This article is the result of a collaboration with Japanese publishing partner Nikkei. You can find Nikkei’s investigation here.

Earlier this year, a man and a woman stood trial in a New York courtroom on charges related to the illicit drugs trade. They had been arrested as part of an undercover sting by the US Drug Enforcement Administration (DEA) after more than 200 kilograms of precursor chemicals used to make the synthetic opioid fentanyl were shipped from China to the US. It was enough to make 25 million deadly doses of the drug, authorities said. 

The Chinese nationals were also accused of conspiring to import tonne-quantities of fentanyl precursors to the US, where tens of thousands of people die from opioid overdoses every year. After a two-week trial, a Manhattan jury found the pair guilty of conspiracy to import fentanyl precursors and conspiracy to commit money laundering. 

Qingzhou “Bruce” Wang, 36, and Yiyi “Chiron” Chen, 32, worked for Hubei Amarvel Biotech (AmarvelBio), a chemical firm based in the Chinese city of Wuhan. They were arrested in 2023 after being lured from China to Fiji as part of a DEA operation and subsequently extradited to the US. The case marked the first time US authorities prosecuted Chinese company executives for trafficking fentanyl precursors.

But court documents showed there may be links to another East Asian country. Bellingcat was contacted by the Japanese newspaper Nikkei, which was investigating AmarvelBio’s connection to Japan, suspecting the country was being used as a command post for the cross-border smuggling operation. 

Nikkei was looking into Xia Fengzhi, a Chinese man referred to in the New York legal proceedings as “the boss in Japan”. It had found an individual by that name who was listed as the owner of a Chinese company selling raw chemical materials called Fushikai Trading Co Ltd, which according to Nikkei was active under the brand name “Firsky”. A website for Firsky China included a certificate for Fushikai Trading with the same identification code seen on Fushikai’s corporate records. The company, according to its website, was a wholly owned subsidiary of Firsky Co. Ltd., which was registered in Nagoya, an industrial city in central Japan. 

Nikkei pulled the corporate records for Firsky in Japan, which showed Xia headed the company. Records obtained by Nikkei also showed that the Chinese company’s supervisor was listed as Qingzhou Wang, the same name as one of the two AmarvelBio executives convicted in the US.

Nikkei asked Bellingcat’s financial investigations team to leverage its expertise in open source research to independently verify the Japanese company’s connection to AmarvelBio. Our investigation uncovered evidence showing the two companies are not only part of the same international smuggling network – they are effectively one and the same. This is how we did it.

The Japan Connection

Linking AmarvelBio and Firsky through domain records was not possible because both websites were registered through a provider that uses privacy protection, which conceals personal details from the public. However, information obtained by US law enforcement can become public during court proceedings.

CourtListener’s Advanced RECAP Search is a free tool operated by the non-profit Free Law Project that allows users to search millions of federal court documents made available through the Public Access to Court Electronic Records (PACER) service. 

A CourtListener search for “amarvelbio.com” returned multiple results, including an exhibit from the federal case against AmarvelBio. This contained subpoenaed domain registration data, which showed that convicted AmarvelBio employee Yiyi “Chiron” Chen registered a number of domains, including for AmarvelBio, its “sister company” Wuhan Wingroup, and Firsky (in both China and Japan).

Another domain (firskytech.com) that was not included in the documents available on CourtListener was registered months after Chen’s 2023 arrest and remains online as of publication. This website lists an address in Wuhan and describes itself as a wholly Japanese-owned supplier of “high purity” chemical intermediates. While its registration details remain private, the contact email listed on the site uses the domain for Firsky China – “firsky-cn.com” – which was registered by Chen and is therefore linked to the network.

Bellingcat also found Chen’s personal gmail address in the source code in archives of three websites (here, here and here) that were in both the subpoenaed registration records and a list of 12 domains US authorities seized after linking them to AmarvelBio, further corroborating her involvement.

Additional domain links between AmarvelBio and the Japanese iteration of Firsky were identified in archived advertisements from the darknet marketplace Breaking Bad, which were found via leak aggregator intelx.io. The chemicals ads were posted under AmarvelBio’s rebranded name, AmarvelTech, following the Chinese company’s indictment in 2023. 

Some of the ads led to whrchem.com – one of the 12 websites seized by the DEA. Domain records discovered via intelx.io revealed that whrchem.com was controlled by two email accounts, one of which used the domain for Firsky Japan – “firsky-jp.com”. The same email is also listed as an “author” on an archive of whrchem.com.

Bellingcat’s analysis of AmarvelBio and Firsky’s profiles, advertisements and salespeople uncovered further links between the two companies, including recycled phone numbers, photographs, watermarks, company bios and compliance certificates that could not be verified.

Searches for Firsky on the Breaking Bad forum returned an existing profile for a salesperson called “Cindy”, whose contact website was listed as bmkpmkbdo.com. A 2024 archive of the site displays Cindy’s WhatsApp number which, searches show, had previously been used in an AmarvelBio advertisement posted on Breaking Bad. 

Firsky has a seller profile with more than 350 active listings on the e-commerce platform ChemicalBook. But in one ad, under descriptions of the company, Firsky is interchangeably described as AmarvelBio.

While many Firsky ads included stock images branded with its watermark, some products advertised by Firsky were clearly branded as AmarvelBio and displayed the “Hubei Amarvel Biotech Co., Ltd” watermark. One Firsky website and AmarvelBio’s ChemicalBook profile both displayed an image of the same factory.

AmarvelBio also has a ChemicalBook seller’s profile and displays a certificate (though “Amarvel” appears to be misspelled “Amarbel”) claiming to show it passed a third party quality inspection. An image of a certificate bearing an identical report number and date, but with Firsky listed under “company name”, was found on one of Firsky’s websites. Under the “General Comments” section, both the Amarvel and Firsky certificates contain a reference to “Huibei Amarbel Biotech Co., Ltd., located in Wuhan”.

The company said to have issued the certificates, SGS-CSTC Standards Technical Services Co. Ltd., told Bellingcat it was unable to verify the documents because they were incomplete.

Earlier this year, Bellingcat and the Estonian outlet Postimees investigated the online sale of nitazene opioids from Chinese suppliers. It found that entities involved in selling the super-strength drugs also used Russian Doll-like setups involving multiple companies sharing the same contact details, salespeople, advertisements and website layouts.

‘Room for Exploitation’

Illicit fentanyl sourced from China and Mexico has fueled the most lethal drug crisis in America’s history. The synthetic opioid is 50 times more potent than heroin – a dose as small as 2mg can be lethal. While fatalities have declined in recent years, the opioid epidemic killed more than 100,000 people between February 2022 and January 2023, and overdose remains the leading cause of death for Americans aged 18 to 44. 

The US government this year imposed tariffs on China aimed at putting pressure on Beijing to stem the flow of fentanyl precursor chemicals into the country. In June, China added two fentanyl precursors to the list of controlled substances in what it described as an initiative to fulfill UN drug control obligations, reflecting its “attitude of actively participating in global drug governance”. At least one of these precursors has been advertised by AmarvelBio and its affiliated companies, including some listings that remain online on third-party trading websites. 

Takehiro Masutomo, a Tokyo-based journalist and the author of Run Ri: Tracing the Footsteps of Chinese Elites Escaping to Japan, has written extensively about the new wave of immigration to Japan by Chinese people, who now make up that largest group of foreign residents in the country. He told Bellingcat that Japan was an attractive destination not only because of its proximity to China, cultural ties, and the relative ease with obtaining long-term residential status via business routes, but also because there were fewer regulatory barriers. He said this left “room for exploitation” by criminals. 

“It’s really easy to set up a company here, and everything is cheap compared with other global cities. That’s the main reason,” Takehiro said. “I have been interviewing a lot of newly arrived Chinese people here, and I came across some people, including criminals. Japan may face a potential increase in financial crimes, including money laundering, involving individuals from China.” 

Nikkei reported that Japan may have been chosen as a base because it is not widely associated with trafficking fentanyl precursors and therefore less likely to have shipments inspected. While Firsky has been liquidated in Japan, Nikkei said AmarvelBio’s network continues to operate in China. The whereabouts of Xia Fengzhi, described in US court documents as “the boss in Japan”, remain unknown.

In response to a question on the Breaking Bad forum about the case against AmarvelBio in 2023, a user tagged as an “AmarvelBio Vendor” said US sanctions have “no effect” on Chinese companies. “The only thing they can do is blocking [sic] our website,” they said. “This is no pain to us, we will build a lot of new websites”.

Xia Fengzhi did not respond to requests for comment from Nikkei. Lawyers for Wang and Chen, who are due to be sentenced this month, did not respond to requests for comment as of publication.

---

George Katz and Connor Plunkett contributed to this article.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here and Mastodon here.

The post A Chinese Fentanyl Smuggling Network’s Footprints in Japan appeared first on bellingcat.

Armed and masked men leaping out of unmarked vehicles. Latino men taken from their places of work or while waiting for the bus. Street vendors roughly tackled to the ground and forcefully held down. 

Since early June, the streets of Los Angeles have borne witness to frequent and aggressive immigration raids that have seen people suspected of being undocumented migrants detained. Some have been rapidly deported.

Between June 6 and June 22 alone, the Department of Homeland Security (DHS) reportedly arrested 1,618 people for deportation from LA and the surrounding areas of Southern California. This averages out at about 95 people a day, and arrests and deportations have continued in the period since. 

Those numbers represent an increase over the months prior and appear to be in line with reports of apparent White House directives to up immigration-related arrests.

Bellingcat worked with our partners at Evident Media and CalMatters to gather and document social media and online footage of as many of the LA raids as possible.

We collected videos of just over 100 incidents starting on June 6, picking out sightings and what appear to be recurring trends and tactics used by officers. A full list of the incidents can be seen and downloaded here.

The footage shows officers from agencies including US Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE), which operate under DHS, arresting people in public spaces, in places of work and outside residences. In some cases, it was unclear what agency officers were with due to a lack of clear identification.

In others, officers can be seen using significant force to detain people. In most cases officers keep their faces covered, concealing their identity. Unmarked vehicles were also used on numerous occasions. 

The raids bear similarities to incidents previously investigated by Bellingcat, CalMatters and Evident Media in California. Earlier this year, agents from the El Centro Border Patrol Sector travelled over 300 miles from the US southern border to the city of Bakersfield to take part in what they said were targeted raids to apprehend immigrants with “criminal records”. 

However, just how targeted that mission was became a point of significant tension, with rights and labour groups claiming it was anything but. Of 78 people arrested, only one had been flagged for prior removal. 

In April, a federal judge issued a preliminary injunction in the wake of the Bakersfield raids barring Border Patrol from conducting warrantless raids in California’s Eastern District, stating that “you just can’t walk up to people with brown skin and say, ‘Give me your papers.’”

The American Civil Liberties Union (ACLU) and other industry and rights groups last week requested a similar injunction be put in place in California’s Central District, which includes Los Angeles. 

The head of the El Centro unit, Gregory Bovino, is now in charge of the operations across Los Angeles. Agents from his El Centro Border Patrol unit have also appeared in videos of raids in LA neighbourhoods seen by Bellingcat. Bovino even appeared at a raid involving hundreds of officers in LA’s MacArthur Park on July 7.

To be clear, it is not possible to know exactly what transpired in every incident captured in our dataset. The vast majority of videos only offer snapshots of what occurred as most raids relied on the element of surprise. Witnesses, therefore, often did not appear to start recording until raids were under way. Similarly, many of the raids captured were in public spaces such as in parking lots or at strip malls. Others did occur at private residences, but incidents are more likely to be captured in places where more members of the general public are likely to be present, such as on busy thoroughfares. This is likely reflected in the data. 

Judging by the number of people detained in LA over the last few weeks, the videos also only capture a portion of all the incidents that have actually taken place. Despite that, the available videos suggest a few trends that may offer clues as to the tactics being deployed by agents across the city. 

From Pasadena to Long Beach, and from Playa Vista to Baldwin Park, incidents have been recorded across LA. Some have even stretched beyond Los Angeles County, with raids recorded in Oxnard, Santa Ana and Fontana.  

With billions in new funding heading for ICE operations in the near future, some believe what has happened in Los Angeles could be just the start of an even bigger immigration crackdown across the US. President Donald Trump also appeared to suggest as much in a June 16 Truth Social post, stating that he wanted to expand detention and deportation efforts to other cities like Chicago and New York.

Raids at Work

A striking number of videos showed people being arrested at what appeared to be their places of work. These included arrests at car washes, food stands and swap meets.

