This article is the result of a collaboration with Japanese publishing partner Nikkei. You can find Nikkei’s investigation here.

Earlier this year, a man and a woman stood trial in a New York courtroom on charges related to the illicit drugs trade. They had been arrested as part of an undercover sting by the US Drug Enforcement Administration (DEA) after more than 200 kilograms of precursor chemicals used to make the synthetic opioid fentanyl were shipped from China to the US. It was enough to make 25 million deadly doses of the drug, authorities said. 

The Chinese nationals were also accused of conspiring to import tonne-quantities of fentanyl precursors to the US, where tens of thousands of people die from opioid overdoses every year. After a two-week trial, a Manhattan jury found the pair guilty of conspiracy to import fentanyl precursors and conspiracy to commit money laundering. 

Qingzhou “Bruce” Wang, 36, and Yiyi “Chiron” Chen, 32, worked for Hubei Amarvel Biotech (AmarvelBio), a chemical firm based in the Chinese city of Wuhan. They were arrested in 2023 after being lured from China to Fiji as part of a DEA operation and subsequently extradited to the US. The case marked the first time US authorities prosecuted Chinese company executives for trafficking fentanyl precursors.

But court documents showed there may be links to another East Asian country. Bellingcat was contacted by the Japanese newspaper Nikkei, which was investigating AmarvelBio’s connection to Japan, suspecting the country was being used as a command post for the cross-border smuggling operation. 

Nikkei was looking into Xia Fengzhi, a Chinese man referred to in the New York legal proceedings as “the boss in Japan”. It had found an individual by that name who was listed as the owner of a Chinese company selling raw chemical materials called Fushikai Trading Co Ltd, which according to Nikkei was active under the brand name “Firsky”. A website for Firsky China included a certificate for Fushikai Trading with the same identification code seen on Fushikai’s corporate records. The company, according to its website, was a wholly owned subsidiary of Firsky Co. Ltd., which was registered in Nagoya, an industrial city in central Japan. 

Nikkei pulled the corporate records for Firsky in Japan, which showed Xia headed the company. Records obtained by Nikkei also showed that the Chinese company’s supervisor was listed as Qingzhou Wang, the same name as one of the two AmarvelBio executives convicted in the US.

Nikkei asked Bellingcat’s financial investigations team to leverage its expertise in open source research to independently verify the Japanese company’s connection to AmarvelBio. Our investigation uncovered evidence showing the two companies are not only part of the same international smuggling network – they are effectively one and the same. This is how we did it.

The Japan Connection

Linking AmarvelBio and Firsky through domain records was not possible because both websites were registered through a provider that uses privacy protection, which conceals personal details from the public. However, information obtained by US law enforcement can become public during court proceedings.

CourtListener’s Advanced RECAP Search is a free tool operated by the non-profit Free Law Project that allows users to search millions of federal court documents made available through the Public Access to Court Electronic Records (PACER) service. 

A CourtListener search for “amarvelbio.com” returned multiple results, including an exhibit from the federal case against AmarvelBio. This contained subpoenaed domain registration data, which showed that convicted AmarvelBio employee Yiyi “Chiron” Chen registered a number of domains, including for AmarvelBio, its “sister company” Wuhan Wingroup, and Firsky (in both China and Japan).

Another domain (firskytech.com) that was not included in the documents available on CourtListener was registered months after Chen’s 2023 arrest and remains online as of publication. This website lists an address in Wuhan and describes itself as a wholly Japanese-owned supplier of “high purity” chemical intermediates. While its registration details remain private, the contact email listed on the site uses the domain for Firsky China – “firsky-cn.com” – which was registered by Chen and is therefore linked to the network.

Bellingcat also found Chen’s personal gmail address in the source code in archives of three websites (here, here and here) that were in both the subpoenaed registration records and a list of 12 domains US authorities seized after linking them to AmarvelBio, further corroborating her involvement.

Additional domain links between AmarvelBio and the Japanese iteration of Firsky were identified in archived advertisements from the darknet marketplace Breaking Bad, which were found via leak aggregator intelx.io. The chemicals ads were posted under AmarvelBio’s rebranded name, AmarvelTech, following the Chinese company’s indictment in 2023. 

Some of the ads led to whrchem.com – one of the 12 websites seized by the DEA. Domain records discovered via intelx.io revealed that whrchem.com was controlled by two email accounts, one of which used the domain for Firsky Japan – “firsky-jp.com”. The same email is also listed as an “author” on an archive of whrchem.com.

Bellingcat’s analysis of AmarvelBio and Firsky’s profiles, advertisements and salespeople uncovered further links between the two companies, including recycled phone numbers, photographs, watermarks, company bios and compliance certificates that could not be verified.

Searches for Firsky on the Breaking Bad forum returned an existing profile for a salesperson called “Cindy”, whose contact website was listed as bmkpmkbdo.com. A 2024 archive of the site displays Cindy’s WhatsApp number which, searches show, had previously been used in an AmarvelBio advertisement posted on Breaking Bad. 

Firsky has a seller profile with more than 350 active listings on the e-commerce platform ChemicalBook. But in one ad, under descriptions of the company, Firsky is interchangeably described as AmarvelBio.

While many Firsky ads included stock images branded with its watermark, some products advertised by Firsky were clearly branded as AmarvelBio and displayed the “Hubei Amarvel Biotech Co., Ltd” watermark. One Firsky website and AmarvelBio’s ChemicalBook profile both displayed an image of the same factory.

AmarvelBio also has a ChemicalBook seller’s profile and displays a certificate (though “Amarvel” appears to be misspelled “Amarbel”) claiming to show it passed a third party quality inspection. An image of a certificate bearing an identical report number and date, but with Firsky listed under “company name”, was found on one of Firsky’s websites. Under the “General Comments” section, both the Amarvel and Firsky certificates contain a reference to “Huibei Amarbel Biotech Co., Ltd., located in Wuhan”.

The company said to have issued the certificates, SGS-CSTC Standards Technical Services Co. Ltd., told Bellingcat it was unable to verify the documents because they were incomplete.

Earlier this year, Bellingcat and the Estonian outlet Postimees investigated the online sale of nitazene opioids from Chinese suppliers. It found that entities involved in selling the super-strength drugs also used Russian Doll-like setups involving multiple companies sharing the same contact details, salespeople, advertisements and website layouts.

‘Room for Exploitation’

Illicit fentanyl sourced from China and Mexico has fueled the most lethal drug crisis in America’s history. The synthetic opioid is 50 times more potent than heroin – a dose as small as 2mg can be lethal. While fatalities have declined in recent years, the opioid epidemic killed more than 100,000 people between February 2022 and January 2023, and overdose remains the leading cause of death for Americans aged 18 to 44. 

The US government this year imposed tariffs on China aimed at putting pressure on Beijing to stem the flow of fentanyl precursor chemicals into the country. In June, China added two fentanyl precursors to the list of controlled substances in what it described as an initiative to fulfill UN drug control obligations, reflecting its “attitude of actively participating in global drug governance”. At least one of these precursors has been advertised by AmarvelBio and its affiliated companies, including some listings that remain online on third-party trading websites. 

Takehiro Masutomo, a Tokyo-based journalist and the author of Run Ri: Tracing the Footsteps of Chinese Elites Escaping to Japan, has written extensively about the new wave of immigration to Japan by Chinese people, who now make up that largest group of foreign residents in the country. He told Bellingcat that Japan was an attractive destination not only because of its proximity to China, cultural ties, and the relative ease with obtaining long-term residential status via business routes, but also because there were fewer regulatory barriers. He said this left “room for exploitation” by criminals. 

“It’s really easy to set up a company here, and everything is cheap compared with other global cities. That’s the main reason,” Takehiro said. “I have been interviewing a lot of newly arrived Chinese people here, and I came across some people, including criminals. Japan may face a potential increase in financial crimes, including money laundering, involving individuals from China.” 

