This story was produced in partnership with Agence France-Presse (AFP).

In a field near the small town of Bezymenne in southern Ukraine, Viktoria Shynkar carefully picks out a narrow path through the overgrown grass in front of her. 

This small corridor of farmland in Mykolaiv Oblast will be checked for the presence of landmines and explosive ordnance. 

If clear, Shynkar – a 36-year-old who worked as a hairdresser before Russia’s full-scale invasion in February 2022 – will move forward and create another space of the same size.

While she enjoys spending her days outside, it remains painstaking and dangerous work.

Shynkar and her colleagues, who work for the demining charity the Halo Trust, uncovered 243 TM-62 Soviet-designed anti-tank mines left by the Russian army in a neighbouring field.

A chunky and intimidating 32-centimetres in diameter and 13-cm-wide, the TM-62 contains 7.5 kilos of TNT and can puncture a tank if triggered. 

The presence of landmines and other unexploded ordnance is a significant issue in Ukraine, impacting civilians and Ukraine’s agricultural industry – a major employer and source of income to the country.

Data Challenges

Numerous bodies have sought to calculate the impact of landmines on Ukraine since the onset of Russia’s full invasion.

Established by the Ministry of Defence, the country’s National Mine Action Centre (NMAC) has produced a map that highlights areas it confirms as hazardous, are suspected of being hazardous as well as those that have been cleared or checked for hazards. It can be seen here and in the image below.

The information is collated from over 80 demining groups operating in the country, which employ people like Shynkar. They collect data from the field and share it with the NMAC who upload it to this map made using the IMSMA platform produced by the Geneva International Centre for Humanitarian Demining.

Support Bellingcat

Your donations directly contribute to our ability to publish groundbreaking investigations and uncover wrongdoing around the world.

Donate

Yet the data the NMAC map contains, while significant, is only partial. 

For example, it only creates a picture for the Ukrainian side of the front line, and just parts of it at that, with an area 20 kilometres from the frontline inaccessible to demining groups. Those same demining groups are also not operating in Russian-controlled regions, making the overall picture even less clear.

Furthermore, just because an area may be noted as not being impacted in landmine datasets doesn’t mean that it is not at risk from mines or other explosive ordnance that may not have detonated on impact. Some may simply not have been found yet.

Waiting for Demining Groups To Visit

This is a concern for Ihor Kniazev, a farmer from the town of Dovhen’ke in Kharkiv Oblast. He complains to AFP that he has been waiting a long time for demining groups to visit. “Every year, they promise ‘tomorrow, tomorrow, we will clear all the fields’,” he says.

Kniazev says that he undertook the dangerous task of clearing his own fields with a metal detector. “Everyone clears mines themselves, absolutely everyone,” he insists. He even says that he ran over a mine in his tractor and was lucky not to be injured.

An interactive map shows the area around Dovhen’ke overlaid with data from Ukraine’s National Mine Action Centre (NMAC). Areas shaded red depict confirmed hazardous areas, according to NMAC data. Areas shaded yellow depict suspected hazardous areas, according to NMAC data. Data source here. Areas coloured light green on the map depict agricultural land as defined by Ukraine’s Ministry of Agriculture crop map tool. Data source here. Map credit: Logan Williams and Galen Reich/Bellingcat.

While Kniazev found that his land was indeed contaminated, his predicament highlights an important issue in demining in Ukraine and for farmers returning to areas that were previously occupied or near lines of contact.

While some areas are clearly identified as being mined, there remains uncertainty around those that are only suspected of being mined.

Several experts AFP and Bellingcat spoke to warned of the economic damage that could arise from suspicions that turn out to be incorrect. As a 2024 UN Development Programme report stated, areas suspected of being contaminated but not actually contaminated are either left alone or subjected to the same lengthy clearance process at what can be significant cost.

Such land could otherwise be used to grow crops and help reestablish returning farmers. Ukraine remains a huge food exporter despite the war, ensuring the issue is significant beyond its borders.

Some farmers AFP spoke to highlighted the complexity of trying to figure out which areas were contaminated and which were not.

When Detectors Become Useless

In the town of Kamyanka in Kharkiv Oblast, Victor and Larisa Sysenko talk about their gratitude to a team from the Fondation Suisse de Déminage (FSD) who helped clear their land with the help of a specialist demining machine. “There were lots of explosions under that machine,” recalled Larisa. 

Many of the mines were PFM-1 anti-personnel mines, which are more sensitive than anti-tank mines and can be deadly if stepped on by people. The Sysenkos have also had to deal with the danger of unexploded shells, remnants of a Ukrainian assault on retreating Russian troops in 2022 that remained burrowed in the soft soil without exploding.

However, in a selection of other fields nearby, it was a different story as FSD deminers found only three explosive remnants after a long and time-consuming search. 

One of the FSD team told AFP that the metal contamination in these fields was “so immense that our detectors became useless, constantly beeping”. Of the thousands of metal fragments detected, the vast majority proved non-explosive.

An interactive map shows the area around Kamyanka overlaid with data from Ukraine’s National Mine Action Centre (NMAC). Areas shaded red depict confirmed hazardous areas, according to NMAC data. Areas shaded yellow depict suspected hazardous areas, according to NMAC data. Data source here. Areas coloured light green on the map depict agricultural land as defined by Ukraine’s Ministry of Agriculture crop map tool. Data source here. Map credit: Logan Williams and Galen Reich/Bellingcat.

A few hundred miles to the west in the town of Korobchyne, Mykola Pereverzev describes building a remote-controlled tractor to try and activate all of the mines laid in around 200 hectares of fields present there.

Pereverzev, who works for an agricultural firm, describes the tractor being blown up and building another as the first was beyond repair.