In one incident on June 22 at Bubble Bath Hand Car Wash in Torrance, numerous agents can be seen swarming the facility and approaching blue-shirted employees. One bystander told local broadcaster ABC7 Eyewitness News that she was able to stop the arrest of an employee by advising him not to answer questions. However, others were roughly handled by agents, some of whom appeared to be wearing ballistic armour and carrying guns.

Emmanuel Karim, the manager of Bubble Bath Hand Car Wash – who can be seen in the video angrily remonstrating with agents asking them “what are you doing here?” – told Bellingcat in a phone call that  officers did not provide warrants or identification. 

He had previously told the media that two of his workers were taken during the raid.

In total, our dataset documented 12 raids that appeared to specifically target car washes, including one that hit the same car wash twice. Industry group CLEAN Carwash Worker Center, however, has documented a much higher number. As of July 4, they told Bellingcat they had information detailing raids in at least 55 carwash locations, with some experiencing multiple raids over the month of June. CLEAN said they had documented at least 96 arrests, including of both carwash workers and customers.

Another video from June 8 in Westchester showed a street vendor wrestled to the ground and surrounded by agents near his stall with their weapons drawn. 

In another case on June 22, street food vendor Celina Ramirez clung to a tree as federal officers pulled up and arrested her outside a Home Depot in the Ladera Heights neighbourhood. A bystander told ABC7 Eyewitness News that officers did not provide identification as to who they were, nor did they provide a warrant. While some wore Border Patrol identification, there were also plain clothes officers. All appeared to be masked.

The nature of such arrests has led some to claim that officers are racially profiling workers they may pass at the likes of street food stalls while also targeting businesses they assume will have a high proportion of Latino workers, such as car washes. 

The ACLU lawsuit describes a “systematic pattern” where “individuals with brown skin are approached or pulled aside by unidentified federal agents, suddenly and with a show of force, and made to answer questions about who they are and where they are from”. 

Such practices, where agents do not identify themselves or explain why an individual is being arrested are “contrary to federal law”, the ACLU lawsuit states.

Bellingcat asked DHS about the claims within the ACLU lawsuit as well as incidents at car washes and with the street vendors in Westchester and Ladera Heights. DHS did not comment specifically on the Westchester and Ladera Heights incidents. They also did not respond to the owner’s claims that agents did not provide a warrant or identification when they raided the Bubble Bath Hand Car Wash in Torrance. 

But in an email sent after this article was initially published DHS Assistant Secretary, Tricia McLaughlin, responded to details in the ACLU lawsuit, stating that: “DHS targets have nothing to do with an individuals’ skin colour. What makes someone a target is if they are in the United States illegally. These types of disgusting smears are designed to demonise and villainise our brave ICE law enforcement. ”.

McLaughlin added: “DHS enforcement operations are highly targeted, and officers do their due diligence. We know who we are targeting ahead of time. If and when we do encounter individuals subject to arrest, our law enforcement is trained to ask a series of well-determined questions to determine status and removability.”

Strip Malls and Home Depot Parking Lots

On June 16, a video of a bystander questioning two ICE agents handcuffing and arresting a man in LA county’s Hacienda Heights was shared online. The man said his name is Leo Torres and when the bystander questioned whether the agents had a warrant for his arrest they replied: “This is a public place, we don’t need a warrant.”

Torres was picked up outside an area that appears to be a strip mall. Our dataset showed 25 incidents at such facilities. But raids were captured on video most regularly near outlets of one brand in particular. 

In total, incidents were recorded outside or close to 17 different Home Depots – a common place for day labourers to pick up materials for their work or to pick up work itself.

For example, in a video captured on June 19 an agent in a Border Patrol uniform can be seen chasing a man in the parking lot of a Home Depot in Burbank. 

In another incident on June 22, a man was pinned to the ground in a Home Depot parking lot in Gardena. Signs displaying prices of items for sale can be seen at the start of the video that match the font used at Home Depot locations.

In another incident on June 9, video footage uploaded from multiple angles showed officers running after and questioning a man near a Home Depot in Huntington Park. The footage also showed other officers chasing others who were nearby.

While it was not possible to identify the vast majority of the people detained in the videos gathered, the raids at Home Depots bear a striking similarity to the Bakersfield operation conducted by El Centro Border Patrol earlier this year. 

Back then, eight of just over 50 videos gathered by Bellingcat, Evident and CalMatters appeared to take place in Home Depot parking lots.  

Bellingcat asked DHS if agents had been targeting Home Depots without necessarily having warrants for people they expected to encounter there but did not receive a direct response on this question.

Masked and Unmarked

Identifying who or, indeed, what agency is carrying out a particular raid in the videos collected is not a simple task. Many agents wear masks or keep facial features covered, concealing their identity.

Because it is often unclear who these agents are, many videos show bystanders asking agents for identification, a warrant, a badge number or who they are with. In one video on June 23 at a Home Depot in Inglewood, an officer is asked for his badge number by a bystander who is filming a man being taken away. The officer briefly flashes his badge before dashing into the back of a car that speeds away.

Similarly, officers can be seen wearing plain clothes instead of uniforms in many videos, thus making it difficult to ascertain which agency they belong to.

Some have warned that the heavy use of masks and shielding of identity makes it easier for fraudsters or imposters to pretend to be federal officers or law enforcement to commit crimes. There have already been a number of cases where this has happened in the last month, including in Philadelphia, New York and Los Angeles. However, acting ICE Director, Ted Lyons, has said officers are covering their identity to protect themselves and their families from harassment.

A new bill being proposed called the “No Secret Police Act” would require local, state, and federal officers from covering their faces during operations in California. 

Unmarked vehicles are also regularly seen being used by arresting officers in videos. Bellingcat was able to identify several instances where the same unmarked cars appeared in separate videos in different parts of the city. The cars were identifiable by their number plates. 

Other vehicles being used by officers, including Border Patrol vehicles that bear individual identifying numbers, could also be seen in multiple videos.

In an emailed response to questions sent after this article was initially published, a DHS spokesperson said: “When our heroic law enforcement officers conduct operations, they clearly identify themselves as law enforcement while wearing masks to protect themselves from being targeted by highly sophisticated gangs like Tren de Aragua and MS-13, criminal rings, murderers, and rapists.”

Use of Force and Intimidation

Several videos in the dataset appear to show significant force being used by agents.

A number of incidents featured heavily armed or aggressive officers. Agents can be seen carrying rifles, handguns, and wearing military wear, from camouflage uniforms to helmets and ballistic vests.

One notable instance was the June 16 raid at the Sante Fe Springs Swap Meet that reportedly saw dozens of agents, many of whom were heavily armed, raid a popular swap meet where families were in attendance. Border Patrol filmed this raid and posted a video on their Instagram account. The video shows a number of officers carrying weapons, wearing protective gear, preparing for the raid and walking through the swap meet. A sign which reads “Family Fun Live Music Shopping” can be seen in the video. The raid reportedly resulted in the arrest of two individuals. Businesses there have since complained that the raids have put people off from coming back.

In another incident on June 29, video footage showed the arrest of two men on a street in Santa Ana. Agents appeared to use batons on both men as they lay on the ground. An eye witness stated that agents used pepper spray after one of the men was already on the floor. Federal officials later told local news outlet, KTLA, that one of the arrested men was a Mexican national present in the US illegally, although they did not detail how officers first engaged with the two men or if they were individuals known to law enforcement. The same officials also said to KTLA that officers were attacked by “a violent mob” protesting the detainments before all suspects were arrested. 

Other incidents showed officers pointing guns at a man trying to escape in a car and another who was trying to take a photo of a federal agent’s licence plate. One man could be seen with blood pouring from his head after officers smashed his car window and dragged him from his vehicle in another incident captured in the dataset.

On June 24, during an ICE raid in the Fashion District in Los Angeles, agents from multiple agencies were seen tackling a man, Luis Hipolito, pushing him on top of a curb. A video shows one officer put an arm around his neck as multiple agents pile on top of him and appear to punch the back of his legs. Moments later, he begins convulsing on the ground. 

Hipolito is a US citizen and was apparently filming the arrests of street vendors in the area. As reported by the LA Times, officers ordered Hipolito to leave the scene. When he did not, an officer sprayed him in the face with a substance, the LA Times reported. Video shows Hipoloito swinging his arm in response but it is not clear in the video if his hand connected with the officer. He is being charged with assault for allegedly punching an agent before he was tackled and wrestled to the ground. Hipolito’s family has since said that he did not intentionally touch the agent and that he had been blinded by what they said was pepper spray to his face. They said it was a natural reaction to being unable to see after being pepper sprayed. The LA Times reported that DHS Assistant Secretary Tricia McLaughlin had said the actions of Hipolito and another US citizen had “kept ICE law enforcement from arresting the target illegal alien of their operation.”

There have been numerous reports of US citizens being detained by ICE. In one June 12 incident, a video showed a US citizen being chased and detained by Border Patrol before being eventually let go. Before leaving, however, one of the officers asks: “Why did you run?”

While it is not clear if the only reason they sought to detain this individual was because he ran, that would seem to align with a promotional video published on the Customs and Border Protection YouTube page where an officer can be heard saying, “If they run, we go”.

In response to questions from Bellingcat about whether force used by officers was always proportional or if there were instances where any had gone too far, DHS responded after this article was initially published. McLaughlin said that agents are trained to “use the minimum amount of force necessary to resolve the situation in a manner that prioritises the safety of the public and our officers”. 

She added: “Resisting arrest places those being arrested, the agents, and the community at risk. Law enforcement is now facing a nearly 700 percent increase in assaults while carrying out enforcement operations. But this will not deter [Customs and Border Protection] – we will continue enforcing the law and protecting American communities.”

---

This article was updated on Wednesday July 9, 2025, to include responses from the Department of Homeland Security which were received after initial publication time.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here and Mastodon here.

The post Masked, Armed and Forceful: Finding Patterns in Los Angeles Immigration Raids appeared first on bellingcat.

Content warning: This story discusses non-consensual deepfake nude imagery.

On the surface, Crushmate appeared to be one of many artificial intelligence “girlfriend” or “companion” apps. Its multiple websites said it specialised in “crafting the AI girl of your dreams”, and on Google and Apple’s app stores, it was described as an “AI chat product designed to provide users with a comprehensive emotional support and communication experience”. 

But ads linked to the app on popular social media platforms showed it was offering an entirely different service – making nonconsensual nude images of real women.

Meta announced last week that it was suing Joy Timeline HK Limited (“Joy Timeline”), the Hong Kong-based company it said was behind a group of deepfake “nudifying” apps under “CrushAI”, which include Crushmate. This was following a 404 Media report in January that CrushAI had bought thousands of ads on Instagram and Facebook, using multiple fake Facebook profiles to evade Meta’s moderators. 

However, a Bellingcat investigation has uncovered two additional companies in Hong Kong and mainland China – Soul friendship HK Limited (“Soul friendship”) and Wuhan Ruisen Zhuoxin Network Technology Co., Ltd (“Wuhan Ruisen”) – that appear to have links to these apps. 

The CrushAI ads showed women, including celebrities and influencers, having their clothes artificially removed using deepfake technology. They led to pages prompting users to upload photos of people and “erase clothes” off them. 

404 Media’s report prompted Illinois Senator Dick Durbin to write to Meta CEO Mark Zuckerberg about CrushAI’s advertising on Meta’s platforms, in a letter pointing out that “the generation and dissemination of nonconsensual, deepfake intimate imagery are acts of abuse and violations of privacy that inflict lasting harm on victims”. 

Asked about the two other companies Bellingcat has linked to CrushAI, Meta said it was looking into them and would take action, including legal action, as necessary if it found violations of its policies. The company also said they will continue to take the necessary steps against other advertisers who abuse their platform.

Soul friendship was the listed developer of Crushmate on the Apple App Store, while Wuhan Ruisen filed an application for a US federal trademark related to the Crushmate brand last year. Documents supporting Wuhan Ruisen’s trademark application suggest that the app earned more than US$45,000 in subscriptions between December 2023 and July last year. 

The legal filing, which Meta provided to Bellingcat, shows that the social media giant is seeking an injunction to prevent Joy Timeline from placing ads related to nudify apps on its platforms. It is also claiming US$289,200 in damages, including costs it said it incurred for investigating and removing ads for the CrushAI apps, to respond to public and regulators’ queries in relation to the ads and to take enforcement action against Joy Timeline.