Nikkei reported that Japan may have been chosen as a base because it is not widely associated with trafficking fentanyl precursors and therefore less likely to have shipments inspected. While Firsky has been liquidated in Japan, Nikkei said AmarvelBio’s network continues to operate in China. The whereabouts of Xia Fengzhi, described in US court documents as “the boss in Japan”, remain unknown.

In response to a question on the Breaking Bad forum about the case against AmarvelBio in 2023, a user tagged as an “AmarvelBio Vendor” said US sanctions have “no effect” on Chinese companies. “The only thing they can do is blocking [sic] our website,” they said. “This is no pain to us, we will build a lot of new websites”.

Xia Fengzhi did not respond to requests for comment from Nikkei. Lawyers for Wang and Chen, who are due to be sentenced this month, did not respond to requests for comment as of publication.

George Katz and Connor Plunkett contributed to this article.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here and Mastodon here.

The post A Chinese Fentanyl Smuggling Network’s Footprints in Japan appeared first on bellingcat.

This article includes data from Justice Delayed, an ongoing project by the author to create a database of criminal cases from more than 650 district courts in India. 

On the night of Sept. 29, 2008, an explosion ripped through a crowded area in the predominantly Muslim city of Malegaon, Maharashtra in India, killing six people and injuring more than a hundred others. Investigators alleged that the blast was triggered by a bomb planted in a motorcycle registered to Pragya Chandrapalsingh Thakur, then a 38-year-old nun and Hindutva (or Hindu nationalist) activist. 

Thakur was the most high profile of the seven people arrested and charged for their alleged involvement in the blast. Almost 17 years later, all of the accused have been acquitted, with the judge reportedly saying that the prosecution could not prove that the bomb was fitted to the  motorcycle or that it belonged to Thakur.

Appearing in court on Thursday, Thakur reportedly told the judge that the investigation had “ruined [her] life”. She was quoted by several outlets saying that she had been “arrested and tortured” by investigators. She also hailed her acquittal as a “victory of Hindutva”.

Meanwhile, the advocate for the victims’ families has reportedly vowed to challenge the acquittals in India’s High Court.

Thakur’s court appearance on Thursday was a rare one: she has been notably absent for most of the trial, citing medical reasons including brain swelling, impaired sight, and a doctor advising bed rest “due to multiple ailments”.

Although attending hearings related to her case was a key condition of her bail, a Bellingcat analysis of documents from the NIA special court shows she was recorded as present at only three of the 162 court appointments that focused on final arguments of the case, from July 24, 2024 to May 8, 2025.

As of publication, Thakur has not replied to multiple requests for comment over email, text messages, and social media about her absences from court. One of her lawyers, Advocate JP Mishra, told Bellingcat that he only has the contact number of Thakur’s personal assistant, and not of Thakur herself.  

Thakur has been on bail since April 2017, when organised crime charges against her were dropped by the Maharashtra Anti-Terrorism Squad (ATS), a state police body. A year later, the National Investigation Agency (NIA) – the main counter-terrorism investigation agency in India – initiated a new case against Thakur and six others over their alleged involvement in the same incident.

In 2019, Thakur was elected as a Member of Parliament for the central Indian state of Madhya Pradesh under the ruling Hindu nationalist Bharatiya Janata Party (BJP), and served five years in the role before stepping down in 2024 at the end of her term. 

Pragya Thakur: Murder Suspect Turned Politician

This is the second criminal case where Thakur has been charged, and then acquitted due to a lack of evidence.

She was previously accused, then acquitted in 2017, of being one of eight people involved in the December 2007 murder of Sunil Joshi, reportedly a close aide of Thakur before they fell out. 

Joshi was a suspect in the 2007 Samjhauta Express train bombing which killed 68 people, mostly Pakistan citizens. Based on local reports, the court acquitted Thakur and her co-accused after finding the case was not investigated with the “required seriousness” by the NIA and state police, who it said produced “weak and self-contradictory evidences”. Thakur was not present in court when the verdict for this case was delivered.

When the BJP fielded her as a candidate in the 2019 general elections, Thakur had been accused of terrorism, murder and criminal conspiracy over the 2008 Malegaon blast.

Nisar Ahmed Sayyed Bilal, whose son was one of the victims of the Malegaon bombing, filed an application in the trial court to prevent her from running in the election, but this was dismissed.

Thakur won her seat by a wide margin against her opponent – a two-time chief minister of the state – and served as a member of parliament for five years.

While in office, Thakur continued to be a controversial figure. She was often quoted making incendiary comments against the country’s minority Muslim community, including accusing them of “love jihad” and encouraging Hindus to arm themselves against Muslims by sharpening their kitchen knives. This was despite the fact that she was representing a constituency with a significantly Muslim population of more than half a million, as of the latest 2011 census data.

In one of her speeches delivered in parliament in December 2023, Thakur criticised the previous government for allowing Muslims accused of crimes to secure bail “despite being criminals”, even though she was out on bail herself.

She has also been quoted in reports claiming that cow urine can protect against Covid-19 and that the same substance had cured her breast cancer. However, a surgeon who operated on her was quoted in an interview saying that she underwent a mastectomy for the latter condition. One of her lawyers, Advocate JP Mishra, also told Bellingcat that Thakur had two surgeries while in jail, and one after her release, to fight cancer.

The verdict on Thursday marks the end of one of the longest-running terrorism trials in the country.

Procedural delays are not uncommon in India’s justice system – it reportedly has a staggering backlog of 50 million pending cases – but Bellingcat’s analysis found that this case took much longer than other similar ones under India’s anti-terror Unlawful Activities (Prevention) Act (UAPA). Data from the NIA special court, which only deals with charges under the UAPA, shows that five other trials it recorded as completed as of July 25 this year were decided in an average of 19.6 months. The Malegaon case was heard 1,187 times over a period of 84 months before Thursday’s verdict was delivered.

Getting the Data

In India’s justice system, each case before a court is assigned a unique Case Number Record (CNR), which is used for all documents related to that case. 

The CNR may change if the case is transferred between courts. For example, the Malegaon case had a different CNR in the 10 years that it was being investigated by the ATS before it was handed over to the NIA.

Searching the eCourts website for case number MHCC020159052016, the CNR assigned to the proceedings for the NIA special court case, returned 1,187 unique court records from July 5, 2018 to May 8, 2025.

We focused on the hearings that took place after final arguments began on July 24, 2024, up to May 8, 2025, when the verdict was initially scheduled to be delivered. The May 8 hearing was postponed to July 31, and there were no other court appearances recorded between then and Thursday’s verdict. 

Of the 162 court records of the case we extracted for this period, one case from October 17, 2024 had no notes recorded in the documents, making it impossible to determine if Thakur was present or not. 

For the remaining 161 documents, we manually checked the text to determine if Thakur was recorded as present. The full dataset of these documents, as well as the assessment by two independent coders (the author and editor of this story), can be accessed here. 

Our analysis showed that Thakur was recorded as present on only three occasions during this period – first on January 30, 2024, more than six months after the final arguments began, at a hearing the next day, and again on May 8 this year when the verdict was originally scheduled to be delivered.

Medical Reasons Cited for Absences

Court documents and local reports show that Thakur’s absence from proceedings for this case dates back years. While the court has accepted medical certificates produced by her advocates, the judges presiding over the case have also repeatedly noted her absences, with one judge specifically stating in 2019 that she should be in court at least once a week. In December 2020, the prosecution argued that it appeared as if she was deliberately avoiding appearing in court.  

“It seems that they have taken the legal process and court for granted,” Advocate Shahid Nadeem, a representative for the victims, told Bellingcat in an email prior to the verdict. 

A timeline of Thakur’s court attendance during the final arguments:

Thakur has maintained that her absences from court were justified by medical reasons, including conditions she claims were caused by “torture” while in custody of the ATS. During her term as an MP, the court also granted exemptions to her court appearance based on her lawyers’ arguments that she needed to attend parliamentary sessions.