The land is eventually being used again, and Pereverzev is putting down herbicides in the soil to sow sunflowers. 

But doubts remain about what may lie beneath.

“Soldiers have the saying that you can pass through one place normally five times, and blow up on the sixth time. Even professionals blow up, so what about us? We are just an agriculture company,” he says.

An interactive map shows the area around Korobchyne overlaid with data from Ukraine’s National Mine Action Centre (NMAC). Areas shaded red depict confirmed hazardous areas, according to NMAC data. Areas shaded yellow depict suspected hazardous areas, according to NMAC data. Data source here. Areas coloured light green on the map depict agricultural land as defined by Ukraine’s Ministry of Agriculture crop map tool. Data source here. Map credit: Logan Williams and Galen Reich/Bellingcat.

Falling Exports

Unsurprisingly, Ukraine’s agricultural exports have been severely impacted since the onset of Russia’s full invasion.

The country’s Agriculture Minister, Vitaliy Koval, told AFP that “grain production has dropped from 84 million tons in 2021 to 56 million tons.”.

He continued: “Ukraine has 42 million hectares of agricultural land, including arable land. On paper, we can cultivate 32 million hectares. But available, non-contaminated, non-occupied land? 24 million hectares.”

“When we come to Brussels (to prepare Ukraine’s future EU membership), they show us an infographic saying we have 42 million hectares. But the reality, unfortunately, is 24 million,” Koval said. 

Not all of this is down to the presence of landmines or explosive ordnance, of course. Other factors also contribute to agricultural output. These include land being located in areas of ongoing fighting, farm equipment being destroyed or farmers joining the armed forces, fleeing to safety or not returning.

Yet landmines remain a significant part of the mix.

Koval’s office stated that just over 123,000 km² of land still needs to be assessed for the presence of landmines or explosives. That is a huge area, almost the same size as Greece, much of which remains inaccessible along the 1,500 km frontline. 

In terms of agricultural areas that are accessible and have been assessed thus far, however, 14,200 hectares was defined by the Ministry of Agriculture as being contaminated. As of May 2025, 11,800 hectares of this area had been cleared, the ministry said.

To be clear, though, these figures don’t take into account areas that remain suspected of being contaminated or the large frontline area that is currently inaccessible to demining groups, all of which will need to be assessed at some point in the future. If Ukraine was to withdraw from the Ottawa Convention on anti-personnel mines, as it said it would last week, this likely would add another layer of complexity to future demining efforts. Russia never signed the 1997 convention and several of Ukraine’s neighbors have recently signaled they may leave the treaty as well.

Making Choices

Paul Heslop is Programme Manager for Mine Action at the UN Development Programme in Ukraine. Like all experts who were interviewed for this article, he is cautious about making precise estimations as to the scale of the landmine issue given the length of the frontline and the many unknowns that remain in a country at war.

Yet he acknowledges to AFP that it is significant, with likely millions of mines or unexploded shells in the ground in Ukraine.

But he adds that by organising and being strategic about which areas are prioritised for assessment, land that is of the most importance can potentially be put back to productive use first. 

The most contaminated land will fall within the area closest to the frontline, he told AFP. Just beyond that, there is still an area that is still significantly impacted, although less intensely, he adds. Within this area “you have got critical infrastructure, bridges, power lines, power plants … transformers, schools, hospitals. They need to be cleared first,” he says.

By way of example, Heslop points to farming areas north of Kyiv or between the Ukrainian capital and Kharkiv that were occupied in the early days of the war. “A lot of that land has now been assessed as not contaminated … or the areas that were contaminated have now been cleared.”

Still, some areas – especially along the current front line area – will be being assessed for a long time, he acknowledges.

Pete Smith is another prominent hand in the demining game. 

He oversees the work of the Halo Trust and their 1,500 staff in Ukraine. Like Heslop, he recognises the scale of the challenge, suggesting Ukraine may be the most mined country in the world. But he also sees hope in new technological solutions that may quicken the pace of demining. 

Speaking to AFP, he said: “We are able to innovate and bring technology such as satellite imagery, drone imagery, all helping us just to drill down to identify where those pockets of concentration of landmines and explosive ordnance are.”

He describes analysts looking at drone and satellite images “pixel by pixel” to locate mines and employing AI algorithms to aid the search. Yet while enthused by such developments, Smith adds: “It’s not an industrial process yet.” 

“We’re getting low-level benefits,” he adds. “But I think it is that area where we will continue to grow.”

For the time being, those out in the field, like Viktoria Shynkar, will continue the job of demining Ukraine.

As of May 31, 2025, she had been with the Halo Trust for a year. It’s a position she feels comfortable in despite the danger that comes with the job.

“Not once have I regretted [taking on the work], not at all,” she says. “I like the job very much. Because there are many good people here, and I feel like I’m resting at work.”

On top of that, the impact of what she is doing gives her satisfaction.

“There’s a lot of contamination … and farmers can’t work, can’t grow crops,” she says. 

“We really need this, so I want to help however I can, so that our country can prosper.”

Eoghan Macguire, Gyula Csák, Logan Williams and Galen Reich contributed to this report for Bellingcat.

Boris Bachorz reported for AFP with contributions from Yulia Surkova, Kseniia Tomchik and Oleksii Obolensky.

Editor’s note: This article was updated on July 2, 2025, to include the name of the Fondation Suisse de Déminage.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Twitter here and Mastodon here.

The post Ukraine’s Contaminated Land: Clearing Landmines With Rakes, Tractors and Drones appeared first on bellingcat.

This article is the result of a collaboration with TjekDet, Denmark’s fact-checking media outlet, Danish newspaper Politiken, and the Canadian Broadcasting Corporation (CBC). Watch CBC’s documentary here. 