The complaint stated that Joy Timeline placed over 87,000 violating ads on Facebook and Instagram as of February this year, mainly targeting users in the US, Canada, Australia, Germany and the UK.

In response to Bellingcat’s queries, a Crushmate representative said that the app had permanently shut down but had “very briefly relied on the support of many third-party partners” in the early stages of its business. 

On the relationship between CrushAI and Joy Timeline as well as the two other companies the representative said that “since the project has now ended and the team no longer exists, I’m unfortunately unable to verify whether the company you mentioned in your email was one of our former partners”. 

Soul friendship, Joy Timeline and Wuhan Ruisen did not respond to multiple requests for comment on their relationships with each other or with CrushAI.

Joy Timeline

Like other notorious AI nudify apps, CrushAI appears to own multiple websites with the same domain name (“crushmate”) but different extensions such as .site .net .vip and .us. Bellingcat found at least 23 domains that used the Crushmate name, all of which are no longer accessible. These were mostly registered on two days in April and July 2024. We also found other sites with identical homepage layouts and content to Crushmate, with similar domains like “Crushai”, “crushh”, “crrru”, “crushx” and “crush1”. 

Using Domain Tools, we were able to link these sites – and more – through an identical Google Analytics Tag, which is used to track website traffic.

While nearly every one of these websites had their WHOIS registration info redacted for privacy, one was not, and it was registered to Joy Timeline.

Our search on Whoxy, a reverse WHOIS search tool, found 158 domains registered publicly to Joy Timeline at the time of publication. Only one carried the Crushmate name, but 28 more had almost identical layouts and also appeared to be deepfake “nudify” apps. 

For example, archived versions of the main pages of two of these domains, “sparkaifun [dot] online” and “chatnplay [dot] online”, were identical to the home page and “clothing eraser” pages on CrushAI’s sites.

It is possible that there are more similar web domains that did not show up in our searches, as domain registrants can also choose to redact their information. Other active domains owned by Joy Timeline, according to publicly accessible domain information, include homepages for other “AI chat” apps, photo editing apps and mobile games, among others.

On Hong Kong’s Companies Registry, Joy Timeline’s director was listed as a person called Zhang Xiao, who holds a Chinese passport. 

The company was registered with 100 shares issued at a total value of HK$100 (US$12.80). Zhang Xiao was listed in the company documents as owning 90 of these shares, while another Chinese national, Zhang Shiwei, owns 10. 

Zhang Shiwei is the director of Soul friendship, which Bellingcat’s investigation has also linked to the CrushAI apps. 

Soul friendship

Although Crushmate is no longer available on Google’s Play Store and Apple’s App Store, archived versions of its app listings on both of these stores led us to Soul friendship, another Hong Kong-based company.

Crushmate’s developer on Google’s Play Store from September 2024, based on a cached version of the page, was listed as “LipLip Team”. Our online searches of LipLip Team showed that it had another app listed on the Play Store called “LipLip – Live Video Chat&Meet”, which appeared to be a chatting app. 

Bellingcat could not find any company called “LipLip Team” registered in Hong Kong, where LipLip-Chat’s archived X bio stated that the app is based. 

But the URL of LipLip’s page from the developer’s archived Google Play Store profile, based on both indexed copies of the Google Play Store listing and LipLip’s X bio, included the ID “hk.soulfriendship.chat” – our first clue that another company was involved. 

On the Google Play Store, the app ID which makes up part of the URL is based on the package name of an app, which uniquely identifies the app across the Play Store. The package name could be set to anything, as long as it is not used by any other app on the Play Store. 

However, in this case, it happens to closely match the name of Soul friendship, the Hong Kong-based developer that published both Crushmate and LipLip-Chat on the Apple App Store.

We were able to find more information on Soul friendship by viewing LipLip-Chat’s Apple App Store listing as it would appear from a country within the European Union. 

Due to the EU’s Digital Services Act, Apple is legally required to verify and display more detailed information for traders distributing apps in the EU than in other jurisdictions. 

This includes developers’ Data Universal Numbering System (DUNS) number – a nine-digit number key for uniquely identifying companies worldwide – as well as contact information such as their address, phone number and email address. 

Even from outside of the EU, it is easy to view this information by tweaking the country code in the URL of the web-based App Store listing. 

For example, the developer information visible on the US app store listing for LipLip-Chat only shows Soul friendship’s name. But simply changing the country code from “us” to “nl” (the Netherlands’ country code) reveals the company’s DUNS Number, address, phone number and email address:

The address listed for Soul friendship, in the commercial district of Wan Chai, Hong Kong, is the same one on Joy Timeline’s domain name registration records. This address is also listed as belonging to one of the 6,900 or so Trust or Company Service Providers (TCSPs) in Hong Kong which are authorised to provide, among other corporate services, a registered business or office address.

Documents from the Companies Registry in Hong Kong show that Zhang Shiwei is Soul friendship’s listed director.

Although they have different names and directors, Soul friendship’s and Joy Timeline’s shareholders are the same and there are multiple overlaps in how the two companies operate. 

Like Joy Timeline, Soul friendship was registered with 100 shares issued at a total value of HK$100. In a mirror of the arrangement for Joy Timeline, Zhang Shiwei, the director of Soul friendship, owns 90 of Soul friendship’s shares while Zhang Xiao, the director of Joy Timeline, owns 10 shares. 

In addition to their common TCSP-linked address in Wan Chai, both companies used the same registered office address in Kwun Tong, an industrial and business area in Hong Kong, on their business filings. This is the address of another TCSP, which serves as the company secretary for both of these businesses.

Searches for Soul friendship and Joy Timeline online did not turn up much, except websites under their names that used identical templates. Neither website mentioned Crushmate or CrushAI, and both said on their “About Us” page that they were founded in 2022 and provided “IT consulting and software development services”. 

Wuhan Ruisen Zhuoxin Network Technology 

To complicate things even further, Bellingcat found two US federal trademark applications filed for Crushmate by a mainland Chinese company, Wuhan Ruisen, in August 2024. The first application, in the category of “Advertising, Business, and Retail Services”, was rejected on the grounds that the company did not provide sufficient evidence of using the Crushmate mark in commerce. 

The second one, in “Computer and Software Products and Electrical and Scientific Products”, was officially registered with the trademark office on April 29, 2025. The documents filed for federal trademark applications are publicly accessible through the United States Patent and Trademark Office (USPTO)’s website. 

In their trademark applications, Wuhan Ruisen provided “specimens”, which are samples of how their trademark is used in commerce. These included screenshots of both Crushmate’s Google Play Store and Apple App Store listings – showing LipLip team and Soul friendship HK as the app developers – as well as screenshots of their website. 

John Halski, a US-based lawyer whose practice focuses on trademark and copyright, told Bellingcat that it is possible for a company to include samples or specimens in their trademark application from a different company through a third party licence. 

However, Halski said that whether multiple company names in an application would be questioned depended on the examiner.

“The [trademark] examiner has the discretion to ask: ‘You sent me this specimen showing that party XYZ is using it and you claim that your name is ABC’. Then they may ask, ‘is this under a licence arrangement?’”

Anyone may file an application for a trademark, whether or not they own it, but other parties may oppose the application – such as if they are claiming to be the original owners of the trademark – within 30 days after it is published. Wuhan Ruisen’s application for the Crushmate trademark was published on March 11 this year, and successfully registered without opposition on April 29.

The application documents included a screenshot that appeared to show a Stripe payment dashboard, with 4,563 successful payments. All of the visible payments were for US$9.99, which was the weekly cost of a VIP subscription to Crushmate on the US site at the time the application was submitted. 

Assuming the only payments recorded by the dashboard were for these subscriptions, this would imply that by the time of the application being submitted in August last year, Crushmate had earned at least US$45,584.37 in subscriptions. It is unclear what the exact timeframe captured by the screenshot of this dashboard was, although the application states that the first use of the trademark was Dec. 25, 2023. 

Another screengrab included in the application, also apparently from Crushmate’s Stripe dashboard, showed a breakdown of the locations of Crushmate’s paying customers. This view on Stripe’s dashboard displays the “tax thresholds” for each state in the US and shows whether the income generated has reached taxable status. The screengrab indicated that Crushmate had paying customers across the US, with the most transactions from Kentucky and Utah. 

Based on documents from China’s official business registry which match the company’s name in Chinese and address, Wuhan Ruisen was established in March 2021 with a registered capital of 10 million Chinese yuan (US$1.38 million). 

We are not naming the legal representative of Wuhan Ruisen, listed in these documents, as the exact relationship between this company and CrushAI is still unclear. The legal representative’s name does not appear on Soul friendship or Joy Timeline’s business registration records in Hong Kong. 

A search for the company’s name on China’s Internet Content Provider licence database shows that it registered for five different domain names. Only one was accessible as of June. This site, which describes the Wuhan company as a “professional software development company” focusing on the development of desktop and mobile software, lists a number of apps supposedly developed by the company. None of the CrushAI apps were among them.

Some of the apps on this page have a close resemblance to software by foreign developers. For example, the first app on the page is an AI translator called “DeepL”, which is also the name of an AI translation app by a German startup that does not currently offer paid plans in mainland China. 

On third-party consumer service platform Heimao Tousu, there were more than 40 complaints between October 2023 and March 2025 about the company. Most said they paid between 29 and 69 yuan (US$4 to US$9.50) to download software they believed to be genuine, only to discover the products were fake or did not work. When they asked for refunds, they were ignored.

Wuhan Ruisen did not respond to multiple emails requesting for comment, and when we called the phone number listed on its website, we got an automated message stating that the number dialled was invalid.

Taking It Down

Crushmate’s X profile and a US domain site carrying its name was accessible until April. That same month, the US Take It Down Act, which criminalises the distribution of non-consensual deepfake pornography at the federal level, passed. It was signed into law in May, and Crushmate’s X profile was deleted sometime that month. 

At time of publication, all 23 of the Crushmate domains, the additional nudify-related domains owned by Joy Timeline, and the other CrushAI domains appear to be either offline or display an “under maintenance” notice after users register and log in. 

When Bellingcat reached out to a support email listed on several Crushmate websites, an unnamed individual responded. 

This person said the decision to shut down operations and disband the team actually took place “several months” before the introduction of the Take It Down Act.

“Since then, this inbox has remained inactive,” they said. 

The person emailing us did not explain why they were replying from an inactive account, or respond to subsequent questions about who they were or what their role in Crushmate or CrushAI was.

Joy Timeline has purchased domains as recently as May 14, but none of these appear to be nudify sites or currently hosting content.

---

Featured image credit: Reihaneh Golpayegani / Telling Tales / Licensed by CC-BY 4.0

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here and Mastodon here.

The post Meta’s Suit Against Hong Kong Firm Was Just the Beginning – More Companies Linked to CrushAI ‘Nudify’ Apps appeared first on bellingcat.

Bellingcat Investigator Peter Barth, who grew up in Texas, researched and reported this story in collaboration with the Texas Observer.

William “Bill” Asher Richardson Jr. pulled into the driveway of his upscale Corpus Christi home late on a Sunday night at the end of summer. The wealthy Texas oilman was unloading his Winnebago RV as his wife and stepson walked inside. Their housekeeper, watching through the front window, saw them first: two men, armed with sawed-off shotguns and wearing jumpsuits, running toward Richardson from the shadows.

Without a word, they fired four shells of No. 4 buckshot, sending 45 pellets into Richardson’s head, neck, chest, and arms. The shooters were gone as quickly as they arrived, fleeing in a getaway car. Richardson’s wife tried to call for help, but the phone line had been cut. Her son ran to fetch a neighbouring doctor. It was too late. Richardson, 40, died sprawled on his driveway.

Richardson’s murder on Aug. 1, 1971, remains unsolved.

Clicking on a note will take you to the relevant chapter of the story. You can return to this pinboard at any time by clicking Return to intro.

---

The case is one of an overwhelming number of unsolved homicides in the United States. The Murder Accountability Project (MAP) counts almost 346,000 cold cases of homicide between 1965 and 2023—likely an undercount since many homicides from the earlier decades are excluded and not all police departments report to the FBI Uniform Crime Reporting Program, on which MAP is based.

Clearance rates for US homicides—generally defined as the percentage of cases closed via arrest or the death of a suspect, or ruled to be justifiable—have been declining for years.