On Sept. 3, 2024, Thakur’s lawyers filed for an exemption for her appearance in court, saying she was “suffering from neurological problem with swelling in brain and is unable to see properly”. The court approved the application on the condition that exemptions were filed for each day the case was heard until Thakur appeared, stating that she should appear at the latest by Sept. 18. 

A week after this application, on Sept. 10, a local BJP leader from Bhopal posted a video on Instagram showing Thakur attending a groundbreaking ceremony for a temple in the Madhya Pradesh city. Bellingcat was unable to independently verify when this groundbreaking ceremony took place, and whether it was during the period that Thakur’s lawyers said she was seriously ill. Bellingcat emailed Kishan Suryavanshi, the local leader who posted the video, to ask when it was recorded, but did not receive a reply as of publication. 

Support Bellingcat

Your donations directly contribute to our ability to publish groundbreaking investigations and uncover wrongdoing around the world.

Donate

On Sept. 18, Thakur’s lawyers filed another application saying that she had been moved from a hospital in Bhopal to one in Meerut, in the neighbouring Uttar Pradesh state. The application said her medical condition had deteriorated, that she was “unable to see properly” and that it would take a “long time” for her recovery. The court approved this application, with the same condition that her lawyers must file exemptions for each hearing that she was absent from court, until a latest date of Sept. 30. 

When yet another application was filed for similar reasons on Sept. 30, Special Judge AK Lahoti warned that Thakur should appear by Oct. 3, or a court order would be issued. One of Thakur’s lawyers began making final arguments for her case that day. 

Despite this warning, the judge continued to grant exemption applications made for Thakur throughout October, as final arguments specific to the charges against her continued in court. Finally, on Nov. 5, 2024, Lahoti rejected an application by Thakur’s lawyers to exempt her from court yet again. 

This application, according to the court documents, was filed with a photocopy of a medical certificate showing that Thakur was undergoing “panchkarm treatment”. This may refer to Panchakarma, a type of Ayurvedic or alternative medical treatment. Mishra, Thakur’s lawyer, told Bellingcat that Thakur was in an Ayurvedic hospital in Meerut at the time.

In response, Lahoti issued a bailable warrant of 10,000 Indian Rupees (US$114) for Thakur, stating that the final hearing would proceed and that Thakur’s presence “is necessary”. A bailable warrant is a warrant for arrest that allows the accused to be released if bail is paid to guarantee their appearance in court. 

The next day, a photo of Thakur was posted to her X profile, with her face looking slightly swollen. In the caption, she seemed to blame the Indian National Congress for “torture” and “suffering”, including brain swelling as well as hearing and visual impairment. The last line of her post, in Hindi, translates to, “If I live through this, I will definitely go to court.” 

‘No Special Treatment’

Thakur’s trial has been a controversial one. In 2015, the former special public prosecutor (SPP) assigned to the case, Rohini Salian, said the NIA had asked her to “go soft” on the case, an allegation the agency denied. 

Nadeem, the advocate for the victims, told Bellingcat: “As far as the appearance of the accused during the trial, NIA’s prosecutor has not taken objection to the exemption application of the accused on most of the occasions.” 

“Victims have limited rights in criminal trials,” he said. 

Bellingcat contacted three senior officials in the NIA vertical of the Counter Terrorism and Counter Radicalization Division, which is part of the Ministry of Home Affairs of India, asking to discuss how the agency viewed Thakur’s absence from court. As of publication, the officials had not replied to multiple emails. 

The current SPP Avinash Rasal told Bellingcat that Thakur had provided medical reasons for her absences during the final arguments and that her reasons were considered by the court. “At no time the case was stalled due to non-appearance of the accused. Their advocates always remained present,” he added. 

Bellingcat’s analysis shows that Thakur’s advocates were recorded as present at all 161 hearings after final arguments began.

On at least two occasions in October 2024, the judge accepted the exemptions filed for her absence while noting that her advocates were present and her absence was “not causing any hurdle in the smooth trial”. The same judge, however, also said the next month that her presence was necessary for the final arguments.

Rasal said there was “no pressure” on the prosecution due to Thakur’s position as a member of parliament. 

“No special treatment was given to anyone.”

Galen Reich designed the scrolling timeline for this piece.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Twitter here and Mastodon here.

The post Former Indian MP’s Terror Trial Was Largely Conducted in Her Absence appeared first on bellingcat.

This article is a collaboration with Alt News, a non-profit fact-checking website in India. Read the article on Alt News’ website here.

They describe themselves as “cow protectors” or “gau rakshaks” in Hindi. On social media, they often post about carrying out charitable work such as operating ambulances for sick or injured cows, feeding stray animals and distributing food to people.

But in the dark of the night, their work takes on a more violent edge. Multiple photos and videos show members of “cow protection” groups chasing, shooting at and beating up truck drivers they claim are “smuggling” cows for slaughter. 

Cows are considered sacred in Hinduism, the dominant religion in India. Many states in the country prohibit the slaughter of cows and have strict laws on the transportation, sale and purchase of cattle. These laws have become more stringent since the Hindu nationalist Bharatiya Janata Party (BJP) came into power in 2014.

The vigilantes attacking truck drivers tend to be closely aligned with hardline Hindu nationalist organisations, and a majority of their victims are Muslims. And while they claim to be doing this for the sake of the cows, in some of the videos the animals can also be seen injured from vehicles overturning during aggressive chases. 

Elaine Pearson, Asia Director at Human Rights Watch, told Bellingcat that cow protection has become part of the political agenda of leaders of the BJP and in some cases they have backed the alleged actions of the suspects “while the police have failed to take action against them”.

Support Bellingcat

Your donations directly contribute to our ability to publish groundbreaking investigations and uncover wrongdoing around the world.

Donate

Bellingcat and our partners at the Indian outlet Alt News found videos on social media showing violent assaults by members of five self-described animal welfare groups, mainly operating in the states of Uttar Pradesh and Haryana where incidents involving cow-related violence have frequently been reported. 

(Editor’s note: We are not sharing links to these videos to avoid amplifying content depicting violent attacks seemingly targeting minority groups. However, if you are a journalist or researcher interested in obtaining this dataset, please email inquiries@bellingcat.com.)

Some of the leaders of these vigilante groups, when we reached out to them, claimed that they were working closely with the local police. One even received an award for “cow and social service” from a cabinet minister, alongside police officers. Senior police officers from the districts that these groups operate in did not answer questions about alleged police support for the cow vigilantes when we could reach them. 

While these groups most likely only represent a small fraction of the “cow vigilantes” in India, who have been reported on by the media and human rights groups in the country for years, our investigation sheds more light on how they informally work together to carry out mob violence against truck drivers.

Akhil Bharatiya Gau Seva Samiti (ABGS)

In a video uploaded in February this year, several men in cars are seen chasing a truck down a highway at night. A man from one of the cars pulls out a shotgun and fires at the truck. Police sirens can be heard in the background but law enforcement does not appear to interfere. 

Akhil Bharatiya Gau Seva Samiti (ABGS), which uploaded the car chase video, is a trust – a non-profit organisation (NPO) formed to promote charitable activities. It was established in 2022, according to the Indian government’s non-profit database. ABGS is based in Vrindavan, Mathura district in the state of Uttar Pradesh. 

While its day job may seem to be “animal welfare”, videos of its members terrorising truck drivers at night are routine and oftentimes, promoted by the trust itself. 

ABGS president Bharat Gautam shared a post in November 2024 that shows a smashed-up car, with a sign for “Akhil Bhrataiya Gau Seva Samiti” on top of it, after what he described in Hindi as a “heavy encounter with cow smugglers”. 

Alt News spoke to Gautam, who said that cows are “not an animal”, but a mother figure in Hinduism.

Gautam claimed that his team works closely with Vrindavan police to save cows from being slaughtered for meat. “We either pass on the information we receive [about trucks transporting cattle] to the police and they accompany us in our pursuit or we patrol areas we know are frequented by cow smugglers,” he said, adding that the police register cases against the drivers based on complaints filed by his team once the vehicle is caught. Multiple calls by Alt News to the Vrindavan police station’s general line, as well as to the direct lines of senior police officials from the district, to request for comment on ABGS’ claims went unanswered. 

