revealed about how any citizen of Georgia can earn a lot of capital.” Another website impersonated the media outlet Tabula with a headline stating, “Why is the government afraid of protests and what is truly behind demonstrations in Georgia?” The banner image depicted an anchor from the pro-government TV channel Imedi and a photo of Levan Khabeishvili, a parliament member and leader of the opposition party United National Movement, after he was beaten by police during a demonstration. The content on the fake Tabula website discussed an investment opportunity in SOCAR.
The DFRLab also discovered what appear to be fake bank transfer documents purportedly from two Georgian commercial banks, TBC Bank and Bank of Georgia. One document includes a likely fake testimony from an account holder who claimed to have received a transfer from SOCAR and decided to invest more in SOCAR. These bank confirmations feature Georgian male names and show the amounts they received from SOCAR. However, there are several inconsistencies in these documents: both contain identical bank account numbers, IBAN codes, and phone numbers, while the names and surnames of the account holders are different.
Cite this case study:
Sopo Gelava and Givi Gigitashvili, “Suspicious Georgia protest-related Facebook ads lure users into financial scam,” Digital Forensic Research Lab (DFRLab), December 10, 2024, https://dfrlab.org/2024/12/10/suspicious-georgia-protest-related-facebook-ads-lure-users-into-financial-scam/.