Meanwhile, online crowdsourcing efforts have sprung up to tackle cold cases including Uncovered, with almost 50,000 unsolved murder and missing persons cases, and Solve the Case, a nonprofit founded by Aaron Benzick, a detective with the Plano Police Department. “You highlight these cases, and people come forward,” Benzick told Bellingcat. “Even if that doesn’t happen, just organising these cases helps law enforcement.” 

In 2023, the Corpus Christi Police Department (CCPD), with two detectives on its cold case squad, began reviewing 100 unsolved homicide cases dating back to April 1970—including Richardson’s. But the city has refused to release nearly all of its files.

Bellingcat has independently uncovered new information about the murder that’s never been made public. In a years-long open source review of Richardson’s murder conducted in collaboration with the Texas Observer, the outlets examined digitised newspapers, online archives, genealogy services, and declassified FBI records. The outlets also filed public record requests with local and state law enforcement agencies, the FBI, and the National Archives and Records Administration (NARA). 

Two men, including one who did prison time for a prior murder, were charged with Richardson’s death but not convicted. The outlets’ investigation fleshes out the failed case against those two individuals and contributes new details to the public record of what happened the night Richardson was killed—including the possible identity of a getaway driver. The investigation also reveals alleged links between Richardson’s social circle and organised crime and some evidence of another potential participant in the crime.

The findings illuminate violent collisions between jet-setting Southern playboys at the highest rungs of the social ladder and the murky criminal underworld that gripped Texas in the 1960s and ’70s. Public records shed light on this peculiar clash of worlds, though enormous Freedom of Information Act (FOIA) request backlogs, the loss of historical documents, and the unwillingness of law enforcement agencies to release all files make the full story elusive. Crucially, many players with firsthand knowledge—the witnesses, the alleged accomplices or killers, victims, police, lawyers, reporters, and family members—are either dead or unwilling to speak.

Richardson’s colourful life in a landed South Texas oil and ranching family was illuminated in older articles like “The Death of a Sportsman,” a 1971 feature published in the San Antonio Express and News. But, other than a single chapter in a 1997 book about a Texas Ranger, there are few recent media reports on the unsolved 1970s murder.

Family members have described the young Richardson as a troublemaker who attended three different high schools before dropping out. By age 20, he had joined the US Marine Corps and fought in the Korean War, where he was wounded and later decorated for his service.

His father, William Asher Richardson Sr., had founded the Richardson Petroleum Company. Richardson Jr. built his own company, Richardson Petroleum Enterprises, Inc. He spent weekends playing high-stakes poker, attending prestigious shooting tournaments, and on fishing trips in the Gulf of Mexico. He flew around in a customised P-51 Mustang fighter plane to manage his oil business.

Tragedy struck in 1963 when Richardson’s father, having fallen into financial strain, died by suicide. Lynn Richardson, Bill’s daughter and William’s granddaughter who was only six at that time, remembers hearing about her grandfather’s death. “A little boy came to the house with a grocery order for US$11, and he was so broke that he couldn’t pay that so he went upstairs and shot himself,” she told Bellingcat. Eight years later, her father was murdered in his Corpus Christi driveway. “It’s been really tragic. … They say there are generational curses. There’s just been a lot of violence in our family.”

In his final years of life, Bill Richardson’s oil business dried up, and in 1969 he filed for bankruptcy, owing about $3.3 million (around $28.7 million today). Roughly half of those debts were owed to 125 unsecured creditors, lenders that have no right to a borrower’s assets if they declare bankruptcy. Some were his enemies, business associates later told investigators. 

Richardson turned to the sport of Columbaire-style pigeon shooting for income. A bloodsport popular in Spain, Mexico, and Argentina, it involves a skilled thrower—a columbaire—pitching live birds that are difficult for the shooter standing behind him to hit. Richardson was named one of the sport’s best shooters and was three times selected to represent America by its governing body.

Chapter 1: The Murder of a Texas Oilman

A previously unreleased offence report, obtained by Bellingcat in response to an information request, and an interview with a friend of the Richardsons conducted by Bellingcat add texture to newspaper narratives of the chaotic minutes before and after the murder.

Richardson lived with his family in a new four-bedroom house with a Mediterranean-style courtyard in Country Club Estates, an upscale neighbourhood in Corpus. On the night of Aug. 1, 1971, Richardson’s housekeeper, Mary Chavez, was helping the family settle in after a pigeon shoot in McAllen, Texas. 

A stranger had called the Richardsons’ house to ask when the family would return, Chavez later told authorities, and she and others had seen suspicious-looking men around the neighbourhood. Police, who found a packet of cigarettes and empty beer cans in bushes near Richardson’s house, theorised that the gunmen had been lying in wait.

Around 11 p.m., Richardson and his 11-year-old stepson James LaBarba were unpacking their motor home when Chavez, from a front window of the house, saw two men running across the lawn with shotguns. Both were wearing baseball caps and sunglasses. She later described one as tall and lanky, the other as shorter and heavyset.

After the first shot, James turned and saw the men firing sawed-off shotguns at his stepfather. The coroner later logged 45 entry wounds. Investigators described the murder as a “professional killing.”

Bellingcat interviewed one of the first people to arrive at the crime scene, Chip Hogan, the son of Bill’s close friend and fellow pigeon shooter Roger Hogan, who was a teenager at the time. He and his father had accompanied Bill and his family on the trip to McAllen and had just arrived at their home after leaving Richardson’s house when the phone rang.

When shown possible suspects’ photographs, Chavez allegedly pointed to two men from Fort Worth: Odis Thomas Hammond and Sam Mena. Both of them were arrested for the killing.

Hammond was a career criminal with an arrest record for burglary and a reputation with police for promoting prostitution. Richardson was the third person Hammond had been accused of killing, according to a Bellingcat review of Texas Department of Public Safety electronic records and detailed reports obtained through public information requests.

A June 10, 1957, WBAP-TV newsreel showing Hammond (right) giving the Fort Worth Assistant District Attorney a statement on killing his friend in self-defence the day before. Source: NBC 5/KXAS Television News Collection (AR0776), University of North Texas Special Collections.

Hammond confessed to killing a friend and fellow pimp in a shootout outside a bar in Fort Worth in 1957, but he was never prosecuted after a witness failed to appear. Two years later, he was convicted of the 1959 murder of a Houston car salesman during an armed robbery. But, surprisingly, Hammond had done little prison time: He was sentenced to 30 years in 1962 but was paroled in April 1971. 

Hammond had reportedly been arrested more than 60 times in Fort Worth when he was nearly killed by a woman who shot him in the stomach at a bar in 1958. He and two others also had been accused of opening fire on a man during a failed 1959 Midland robbery. In response to a FOIA request from Bellingcat, NARA released a 20-page FBI file on Hammond from a White-Slave Traffic Act (Mann Act) investigation in 1959, detailing FBI agents’ unsuccessful efforts to locate a woman they believed Hammond had trafficked out of state.

Sam Mena also had a significant criminal history, including arrests for burglary and robbery, and a 1959 jail escape, newspaper articles and records show. While jailed for Richardson’s murder, Mena allegedly tried to use a cellmate to recruit a contract killer to kill Richardson’s housekeeper before she could testify as a witness against him and Hammond. According to Corpus Christi police officers’ testimony, the contract killer was “Tommy” Gibbs.

But a cellmate tipped off police to the plot. Detectives were watching Chavez’s house when Gibbs drove to Corpus Christi shortly after Mena’s arrest. Police followed, and Gibbs apparently abandoned the plan. Six weeks later, Gibbs was shot to death in Fort Worth. His murder remains unsolved.

Despite all of the allegations about Hammond and Mena neither man was ultimately convicted of the notorious Corpus Christi killing.

Chapter 2: The Suspects—and Their Getaway Driver

“Tommy” Gibbs, the would-be hitman, had another never-before-published connection to Richardson’s murder: Police suspected he had been the getaway driver, according to Gibbs’ homicide file, which Bellingcat obtained from the Parker County Sheriff’s Office.

Gibbs was a professional underworld operator who used multiple names, according to an analysis of newspaper reports, birth and death certificates, census data, prison records, and a prisoner-run newspaper. His real name was Paul Adams Gibbs, and he used the aliases George Edward Thomas and Tommy Gibbs. A former Marine wounded at Tarawa, Gibbs was arrested in 1944 for stealing a car and, by 1950, was serving a prison term for theft.

In 1951, he and two associates were arrested for beating and robbing a man, then throwing him out of a car. Gibbs was later detained in Dallas as part of a nationwide sweep of drug traffickers and did time for armed robbery. He’s described as an “alleged hitman” in the 1997 book by author Lee Paul about Jim Peters, a Texas Ranger who worked on the Richardson case.

Gibbs himself died mysteriously only months after failing to carry out a hit on Richardson’s housekeeper, one of the witnesses to the murder. On Nov. 14, 1971, a deer hunter in a wooded area near the town of Weatherford stumbled across a man in a suit and tie lying in a pool of blood. Police believed Gibbs had been executed and that his body had been dragged there from the trunk of a car. He’d been shot six times in the face, with a cheek wound delivered at such close range it caused gunpowder burns.

The Parker County sheriff’s newly released files on his homicide include a handwritten investigator’s note that says: “Tommy Gibbs. Lived at 232 Ridgeway, Azle (Texas) with Sam Mena who pimps and in jail in Corpis [sic] for shooting down Bill Richardson with Odis Hammond. Also in jail. Gibbs was susp. to have been driving the car.”

Some journalists speculated that Gibbs’ death was tied to a feud between members of the so-called Dixie Mafia, a loosely knit group of underworld crime figures that operated in Texas and other Southern states. Curiously, only two weeks before his murder, Gibbs had been shot in the leg but told authorities the injury was self-inflicted.

Jesse Sublett, author of two books about the Texas underworld of the 1960s and 70s said the Dixie Mafia was not structured like other crime gangs: “From the outside, ‘Dixie Mafia’ was a conceit, a marketing term so that law enforcement and the media could conceptualize the problem and sort of identify their approach to dealing with what was basically a criminal subculture of loosely associated people who tended to live outside the law.”

Police officials never revealed that they suspected Gibbs had been an accomplice in Richardson’s murder. By the time of the trial, he was already dead.

Chapter 3:  The Failed Murder Trial

Odis Hammond was tried for Richardson’s murder on Aug. 21, 1972. Hammond’s lawyer moved successfully to have his client tried separately from Mena because, he argued, the evidence against Mena—which included statements he’d arranged for Gibbs to kill Richardson’s housekeeper—could harm Hammond’s case. 

The prosecution called witnesses who placed Hammond near Richardson’s hotel in McAllen during the shooting competition and later at Richardson’s home on the night of the murder. A hotel clerk recalled that Hammond told her he’d made the 500-mile drive to McAllen from Fort Worth in a car customised to run on both butane and gasoline. Chavez and LaBarba, Richardson’s stepson, both identified him as one of the killers.

But then the case against them fell apart.

Hammond’s defence attorney questioned how witnesses could have seen the men clearly in the dark. He also called an FBI firearms expert, who testified that spent shells from the scene could not have come from the type of shotgun LaBarba claimed to have seen the killers fire. 

The court blocked prosecutors’ attempts to show similarities between Richardson’s killing and a 1959 murder for which Hammond had been convicted. In that case, Hammond and an accomplice gunned down a Houston car salesman in his apartment. Hammond was paroled months before Richardson’s murder.

Other witnesses testified that Hammond had been in Fort Worth the weekend of the murder. One woman claimed she’d spent the night with him there. Hammond was found not guilty and walked out of court before the handcuffs he’d been wearing for trial had been unlocked, wearing sunglasses, and a smile on his face. (By 1977, he was arrested again for robbing a pharmacy in Dallas: He appeared to be wearing a wig when he pulled out a pistol, swiped narcotics, and escaped on foot with an accomplice from the 1959 Houston murder, records show.)

Nueces County prosecutors, having failed to convict Hammond, never prosecuted Mena for Richardson’s murder. But, as a felon, Mena also had been convicted of illegal possession of a handgun and did time in prison. By 1974, he was accused of accepting a contract to kill Tarrant County District Attorney Tim Curry, a plot that failed. 

Ten years later, Mena, then 49, was arrested in Houston, this time for dealing cocaine to an undercover policeman. The police report, obtained by Bellingcat, describes Mena sporting a moustache, an all-denim “Canadian tuxedo”, and carrying a loaded .38 revolver.

Both Mena and Hammond spent the rest of their lives in and out of prison before dying in the 1990s. Neither ever confessed to Richardson’s murder. 