“We help the administration but they can’t do everything so it’s also our duty to protect our religion, our mother,” said Gautam.

However, videos shared by his team reveal that the cows they claim to rescue are also frequently injured during their car chases. For example, a video from February last year shows a pick-up truck that had overturned apparently as a result of being pursued, causing the cattle inside to fall onto the road. The video shows three men sitting on the ground, looking gravely injured, and several people hitting them while posing for photos. Meanwhile, the cows can be seen sprawled on the side of the road, also apparently injured.

Gautam’s team operates in Uttar Pradesh, which is one of at least 20 out of 28 states in India that either partially or completely bans the slaughter of cows and the sale of beef. When Alt News asked Gautam about his team’s use of violence, he shifted the blame onto the truck drivers. “Cow smugglers collide with our cars … shoot at us,” he said.

ABGS’ headquarters are located in Vrindavan city’s Venkatesh Temple. When Alt News contacted the temple, they claimed to have no connection with the group. “We only rent out a space,” a temple staff member said. 

Gautam told Alt News that the temple does offer some support to his team, including manpower and financial assistance. But he maintained that most of their work was self-funded and denied receiving any government aid or donations, despite the trust having appealed for donations on social media.

His “cow protection” activities have also won him recognition from the Uttar Pradesh government. In January last year, he received an award for “cow and social service” from a cabinet minister in the state. For this, he was congratulated in the presence of the district magistrate of Mathura city, who is responsible for maintaining law and order in the district, and Mathura police. 

Multiple calls made to senior police officers in Mathura district went either unanswered or the officers did not comment when asked about the Mathura police’s relationship with Gautam and whether they supported cow vigilantism.

Team Sonu Hindu Palwal

While ABGS’ vigilante activities have been particularly visible on social media, our investigations found it is part of a network of local groups based in Uttar Pradesh and Haryana. In a video uploaded on June 27, Gautam says that cow vigilantes have been working under the guidance of one “Sonu Hindu Palwal” the past five years. 

In March, videos shared by ABGS and several related cow vigilante groups show cars chasing a truck, and two men being brutally beaten and kicked.

Bellingcat geolocated the incident to a location outside a police station in Beri in the state of Haryana based on the trees, lamp posts and a temple seen in one of these videos, posted by a member of “Team Sonu Hindu Palwal”.

This location matches reports of an attack that took place in Beri on March 9, where eight men  were arrested after a police officer on the scene filed a complaint. The officer’s complaint stated that the mob shouted “we will not leave you Muslims alive today” while beating up the two men from the truck. 

A man who goes only by one name, Sonu – his official name listed on court documents – was among the eight arrested. He operates a team named after himself called “Team Sonu Hindu Palwal”. Palwal is the district in Haryana state where his team primarily operates.

Sonu told Bellingcat that he is the Palwal district president of Gau Raksha Dal (GRD) – literally “cow protection” unit – an NPO established in 2012. The GRD is one of the largest cow protection networks in India, and its leader told Human Rights Watch in 2017 that the network’s volunteers have a presence in nearly every state.

When asked about the incident in Beri, Sonu said that while they were chasing the truck drivers, the truck collided with another car, and the passengers of that car beat up the truck drivers. “We were blamed”, he said – even though videos of the assault were shared by members of his own team.  

Bellingcat also showed Sonu several videos posted by cow vigilante groups including Team Bharat Gautam that either tagged Team Sonu Hindu or mentioned them in their captions. These videos showed men surrounded by members of the cow vigilante groups, who were hitting them or otherwise treating them roughly. Sonu was personally seen posing for a group photo in one of these videos, even though he wasn’t shown assaulting anyone. When shown these videos, Sonu denied that his team beat people up.

The cow vigilante leader did not directly respond to our questions about what he thought about violence committed by members of his team, but said: “Do whatever you want. Our job is to save cows and we will continue to do so.”

The day after his arrest in Beri, videos of Sonu’s supporters celebrating his release began circulating on Instagram. He and others from his team were paraded in a car with garlands around their necks and a procession followed them while dancing to “Hindutva pop”, a genre of music associated with the Hindu far-right which carries lyrics with anti-Muslim rhetoric.

The men beaten up by Sonu and his team in March were arrested after a counter-complaint under animal cruelty and cow protection laws was filed against them.

When Alt News called the police station’s number, the police personnel who answered did not seem to know whether the two men seen being attacked in the video were still in jail. One of them said that the case has been transferred to the crime unit but was unable to provide any details of the investigating officers. 

However, bail orders for the two men who were beaten up, which Bellingcat found on the district court website of Palwal, indicated that they each spent at least two months in custody before being released on bail.

Alt News spoke to Sonu who said that his team is tipped off by “informants” whenever cows are being transported, receiving details such as the vehicle’s route and licence plate number. 

According to Sonu, the rescued cows are taken to shelters, while the people transporting them are handed over to the police. He said that the police sometimes show up after a vehicle is intercepted, but at other times the police are with the gau rakshaks during these incidents. 

Alt News’ questions to the Additional Superintendent of Police, Palwal about Sonu’s claim that the police accompanies his team in their pursuits of truck drivers went unanswered.

Bellingcat also found links between Team Sonu and a Mumbai-registered charitable trust, through a photo Sonu posted showing a large truck which he described as an “ambulance for sick or injured cows in Palwal”. There is a Google Pay number shown on the vehicle for receiving donations.

The signage on the ambulance says the service is “courtesy of” an organisation called “Shri Mahesh Chand Dalmia Charitable Trust”, which appears to be a misspelling of “Shri Mahesh Chandra Dalmia Charitable Trust”, a registered trust based in Mumbai. 

Sonu told Alt News that Shri Mahesh Chandra Dalmia Charitable Trust supported his team’s ambulance after local priests in Vrindavan introduced the organisation to his work. 

According to the government’s NPO database, the trust works in the sectors of “Education & Literacy, Any Other, Health & Family Welfare”. The trustee, or person who manages the trust, is listed as Satyadeo Banka. 

Banka is regularly tagged on Facebook in videos of Team Sonu’s attacks on truck drivers. His posts on the platform also frequently promote ideas in line with Hindutva, a nationalist ideology that advocates for establishing India as a Hindu nation-state. 

We attempted to contact Banka on social media but did not receive any response. Alt News contacted the trust’s president, Rahul Dalmia, on the phone and emailed him about his organisation’s relationship with Team Sonu Hindu Palwal, asking whether he was aware of the group’s violent activities and Banka being tagged in their “cow protection” videos. Dalmia declined to be quoted when asked about the trust’s work over the phone, and did not respond, as of the time of publication, to further questions over email about whether the trust supported cow vigilantes in any way.

Live For Nation 

In 2021, Sonu congratulated someone he referred to as “LFN’s Parveen” for joining the Haryana government’s cow protection force, in a post on Facebook. LFN is the abbreviation of “Live For Nation”, a registered NPO in Haryana’s Faridabad which aims to “save cows”. This group was also involved in a car chase last year that resulted in the death of a 20-year-old man.

On Aug. 23, 2024, Aryan Mishra, 20, was out with his friends on a drive when five cow vigilantes – all LFN members – allegedly “mistook” them to be cattle smugglers and began chasing their car before firing at them. Mishra was killed in the incident. 

One of the accused who was arrested, Anil Kaushik, reportedly told Mishra’s father that he thought the boy was Muslim and regretted killing a Brahmin, the highest ranking caste in the Hindu caste system. Kaushik identified himself as a member of Haryana government’s special cow protection task force, which Parveen is also a part of. 

His full name is Parveen Vashisth and his Facebook bio says that he is a member of the Haryana government’s “special cow protection task force”. Vashisth also names the task force while sharing videos on Instagram of cow vigilantes from Team Sonu Hindu chasing trucks. 