Warning: This article discusses non-consensual sexually explicit content from the start.

MrDeepFakes billed itself as the “largest and most user-friendly” platform for celebrity deepfake pornography. The website, which was visited millions of times every month, hosted almost 70,000 explicit and sometimes violent videos, which had collectively been viewed more than 2.2 billion times.

They show mostly famous women whose faces have been inserted into hardcore porn with artificial intelligence – and without their consent.

In the background, an active community of more than 650,000 members shared tips on how to generate this content, commissioned custom deepfakes, and posted misogynistic and derogatory comments about their victims.

For years, the website has been shrouded in secrecy, existing in a legal grey area and concealing the identity of those who control it. Until now.

Bellingcat, in collaboration with Danish outlets Tjekdet, Politiken and the Canadian Broadcasting Corporation (CBC), has conducted an investigation to reveal the identity of a key administrator behind MrDeepFakes.

David Do is a 36-year-old Canadian pharmacist who, based on open source information, lives an unassuming and respectable life in the suburbs outside of Toronto. Photos and videos posted online show him with family, friends and colleagues. The university graduate has a well-paying job in a public hospital and drives a new Tesla.

But Do has been living a double life: in secret, he is the most prominent figure identified to have had control over the administration of MrDeepFakes. He was also an influential member of its growing online community, producing his own deepfake porn and assisting users who want to make their own.

Online posts show Do is a technically minded individual with a long-standing interest in creating and distributing adult content, and provide an insight into efforts to obfuscate his identity.

We identified Do by cross-referencing data from massive credential leaks, which are publicly available via breach databases. A series of burner emails, IP addresses, repeated usernames, and a unique password reveal a more than decade-long digital trail that allowed researchers to link him to MrDeepFakes.

Bellingcat, Tjekdet, Politiken and CBC have sent Do multiple requests for comment since late March but did not receive a response as of publication. Last month, the CBC hand-delivered correspondence to Do setting out the findings of this investigation, but he declined to comment.

Shortly after, Do’s Facebook page and the social media accounts of some family members were deleted. Do then travelled to Portugal with his family, according to reviews posted on Airbnb, only returning to Canada this week.

On Sunday, the MrDeepFakes site was shut down. “A critical service provider has terminated service permanently,” a notice on the platform says. “We will not be relaunching. Any website claiming this is fake.”

CBC approached David Do again on Monday but he refused to answer questions about his involvement with MrDeepFakes. “I don’t want to be recorded please,” he said. “I have to go. I’m busy right now.”

Update: David Do is on leave from his position as a hospital pharmacist, his employer confirmed on May 13, while an internal investigation is underway. Separately, the Ontario College of Pharmacists has said it is “taking immediate steps to look into this matter further and determine the necessary actions we need to take to protect the public”.

‘Fake It Till You Make It’

The identity of the person or people in control of MrDeepFakes has been the subject of media interest since the website emerged in the wake of a ban on the “deepfakes” Reddit community in early 2018.

But the porn site’s hosting providers have bounced around the globe and premium memberships can be bought with cryptocurrency, which have made it virtually impossible to trace ownership.

Support Bellingcat

Your donations directly contribute to our ability to publish groundbreaking investigations and uncover wrongdoing around the world.

Donate

Adam Dodge, the founder of EndTAB (End Technology-Enabled Abuse), said MrDeepFakes was an “early adopter” of deepfake technology that targets women. He said it had evolved from a video sharing platform to a training ground and marketplace for creating and trading in AI-powered sexual abuse material of both celebrities and private individuals.

“Our digital world is really good at empowering people who want to do harm by allowing them to remain anonymous while simultaneously making it almost impossible for victims to unmask them,” he said.

In January, Bellingcat, in collaboration with the German YouTube channel STRG_F, examined the companies behind two apps used for creating deepfakes that it advertised prominently on its homepage.

For this investigation, researchers conducted a forensic analysis of the forums on MrDeepFakes’ website. The forums are a virtual marketplace where members commission deepfakes and trade tips on making videos with the same technology that is used for creating revenge porn.

Videos posted to the tube site are described strictly as “celebrity content”, but forum posts included “nudified” images of private individuals. Forum members referred to victims as “bitches”and “sluts”, and some argued that the womens’ behaviour invited the distribution of sexual content featuring them. Users who requested deepfakes of their “wife” or “partner” were directed to message creators privately and communicate on other platforms, such as Telegram.

A search of the forums returned two accounts for MrDeepFakes “staff members”. One joined in March 2019 and is also listed as a “moderator”. The other joined in February 2018 and is also listed as an “administrator” (two additional administrator accounts, created in 2018 and 2021, were not listed as staff members, and one now-defunct account previously tagged as staff and moderator was created in the year after the site was set up).

Therefore, the focus of this investigation ​was the​ oldest account in the forums, with a user ID of “1” in the source code, which was also the only profile found to hold the joint titles of staff member and administrator. The long-time handle used by this account was “dpfks”.

Researchers began by analysing the profile. The dpfks bio contained little identifying information, but an archive from 2021 shows the account had posted 161 videos which had amassed more than five million views. It earned the badge of “Verified Video Creator”.

Forum posts document dpfks’ involvement as a creator and leader in the community. Archives show dpfks posted an in-depth guide to using software that creates deepfake porn, published website rules and content guidelines, advertised for volunteers to work as moderators, and gave technical advice to users. 

Dpfks’ posts carried the tagline: “Fake it till you make it.”

In a 2019 archive, in replies to users on the site’s chatbox, dpfks said they were “dedicated” to improving the platform. “There is a reason why we are the biggest deepfake site. I care about the community and teaching others.