Chip Hogan, the son of Richardson’s friend, told Bellingcat that he was asked to identify a man in a police lineup who was seen in the crowd at the pigeon shooting tournament in the days before Richardson’s murder. He also recounted a car briefly following Richardson, Jerry LaBarba and his father as they drove home in their separate cars on the day of the murder.

When shown photos of Hammond, Mena, and Gibbs, Chip Hogan told Bellingcat, “Hammond is familiar, the vision I have of him, his hair was combed, and I was thinking his hair colour was a lot lighter actually, more on the blonde side. He could have had his hair dyed or I’m completely wrong on his hair at that time”.

While the Corpus Christi police identified those two men as hired killers, prosecutors admitted to being at a loss for who had contracted them or the motive. Later, more leads arose from the seemingly unrelated murder investigation of yet another wealthy Texan.

Chapter 4: Another Corpus Millionaire Killed—and Chained to a Block of Concrete

On June 6, 1972, almost a year after Richardson’s murder, a corpse washed ashore on Mustang Island, across the causeway from the mainland portion of Corpus Christi. A fisherman was shocked to find the corpse chained by the neck to a concrete block.

The police quickly identified the dead man as 32-year-old George Randolph “Randy” Farenthold, a local millionaire whom Texas Monthly called “a playboy euphemistically described as a ‘sportsman’”. Farenthold had befriended Richardson through the high-stakes gambling and pigeon-shooting scenes. (He was the stepson of Francis “Sissy” Farenthold, a prominent state legislator.)

Randy Farenthold was also a key government witness: He’d been scheduled to testify in a federal fraud trial against four men accused of swindling $100,000 from him in an elaborate scheme involving the purchase of Treasury notes the men claimed were owned by the Mafia. His murder came weeks before the trial was due to start. Without the key witness, the case collapsed. 

Two of the men accused of defrauding Farenthold, Bruce Lusk Bass III and Tharel Smith, were partners in a Corpus Christi construction firm. Bass was part of the same pigeon-shooting and gambling clique as Richardson and Farenthold. (“Richardson was involved with bookmaking,” a Corpus Christi police captain told reporters. “Farenthold was hanging around with the same people.”)

A break in the Farenthold murder case came when Robert “Little Bob” Walters, a man in prison for helping with a jailbreak, agreed to testify against Bass. Walters told a grand jury that he helped Bass and Smith dispose of Farenthold’s body after the two had kidnapped and fatally beaten and strangled him.

Walters also testified that Bass had confessed to being a participant in Richardson’s murder. It’s unclear if Walters knew more, since the rest of his grand jury statement remains under seal. In many other cases, so-called “jailhouse snitch” testimony has also often proven unreliable.

Portions of Walters’ grand jury statement are found in the book about Ranger Jim Peters and in newspaper articles. According to Walters, Bass was furious with Richardson because he thought he was being pushed out of a high-stakes gambling operation the two participated in. After pigeon shoots and on private jet flights to the Bahamas, this exclusive circle allegedly placed bets of up to $50,000 ($388,000 today) on games of dice.

According to Walters’ statement, Bass called him on Aug. 1, 1971, and said he planned to kill Richardson later that day. After Richardson’s murder, Walters said Bass asked him to dispose of a shotgun and he threw parts of it into a storm drain and into Oso Creek near Corpus Christi. Despite a search of Oso Creek, authorities never found any evidence to support his allegations. 

Bass pleaded no contest to Farenthold’s murder and was sentenced to 16 years on June 20, 1977. Smith, his business partner, also implicated by Walters, was never charged and died of a heart attack in 1985. Neither was ever charged in the Richardson murder.

Lynn Richardson, Bill’s daughter, told Bellingcat her father knew Bass well. “He was a pigeon shooter. They were all in the pigeon shoots together,” she said. “Bruce Bass was actually a pretty good shooter.” A 1964 photo published in the Corpus Christi newspaper showed Bass and Richardson shaking hands after a tournament.

She recalled an incident at a hotel following a pigeon shoot in McAllen in the early ’60s when, as a young child, she jokingly pushed an apparently drunk Bass into the pool. Her father quickly jumped in, pulled up Bass, and scolded his daughter.

Bass was released from prison in 1983 after serving only six years for murdering Farenthold; a year later he was seriously wounded in a shooting in a Jackson, Mississippi, motel bar.

Two months later, on the 12th anniversary of Farenthold’s body washing ashore, Bass argued with the owner of a Corpus Christi club and was gunned down in the parking lot. The shooting death was ruled a case of self-defence.

Chapter 5: Alleged Organised Crime Connections

Bass and others in Richardson’s inner circle had alleged ties to organised crime, according to newly uncovered documents—including FBI records posted online and documents provided to Bellingcat via FOIA requests.

In July 1966, five years before the Richardson murder, FBI investigators raided the offices of Kress Manufacturing Company in Tulsa, Oklahoma. The owner, Jack Edward Kress, was wanted on gambling and conspiracy charges issued in Biloxi, Mississippi, a centre of Dixie Mafia activity. Kress Manufacturing had been producing and distributing illegal gambling equipment, including loaded dice and altered playing cards, which were being shipped nationwide. FBI investigators on the case looked at two Texans: Bruce Bass and James “Jerry” LaBarba.

Bass and LaBarba were Richardson’s friends and shooting companions. LaBarba was also the ex-husband of Richardson’s wife—and the father of Richardson’s stepson, the young man who had witnessed his murder.

FBI documents released for LaBarba and Bass include a mysterious account of a violent incident, involving illegal gambling, years before Richardson’s murder. On Dec. 23, 1967, two Portland, Texas, policemen spotted a car stopped along Highway 181 at about 2:30 a.m. Five men were in and around the car, including two in the front seats near loaded pistols. A man in the backseat was bleeding from a head wound that he attributed to “a slight misunderstanding and scuffle.” 

All five were arrested, and a search of the car turned up nearly 800 sets of dice, some described as “crooked,” along with handwritten lists of Louisiana nightclubs. While the FBI redacted the names, the report’s inclusion in LaBarba’s FBI file suggests he may have been one of them, and the presence of an inventory of the confiscated dice in Bass’ FBI file suggests he was another.

Defence attorneys for Hammond claimed during the Richardson murder trial that LaBarba had told them he knew who had really committed Richardson’s murder. LaBarba separately testified that he had tried to protect his son by telling “lots of people” that James saw nothing on the night Richardson was killed. In an apparent reference to Randy Farenthold’s murder only two months earlier, LaBarba told the court this was because “It seems like witnesses have a real hard time staying alive in Corpus Christi”. (LaBarba died in 2009 and his son James died in 2018.)

An unnamed informant told an FBI agent in 1972 that Jerry LaBarba and Tharel Smith, Bruce Bass’ business partner and alleged accomplice in Farenthold’s murder, had been working as “money men” for a prominent Dallas nightclub owner, Anthony “Tony” Francis Caterine. Caterine was an associate of Jack Ruby, another Dallas nightclub owner who gunned down JFK assassin Lee Harvey Oswald in 1963. Caterine was investigated by the FBI for racketeering and links to infamous New Orleans Cosa Nostra boss Carlos Marcello. (The FBI informant was identified only as HO 1994-PC. Their relationship with the FBI was ultimately terminated for “being unproductive.”)

However, his allegations line up with other FBI documents released under Bellingcat’s FOIAs, which connect Bass and Jerry LaBarba to gambling and suggest that Richardson’s friends and associates were involved in gambling and racketeering both before and after his death.

A final tantalising line of inquiry into the criminal intrigue surrounding Richardson, Bass, LaBarba, and their pigeon-shooting and dice-rolling associates concerns a “Georgia banker” briefly mentioned in newspaper reports and the book about Jim Peters, the Texas Ranger. (Peters is dead, and any reports he may have written on the Richardson case have not been released.)

The banker, Lamar Hill, frequently chartered planes in the 1970s to Texas, Las Vegas, and the Caribbean, reportedly to gamble with friends. In 1973, Hill was convicted in a massive embezzlement case, after stealing more than $4.6 million (about $34 million today) from his bank over 21 years. When asked by reporters how he’d spent it, Hill replied: “I just don’t know. … That’s a hell of a lot of money.”

In Paul’s book, the author asserts that Peters claimed Richardson and Bass belonged to the same secretive gambling circle as a man who fits Hill’s description: “an influential banker in Georgia … prosecuted for embezzlement.” Paul wrote that the banker “testified that it was his practice to fly a bunch of gambling members to the Bahamas, and they would gamble on his plane, spend a couple of days in the sun, and fly back.”

Loose Ends: Police Files Likely Contain More Clues

It is likely that law enforcement agencies’ files hold more clues that could help solve Richardson’s murder. The FBI, for instance, has more than 12,000 pages and more than two hours of audio recordings related to Bellingcat’s request for records on Bruce Bass. But it released only 29 pages.

The waiting period to receive all of these files, a spokesman said, is six-and-a-half years. And the FBI has more files on Tharel Smith and Jerry LaBarba, too. 

The CCPD, which told Bellingcat it was reviewing the Richardson case “to determine whether it can/should be considered ‘closed’,” likely holds the most relevant cache of documents. Bellingcat and the Texas Observer have argued to the Nueces County district attorney that those documents should be released in the public interest—but the outlets are still waiting for a response.

Anyone with information regarding the unsolved homicide of William “Bill” Asher Richardson, Jr. is strongly encouraged to contact the Corpus Christi Police Department’s Robbery/Homicide Unit at 361-996-2840. Callers wishing to remain anonymous can submit tips through Crime Stoppers at 361-888-TIPS (361-888-8477) or online using the Crime Stoppers App.

---

Peter Barth is an investigator at Bellingcat whose work focuses on organised crime. Contact him at peter@bellingcat.com.

Gyula Csák, Lise Olsen, Beau Donelly, and Tristan Lee contributed research for this article. Interactive graphic by Logan Williams. Illustrations by Ann Kiernan, audio clips by Charlotte Maher and Merel Zoet.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here and Mastodon here.

The post Pigeon Shoots and Hitmen: New Leads in a Texas Oilman’s Cold Case appeared first on bellingcat.

Arrest warrants issued for ringleaders after investigation by police in Europe and North America

European and North American cybercrime investigators say they have dismantled the heart of a malware operation directed by Russian criminals after a global operation involving British, Canadian, Danish, Dutch, French, German and US police.

International arrest warrants have been issued for 20 suspects, most of them living in Russia, by European investigators while indictments were unsealed in the US against 16 individuals.

Continue reading...

© Photograph: Andrew Brookes/Getty Images/Image Source

© Photograph: Andrew Brookes/Getty Images/Image Source

This article is the result of a collaboration with TjekDet, Denmark’s fact-checking media outlet, Danish newspaper Politiken, and the Canadian Broadcasting Corporation (CBC). Watch CBC’s documentary here. 

Warning: This article discusses non-consensual sexually explicit content from the start.

MrDeepFakes billed itself as the “largest and most user-friendly” platform for celebrity deepfake pornography. The website, which was visited millions of times every month, hosted almost 70,000 explicit and sometimes violent videos, which had collectively been viewed more than 2.2 billion times.

They show mostly famous women whose faces have been inserted into hardcore porn with artificial intelligence – and without their consent.

In the background, an active community of more than 650,000 members shared tips on how to generate this content, commissioned custom deepfakes, and posted misogynistic and derogatory comments about their victims.

For years, the website has been shrouded in secrecy, existing in a legal grey area and concealing the identity of those who control it. Until now.

Bellingcat, in collaboration with Danish outlets Tjekdet, Politiken and the Canadian Broadcasting Corporation (CBC), has conducted an investigation to reveal the identity of a key administrator behind MrDeepFakes.

David Do is a 36-year-old Canadian pharmacist who, based on open source information, lives an unassuming and respectable life in the suburbs outside of Toronto. Photos and videos posted online show him with family, friends and colleagues. The university graduate has a well-paying job in a public hospital and drives a new Tesla.

But Do has been living a double life: in secret, he is the most prominent figure identified to have had control over the administration of MrDeepFakes. He was also an influential member of its growing online community, producing his own deepfake porn and assisting users who want to make their own.

Online posts show Do is a technically minded individual with a long-standing interest in creating and distributing adult content, and provide an insight into efforts to obfuscate his identity.

We identified Do by cross-referencing data from massive credential leaks, which are publicly available via breach databases. A series of burner emails, IP addresses, repeated usernames, and a unique password reveal a more than decade-long digital trail that allowed researchers to link him to MrDeepFakes.