Alt News reached out to the “Haryana Gau Seva Aayog”, the government body responsible for overseeing the task force. Its chairman, Sharwan Garg, said that anyone can engage in cow protection work independently, provided they stay “within the limits of the law and coordinate with the authorities”.

However, Vashisth’s videos on Instagram showing Team Sonu Hindu chasing after trucks, shooting at them and assaulting drivers appear to show that these “limits” are often breached.

Gau Seva Mission

Another organisation that claims to work for cow welfare and operates in the same network uploaded a video on Jan. 9, 2025, showing vigilantes capturing a man they claimed was a “cow smuggler”. In multiple videos, the man looks gravely injured and bloody. His vehicle is also badly damaged. 

The organisation, “Gau Seva Mission”, is based in Vrindavan, like ABGS. Its leader, Govind Singh, is frequently tagged in videos of attacks on alleged “cow smugglers” along with Bharat Gautam, Sonu and Parveen Vashisth. 

Singh told Alt News that he is a veterinary doctor by profession and bears most of Gau Seva Mission’s expenses through his private work. 

Gau Seva Mission appears to be known to the Uttar Pradesh government. In November last year, Singh uploaded photos and videos of the chairperson of the Uttar Pradesh government’s cow service commission visiting his office. 

Singh told Alt News he used to be a member of the GRD – the NPO that Sonu is a member of – but left the organisation to start his own group, although he did not say when this was. One of Singh’s Facebook posts from three years ago gives the helpline number of GRD’s Vrindavan branch – the same number is now the helpline number of Gau Seva Mission. Its office also used to be at the same address as the office of the Vrindavan branch of GRD at least until March 2022, according to older images of the location on Singh’s Facebook account. 

Gau Vansh Sewa Dham

Another organisation that claims to be involved in animal welfare but whose leader has been involved in cow-related violence is “Gau Vansh Sewa Dham”, in Haryana’s Faridabad. It is run by Shiva Dahiya, who told Alt News that the group runs a hospital for cows.

Videos of injured cows being treated are all over the Facebook page of the organisation, and Gau Vansh Sewa Dham makes regular appeals for donations to support their rescue and relief efforts. Dahiya said that the money for his organisation’s work is raised from the community. 

Posts on Instagram that tag Dahiya show him seemingly participating in or being present at the scene of vigilante attacks targeting those transporting cattle. For example, one post from February shows him holding tire puncture spikes to stop a truck. In another, he is seen pulling an injured man, who was slumped over, up by his hair so his face was visible as a group of vigilantes – also including Sonu – posed for a picture with several captured men. 

However, when Alt News asked if the car chases ever got violent, Dahiya said, “We don’t want to do any wrong by our hands”. And when asked if he had ever done anything wrong, he replied, “By the grace of God, never.”

Dahiya denied there was any violence committed by “cow protectors”.

“We never beat anyone,” he told Alt News.

Shalaka Shinde contributed research to this piece.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Twitter here and Mastodon here.

The post Violence in the Name of Cows: The ‘Animal Welfare’ Groups That Beat Up Truck Drivers in India appeared first on bellingcat.

India and Pakistan have been trading blows in the wake of a militant attack on tourists in Indian-administered Kashmir last month. 

On May 7, India said it had launched missile strikes in Pakistan and Pakistan-administered Kashmir. Pakistan – which denies any involvement in the April attack on the tourists, most of whom were Indian – then claimed to have shot down Indian drones and jets.

Claims and counterclaims of ongoing strikes and attacks have been forthcoming from both sides. Some have been difficult to immediately and independently verify, creating a vacuum that has enabled the spread of disinformation.

For example, on May 8, a deepfake video of US President Donald Trump appearing to state that he would “destroy Pakistan” was quickly debunked by Indian fact-checkers. Its impact was therefore minimal.

However, the same cannot be said of another deepfake video spotted by Bellingcat and, by the time of publication, at least one Pakistani outlet.

The altered video had been shared on X (formerly Twitter) nearly 700,000 times at the time of publication and purports to show a General in the Pakistani army, Ahmed Sharif Chaudhry, saying that Pakistan had lost two of its aircraft. 

A Community Note was later added to the video on X detailing it as an “AI generated deepfake”.

However, several Indian media companies had already picked up and ran with the story, including large outlets like NDTV. Other established news media that featured quotes from the altered footage in their coverage include The Free Press Journal, The Statesman and Firstpost. 

Bellingcat was able to debunk the video by finding another clip of the same press conference from last year. The video confirms that a different audio was added over the original footage, with Chaudhry’s lips appearing to sync with the altered audio.

The position of the microphones, Chaudhry’s position in relation to the flags, and his movements are identical. Both videos cut to the audience which is also the same.

You can see the video published on Facebook in 2024 here and the manipulated video published on X here.

Mohammed Zubair, co-founder of Indian fact-checking organisation Alt News, told Bellingcat that mis-and-disinformation are commonly found on Indian social media. But while it may be easy enough for trained fact-checkers to debunk a deepfake where an old video is recycled and the audio manipulated, Zubair was concerned that the common public may just hit the share button because of its emotional appeal. “It is actually very worrisome because it looks very convincing,” he said.

Bellingcat contacted NDTV, The Free Press Journal, The Statesman and Firstpost about the details of this story but did not receive a response before publication.

NDTV and The Statesman later deleted their reports without clarification. Yet experts warn videos like these act as a warning to the continued and evolving dangers of disinformation. 

Rachel Moran, a senior research scientist at the University of Washington’s Center for an Informed Public, told Bellingcat that the speed with which such videos can be created and posted brings a new challenge.

“In crisis periods, the information environment is already muddied as we try to distinguish rumours from facts at speed,” Moran said. “The fact that we now have high-quality fake videos in the mix only makes this process more taxing, less certain and can distract us from important true information.”

Correction: This article was amended on May 9 to clarify that the Facebook video of Chaudhry was published in 2024 and not 2025.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here and Mastodon here.

The post India-Pakistan Conflict: How a Deepfake Video Made it Mainstream appeared first on bellingcat.

This article is the result of a collaboration with TjekDet, Denmark’s fact-checking media outlet, Danish newspaper Politiken, and the Canadian Broadcasting Corporation (CBC). Watch CBC’s documentary here. 

Warning: This article discusses non-consensual sexually explicit content from the start.

MrDeepFakes billed itself as the “largest and most user-friendly” platform for celebrity deepfake pornography. The website, which was visited millions of times every month, hosted almost 70,000 explicit and sometimes violent videos, which had collectively been viewed more than 2.2 billion times.

They show mostly famous women whose faces have been inserted into hardcore porn with artificial intelligence – and without their consent.

In the background, an active community of more than 650,000 members shared tips on how to generate this content, commissioned custom deepfakes, and posted misogynistic and derogatory comments about their victims.

For years, the website has been shrouded in secrecy, existing in a legal grey area and concealing the identity of those who control it. Until now.

Bellingcat, in collaboration with Danish outlets Tjekdet, Politiken and the Canadian Broadcasting Corporation (CBC), has conducted an investigation to reveal the identity of a key administrator behind MrDeepFakes.

David Do is a 36-year-old Canadian pharmacist who, based on open source information, lives an unassuming and respectable life in the suburbs outside of Toronto. Photos and videos posted online show him with family, friends and colleagues. The university graduate has a well-paying job in a public hospital and drives a new Tesla.

But Do has been living a double life: in secret, he is the most prominent figure identified to have had control over the administration of MrDeepFakes. He was also an influential member of its growing online community, producing his own deepfake porn and assisting users who want to make their own.

Online posts show Do is a technically minded individual with a long-standing interest in creating and distributing adult content, and provide an insight into efforts to obfuscate his identity.

We identified Do by cross-referencing data from massive credential leaks, which are publicly available via breach databases. A series of burner emails, IP addresses, repeated usernames, and a unique password reveal a more than decade-long digital trail that allowed researchers to link him to MrDeepFakes.