“I don’t think other site owners care enough to make their own deepfakes, and keep uptodate [sic] with it. My first few deepfakes were s**t too, the more you make, the better you get.”

David Do’s Links to MrDeepFakes

Pirated Movies to Deepfake Porn

David Do keeps a low profile under his own name, but photos of him have been published on the social media accounts of his family and employer. He also appears in photos and on the guest list for a wedding in Ontario, and in a graduation video from university.

Do’s Airbnb profile displayed glowing reviews for trips in Canada, the US and Europe (Do and his partner’s Airbnb accounts were deleted after CBC approached him on Monday). His home address, as well as the address of his parents’ house, have both been blurred on Google Street View, a privacy feature that is available on request.

In the late 2000s, while studying at university, Do was involved in the creation of Xinoa (xinoa.net), a warez forum. Do’s personal Hotmail address, which includes his full name, is visible in source code as an admin contact for the site, archives from 2008 show.

The profile page “ddo” is tagged as the “Root Admin” and “Xinoa Owner”, and lists a date of birth matching that of Do. The profile includes download links to television shows, one of which was accompanied by a comment about “exam week” in 2009, when Do was studying at university. This username is also similar to Do’s Instagram profile (“ddo.jpg”), a link to which was included in the bio section of his Facebook account under the name “Doh Dave”. Both social media accounts have been deleted.

An account on an internet marketing forum was registered using a Xinoa administrator email address, breach data shows. That account was linked to an IP address owned by the University of Waterloo, where Do earned degrees in biomedical science in 2010 and pharmacy in 2014, according to Rocketreach.

The 2015 Ashley Madison data breach shows user “ddo88” registered on the dating site with Do’s Hotmail address and was listed as an “attached male seeking females” in Toronto. They described themselves as being of Asian ethnicity, 173 cm tall and weighing 66 kg. The breached profile was linked to a Toronto-based address and also contained a date of birth, which matches Do’s birth date in public records.

Xinoa would become the springboard for a more sophisticated operation.

In February 2018, when Do was working as a pharmacist, Reddit banned its almost 90,000-strong deepfakes community after introducing new rules prohibiting “involuntary pornography”. In the same week, MrDeepFakes’ predecessor site dpfks.com was launched, according to an archived changelog.

An analysis of the now-defunct domain shows the two sites share Google analytics tags and back-end software – as well as a forum admin who used the handle “dpfks”. Archives from 2018 and 2019 show the two sites redirecting or linking to each other. In a since-deleted MrDeepFakes’ forum post, dpfks confirms the link between the two sites and promises the new platform is “here to stay”.

“MrDeepFakes.com was formerly dpfks.com and we opened our doors shortly after the Reddit ban,” the 2018 post said. “I know joining a new forum or community feels like starting fresh, and starting over, but the community is small, and all the important players will stick together. I promise to keep this community running as long as I can, so that the deepfake community does not have to scramble and relocate again.”

Later in 2018, in a post on Voat, a defunct online message board similar to Reddit, dpfks said they “own and run” MrDeepFakes. In response to another user, dpfks refers to their life outside of operating a porn website. “I just got home from my day job,” the post said, “now back to this!” Some of dpfks’ earliest posts on Voat were deepfake videos of internet personalities and actresses. One of dpfks’ first posts on the MrDeepFakes’ forums was a link to a deepfake video of video game streamer Pokimane.

Other targets included the American politician Alexandria Ocasio-Cortez, for whom dpfks shared a folder containing more than 6,000 images that could be used to create deepfake pornography. Before it shut down this week, MrDeepFakes hosted 125 graphic videos tagged with Ocasio-Cortez that had collectively received more than 5.3 million views. After discovering she had been transposed into a deepfake porn video last year, Ocasio-Cortez told Rolling Stone that “digitizing violent humiliation” was akin to physical rape and sexual assault. 

Another target of dpfks was American YouTube personality Gibi_ASMR, who gained popularity online with her ASMR (Autonomous Sensory Meridian Response) videos. Dpfks created and shared pornographic deepfakes of the YouTuber on the MrDeepFakes forums. In a statement published by EqualityNow in 2021, she said: “They’re running this business, profiting off my face doing something that I didn’t consent to, like my suffering is your livelihood. It made me really mad, but again, there was nothing I could do so I just had to leave it.”

In 2018, dpfks posted a two minute deepfake video of an Academy Award-winning American actress with the description: “[Name omitted] doesn’t do porn, but in this fake video she is completely naked with her legs spread in the air. Watch her face … while she struggles to take it.”

Forum posts under various aliases match those found in breaches linked to Do or the MrDeepFakes Gmail address. They show this user was troubleshooting platform issues, recruiting designers, writers, developers and search engine optimisation specialists, and soliciting offshore services.

The username “AznRico” was commonly associated with Do’s email account and could be found across several postings online. In 2009, years before MrDeepFakes was launched, this now-banned user posted to an internet marketing forum discussing online money-making techniques, including the monetisation of video traffic.

AznRico also posted on an auto lighting forum in 2009 to ask for advice about fixing headlights for a car in Canada – a 2006 Mitsubishi Lancer Ralliart. In another thread on the same forum, AznRico uploaded several images of the car, one of which was archived and contained metadata indicating that it was captured on a Sony Ericsson K850i.

In 2008, on a separate forum, AznRico said he had this model phone and posted about troubleshooting the device (that forum was subject to a data breach exposing David Do’s personal Hotmail address and unique password).

Public records obtained by CBC confirm that Do’s father is the registered owner of a red 2006 Mitsubishi Lancer Ralliart. While Do’s parents’ house is now blurred on Google Maps, the car is visible in the driveway in two images from 2009, and in Apple Maps imagery from 2019. CBC confirmed the car was still at the house last week.