Bellingcat, Tjekdet, Politiken and CBC have sent Do multiple requests for comment since late March but did not receive a response as of publication. Last month, the CBC hand-delivered correspondence to Do setting out the findings of this investigation, but he declined to comment.

Shortly after, Do’s Facebook page and the social media accounts of some family members were deleted. Do then travelled to Portugal with his family, according to reviews posted on Airbnb, only returning to Canada this week.

On Sunday, the MrDeepFakes site was shut down. “A critical service provider has terminated service permanently,” a notice on the platform says. “We will not be relaunching. Any website claiming this is fake.”

CBC approached David Do again on Monday but he refused to answer questions about his involvement with MrDeepFakes. “I don’t want to be recorded please,” he said. “I have to go. I’m busy right now.”

Update: David Do is on leave from his position as a hospital pharmacist, his employer confirmed on May 13, while an internal investigation is underway. Separately, the Ontario College of Pharmacists has said it is “taking immediate steps to look into this matter further and determine the necessary actions we need to take to protect the public”.

What is Deepfake Porn?

Deepfake pornography is the use of artificial intelligence to create non-consensual, sexually explicit images and videos. Research shows that 99 per cent of victims are women.

Actress Jenna Ortega, singer Taylor Swift and politician Alexandria Ocasio-Cortez are among some of the high-profile victims whose faces have been superimposed into hardcore pornographic content. 

But the technology is also being used on people who are not in the public eye. 

A 2024 survey found that at least one in nine high school students knew of someone who had used AI technology to make deepfake pornography of a classmate and The New York Times has reported that schools across the US were dealing with incidents of teenagers making deepfakes of their female classmates.

Adam Dodge, from EndTAB (End Technology-Enabled Abuse), said it was becoming easier to weaponise technology against victims. “In the early days, even though AI created this opportunity for people with little-to-no technical skill to create these videos, you still needed computing power, time, source material and some expertise. And now you need very little of those things,” he said.

“It is literally point-and-click violence against women. Some of these apps only require one photo of the target, and you, on the app, literally use your finger to drag the woman’s face into a video and then just release it and AI does the rest, editing that victim into the photo. And then you press play and it now appears that the victim from the photo is engaging in sex acts.”

Dodge said the MrDeepFakes site had grown since 2008 and added features that were typically used by regular businesses to promote an air of legitimacy. “ It’s incredible and I’m incredulous that the site has been allowed to survive this long,” he told Bellingcat.

“This is sexual violence, and it’s as harmful as any other form of sexual violence in our opinion. I’ve talked to mental health professionals who work with rape and trauma survivors, and they analogise it to a woman who is sexually assaulted while unconscious or drugged, and it’s filmed, and then they have to watch it later.

“They have no memory of this happening to them. But the simple act of watching it is deeply traumatic and that’s what this technology manufactures. And the permanency and the public nature of it are the two, I would argue, most powerfully traumatic things that victims often experience.”  

Governments around the world are scrambling to tackle the scourge of deepfake pornography, which continues to flood the internet as technology advances. In Canada, the distribution of non-consensual intimate images is illegal, but this is not widely applied to deepfakes. Canadian. Prime Minister Mark Carney pledged to pass a law criminalising the production and distribution of non-consensual deepfakes during his federal election campaign.

In the US, legislation varies by state, with about half having laws against deepfake pornography. The US Congress last month passed the Take it Down Act, which criminalises the distribution of non-consensual deepfake pornography at the federal level. President Donald Trump is expected to sign the bill into law. 

The EU does not have specific laws prohibiting deepfakes but has announced plans to call on member states to criminalise the “non-consensual sharing of intimate images”, including deepfakes. Member states will not enact these laws until 2027. In the UK, it is already an offence to share non-consensual sexually explicit deepfakes, and the government has announced its intention to criminalise the creation of these images. Australia passed new laws to combat sexually explicit deepfakes last year.

‘Fake It Till You Make It’

The identity of the person or people in control of MrDeepFakes has been the subject of media interest since the website emerged in the wake of a ban on the “deepfakes” Reddit community in early 2018.

But the porn site’s hosting providers have bounced around the globe and premium memberships can be bought with cryptocurrency, which have made it virtually impossible to trace ownership.

Adam Dodge, the founder of EndTAB (End Technology-Enabled Abuse), said MrDeepFakes was an “early adopter” of deepfake technology that targets women. He said it had evolved from a video sharing platform to a training ground and marketplace for creating and trading in AI-powered sexual abuse material of both celebrities and private individuals.

“Our digital world is really good at empowering people who want to do harm by allowing them to remain anonymous while simultaneously making it almost impossible for victims to unmask them,” he said.

In January, Bellingcat, in collaboration with the German YouTube channel STRG_F, examined the companies behind two apps used for creating deepfakes that it advertised prominently on its homepage.

For this investigation, researchers conducted a forensic analysis of the forums on MrDeepFakes’ website. The forums are a virtual marketplace where members commission deepfakes and trade tips on making videos with the same technology that is used for creating revenge porn.

Videos posted to the tube site are described strictly as “celebrity content”, but forum posts included “nudified” images of private individuals. Forum members referred to victims as “bitches”and “sluts”, and some argued that the womens’ behaviour invited the distribution of sexual content featuring them. Users who requested deepfakes of their “wife” or “partner” were directed to message creators privately and communicate on other platforms, such as Telegram.

A search of the forums returned two accounts for MrDeepFakes “staff members”. One joined in March 2019 and is also listed as a “moderator”. The other joined in February 2018 and is also listed as an “administrator” (two additional administrator accounts, created in 2018 and 2021, were not listed as staff members, and one now-defunct account previously tagged as staff and moderator was created in the year after the site was set up).

Therefore, the focus of this investigation ​was the​ oldest account in the forums, with a user ID of “1” in the source code, which was also the only profile found to hold the joint titles of staff member and administrator. The long-time handle used by this account was “dpfks”.

Researchers began by analysing the profile. The dpfks bio contained little identifying information, but an archive from 2021 shows the account had posted 161 videos which had amassed more than five million views. It earned the badge of “Verified Video Creator”.

Forum posts document dpfks’ involvement as a creator and leader in the community. Archives show dpfks posted an in-depth guide to using software that creates deepfake porn, published website rules and content guidelines, advertised for volunteers to work as moderators, and gave technical advice to users. 

Dpfks’ posts carried the tagline: “Fake it till you make it.”

In a 2019 archive, in replies to users on the site’s chatbox, dpfks said they were “dedicated” to improving the platform. “There is a reason why we are the biggest deepfake site. I care about the community and teaching others.

“I don’t think other site owners care enough to make their own deepfakes, and keep uptodate [sic] with it. My first few deepfakes were s**t too, the more you make, the better you get.”

David Do’s Links to MrDeepFakes

Pirated Movies to Deepfake Porn

David Do keeps a low profile under his own name, but photos of him have been published on the social media accounts of his family and employer. He also appears in photos and on the guest list for a wedding in Ontario, and in a graduation video from university.

Do’s Airbnb profile displayed glowing reviews for trips in Canada, the US and Europe (Do and his partner’s Airbnb accounts were deleted after CBC approached him on Monday). His home address, as well as the address of his parents’ house, have both been blurred on Google Street View, a privacy feature that is available on request.

In the late 2000s, while studying at university, Do was involved in the creation of Xinoa (xinoa.net), a warez forum. Do’s personal Hotmail address, which includes his full name, is visible in source code as an admin contact for the site, archives from 2008 show.

The profile page “ddo” is tagged as the “Root Admin” and “Xinoa Owner”, and lists a date of birth matching that of Do. The profile includes download links to television shows, one of which was accompanied by a comment about “exam week” in 2009, when Do was studying at university. This username is also similar to Do’s Instagram profile (“ddo.jpg”), a link to which was included in the bio section of his Facebook account under the name “Doh Dave”. Both social media accounts have been deleted.

An account on an internet marketing forum was registered using a Xinoa administrator email address, breach data shows. That account was linked to an IP address owned by the University of Waterloo, where Do earned degrees in biomedical science in 2010 and pharmacy in 2014, according to Rocketreach.

The 2015 Ashley Madison data breach shows user “ddo88” registered on the dating site with Do’s Hotmail address and was listed as an “attached male seeking females” in Toronto. They described themselves as being of Asian ethnicity, 173 cm tall and weighing 66 kg. The breached profile was linked to a Toronto-based address and also contained a date of birth, which matches Do’s birth date in public records.

Xinoa would become the springboard for a more sophisticated operation.

In February 2018, when Do was working as a pharmacist, Reddit banned its almost 90,000-strong deepfakes community after introducing new rules prohibiting “involuntary pornography”. In the same week, MrDeepFakes’ predecessor site dpfks.com was launched, according to an archived changelog.

An analysis of the now-defunct domain shows the two sites share Google analytics tags and back-end software – as well as a forum admin who used the handle “dpfks”. Archives from 2018 and 2019 show the two sites redirecting or linking to each other. In a since-deleted MrDeepFakes’ forum post, dpfks confirms the link between the two sites and promises the new platform is “here to stay”.

“MrDeepFakes.com was formerly dpfks.com and we opened our doors shortly after the Reddit ban,” the 2018 post said. “I know joining a new forum or community feels like starting fresh, and starting over, but the community is small, and all the important players will stick together. I promise to keep this community running as long as I can, so that the deepfake community does not have to scramble and relocate again.”

Later in 2018, in a post on Voat, a defunct online message board similar to Reddit, dpfks said they “own and run” MrDeepFakes. In response to another user, dpfks refers to their life outside of operating a porn website. “I just got home from my day job,” the post said, “now back to this!” Some of dpfks’ earliest posts on Voat were deepfake videos of internet personalities and actresses. One of dpfks’ first posts on the MrDeepFakes’ forums was a link to a deepfake video of video game streamer Pokimane.

Other targets included the American politician Alexandria Ocasio-Cortez, for whom dpfks shared a folder containing more than 6,000 images that could be used to create deepfake pornography. Before it shut down this week, MrDeepFakes hosted 125 graphic videos tagged with Ocasio-Cortez that had collectively received more than 5.3 million views. After discovering she had been transposed into a deepfake porn video last year, Ocasio-Cortez told Rolling Stone that “digitizing violent humiliation” was akin to physical rape and sexual assault. 

Another target of dpfks was American YouTube personality Gibi_ASMR, who gained popularity online with her ASMR (Autonomous Sensory Meridian Response) videos. Dpfks created and shared pornographic deepfakes of the YouTuber on the MrDeepFakes forums. In a statement published by EqualityNow in 2021, she said: “They’re running this business, profiting off my face doing something that I didn’t consent to, like my suffering is your livelihood. It made me really mad, but again, there was nothing I could do so I just had to leave it.”

In 2018, dpfks posted a two minute deepfake video of an Academy Award-winning American actress with the description: “[Name omitted] doesn’t do porn, but in this fake video she is completely naked with her legs spread in the air. Watch her face … while she struggles to take it.”

Forum posts under various aliases match those found in breaches linked to Do or the MrDeepFakes Gmail address. They show this user was troubleshooting platform issues, recruiting designers, writers, developers and search engine optimisation specialists, and soliciting offshore services.

The username “AznRico” was commonly associated with Do’s email account and could be found across several postings online. In 2009, years before MrDeepFakes was launched, this now-banned user posted to an internet marketing forum discussing online money-making techniques, including the monetisation of video traffic.

AznRico also posted on an auto lighting forum in 2009 to ask for advice about fixing headlights for a car in Canada – a 2006 Mitsubishi Lancer Ralliart. In another thread on the same forum, AznRico uploaded several images of the car, one of which was archived and contained metadata indicating that it was captured on a Sony Ericsson K850i.

In 2008, on a separate forum, AznRico said he had this model phone and posted about troubleshooting the device (that forum was subject to a data breach exposing David Do’s personal Hotmail address and unique password).

Public records obtained by CBC confirm that Do’s father is the registered owner of a red 2006 Mitsubishi Lancer Ralliart. While Do’s parents’ house is now blurred on Google Maps, the car is visible in the driveway in two images from 2009, and in Apple Maps imagery from 2019. CBC confirmed the car was still at the house last week.

In 2011, on a freelance job board, AznRico asked for help building a video streaming plugin. This profile also listed that the user was based in the same Ontario city where Do’s parents’ home is located. In 2018 – the same year MrDeepFakes was launched – AznRico asked for advice to fix slow load times on their porn site, which they said received about 15,000 to 20,000 visitors a day. Breach data shows this account was linked to Do’s personal Hotmail address.