Bellingcat, Tjekdet, Politiken and CBC have sent Do multiple requests for comment since late March but did not receive a response as of publication. Last month, the CBC hand-delivered correspondence to Do setting out the findings of this investigation, but he declined to comment.

Shortly after, Do’s Facebook page and the social media accounts of some family members were deleted. Do then travelled to Portugal with his family, according to reviews posted on Airbnb, only returning to Canada this week.

On Sunday, the MrDeepFakes site was shut down. “A critical service provider has terminated service permanently,” a notice on the platform says. “We will not be relaunching. Any website claiming this is fake.”

CBC approached David Do again on Monday but he refused to answer questions about his involvement with MrDeepFakes. “I don’t want to be recorded please,” he said. “I have to go. I’m busy right now.”

Update: David Do is on leave from his position as a hospital pharmacist, his employer confirmed on May 13, while an internal investigation is underway. Separately, the Ontario College of Pharmacists has said it is “taking immediate steps to look into this matter further and determine the necessary actions we need to take to protect the public”.

‘Fake It Till You Make It’

The identity of the person or people in control of MrDeepFakes has been the subject of media interest since the website emerged in the wake of a ban on the “deepfakes” Reddit community in early 2018.

But the porn site’s hosting providers have bounced around the globe and premium memberships can be bought with cryptocurrency, which have made it virtually impossible to trace ownership.

Support Bellingcat

Your donations directly contribute to our ability to publish groundbreaking investigations and uncover wrongdoing around the world.

Donate

Adam Dodge, the founder of EndTAB (End Technology-Enabled Abuse), said MrDeepFakes was an “early adopter” of deepfake technology that targets women. He said it had evolved from a video sharing platform to a training ground and marketplace for creating and trading in AI-powered sexual abuse material of both celebrities and private individuals.

“Our digital world is really good at empowering people who want to do harm by allowing them to remain anonymous while simultaneously making it almost impossible for victims to unmask them,” he said.

In January, Bellingcat, in collaboration with the German YouTube channel STRG_F, examined the companies behind two apps used for creating deepfakes that it advertised prominently on its homepage.

For this investigation, researchers conducted a forensic analysis of the forums on MrDeepFakes’ website. The forums are a virtual marketplace where members commission deepfakes and trade tips on making videos with the same technology that is used for creating revenge porn.

Videos posted to the tube site are described strictly as “celebrity content”, but forum posts included “nudified” images of private individuals. Forum members referred to victims as “bitches”and “sluts”, and some argued that the womens’ behaviour invited the distribution of sexual content featuring them. Users who requested deepfakes of their “wife” or “partner” were directed to message creators privately and communicate on other platforms, such as Telegram.

A search of the forums returned two accounts for MrDeepFakes “staff members”. One joined in March 2019 and is also listed as a “moderator”. The other joined in February 2018 and is also listed as an “administrator” (two additional administrator accounts, created in 2018 and 2021, were not listed as staff members, and one now-defunct account previously tagged as staff and moderator was created in the year after the site was set up).

Therefore, the focus of this investigation ​was the​ oldest account in the forums, with a user ID of “1” in the source code, which was also the only profile found to hold the joint titles of staff member and administrator. The long-time handle used by this account was “dpfks”.

Researchers began by analysing the profile. The dpfks bio contained little identifying information, but an archive from 2021 shows the account had posted 161 videos which had amassed more than five million views. It earned the badge of “Verified Video Creator”.

Forum posts document dpfks’ involvement as a creator and leader in the community. Archives show dpfks posted an in-depth guide to using software that creates deepfake porn, published website rules and content guidelines, advertised for volunteers to work as moderators, and gave technical advice to users. 

Dpfks’ posts carried the tagline: “Fake it till you make it.”

In a 2019 archive, in replies to users on the site’s chatbox, dpfks said they were “dedicated” to improving the platform. “There is a reason why we are the biggest deepfake site. I care about the community and teaching others.

“I don’t think other site owners care enough to make their own deepfakes, and keep uptodate [sic] with it. My first few deepfakes were s**t too, the more you make, the better you get.”

David Do’s Links to MrDeepFakes

Pirated Movies to Deepfake Porn

David Do keeps a low profile under his own name, but photos of him have been published on the social media accounts of his family and employer. He also appears in photos and on the guest list for a wedding in Ontario, and in a graduation video from university.

Do’s Airbnb profile displayed glowing reviews for trips in Canada, the US and Europe (Do and his partner’s Airbnb accounts were deleted after CBC approached him on Monday). His home address, as well as the address of his parents’ house, have both been blurred on Google Street View, a privacy feature that is available on request.

In the late 2000s, while studying at university, Do was involved in the creation of Xinoa (xinoa.net), a warez forum. Do’s personal Hotmail address, which includes his full name, is visible in source code as an admin contact for the site, archives from 2008 show.

The profile page “ddo” is tagged as the “Root Admin” and “Xinoa Owner”, and lists a date of birth matching that of Do. The profile includes download links to television shows, one of which was accompanied by a comment about “exam week” in 2009, when Do was studying at university. This username is also similar to Do’s Instagram profile (“ddo.jpg”), a link to which was included in the bio section of his Facebook account under the name “Doh Dave”. Both social media accounts have been deleted.

An account on an internet marketing forum was registered using a Xinoa administrator email address, breach data shows. That account was linked to an IP address owned by the University of Waterloo, where Do earned degrees in biomedical science in 2010 and pharmacy in 2014, according to Rocketreach.

The 2015 Ashley Madison data breach shows user “ddo88” registered on the dating site with Do’s Hotmail address and was listed as an “attached male seeking females” in Toronto. They described themselves as being of Asian ethnicity, 173 cm tall and weighing 66 kg. The breached profile was linked to a Toronto-based address and also contained a date of birth, which matches Do’s birth date in public records.

Xinoa would become the springboard for a more sophisticated operation.

In February 2018, when Do was working as a pharmacist, Reddit banned its almost 90,000-strong deepfakes community after introducing new rules prohibiting “involuntary pornography”. In the same week, MrDeepFakes’ predecessor site dpfks.com was launched, according to an archived changelog.

An analysis of the now-defunct domain shows the two sites share Google analytics tags and back-end software – as well as a forum admin who used the handle “dpfks”. Archives from 2018 and 2019 show the two sites redirecting or linking to each other. In a since-deleted MrDeepFakes’ forum post, dpfks confirms the link between the two sites and promises the new platform is “here to stay”.

“MrDeepFakes.com was formerly dpfks.com and we opened our doors shortly after the Reddit ban,” the 2018 post said. “I know joining a new forum or community feels like starting fresh, and starting over, but the community is small, and all the important players will stick together. I promise to keep this community running as long as I can, so that the deepfake community does not have to scramble and relocate again.”

Later in 2018, in a post on Voat, a defunct online message board similar to Reddit, dpfks said they “own and run” MrDeepFakes. In response to another user, dpfks refers to their life outside of operating a porn website. “I just got home from my day job,” the post said, “now back to this!” Some of dpfks’ earliest posts on Voat were deepfake videos of internet personalities and actresses. One of dpfks’ first posts on the MrDeepFakes’ forums was a link to a deepfake video of video game streamer Pokimane.

Other targets included the American politician Alexandria Ocasio-Cortez, for whom dpfks shared a folder containing more than 6,000 images that could be used to create deepfake pornography. Before it shut down this week, MrDeepFakes hosted 125 graphic videos tagged with Ocasio-Cortez that had collectively received more than 5.3 million views. After discovering she had been transposed into a deepfake porn video last year, Ocasio-Cortez told Rolling Stone that “digitizing violent humiliation” was akin to physical rape and sexual assault. 

Another target of dpfks was American YouTube personality Gibi_ASMR, who gained popularity online with her ASMR (Autonomous Sensory Meridian Response) videos. Dpfks created and shared pornographic deepfakes of the YouTuber on the MrDeepFakes forums. In a statement published by EqualityNow in 2021, she said: “They’re running this business, profiting off my face doing something that I didn’t consent to, like my suffering is your livelihood. It made me really mad, but again, there was nothing I could do so I just had to leave it.”