In 2011, on a freelance job board, AznRico asked for help building a video streaming plugin. This profile also listed that the user was based in the same Ontario city where Do’s parents’ home is located. In 2018 – the same year MrDeepFakes was launched – AznRico asked for advice to fix slow load times on their porn site, which they said received about 15,000 to 20,000 visitors a day. Breach data shows this account was linked to Do’s personal Hotmail address.

In one forum post from January 2020, user “dj01039” complains that PayPal had limited their “stealth account”, which was used to “sell virtual goods” (PayPal was intermittently available as a payment option on MrDeepFakes). The username dj01039 matches the abbreviation of an email address (davidjames01039@gmail.com) that was linked to a PayPal donation button on MrDeepFakes in December 2019. 

In June 2020, on another forum, a user with the same alias (who later changed it to “ac2124”) said their stealth account had been permanently closed and wanted to know about front companies that could accept payments on their behalf. The user described themself as the “webmaster of an adult tube site” who takes a cut from creators who post original porn videos, and also earns revenue from running ads. By December 2020, ac2124 said their website was earning between $4,000 and $7,000 a month.

Breach data also links the MrDeepFakes Gmail to an account on support forums for Kernel Video Sharing (KVS), a commercial content management system, where user “mongoose657” (formerly dj01039) sought help managing a video tube site. The discussions, from 2021 to 2024, were consistent with backend issues encountered when running a large website: storage solutions, ticket system failures, and outsourcing development work.

On the adult webmaster forum GoFuckYourself.com in 2020, dpfks (subsequently changed to “mjmango”) enquired about anonymous debit cards, which were advertised as allowing users to withdraw cash or pay for purchases anonymously. In 2021, mjmango responded to another user’s enquiry about how to monetise tube sites.

In another forum, ac2124 enquired about countries to form an offshore company and expressed concern about “know your customer” checks, which are used by the banking sector to confirm the identity of their customers. In a 2020 post, ac2124 said they had decided to make a “dummy site/front” for their adult site and enquired about online payment processing and “safe funds storage”.

In 2022, ac2124 sought advice for a Canadian citizen who operates an “adult niche website” and asked about “a company setup that focuses on privacy”. The post said: “At a bare minimum, this person shouldn’t be listed on any public registrar (as director, shareholder, UBO, etc). Open to using nominees, opening trusts, etc. What are some setups, or jurisdictions that should be looked into?” This user also asked specifically about setting up a company in the British Virgin Islands or Cayman Islands, both secrecy jurisdictions.

In late 2023, mjmango left positive feedback for an adult graphic designer below a post from the designer containing a MrDeepFakes logo. “Purchased another logo recently. As always great communication and allowed multiple re-edits,” the comment said. In March 2024, ac2124 posted about delays accessing a service that creates a “proxy” for a “high-risk website” so it can process transactions from the online payment processor, Stripe.

In April 2024, Dutch outlet Algemeen Dagblad (AD) reportedly made contact with the owner of MrDeepFakes, who was anonymised in their subsequent reporting. AD reported that this person claimed to have sold the website, but did not provide any evidence to support this claim. Our investigation could not confirm whether the site was ever sold, and if so when. 

David Do did not respond to multiple requests for comment about his involvement with MrDeepFakes.

Correction: This story initially said the AznRico post about the K850i phone was from 2009, when it was 2008. The article was updated on May 8 to reflect this.

Ross Higgins, Connor Plunkett, Beau Donelly, George Katz, Kolina Koltai and Galen Reich contributed to this article.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here and Mastodon here.

The post Unmasking MrDeepFakes: Canadian Pharmacist Linked to World’s Most Notorious Deepfake Porn Site appeared first on bellingcat.

This article is the result of a collaboration with The Sunday Times. You can find their corresponding piece here.

On the last Friday in December, a German businessman in his mid-40s allegedly met a small aircraft on a dusty runway in remote Western Australia. The following evening in Perth, seven hours’ drive south, he and another man were arrested and charged with trafficking a commercial quantity of a controlled drug.

Police said a search of their hotel rooms uncovered 200kg of cocaine, packed in suitcases in single one-kilogram blocks, along with night vision goggles, aviation equipment and a hardware cryptocurrency wallet.

It was the culmination of a three-month Australian Federal Police (AFP) investigation codenamed “Operation Mirkwood”. Authorities estimated the street value of the drugs to be AUD $65 million and AFP Inspector Chris Colley said an “organised crime syndicate” was likely responsible for the scheme.

The German businessman was Oliver Andreas Herrmann, a 44-year-old champion marathon runner and the director of multiple companies with diverse interests spanning various jurisdictions.

Herrmann and the other man who was charged are due to face court again in May. They have not yet entered a plea and the presumption of innocence applies. Herrmann, who has no known convictions, had not responded to multiple requests for comment as of publication. 

The Sunday Times reported in January that Herrmann has “close financial ties” to Christy Kinahan, the 67-year-old founder of the eponymous international drug cartel who is wanted by authorities around the world. Last month it reported that Herrmann “acted as Kinahan’s representative on the ground” in Indonesia and quoted a source who said Herrmann once introduced him to the cartel leader.

“Kinahan was Oliver’s boss,” the source told The Sunday Times. “He was afraid of him. Kinahan was always shouting at him.” 

Bellingcat and The Sunday Times have previously reported on the US-sanctioned Kinahan Organised Crime Group, using Kinahan’s own Google Maps profile to plot his movements over five years and identify the cartel leader’s business associates.