In one forum post from January 2020, user “dj01039” complains that PayPal had limited their “stealth account”, which was used to “sell virtual goods” (PayPal was intermittently available as a payment option on MrDeepFakes). The username dj01039 matches the abbreviation of an email address (davidjames01039@gmail.com) that was linked to a PayPal donation button on MrDeepFakes in December 2019. 

In June 2020, on another forum, a user with the same alias (who later changed it to “ac2124”) said their stealth account had been permanently closed and wanted to know about front companies that could accept payments on their behalf. The user described themself as the “webmaster of an adult tube site” who takes a cut from creators who post original porn videos, and also earns revenue from running ads. By December 2020, ac2124 said their website was earning between $4,000 and $7,000 a month.

Breach data also links the MrDeepFakes Gmail to an account on support forums for Kernel Video Sharing (KVS), a commercial content management system, where user “mongoose657” (formerly dj01039) sought help managing a video tube site. The discussions, from 2021 to 2024, were consistent with backend issues encountered when running a large website: storage solutions, ticket system failures, and outsourcing development work.

On the adult webmaster forum GoFuckYourself.com in 2020, dpfks (subsequently changed to “mjmango”) enquired about anonymous debit cards, which were advertised as allowing users to withdraw cash or pay for purchases anonymously. In 2021, mjmango responded to another user’s enquiry about how to monetise tube sites.

In another forum, ac2124 enquired about countries to form an offshore company and expressed concern about “know your customer” checks, which are used by the banking sector to confirm the identity of their customers. In a 2020 post, ac2124 said they had decided to make a “dummy site/front” for their adult site and enquired about online payment processing and “safe funds storage”.

In 2022, ac2124 sought advice for a Canadian citizen who operates an “adult niche website” and asked about “a company setup that focuses on privacy”. The post said: “At a bare minimum, this person shouldn’t be listed on any public registrar (as director, shareholder, UBO, etc). Open to using nominees, opening trusts, etc. What are some setups, or jurisdictions that should be looked into?” This user also asked specifically about setting up a company in the British Virgin Islands or Cayman Islands, both secrecy jurisdictions.

In late 2023, mjmango left positive feedback for an adult graphic designer below a post from the designer containing a MrDeepFakes logo. “Purchased another logo recently. As always great communication and allowed multiple re-edits,” the comment said. In March 2024, ac2124 posted about delays accessing a service that creates a “proxy” for a “high-risk website” so it can process transactions from the online payment processor, Stripe.

In April 2024, Dutch outlet Algemeen Dagblad (AD) reportedly made contact with the owner of MrDeepFakes, who was anonymised in their subsequent reporting. AD reported that this person claimed to have sold the website, but did not provide any evidence to support this claim. Our investigation could not confirm whether the site was ever sold, and if so when. 

David Do did not respond to multiple requests for comment about his involvement with MrDeepFakes.

Correction: This story initially said the AznRico post about the K850i phone was from 2009, when it was 2008. The article was updated on May 8 to reflect this.

---

Ross Higgins, Connor Plunkett, Beau Donelly, George Katz, Kolina Koltai and Galen Reich contributed to this article.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here and Mastodon here.

The post Unmasking MrDeepFakes: Canadian Pharmacist Linked to World’s Most Notorious Deepfake Porn Site appeared first on bellingcat.

In early January, agents from the El Centro division of US Customs and Border Protection (CBP) descended on the central Californian city of Bakersfield and the surrounding Kern County as part of “Operation Return to Sender”. The unit said the mission was highly targeted and aimed to apprehend immigrants with criminal records. 

Yet exactly how targeted the mission was has become a point of significant tension, with rights and labour groups claiming it was anything but.

El Centro sector, which is based in the southern United States border city of the same name, said the operation resulted in the arrest of 78 people. Most were Mexican nationals and many had lived in the US for decades. According to a lawsuit, 40 people were deported after the operation. Some were removed from the US within days of being arrested.

The raids – which saw officers operating at gas stations, a Latino shopping market and during traffic stops – shocked many in Bakersfield. They were also unique given they were carried out by CBP officers, rather than by Immigration and Customs Enforcement (ICE), many hundreds of miles from the southern border. 

Bellingcat worked with our partners at Evident and CalMatters, two US-based nonprofit newsrooms, to build a picture of the raids from available social media footage. We analysed close to 90 videos and geolocated just over 50 of them, highlighting 24 unique spots where CBP units were operating during the mission.

Evident and CalMatters also visited El Centro and spoke to border agents, including the unit’s leader.

While they claimed to have a targeted list of people they wanted to arrest, CBP documents obtained by Evident and CalMatters appear to reveal that there was no prior knowledge of criminal or immigration history for 77 of the 78 people arrested. Only one had been flagged for prior removal, suggesting that the rest had been captured after chance encounters or stops by border agents. 

Gregory Bovino, the head of the El Centro CBP sector, said that any immigrants that agents encounter during the course of their work can expect to be arrested given they have already broken the law simply by entering the US.

CBP units conducting an operation so far in land (more than 320 miles from El Centro and the border with Mexico as well as over 100 miles of the California coast) was also something that Bovino suggested could continue further north in California.

But groups like the Americans for Civil Liberties Union (ACLU) have vowed to fight such tactics, telling Evident and CalMatters that they are a violation of constitutional rights and an overreach by CBP.

Bree Bernwanger, Senior Staff Attorney at the ACLU for northern California said that there is some authority for CBP to make immigration arrests. But Bernwagner added that the incidents in Bakersfield and the surrounding area were not “rooted in law”. 

“There’s a limit on their ability to arrest people without a warrant. They have to figure out if they’re a flight risk first. That means asking them about their community ties. It means trying to figure out are they going to escape, or are they just going to go home and live with their families,” Bernwagner said.

The ACLU has since asked for a temporary injunction to halt CBP units using such tactics.

But for those deported in the Bakersfield operation, it is already too late.

“Their families, their homes are left behind, and the community is devastated. That is not public safety”, Bernwanger said.

Watch the full Evident documentary here and read CalMatters’ version of the story here.

---

Sergio Olmos and Wendy Fry reported this story for CalMatters. Kevin Clancy reported for Evident.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here and YouTube here.

The post US Border Patrol Called Raid 300 Miles From Border ‘Targeted’. Open Source Evidence Suggests Otherwise appeared first on bellingcat.

This article is the result of a collaboration with The Sunday Times. You can find their corresponding piece here.

On the last Friday in December, a German businessman in his mid-40s allegedly met a small aircraft on a dusty runway in remote Western Australia. The following evening in Perth, seven hours’ drive south, he and another man were arrested and charged with trafficking a commercial quantity of a controlled drug.

Police said a search of their hotel rooms uncovered 200kg of cocaine, packed in suitcases in single one-kilogram blocks, along with night vision goggles, aviation equipment and a hardware cryptocurrency wallet.

It was the culmination of a three-month Australian Federal Police (AFP) investigation codenamed “Operation Mirkwood”. Authorities estimated the street value of the drugs to be AUD $65 million and AFP Inspector Chris Colley said an “organised crime syndicate” was likely responsible for the scheme.

The German businessman was Oliver Andreas Herrmann, a 44-year-old champion marathon runner and the director of multiple companies with diverse interests spanning various jurisdictions.

Herrmann and the other man who was charged are due to face court again in May. They have not yet entered a plea and the presumption of innocence applies. Herrmann, who has no known convictions, had not responded to multiple requests for comment as of publication. 

The Sunday Times reported in January that Herrmann has “close financial ties” to Christy Kinahan, the 67-year-old founder of the eponymous international drug cartel who is wanted by authorities around the world. Last month it reported that Herrmann “acted as Kinahan’s representative on the ground” in Indonesia and quoted a source who said Herrmann once introduced him to the cartel leader.

“Kinahan was Oliver’s boss,” the source told The Sunday Times. “He was afraid of him. Kinahan was always shouting at him.” 

Bellingcat and The Sunday Times have previously reported on the US-sanctioned Kinahan Organised Crime Group, using Kinahan’s own Google Maps profile to plot his movements over five years and identify the cartel leader’s business associates.

That investigation revealed that the normally elusive crime boss – known as the “Dapper Don” – posted hundreds of reviews under the alias Christopher Vincent, disclosing his precise locations across three continents, including in Dubai where he lives in hiding. Bellingcat contacted Kinahan but did not receive a response.

We have now conducted an open source analysis of Herrmann’s online footprint to build a picture of the man Australian authorities accuse of trafficking drugs last Christmas. The findings paint a portrait of an avid runner and international businessman who is more accustomed to poolside video conferences than an alleged drug drop in the Australian desert.

This investigation has traced Herrmann to locations associated with the cartel. These include a building in South Africa that Kinahan reviewed on his Google Maps profile, and to the Zimbabwean capital of Harare the day before a conference that the Irish drug lord said he attended.

It also sheds light on the complex network of international firms linked to Herrmann, either directly or through his associates. One of these firms shares an address with a company that reportedly received payments ultimately destined for Christy Kinahan.

Racing Around The World

Oliver Herrmann is a German national who has referred to Munich as his “home city”. He is also a South African resident, according to the AFP, and reportedly travels on a Swiss passport. Herrmann gave his nationality as Swiss in company documents filed in Singapore, while in registration documents in the UK he said he was German. He has listed his country of residence as Indonesia and Singapore.

Corporate records indicate that Herrmann has been involved at senior levels with companies active in the fields of fintech, mining and consulting. Until recently Herrmann was on the executive board of a German “international raw materials company” whose parent company, according to its website, is to be listed on the Düsseldorf Stock Exchange. The company told Bellingcat in February that Herrmann was removed from his board position after it learned about the allegations in Australia and said he no longer had any role with the organisation.

Herrmann’s Instagram account is set to private but he has a public profile on Strava, a fitness app used for recording exercise that often includes GPS-tracked routes (see Bellingcat’s Strava activity map guide here).

An acclaimed runner who won the 2016 Munich Marathon, Herrmann regularly logged his runs on Strava. Photos posted to the account confirm he is the same person pictured in an Australian media report about his court appearance in January over the alleged drug bust.

Herrmann’s Strava account has logged more than 2,500 activities in 29 countries across Europe, Asia, Africa, South America and the Middle East between 2013 and 2023. He has also posted at least 130 photos documenting his extensive travels. They show a dedicated athlete who appears to enjoy a jet-setting lifestyle, with many featuring scenic and tropical locations.

Herrmann’s Strava account shows that, like Kinahan, he has frequently traveled to Zimbabwe. An analysis of Herrmann’s runs shows he logged almost 500 activities in Harare between February 2018 and May 2022. Meanwhile, Kinahan posted 25 Google reviews in Harare between June 2019 and September 2021.

In one of these reviews, the leader of the transnational organised crime syndicate said he spent four nights at the Amanzi Lodge hotel for a “business networking conference” that was hosted by two companies. The conference ran from October 8 to 11, 2019, according to one of the company’s social media accounts. In two photos posted online, an individual with similar features to Kinahan is seen at the event.

On October 7, the day before the conference began, Herrmann logged a run just 5.5 km from the venue where Kinahan said he stayed. Herrmann’s 2019 Strava activity in Harare suggests he spent time close to this location, near the city’s affluent suburb of Borrowdale, with dozens of runs starting and ending on the same residential road. After October 7, Herrmann’s next Strava run was recorded three days later in Dublin, Ireland.

Two of Herrmann’s runs from 2021 and 2022 take place in downtown Dubai, about 250 meters and 550 meters from the office of a sanctioned company that the US government said is owned or controlled by Christy Kinahan’s son, Daniel Kinahan.

The 2021 run starts and ends outside a five-star hotel where Daniel Kinahan was photographed. The photo in the since-deleted tweet, which was the subject of media coverage at the time, was posted three days after Herrmann’s Strava run and geotagged to Dubai. A reverse image search shows that the picture of Daniel Kinahan was taken inside the Dubai hotel.

Herrmann’s Strava profile also displays information about his business activities. A 2018 post, captioned “Office view in ZIM”, includes a photo of an open document on a laptop screen. Titled “Mining Project Teaser”, the document touts the attractiveness of Zimbabwe’s “open for business” policy for foreign investors.

On the header is “Gemini Global Pte Ltd”, a Singapore-based company of which Herrmann is the director and secretary, according to corporate records. Herrmann reportedly filed a police complaint after Gemini lent US $500,000 for an Indonesian mining project that failed in the early 2010s. More than two dozen runs logged by Herrmann begin and end at the registered address for the Singapore company.