In 2018, dpfks posted a two minute deepfake video of an Academy Award-winning American actress with the description: “[Name omitted] doesn’t do porn, but in this fake video she is completely naked with her legs spread in the air. Watch her face … while she struggles to take it.”

Forum posts under various aliases match those found in breaches linked to Do or the MrDeepFakes Gmail address. They show this user was troubleshooting platform issues, recruiting designers, writers, developers and search engine optimisation specialists, and soliciting offshore services.

The username “AznRico” was commonly associated with Do’s email account and could be found across several postings online. In 2009, years before MrDeepFakes was launched, this now-banned user posted to an internet marketing forum discussing online money-making techniques, including the monetisation of video traffic.

AznRico also posted on an auto lighting forum in 2009 to ask for advice about fixing headlights for a car in Canada – a 2006 Mitsubishi Lancer Ralliart. In another thread on the same forum, AznRico uploaded several images of the car, one of which was archived and contained metadata indicating that it was captured on a Sony Ericsson K850i.

In 2008, on a separate forum, AznRico said he had this model phone and posted about troubleshooting the device (that forum was subject to a data breach exposing David Do’s personal Hotmail address and unique password).

Public records obtained by CBC confirm that Do’s father is the registered owner of a red 2006 Mitsubishi Lancer Ralliart. While Do’s parents’ house is now blurred on Google Maps, the car is visible in the driveway in two images from 2009, and in Apple Maps imagery from 2019. CBC confirmed the car was still at the house last week.

In 2011, on a freelance job board, AznRico asked for help building a video streaming plugin. This profile also listed that the user was based in the same Ontario city where Do’s parents’ home is located. In 2018 – the same year MrDeepFakes was launched – AznRico asked for advice to fix slow load times on their porn site, which they said received about 15,000 to 20,000 visitors a day. Breach data shows this account was linked to Do’s personal Hotmail address.

In one forum post from January 2020, user “dj01039” complains that PayPal had limited their “stealth account”, which was used to “sell virtual goods” (PayPal was intermittently available as a payment option on MrDeepFakes). The username dj01039 matches the abbreviation of an email address (davidjames01039@gmail.com) that was linked to a PayPal donation button on MrDeepFakes in December 2019. 

In June 2020, on another forum, a user with the same alias (who later changed it to “ac2124”) said their stealth account had been permanently closed and wanted to know about front companies that could accept payments on their behalf. The user described themself as the “webmaster of an adult tube site” who takes a cut from creators who post original porn videos, and also earns revenue from running ads. By December 2020, ac2124 said their website was earning between $4,000 and $7,000 a month.

Breach data also links the MrDeepFakes Gmail to an account on support forums for Kernel Video Sharing (KVS), a commercial content management system, where user “mongoose657” (formerly dj01039) sought help managing a video tube site. The discussions, from 2021 to 2024, were consistent with backend issues encountered when running a large website: storage solutions, ticket system failures, and outsourcing development work.

On the adult webmaster forum GoFuckYourself.com in 2020, dpfks (subsequently changed to “mjmango”) enquired about anonymous debit cards, which were advertised as allowing users to withdraw cash or pay for purchases anonymously. In 2021, mjmango responded to another user’s enquiry about how to monetise tube sites.

In another forum, ac2124 enquired about countries to form an offshore company and expressed concern about “know your customer” checks, which are used by the banking sector to confirm the identity of their customers. In a 2020 post, ac2124 said they had decided to make a “dummy site/front” for their adult site and enquired about online payment processing and “safe funds storage”.

In 2022, ac2124 sought advice for a Canadian citizen who operates an “adult niche website” and asked about “a company setup that focuses on privacy”. The post said: “At a bare minimum, this person shouldn’t be listed on any public registrar (as director, shareholder, UBO, etc). Open to using nominees, opening trusts, etc. What are some setups, or jurisdictions that should be looked into?” This user also asked specifically about setting up a company in the British Virgin Islands or Cayman Islands, both secrecy jurisdictions.

In late 2023, mjmango left positive feedback for an adult graphic designer below a post from the designer containing a MrDeepFakes logo. “Purchased another logo recently. As always great communication and allowed multiple re-edits,” the comment said. In March 2024, ac2124 posted about delays accessing a service that creates a “proxy” for a “high-risk website” so it can process transactions from the online payment processor, Stripe.

In April 2024, Dutch outlet Algemeen Dagblad (AD) reportedly made contact with the owner of MrDeepFakes, who was anonymised in their subsequent reporting. AD reported that this person claimed to have sold the website, but did not provide any evidence to support this claim. Our investigation could not confirm whether the site was ever sold, and if so when. 

David Do did not respond to multiple requests for comment about his involvement with MrDeepFakes.

Correction: This story initially said the AznRico post about the K850i phone was from 2009, when it was 2008. The article was updated on May 8 to reflect this.

Ross Higgins, Connor Plunkett, Beau Donelly, George Katz, Kolina Koltai and Galen Reich contributed to this article.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here and Mastodon here.

The post Unmasking MrDeepFakes: Canadian Pharmacist Linked to World’s Most Notorious Deepfake Porn Site appeared first on bellingcat.

Bellingcat has identified at least 22 villages damaged by airstrikes in Myanmar, despite a temporary ceasefire declared by the State Administrative Control (SAC) or the military junta from April 2 to 22 following a 7.7 magnitude earthquake that hit the country on March 28. The ceasefire has been extended to April 30.

The earthquake’s epicentre was recorded just 16km northwest of Mandalay, the second-largest city in Myanmar, and it struck just before 1pm local time. More than 3,000 people died and aid groups report that over 17 million people living in earthquake-affected areas are in urgent need of food, water, shelter and healthcare.

The country, which has already been devastated by four years of civil war, continues to be hit with multiple aftershocks. The SAC, ruling Myanmar since seizing power from the democratically elected government in 2021, declared a temporary pause to fighting only after the main opposition coalition announced one – except in the case of defensive actions. 

Bellingcat has geolocated at least 19 villages damaged in military assaults during the first 20 days of the ceasefire. Two of them were identified from ground reporting. Three additional villages were damaged after the earthquake but before the ceasefire – bringing the total to 22 villages.

The airstrikes targeted civilian areas in territory held by rebel forces and territory where the junta is fighting to regain control. The villages damaged after the ceasefire were geolocated by cross-referencing our findings with NASA FIRMS or satellite imagery alongside local and other media sources.

Villages bombed since the earthquake on March 28; the epicentre is marked in black, yellow and red

“It’s quite clear that only the military can do airstrikes. The rebels don’t have aircrafts,” Aye Chan Naing, co-founder and editor-in-chief of Democratic Voice of Burma (DVB), one of Myanmar’s largest independent media organisations, told Bellingcat.

Lacking jets or fighter planes, resistance groups heavily rely on commercial drones “improvised into sort of military use,” Naing said.

Targeting and scaring civilians is part of the military’s strategy, he explained. “If you support the rebels, then you know we [the military] are going to burn the village.”

“At a moment when the sole focus should be on ensuring humanitarian aid gets to disaster zones, the military is instead launching attacks,” said UN Human Rights Office spokesperson Ravina Shamdasani on April 11.

“Since the earthquake, military forces have reportedly carried out over 120 attacks – more than half of them after their declared ceasefire was due to have gone into effect on 2 April,” she told journalists.

According to local media reports, the Myanmar military carried out an aerial attack just hours after the earthquake struck. Anti-junta armed group TNLA claimed that the military bombed Nawng Len village, approximately 120km from the earthquake’s epicentre in the eastern Shan State. Seven members of a TNLA-aligned ethnic armed organisation (EAO) were reportedly killed in the attack.

We were not able to independently confirm the airstrike, but we were able to geolocate images of several damaged buildings, to a location in the north of the village. The intact buildings can be seen on Google Earth imagery in late January.

The military junta did not respond to Bellingcat’s request for comment.