That investigation revealed that the normally elusive crime boss – known as the “Dapper Don” – posted hundreds of reviews under the alias Christopher Vincent, disclosing his precise locations across three continents, including in Dubai where he lives in hiding. Bellingcat contacted Kinahan but did not receive a response.

We have now conducted an open source analysis of Herrmann’s online footprint to build a picture of the man Australian authorities accuse of trafficking drugs last Christmas. The findings paint a portrait of an avid runner and international businessman who is more accustomed to poolside video conferences than an alleged drug drop in the Australian desert.

This investigation has traced Herrmann to locations associated with the cartel. These include a building in South Africa that Kinahan reviewed on his Google Maps profile, and to the Zimbabwean capital of Harare the day before a conference that the Irish drug lord said he attended.

It also sheds light on the complex network of international firms linked to Herrmann, either directly or through his associates. One of these firms shares an address with a company that reportedly received payments ultimately destined for Christy Kinahan.

Racing Around The World

Oliver Herrmann is a German national who has referred to Munich as his “home city”. He is also a South African resident, according to the AFP, and reportedly travels on a Swiss passport. Herrmann gave his nationality as Swiss in company documents filed in Singapore, while in registration documents in the UK he said he was German. He has listed his country of residence as Indonesia and Singapore.

Corporate records indicate that Herrmann has been involved at senior levels with companies active in the fields of fintech, mining and consulting. Until recently Herrmann was on the executive board of a German “international raw materials company” whose parent company, according to its website, is to be listed on the Düsseldorf Stock Exchange. The company told Bellingcat in February that Herrmann was removed from his board position after it learned about the allegations in Australia and said he no longer had any role with the organisation.

Herrmann’s Instagram account is set to private but he has a public profile on Strava, a fitness app used for recording exercise that often includes GPS-tracked routes (see Bellingcat’s Strava activity map guide here).

An acclaimed runner who won the 2016 Munich Marathon, Herrmann regularly logged his runs on Strava. Photos posted to the account confirm he is the same person pictured in an Australian media report about his court appearance in January over the alleged drug bust.

Herrmann’s Strava account has logged more than 2,500 activities in 29 countries across Europe, Asia, Africa, South America and the Middle East between 2013 and 2023. He has also posted at least 130 photos documenting his extensive travels. They show a dedicated athlete who appears to enjoy a jet-setting lifestyle, with many featuring scenic and tropical locations.

Herrmann’s Strava account shows that, like Kinahan, he has frequently traveled to Zimbabwe. An analysis of Herrmann’s runs shows he logged almost 500 activities in Harare between February 2018 and May 2022. Meanwhile, Kinahan posted 25 Google reviews in Harare between June 2019 and September 2021.

In one of these reviews, the leader of the transnational organised crime syndicate said he spent four nights at the Amanzi Lodge hotel for a “business networking conference” that was hosted by two companies. The conference ran from October 8 to 11, 2019, according to one of the company’s social media accounts. In two photos posted online, an individual with similar features to Kinahan is seen at the event.

On October 7, the day before the conference began, Herrmann logged a run just 5.5 km from the venue where Kinahan said he stayed. Herrmann’s 2019 Strava activity in Harare suggests he spent time close to this location, near the city’s affluent suburb of Borrowdale, with dozens of runs starting and ending on the same residential road. After October 7, Herrmann’s next Strava run was recorded three days later in Dublin, Ireland.

Two of Herrmann’s runs from 2021 and 2022 take place in downtown Dubai, about 250 meters and 550 meters from the office of a sanctioned company that the US government said is owned or controlled by Christy Kinahan’s son, Daniel Kinahan.

The 2021 run starts and ends outside a five-star hotel where Daniel Kinahan was photographed. The photo in the since-deleted tweet, which was the subject of media coverage at the time, was posted three days after Herrmann’s Strava run and geotagged to Dubai. A reverse image search shows that the picture of Daniel Kinahan was taken inside the Dubai hotel.

Herrmann’s Strava profile also displays information about his business activities. A 2018 post, captioned “Office view in ZIM”, includes a photo of an open document on a laptop screen. Titled “Mining Project Teaser”, the document touts the attractiveness of Zimbabwe’s “open for business” policy for foreign investors.

On the header is “Gemini Global Pte Ltd”, a Singapore-based company of which Herrmann is the director and secretary, according to corporate records. Herrmann reportedly filed a police complaint after Gemini lent US $500,000 for an Indonesian mining project that failed in the early 2010s. More than two dozen runs logged by Herrmann begin and end at the registered address for the Singapore company.

Other locations logged on Strava appear to be linked to companies Herrmann is involved in, suggesting his frequent travel may be business-related. Some runs explicitly mention an office, including one in Singapore in 2015 and three in Dublin in 2016.

Herrmann is listed on Crunchbase as the chief financial officer of defunct Irish fintech, Leveris Limited, which reportedly collapsed in 2021 with debts of €38 million. Records from Ireland’s Companies Registration Office show he was also a director of the company. Herrmann has logged Strava runs in Minsk and Prague, other cities where Leveris had business connections.

Running Mate

A series of companies involved in trade, real estate and corporate finance appear to be linked to Herrmann’s domestic partner. This woman was identified through an analysis of social media posts. In the comments of an Instagram post about his Munich Marathon win, several users tagged the woman’s account. Herrmann’s Strava profile also follows a user by the same name, and includes a photo of him with an identical-looking woman during a run in France.

An analysis of the woman’s Strava account shows that multiple runs logged in different countries over six years match where Herrmann’s GPS-tracked routes start and finish. She is tagged as a companion in at least one run recorded on Herrmann’s profile.