Other locations logged on Strava appear to be linked to companies Herrmann is involved in, suggesting his frequent travel may be business-related. Some runs explicitly mention an office, including one in Singapore in 2015 and three in Dublin in 2016.

Herrmann is listed on Crunchbase as the chief financial officer of defunct Irish fintech, Leveris Limited, which reportedly collapsed in 2021 with debts of €38 million. Records from Ireland’s Companies Registration Office show he was also a director of the company. Herrmann has logged Strava runs in Minsk and Prague, other cities where Leveris had business connections.

Running Mate

A series of companies involved in trade, real estate and corporate finance appear to be linked to Herrmann’s domestic partner. This woman was identified through an analysis of social media posts. In the comments of an Instagram post about his Munich Marathon win, several users tagged the woman’s account. Herrmann’s Strava profile also follows a user by the same name, and includes a photo of him with an identical-looking woman during a run in France.

An analysis of the woman’s Strava account shows that multiple runs logged in different countries over six years match where Herrmann’s GPS-tracked routes start and finish. She is tagged as a companion in at least one run recorded on Herrmann’s profile.

Three videos posted to the woman’s now-deleted Instagram account show a man strongly resembling Herrmann during a hike at Cape Town’s Table Mountain, visiting Mapungubwe National Park, and on a game drive with two boys near Lake Kariba. Photos also show a boat trip and a beach outing with several children in which a man with similar features to Herrmann is seen with his back to the camera. A photo posted to the woman’s Twitter account a decade ago also shows a man who resembles Herrmann.

The woman is also tagged in an Instagram post by a Thai mining magnate whose company is listed as a shareholder of the German company that recently removed Herrmann from its board. The Thai woman’s Instagram includes photos of Herrmann and his partner going back years, including during a 2022 “business trip” in Dubai.

The Corporate Web

An open source search identified a person with the same first and last name as Herrmann’s partner involved in three companies. Corporate records show she was listed as the owner of defunct Indonesian firm PT. Gemini Nusa Land, which was involved in real estate, and previously the director of another company, also headquartered in Indonesia.

The third company is South Africa-registered 247 Capital Group, where business data provider b2bhint.com lists her as a director. These details were verified through South Africa’s official registry. A generic-looking website for the firm says it is a leading “corporate finance group” staffed by “specialist capital raising managers”. The website’s contact section lists two addresses: one is a small house on Long Island, New York; the other is a high-rise building in Johannesburg called The Leonardo.

Herrmann’s Strava profile shows he has logged two morning runs ending directly outside The Leonardo, in April and May 2022. Kinahan has also been to The Leonardo: he wrote about visiting the building and posted photos of the interior in Google reviews from September 2021.

An analysis of 247 Capital’s website using ViewDNS, a tool that examines websites, determined that it shares an IP address with three other sites. There are multiple reasons why websites can share IP addresses and it does not necessarily mean they are related. In this case, however, there is evidence that 247 Capital may be linked to the other sites.

The first is for a US-based company called Ryba LLC; the second is for an Indonesia company called PT. Sukses Dagang Bersama (abbreviated to “SDB Trading” online); and the third is a placeholder for a web developer that designed the sites for 247 Capital, Ryba LLC, and PT. Sukses Dagang Bersama.

Herrmann’s partner had not responded to requests for comment as of publication. There is no suggestion that she is involved in illegal activity.

Ryba LLC

Last year, The Sunday Times reported that a company with a mailing address at the Trump Building was the recipient of two payments totalling US $850,000. It said the funds were lodged to a company account in South Dakota and the beneficiary was listed as Adam Wood, a known associate of Kinahan who attended a 2019 aviation conference in Egypt with the cartel leader. The newspaper said these payments were part of a series of international wire transfers totalling US $1.25 million of which Kinahan was the ultimate beneficiary.

Today, The Sunday Times reveals that the payments of US $850,000 were made to Ryba LLC.

Ryba LLC’s website lists its address as the Trump Building on Wall Street in New York. Companies with this name are registered in the US, but corporate records show that none are located in New York.

The phone number on Ryba LLC’s website was linked to a New York law firm via the crowd-sourced contact book app, TrueCaller. An online search for the firm shows it has an office in the Trump Building, and searches for the Long Island address listed on 247 Capital’s website returned a hit for a lawyer who works at this firm.

The Long Island address also appeared in a small-claims court record, which named the home owner as the lawyer who works in the Trump Building. A digital copy of the deed from the Nassau County Clerk shows the lawyer bought the house 25 years ago. Bellingcat called the Clerk’s office to confirm the deed was still current.

According to the lawyer’s bio, they are an “Anti Money Laundering Specialist” who works in wealth and tax planning, trust and estate administration, and asset protection. The lawyer and the firm had not responded to requests for comment as of publication. There is no suggestion that the lawyer or firm are involved in illegal activity.

Searches on LinkedIn for staff who work for Ryba LLC returned a result for an employee who lists their current role as a senior project finance manager at the company. Their previous position, according to the profile, was head of accounting at Leveris, the Irish company where Herrmann previously served as chief financial officer.

In the photo on Herrmann’s Strava account showing the mining proposal document, a meeting notification for the employee is visible in the top right of the laptop screen. The employee’s LinkedIn account is no longer online, but their details have been saved on RocketReach, a site that aggregates professional data from online platforms.

The employee had not responded to requests for comment as of publication. There is no suggestion that they are involved in illegal activity.

PT. Sukses Dagang Bersama

Bellingcat purchased the Indonesian corporate record for PT. Sukses Dagang Bersama. Its “commissioner” is listed as Conor Fennelly, Herrmann’s former business partner and one-time chief executive of Leveris.

However, Fennelly told Bellingcat that he had “never heard of” the Indonesian company and had “no knowledge” of its operations. He also said he had no business connection to Herrmann outside of Leveris and had not been in contact with him since the Irish tech firm collapsed in 2021.

After providing a copy of the Indonesian business documents showing his listing as commissioner, Fennelly said he “didn’t authorise this” or sign paperwork taking on any role at the company. He confirmed that his name, address and passport information on the document was accurate.

“Oliver and several others at Leveris would have had that,” he said. “The company was founded [in] 2021 and interestingly this is months after Leveris went under and months after my last contact with Oliver, assuming he is the reason my name appears here.”

Fennelly said he met Herrmann through an associate at Leveris in 2016, and that Herrmann subsequently invested in the company and became its chief financial officer. Fennelly found Herrmann to be “reliable, calm, competent and trustworthy”, he said, adding that news of his arrest in Australia came as a “complete shock”. Fennelly said he believed Herrmann had been living in Zimbabwe and training as a runner.

Corporate records also show that PT. Sukses Dagang Bersama was originally established in 2013 under a different name, Maksimum Jaya Segar. A person with the same first and last names to Herrmann’s partner is listed as a director of the company from December 2017 to November 2021. Her listed address is in a residential neighbourhood west of Jakarta, where Herrmann and his partner have logged dozens of runs.

Aircraft and International Trade

PT. Sukses Dagang Bersama was involved in the sale of an aircraft that was exported from the US to Africa last year, Federal Aviation Administration (FAA) records show. The FAA documents say the company bought the plane – a Beechcraft King Air 350 – in early 2024.

Flight tracking website ADS-B Exchange shows that the twin-turboprop aircraft arrived in Harare after the last leg of its journey on February 23, 2024. The ferry pilot who transported the aircraft posted images of the trip to Facebook, which were tagged in Harare on the same date. The plane has been active since its delivery, travelling to airports in Zimbabwe, South Africa and Botswana. Images from plane spotters in South Africa in April and May 2024 show the aircraft with Malawi registration number 7Q-YAO on its side.

Two days after the plane was delivered to Harare the pilot posted a photo of himself with three other men in front of the aircraft, captioned “Acceptance demo flight”. The pilot and one of these men have previously flown a different aircraft, a Pilatus PC-12, that has been associated with a Kinahan-linked company.

The US $850,000 payment to Ryba was linked to a dispute over the purchase of this aircraft, according to The Sunday Times.

The pilot posted a photo to Facebook before transporting the Pilatus PC-12 from South Africa to the US in 2022 after it was sold to an unrelated buyer. But three years earlier, the Pilatus PC-12 was pictured in a Twitter post by CVK Investments LLC, a company that Irish police said was associated with Kinahan.

The July 2019 post said CVK was investing in the aircraft for an “air ambulance joint-venture business in Africa”. The aircraft pictured in the post shows its serial number “342”, matching the plane in the pilot’s Facebook post. While an aircraft’s registration number can change, the serial number is assigned by the manufacturer and remains the same (see Bellingcat’s flight-tracking guide here).

The second man is an employee at Malawi’s aviation authority who is referenced in a Facebook photo as being one of the pilots during an August 2021 flight in the Kinahan-linked Pilatus PC-12.

The identity of the Malawi-registered plane was confirmed by its registration number at the time, “7Q-XRP”, visible on the control panel in the photo. The cockpit is identical to one pictured in a Google review posted by Kinahan a month later in September 2021.

The pilots had not responded to requests for comment as of publication. There is no suggestion that they are involved in illegal activity or that either of the planes has traveled to Australia.

PT. Sukses Dagang Bersama is also listed in publicly available import/export records for mining-related and narcotic products between countries including India, Nigeria, Peru, Turkey and Russia.

Records from import/export data provider 52wmb show that in one 2023 shipment from India to Nigeria, PT. Sukses Dagang Bersama is listed in the product description for a delivery of the narcotic “Pentazocine Injection”, an opioid used in medicine that is also reportedly misused and sold on the underground market in Nigeria.

Also listed in the product description field is another company, Turkoca Import Export Transit Co Ltd. This Korean-based company was sanctioned by the US in May 2022 for being part of an Iran-linked oil smuggling and money laundering network.

The product description usually contains information about the items being exported. A potential explanation for company names appearing in this section is that they are “notify parties”, which are entities such as buyers, suppliers and brokers who should be informed when the cargo arrives. PT. Sukses Dagang Bersama appears as a “notify party” in the product description for another shipment to Nigeria from a different Indian pharmaceutical company.

PT. Sukses Dagang Bersama is also listed in 2024 import records for shipments of accessories for heavy machinery to Turkey from a Peruvian company that makes mining equipment. In records from Dataontrade.com it also appears as an exporter of “spare parts” for similar machinery, this time from Turkey to Russia.

Oliver Herrmann had not responded to requests for comment as of publication. Herrmann’s lawyer said: “I am not instructed to comment on these matters.”

Emails to 247 Capital Group, Ryba LLC and PT. Sukses Dagang Bersama were not returned.

Australian Cocaine Charges

Oliver Herrmann and his co-accused, Australian man Hamish Scott Falconer, 48, appeared in Perth Magistrates Court in January. Both men have been charged with one count of trafficking a commercial quantity of cocaine.

Herrmann also faces four counts of failing to comply with an order, according to a report in The West Australian, while Falconer is also facing one count of possessing a controlled drug and one count of failing to comply with an order.

Local media reported that neither of the men applied for bail and no pleas were entered.

The Australian Federal Police said the men were arrested in Perth’s central business district on December 28 as part of an operation that began in October.

The AFP alleges that the men met at Perth Airport in November and drove to Kojonup Airport, about 250km south of Perth. Investigators said the pair departed Western Australia in the following days but later returned separately.

Falconer returned to Perth on December 26, according to police, where he hired a vehicle and transported multiple suitcases and jerry cans. Herrmann allegedly met a small aircraft at the Overlander Airstrip on December 27, returning to Perth and meeting Falconer the following day. Police said that the men bought more suitcases, before discarding them along with jerry cans in a shopping centre rubbish bin.

Police said a search of Falconer’s hotel room uncovered about 200kg of cocaine, in six suitcases, as well as electronic devices, night vision goggles and an airband VHF radio. They said they searched Herrmann’s hotel room and seized four empty suitcases, aviation navigational equipment, a hardware cryptocurrency wallet and other electronic devices.

Both men were charged with trafficking a commercial quantity of a controlled drug, which carries a maximum penalty of 25 years’ imprisonment.

Local media reported that Herrmann and Falconer are due to appear in court again in May. 

---

Connor Plunkett, Peter Barth and Beau Donelly contributed to this article.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here and Mastodon here.

The post Nowhere to Run: The Online Footprint of an Alleged Kinahan Cartel Associate appeared first on bellingcat.