LetsData
Analytics Team
Oct 29, 2025
The 770-Ad Deception: How Russian Scammers Weaponized Trusted Faces Across Two Countries
On August 20-21, 2025, LetsData identified a sophisticated fraud operation that launched 770 Facebook ads in under a month from a single page.

The campaign didn't just target one country; it ran parallel operations across the Czech Republic and the United Kingdom, using AI-generated arrest images of prominent figures to lure victims into crypto scams. Former Czech Prime Minister Andrej Babiš, Czech actor Jakub Prachař, and British journalist Martin Lewis all appeared in fake detention photos, their trusted faces weaponized to steal money and personal data.
This wasn't amateur fraud. The operation exhibited industrial-scale infrastructure with Russian fingerprints: disposable domains, geo-cloaking technology, coordinated bot networks, and international front administrators masking centralized control. The campaign revealed how modern scam operations borrow tactics from state-level information operations, creating hybrid threats that combine financial theft with institutional erosion.
The Industrial Scale: 770 Ads, Two Audiences, One Infrastructure
The numbers reveal systematic coordination. A single Facebook page generated approximately 770 ads within 30 days, an average of 25 ads daily. Most were removed or made inactive by August 22, but active ads continued targeting victims across two distinct geographic segments.

Czech audiences saw headlines like "Obvinění Andreje Babiše se potvrdilo!" (Andrej Babiš's accusations have been confirmed!) or "Tragický konec Andreje Babiše! Dnešní ranní zpráva šokovala všechny Čechy!" (The tragic end of Andrej Babiš! This morning's news shocked all Czechs!). British audiences encountered parallel messaging about Martin Lewis being detained for statements made on live ITV broadcasts.

The localization demonstrated sophisticated audience segmentation. Each market received culturally tailored content featuring locally recognized figures, localized language, and region-specific media brands. But beneath the surface variations, the infrastructure remained identical—revealing centralized planning and execution.
The Doppelganger Pipeline: From Fake News to Crypto Theft
The operation followed a three-stage deception funnel designed to maximize victim conversion:
Stage #1. The Bait
Facebook ads claimed to link to legitimate local news sites: U3R.CZ and MLYNEC.CZ (Czech restaurant websites) for Czech audiences, similar front domains for British users. The ad library showed these URLs, creating false legitimacy.
Stage #2. The Redirect
Clicking any ad triggered immediate redirection to disposable domains. Czech users landed on spitecho[.]top. British users were distributed across at least four domains: sermontaskez[.]xyz, coastlays[.]top, agreegain[.]top, and derrgloudser[.]top. These single-use domains were registered shortly before the campaign, classic infrastructure for avoiding detection and takedowns.
Stage #3. The Trap
Victims arrived at perfect replicas of Seznam Zprávy (Czech) or BBC (British). The Doppelganger sites copied logos, layouts, menus, and footer designs with one critical difference: nothing worked. Menus weren't clickable. Search boxes were decorative. The entire site existed only to display one fake article.


The fake articles presented "exclusive interviews" where Babiš or Lewis revealed secret investment platforms: Záloha Corebit (Czech) or Stonegate Bitflow (British). Both platforms promised extraordinary returns and urged victims to deposit minimum amounts (6,000 CZK for Czech audiences) and await calls from "account managers" who would verify their accounts—classic advance-fee fraud mechanics.

Both versions looked the same but used different languages and testimonials. In the British campaign, the testimonials featured Sir Jim Ratcliffe and Sir Keir Starmer.

The Trust Manufacturing System: Bot Comments and Social Proof
Below each fake article, the operation deployed manufactured social proof through dozens of bot-generated comments. The pattern repeated across both language versions:

Czech examples included "Monika Janovičová" claiming 7,900 CZK transformed into 963,432 CZK, and "smellthecoffee101" reporting that a borrowed 6,600 CZK became 900,000 CZK within four days. British-targeted sites featured different names but identical profile pictures and story structures—revealing template-based generation.

The comments followed psychological manipulation formulas: start small, achieve massive returns, thank the "manager," add emotional markers (emojis, gratitude expressions). This manufactured consensus created false legitimacy, pushing hesitant victims toward registration.
The Infrastructure Signatures: Detecting Russian Coordination
Four technical indicators revealed the operation's Russian origins and professional infrastructure:
1. Geo-Cloaking Technology
The sites deployed sophisticated targeting. Czech IP addresses saw the fake Seznam Zprávy content. British IPs encountered BBC replicas. All other geographic locations received generic placeholder pages. This geo-fencing served dual purposes: maximize targeting efficiency and evade platform moderators accessing from non-target countries.
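A defender can surface this behaviour by fetching the same landing URL from several vantage countries and grouping the responses. The sketch below is an added example, not LetsData's tooling; the captured HTML, page titles and country list are constructed, and it assumes most vantage points sit outside the targeted countries so the placeholder forms the largest group.

```python
import hashlib
import re
from collections import defaultdict


def fingerprint(html):
    """Hash the visible text with tags, digits and whitespace runs removed,
    so per-request tokens or counters do not split otherwise identical pages."""
    text = re.sub(r"<[^>]+>", " ", html)
    text = re.sub(r"\d+", "", text)
    text = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def cloaking_report(captures):
    """captures: {country_code: html fetched from that vantage point}.

    Returns (countries served the default page, {country: page title} for
    every country served something different).
    """
    groups = defaultdict(list)
    for cc, html in captures.items():
        groups[fingerprint(html)].append(cc)
    default = max(groups.values(), key=len)   # largest group = placeholder
    outliers = {}
    for ccs in groups.values():
        if ccs is default:
            continue
        for cc in ccs:
            m = re.search(r"<title>(.*?)</title>", captures[cc], re.I | re.S)
            outliers[cc] = m.group(1).strip() if m else ""
    return sorted(default), outliers


# Constructed captures of one landing URL seen from five countries.
PLACEHOLDER = "<html><title>Welcome</title><body>Site under construction. Ref {}</body></html>"
CAPTURES = {
    "CZ": "<html><title>Seznam Zprávy</title><body>Exkluzivní rozhovor</body></html>",
    "GB": "<html><title>BBC News</title><body>Exclusive interview</body></html>",
    "US": PLACEHOLDER.format(48213),
    "DE": PLACEHOLDER.format(90177),
    "ID": PLACEHOLDER.format(5),
}

if __name__ == "__main__":
    print(cloaking_report(CAPTURES))
```

Any non-empty outlier map on a freshly registered domain is worth a manual look, especially when the outlier titles name a media brand the domain has no relation to.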

2. Russian Code Fragments
Source code analysis uncovered Russian language comments embedded in the Doppelganger sites. The spitecho[.]top domain contained multiple Russian annotations—technical notes left by developers revealing linguistic origins despite Czech and English front-end content.

3. International Front Administrators
Facebook transparency data showed six page administrators located in the United States and one in Indonesia. This geographic distribution creates plausible deniability—but the pattern is classic scam network behavior. Operations rent or purchase international accounts to bypass platform checks and country-specific restrictions while maintaining centralized backend control.

4. Disposable Domain Architecture
The operation employed different infrastructure layers:
| Front Domain (Ad Library) | Actual Destination | Target Audience |
| --- | --- | --- |
| u3r.cz | spitecho[.]top | Czech |
| mlynec.cz | spitecho[.]top | Czech |
| mlynec.cz | sermontaskez[.]xyz | UK |
| u3r.cz | coastlays[.]top | UK |
| mlynec.cz | agreegain[.]top | UK |
| mlynec.cz | derrgloudser[.]top | UK |

This multi-layer system, legitimate front domains masking disposable destination domains, mirrors "Doppelganger" tactics previously documented in Russian information operations. The same FIKED (Front, Intermediary, Destination) strategy identified by researchers analyzing state-level influence campaigns appeared in this financially motivated fraud.
The Hybrid Threat: Financial Fraud Meets Information Operations
The campaign pursued three objectives simultaneously:
Primary Goal. Financial Theft
Extract money through fake crypto platform deposits, capturing minimum investments of 6,000 CZK per victim across hundreds of targets.
Secondary Goal. Data Harvesting
Collect phone numbers, email addresses, and potentially banking details through registration forms—valuable assets for future fraud operations or dark web sale.
Tertiary Goal. Trust Erosion
Weaponize trusted figures (politicians, journalists, media brands) to erode institutional credibility. When prominent faces appear in fabricated arrest scenarios on fake news sites, public trust in both individuals and media institutions degrades—even after debunking.
This hybrid approach demonstrates how criminal operations increasingly adopt tactics from state-level information warfare. The infrastructure supports both immediate financial extraction and long-term societal impact.
Detection and Defense: Recognizing Industrial-Scale Fraud
LetsData identified this operation through behavioral signatures that distinguish coordinated campaigns from isolated incidents:
Volume and Velocity: 770 ads in 30 days from a single page exceeds organic or small-scale fraud patterns, indicating automated systems and substantial resources.
Cross-Border Coordination: Simultaneous parallel campaigns targeting distinct audiences with localized content reveal centralized planning and execution capability.
Infrastructure Sophistication: Geo-cloaking, disposable domains, Doppelganger replication, and bot comment systems require technical expertise beyond amateur fraud.
Linguistic Fingerprints: Russian code fragments despite Czech/English content point to operational origins separate from front-facing targeting.
Template Replication: Identical structural patterns (ad formats, Doppelganger layouts, bot comments, crypto platforms) across language versions reveal standardized playbooks.
These indicators enable real-time detection before campaigns reach saturation. The 30-day window this operation ran represents preventable damage—with proper monitoring, platforms could identify and disrupt such campaigns within 48-72 hours of launch.
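The volume/velocity signature and the front-versus-destination mismatch from the domain table can be checked mechanically over ad records. The following is an added example, not LetsData's detection code; the record fields, thresholds and launch dates are assumptions, and only the domain pairs come from this article.

```python
from collections import defaultdict
from datetime import date, timedelta

# Thresholds are illustrative assumptions, not LetsData's values.
MAX_ADS_PER_DAY = 10   # sustained launch rate treated as abnormal for one page
MIN_FANOUT = 3         # landing hosts behind one declared front domain


def score_page(ads):
    """Return behavioural signatures for one advertiser page.

    ads: list of dicts with 'launched' (date), 'declared_host' (host shown
    in the ad library) and 'landing_host' (host reached after redirects).
    """
    if not ads:
        return {}
    days = [a["launched"] for a in ads]
    rate = len(ads) / ((max(days) - min(days)).days + 1)
    fanout = defaultdict(set)   # declared front host -> landing hosts seen
    mismatched = 0
    for a in ads:
        front, dest = a["declared_host"].lower(), a["landing_host"].lower()
        if front != dest:
            mismatched += 1
            fanout[front].add(dest)
    findings = {}
    if rate > MAX_ADS_PER_DAY:
        findings["ads_per_day"] = round(rate, 1)
    if mismatched > len(ads) / 2:
        findings["mismatch_ratio"] = round(mismatched / len(ads), 2)
    wide = {f: sorted(d) for f, d in fanout.items() if len(d) >= MIN_FANOUT}
    if wide:
        findings["fanout"] = wide
    return findings


# Constructed sample: the front/destination pairs are from the table above;
# the launch dates and the even spread over 30 days are made up.
PAIRS = [("u3r.cz", "spitecho[.]top"), ("mlynec.cz", "spitecho[.]top"),
         ("mlynec.cz", "sermontaskez[.]xyz"), ("u3r.cz", "coastlays[.]top"),
         ("mlynec.cz", "agreegain[.]top"), ("mlynec.cz", "derrgloudser[.]top")]
SAMPLE = [{"launched": date(2025, 7, 23) + timedelta(days=i % 30),
           "declared_host": PAIRS[i % 6][0], "landing_host": PAIRS[i % 6][1]}
          for i in range(770)]

if __name__ == "__main__":
    print(score_page(SAMPLE))
```

Run daily over each page's ads, a check like this flags the page on velocity alone within the first days of activity, long before the 30-day mark.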
Beyond Individual Cases: The Systemic Threat
This campaign matters beyond its immediate victims. It demonstrates the convergence of criminal fraud operations and information warfare tactics. When scammers adopt Doppelganger infrastructure, geo-cloaking technology, and coordinated bot networks previously associated with state actors, the distinction between financial crime and hybrid threats dissolves.
The 770 ads represent industrial-scale capability with exportable components. The same infrastructure deployed against Czech and British audiences can target any democracy, any trusted figure, any media brand. The Russian technical fingerprints suggest knowledge transfer from information operations to criminal networks, or potential overlap between the two.
For platforms, institutions, and citizens, the message is clear: modern fraud operates at the scale and sophistication of information warfare. Detecting these operations requires moving beyond reactive takedowns to proactive pattern recognition, identifying behavioral signatures before campaigns achieve saturation.
When trusted faces become weapons and legitimate media brands become theft vehicles, every click carries risk. The 770-ad deception proved that Russian-linked operations can weaponize anyone's reputation across any border, at industrial scale, within weeks.