Three videos posted to the woman’s now-deleted Instagram account show a man strongly resembling Herrmann during a hike at Cape Town’s Table Mountain, visiting Mapungubwe National Park, and on a game drive with two boys near Lake Kariba. Photos also show a boat trip and a beach outing with several children in which a man with similar features to Herrmann is seen with his back to the camera. A photo posted to the woman’s Twitter account a decade ago also shows a man who resembles Herrmann.

The woman is also tagged in an Instagram post by a Thai mining magnate whose company is listed as a shareholder of the German company that recently removed Herrmann from its board. The Thai woman’s Instagram includes photos of Herrmann and his partner going back years, including during a 2022 “business trip” in Dubai.

The Corporate Web

An open source search identified a person with the same first and last name as Herrmann’s partner involved in three companies. Corporate records show she was listed as the owner of defunct Indonesian firm PT. Gemini Nusa Land, which was involved in real estate, and previously the director of another company, also headquartered in Indonesia.

The third company is South Africa-registered 247 Capital Group, where business data provider b2bhint.com lists her as a director. These details were verified through South Africa’s official registry. A generic-looking website for the firm says it is a leading “corporate finance group” staffed by “specialist capital raising managers”. The website’s contact section lists two addresses: one is a small house on Long Island, New York; the other is a high-rise building in Johannesburg called The Leonardo.

Herrmann’s Strava profile shows he has logged two morning runs ending directly outside The Leonardo, in April and May 2022. Kinahan has also been to The Leonardo: he wrote about visiting the building and posted photos of the interior in Google reviews from September 2021.

An analysis of 247 Capital’s website using ViewDNS, a tool that examines websites, determined that it shares an IP address with three other sites. There are multiple reasons why websites can share IP addresses and it does not necessarily mean they are related. In this case, however, there is evidence that 247 Capital may be linked to the other sites.

The first is for a US-based company called Ryba LLC; the second is for an Indonesia company called PT. Sukses Dagang Bersama (abbreviated to “SDB Trading” online); and the third is a placeholder for a web developer that designed the sites for 247 Capital, Ryba LLC, and PT. Sukses Dagang Bersama.

Herrmann’s partner had not responded to requests for comment as of publication. There is no suggestion that she is involved in illegal activity.

Ryba LLC

Last year, The Sunday Times reported that a company with a mailing address at the Trump Building was the recipient of two payments totalling US $850,000. It said the funds were lodged to a company account in South Dakota and the beneficiary was listed as Adam Wood, a known associate of Kinahan who attended a 2019 aviation conference in Egypt with the cartel leader. The newspaper said these payments were part of a series of international wire transfers totalling US $1.25 million of which Kinahan was the ultimate beneficiary.

Today, The Sunday Times reveals that the payments of US $850,000 were made to Ryba LLC.

Ryba LLC’s website lists its address as the Trump Building on Wall Street in New York. Companies with this name are registered in the US, but corporate records show that none are located in New York.

The phone number on Ryba LLC’s website was linked to a New York law firm via the crowd-sourced contact book app, TrueCaller. An online search for the firm shows it has an office in the Trump Building, and searches for the Long Island address listed on 247 Capital’s website returned a hit for a lawyer who works at this firm.

The Long Island address also appeared in a small-claims court record, which named the home owner as the lawyer who works in the Trump Building. A digital copy of the deed from the Nassau County Clerk shows the lawyer bought the house 25 years ago. Bellingcat called the Clerk’s office to confirm the deed was still current.

According to the lawyer’s bio, they are an “Anti Money Laundering Specialist” who works in wealth and tax planning, trust and estate administration, and asset protection. The lawyer and the firm had not responded to requests for comment as of publication. There is no suggestion that the lawyer or firm are involved in illegal activity.

Searches on LinkedIn for staff who work for Ryba LLC returned a result for an employee who lists their current role as a senior project finance manager at the company. Their previous position, according to the profile, was head of accounting at Leveris, the Irish company where Herrmann previously served as chief financial officer.

In the photo on Herrmann’s Strava account showing the mining proposal document, a meeting notification for the employee is visible in the top right of the laptop screen. The employee’s LinkedIn account is no longer online, but their details have been saved on RocketReach, a site that aggregates professional data from online platforms.

The employee had not responded to requests for comment as of publication. There is no suggestion that they are involved in illegal activity.

PT. Sukses Dagang Bersama

Bellingcat purchased the Indonesian corporate record for PT. Sukses Dagang Bersama. Its “commissioner” is listed as Conor Fennelly, Herrmann’s former business partner and one-time chief executive of Leveris.

However, Fennelly told Bellingcat that he had “never heard of” the Indonesian company and had “no knowledge” of its operations. He also said he had no business connection to Herrmann outside of Leveris and had not been in contact with him since the Irish tech firm collapsed in 2021.

After providing a copy of the Indonesian business documents showing his listing as commissioner, Fennelly said he “didn’t authorise this” or sign paperwork taking on any role at the company. He confirmed that his name, address and passport information on the document was accurate.

“Oliver and several others at Leveris would have had that,” he said. “The company was founded [in] 2021 and interestingly this is months after Leveris went under and months after my last contact with Oliver, assuming he is the reason my name appears here.”

Fennelly said he met Herrmann through an associate at Leveris in 2016, and that Herrmann subsequently invested in the company and became its chief financial officer. Fennelly found Herrmann to be “reliable, calm, competent and trustworthy”, he said, adding that news of his arrest in Australia came as a “complete shock”. Fennelly said he believed Herrmann had been living in Zimbabwe and training as a runner.

Corporate records also show that PT. Sukses Dagang Bersama was originally established in 2013 under a different name, Maksimum Jaya Segar. A person with the same first and last names to Herrmann’s partner is listed as a director of the company from December 2017 to November 2021. Her listed address is in a residential neighbourhood west of Jakarta, where Herrmann and his partner have logged dozens of runs.