Attacks in Worst-Affected Earthquake Areas

Out of the 22 villages we identified, 14 of them are in either Sagaing or Mandalay, which were some of the worst affected areas by the earthquake. Large parts of both regions are located in central Myanmar, where a lot of townships are either contested or under junta control.

The military tries to cut the rebels’ survival pipeline, Naing told Bellingcat.

“They understand that the rebels cannot survive without civilians because that’s where they get food and maybe tax money,” he said.

Since the rebels don’t have permanent bases, members are difficult to locate. While drones might strike and kill a few individuals, it’s much easier for the army to identify and target areas where civilians live, Naing added.

On April 9, twenty people were reportedly killed in an airstrike in Nan Khan in Sagaing’s Wuntho Township. We were able to geolocate images of damaged buildings to the coordinates 23.9983922,95.8881422.

Just days before this attack, on April 6, Thone Pan Hla in Chaung-U Township was reportedly attacked in an airstrike, killing three members of a family. “The motivation for such an attack on a village of melon farmers is difficult to understand. It seems to be an effort to terrorise a civilian population that strongly supports the anti-regime National Unity Government (NUG) and its armed rebel PDF wing,” reported The Times newspaper. NUG is the country’s parallel government in exile, elected democratically and ousted in the 2021 coup.

About 25km northeast of Thone Pan Hla is the village of Ngar Shan also in Chaung-U Township. Local news outlets reported that the village was burned down by the junta, just days after the earthquake. While we weren’t able to geolocate specific images or independently confirm the cause of the fire, thermal hotspots were detected at the site on March 31. This lines up with the timeline and reports of 170 houses being burned in Ngar Shan on April 1 local time.

Images of the destruction shared on Facebook show the village in ruins. However, NASA’s Fire Information for Resource Management System, FIRMS, detects thermal hotspots in the entire village in the early hours of that day.

A false-colour infrared map from Sentinel Hub’s Copernicus platform also reveals signs of destruction in the village. Though commonly used to assess vegetation health, this type of imagery shows plant-covered areas in deep red, while cities and exposed ground are grey or tan, and water appears blue or black. Following the attack, exposed ground, indicative of possible damage, can be seen primarily in the northwest of the village.

Chaung-U Township is located in the southern Sagaing region, where the geography poses challenges for resistance armies.

“Unlike ethnic resistance groups along Myanmar’s borders, or those in northern Sagaing near India, the resistance forces in southern Sagaing do not have foreign borders across which they can attempt to retreat,” wrote Centre for Information Resilience’s Myanmar Witness in a December 2024 report. 

Sagaing remains an epicentre for violence with a strong resistance presence due to the region’s strategic importance. A state of emergency was declared in the state following the quake.

Repeated Bombings in Lost Territories

Another region of strategic importance is Mandalay where the Central Military Command is located in the Mandalay Palace, reported to have been damaged in the earthquake. Mandalay is also a logistical hub in Myanmar’s heartland, and since late last year, the SAC has been trying to retake townships it has lost there. 

Two of those townships are Thabeikkyin and Singu. Both were attacked during the ceasefire. 

On April 19, the Myanmar military reportedly carried out an airstrike on the village of Yae Htwet in Thabeikkyin Township. The attack killed at least 27 people, according to the BBC. The report added that pro-military Telegram channels claimed the attack targeted PDF camps, the armed wing of the anti-regime National Unity Government. 

Just a day earlier, 13 people were reportedly killed in an attack on Leik Kya village, located 3km north of Yae Htwet.

A separate aerial attack was reportedly carried out over a village in Thabeikkyin, killing two people. It took place on April 13 in Chaung Gyi along the highway running through the village. We were able to identify distinct features of the roof of buildings across the street from the attack and, along with the location of trees, match satellite images of the area.

Bellingcat also geolocated a school (here: 22.689505, 96.016978) in Singu Township, the site of a reported airstrike in Kyi Tauk Pau village that injured six people.

Destruction of Schools and Religious Sites

The junta has a track record of targeting schools. According to a tally by Radio Free Asia last November, nearly 200 schools were hit by airstrikes since the 2021 military coup in regions and states which have seen fighting by resistance forces opposing junta rule.

A school in Sagaing’s Shwebo Township was reportedly bombed during the ceasefire on April 20, killing two people, including a pregnant woman. According to DVB, Shwebo Township People’s Administration, a local anti-junta governance body, said displaced people were taking shelter in the school.

Bellingcat found four schools and seven religious sites – monasteries and churches – damaged in recent attacks.

Peter Bouckaert of the human rights and advocacy group Fortify Rights called the attacks on churches and monasteries that could be hosting people displaced by the earthquake “a great violation of the laws of war”.

“These are protected sites under international humanitarian law. They are direct deliberate attacks on these protected institutions,” he told Bellingcat.

The junta has a history of attacking religious sites. During the ceasefire, a Baptist church was bombed in Mindat in the neighbouring Chin State, where several armed opposition groups have emerged since 2021. While there were no reported casualties at the church, six people were killed in the attack on the town.

Mindat was taken over by resistance forces last year amid reports of hundreds of homes destroyed by alleged junta shelling, arson, and airstrikes. A lot of this damage is now visible on Google Maps’ updated imagery from January 2025.

Several churches in Chin State have been damaged in the past few years, Myanmar Witness had found in 2023. It is the only Christian-majority state in Buddhist-majority Myanmar.

Battle for Control of Town Rages Amid Ceasefire

Indaw is a small town close to the border with Kachin, a state partly controlled by the Kachin Independence Army (KIA)-led resistance forces. Indaw was reportedly bombed on April 1 when it was still under the junta’s control. According to local accounts, two people were killed and eight others injured. A monastery was damaged in the attack. We were able to geolocate the images of the aftermath by comparing old pictures and satellite images of the monastery with structures still standing after the recent attack.

The destruction on April 1 was just one of the many assaults the town has witnessed since resistance forces launched an offensive in August last year. The junta’s reported airstrikes against the resistance displaced hundreds of people, and many others fled. 

Despite the ceasefire, on April 8, resistance forces captured Indaw after months of fighting. However, the junta has continued to carry out airstrikes in civilian areas, according to reports. As Richard Horsey, Senior Adviser on Myanmar at Crisis Group, previously told Bellingcat, the junta often bombs areas it has lost so people have nothing left to return to.

Images show that large parts of Indaw were destroyed last year. Source: Google Earth Pro Imagery

Attacks During Burmese New Year

The military regime reportedly carried out airstrikes on monasteries over the four-day Thingyan or Burmese New Year festival from April 13 to 16. According to data compiled by an independent news site, The Irrawaddy, at least 23 civilians were killed in these attacks.

In one of the monastery attacks, six people were reportedly killed and 20 others injured. Bellingcat geolocated the aftermath of the reported strike. This was in Kan Ni village in Kawkareik Township in Kayin, one of the southernmost states of the country.

Despite Widespread Violations, Junta Extends Ceasefire

The Myanmar military has now extended the ceasefire to April 30 in a move to “expedite relief and rebuilding efforts”, but reports say that aid is being restricted. “The SAC is weaponising humanitarian assistance,” Surachanee Sriyai, interim director at the Center for Sustainable Humanitarian Action to Displaced Ethnic Communities, told Bellingcat, explaining that aid is not reaching areas that aren’t under the SAC’s control. An analysis by the BBC in November last year reported that the military only has full control of 21% of Myanmar’s territory. 

Sriyai noted that while the earthquake has drawn some attention to Myanmar, the country has already been in critical need of aid due to the prolonged armed conflict. Meanwhile, bombings persist even during the extended ceasefire period.

Members of Bellingcat’s Global Authentication Project, including Afton Knox, Nicole Kiess, Stéphanie Ladel, Timothy B and Max F. Wan contributed research to this piece. Interactive map by Miguel Ramalho.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here and YouTube here.

The post Open Sources Show Myanmar Junta Airstrike Damages Despite Post-Earthquake Ceasefire appeared first on bellingcat.