Aircraft and International Trade

PT. Sukses Dagang Bersama was involved in the sale of an aircraft that was exported from the US to Africa last year, Federal Aviation Administration (FAA) records show. The FAA documents say the company bought the plane – a Beechcraft King Air 350 – in early 2024.

Flight tracking website ADS-B Exchange shows that the twin-turboprop aircraft arrived in Harare after the last leg of its journey on February 23, 2024. The ferry pilot who transported the aircraft posted images of the trip to Facebook, which were tagged in Harare on the same date. The plane has been active since its delivery, travelling to airports in Zimbabwe, South Africa and Botswana. Images from plane spotters in South Africa in April and May 2024 show the aircraft with Malawi registration number 7Q-YAO on its side.

Two days after the plane was delivered to Harare the pilot posted a photo of himself with three other men in front of the aircraft, captioned “Acceptance demo flight”. The pilot and one of these men have previously flown a different aircraft, a Pilatus PC-12, that has been associated with a Kinahan-linked company.

The US $850,000 payment to Ryba was linked to a dispute over the purchase of this aircraft, according to The Sunday Times.

The pilot posted a photo to Facebook before transporting the Pilatus PC-12 from South Africa to the US in 2022 after it was sold to an unrelated buyer. But three years earlier, the Pilatus PC-12 was pictured in a Twitter post by CVK Investments LLC, a company that Irish police said was associated with Kinahan.

The July 2019 post said CVK was investing in the aircraft for an “air ambulance joint-venture business in Africa”. The aircraft pictured in the post shows its serial number “342”, matching the plane in the pilot’s Facebook post. While an aircraft’s registration number can change, the serial number is assigned by the manufacturer and remains the same (see Bellingcat’s flight-tracking guide here).

The second man is an employee at Malawi’s aviation authority who is referenced in a Facebook photo as being one of the pilots during an August 2021 flight in the Kinahan-linked Pilatus PC-12.

The identity of the Malawi-registered plane was confirmed by its registration number at the time, “7Q-XRP”, visible on the control panel in the photo. The cockpit is identical to one pictured in a Google review posted by Kinahan a month later in September 2021.

The pilots had not responded to requests for comment as of publication. There is no suggestion that they are involved in illegal activity or that either of the planes has traveled to Australia.

PT. Sukses Dagang Bersama is also listed in publicly available import/export records for mining-related and narcotic products between countries including India, Nigeria, Peru, Turkey and Russia.

Records from import/export data provider 52wmb show that in one 2023 shipment from India to Nigeria, PT. Sukses Dagang Bersama is listed in the product description for a delivery of the narcotic “Pentazocine Injection”, an opioid used in medicine that is also reportedly misused and sold on the underground market in Nigeria.

Also listed in the product description field is another company, Turkoca Import Export Transit Co Ltd. This Korean-based company was sanctioned by the US in May 2022 for being part of an Iran-linked oil smuggling and money laundering network.

The product description usually contains information about the items being exported. A potential explanation for company names appearing in this section is that they are “notify parties”, which are entities such as buyers, suppliers and brokers who should be informed when the cargo arrives. PT. Sukses Dagang Bersama appears as a “notify party” in the product description for another shipment to Nigeria from a different Indian pharmaceutical company.

PT. Sukses Dagang Bersama is also listed in 2024 import records for shipments of accessories for heavy machinery to Turkey from a Peruvian company that makes mining equipment. In records from Dataontrade.com it also appears as an exporter of “spare parts” for similar machinery, this time from Turkey to Russia.

Oliver Herrmann had not responded to requests for comment as of publication. Herrmann’s lawyer said: “I am not instructed to comment on these matters.”

Emails to 247 Capital Group, Ryba LLC and PT. Sukses Dagang Bersama were not returned.

Australian Cocaine Charges

Oliver Herrmann and his co-accused, Australian man Hamish Scott Falconer, 48, appeared in Perth Magistrates Court in January. Both men have been charged with one count of trafficking a commercial quantity of cocaine.

Herrmann also faces four counts of failing to comply with an order, according to a report in The West Australian, while Falconer is also facing one count of possessing a controlled drug and one count of failing to comply with an order.

Local media reported that neither of the men applied for bail and no pleas were entered.

The Australian Federal Police said the men were arrested in Perth’s central business district on December 28 as part of an operation that began in October.

The AFP alleges that the men met at Perth Airport in November and drove to Kojonup Airport, about 250km south of Perth. Investigators said the pair departed Western Australia in the following days but later returned separately.

Falconer returned to Perth on December 26, according to police, where he hired a vehicle and transported multiple suitcases and jerry cans. Herrmann allegedly met a small aircraft at the Overlander Airstrip on December 27, returning to Perth and meeting Falconer the following day. Police said that the men bought more suitcases, before discarding them along with jerry cans in a shopping centre rubbish bin.

Police said a search of Falconer’s hotel room uncovered about 200kg of cocaine, in six suitcases, as well as electronic devices, night vision goggles and an airband VHF radio. They said they searched Herrmann’s hotel room and seized four empty suitcases, aviation navigational equipment, a hardware cryptocurrency wallet and other electronic devices.

Both men were charged with trafficking a commercial quantity of a controlled drug, which carries a maximum penalty of 25 years’ imprisonment.

Local media reported that Herrmann and Falconer are due to appear in court again in May. 

Connor Plunkett, Peter Barth and Beau Donelly contributed to this article.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here and Mastodon here.

The post Nowhere to Run: The Online Footprint of an Alleged Kinahan Cartel Associate appeared first on bellingcat.