Takedowns: Olympic Edition

Lumen has identified new signs of a coordinated and potentially automated fraudulent DMCA takedown campaign relating to articles about a Russian Olympian.

Building on work done by past Lumen team members and documented in previous Lumen blog posts, the evidence presented here sheds light on previously unreported tactics that may be used in attempts to suppress unfavorable information.

- - -

This all started when I got interested in what kind of websites were being targeted for fraudulent takedown requests.

Sometimes these allegedly infringing sites were reputable news outlets in other countries, but others seemed like spammy blogs, and sometimes the line was less clear. I wondered: were there some sites on the more reputable side — niche news outlets, blog — that were being consistently targeted?

Starting with a set of notices previously identified by Lumen team members as likely fraudulent, I identified several examples of sites whose articles had already been targeted in multiple takedown requests and searched for more examples of those sites in the Lumen database.

This landed me in an entirely new place. The notices I had initially been looking at were largely from the previous year or two, but I found one particularly intriguing notice from the last week. When I looked a little deeper, I realized that many of the newer notices targeted links where the content was about a single person: a Russian Olympian. When I then searched her full name in Lumen, I found tens of thousands of requests, all from 2024. Sampling a few of these new requests, I found tell-tale signs of likely fraudulence, as I will explain. From there I turned my attention to this new reputation management campaign.

Suspicious Consistency

Section 512(c)(3) of the Digital Millennium Copyright Act describes a way in which copyright holders, whether corporate or people, can request that online material allegedly copying their work be taken down by the host of the material. They can also send requests to Google or other search engines asking for the removal of links to the content from its search results ("de-indexing"). Lumen compiles and aggregates these requests and makes them available for independent research.

For example, a media company like Disney might send a DMCA request to Google so that websites for pirating Avengers: Endgame don’t appear in search results when a user looks up how to watch that movie. But as Lumen, law professors, journalists, and other researchers have documented, there are those who attempt to misuse this system, using fraudulent takedown requests to make unfavorable or critical content — from investigations of corruption to defamatory spam websites — disappear from the internet, or at least become much more difficult to find. In some cases, individuals or organizations send tens of thousands of these fraudulent requests.

As I was sifting through this latest pile of suspicious requests, I noticed something odd about them. Typical DMCA takedown requests include a few key components: who’s sending the request, what country they’re sending it from, a link to the supposed original work, and a list of links to the works that allegedly copied the original. But requests can also optionally include descriptions, which typically offer some additional details of what the sender wants de-indexed from Google Search results and why.

I was looking at a notice sent by “Brandy Adkins” (reproduced above). The description of this notice begins with the line “Contact is made regarding the unauthorized reproduction of an original article.” Something about the phrasing struck me, and then I realize I had seen that exact description, with its memorably awkward phrasing, in previous notices. I next searched for the whole thing — multiple sentences including punctuation — and found over 7,000 exact matches. Not only that, almost all of them appeared to be requests relating to the same Russian Olympian.

This was really weird. I decided to look through a sample of the 100 most recent notices relating to the Olympian to see if all the requests about her were using the same description. What I found was perhaps even stranger: not only were some of these notices reusing the “contact is made” description, but others were reusing a few variants on that same description. These variants each made roughly the same points, but with different phrasing. Moreover, nine of these exact description variants seemed to account for most of those within the Russian Olympian-related notices in the past few months.

The repetition of these nine descriptions is far from accidental or uncorrelated. Each exact description variant appears in between 7100 and 7400 notices — though this number is growing daily. All nine descriptions first appeared in Lumen notices on the same day (February 14, 2024), and all continue to appear in requests. Moreover, the vast majority of the requests using these descriptions appear to be related to the Russian Olympian. Searching for the exact descriptions along with her name, I found that almost 60,000 requests relating to articles about her use one of the nine description variants.

Questionably Cosmopolitan

But what makes this consistent repetition suspect? After all, many media companies have partially automated their DMCA processes in response to the immensity of online movie and television pirating. Might not this batch of duplicate descriptions represent a mere use of templates as part of a legitimate attempt to combat an online smear campaign?

Not quite. Despite having the same descriptions, many of the notices were purportedly sent by dozens (if not hundreds) of different individuals, each from multiple different locations.

Take “Brandy Adkins,” who turned out to be one of the most prolific senders. This supposed person has sent over 2,000 notices since Feb. 14, 2024. The last day they have sent any notices as of this writing was June 27th, on which they sent 160 total notices. On June 24, 2024, Brandy Adkins was listed as the sender for 14 notices. Each notice related to the Russian Olympian, and each notice used one of the nine repeated descriptions. Despite those similarities, the requests supposedly originated from 13 different jurisdictions — including Moldova, Nicaragua, Vietnam, and the disputed territory of Western Sahara.

Other requests bearing the same descriptions (just on June 24) supposedly came from senders such as “Renee Gray” in the Pitcairn Islands, “Douglas Weatherman” in French Polynesia, and “Chad Gray” from Belize.

Either there are 13 different Brandy Adkins in 13 different places across the globe who all happened to submit DMCA takedown requests about the same topic and on the same day as many others from yet more countries, all using the exact same language as the multiple Brandy Adkins — or something more sketchy is going on.

A more striking aspect of this flood of related requests is that in some of the duplicate descriptions, the supposed senders claim to have written the original article (“I’m writing to inform you of an original article authored by me,” one begins). In any individual notice, this is fine — individual copyright owners often send their own DMCAs — but it becomes suspicious when multiple senders claim to have written the same article — a frequent occurrence in this data set. This means either all of these senders co-wrote the article, or most if not all of the notices are fraudulent.

Even more questionable is when the supposed “original article” appears in the list of allegedly infringing URLs in other notices from the same sender. Sometimes (as shown below), different articles on the same website appear as both the “original” and within the list of “infringing” links within the same notice, including one by Brandy Adkins.

A Concerted Campaign

Here’s an alternative, perhaps more plausible explanation for these details. On Feb. 14, some individual or organization began a coordinated effort to remove certain potentially damaging information about the Russian Olympian from the web. Perhaps that information is true and the result of investigative journalism. Perhaps it is defamatory lies spread as part of a malicious smear campaign. Or possibly both. Regardless, the effort to remove that information involves sending tens of thousands of slightly different, but mostly identical notices from dozens of countries and fake senders, but with just a handful of possible descriptions. It’s not hard to imagine a simple bot programmed to send a set number of notices each day, rotating through duplicate descriptions, sender names, and countries (low-cost task workers might be doing the same thing).

This campaign may even be related to the previous sets of seemingly fraudulent notices documented on this blog: some of the websites listed as hosting the “original” article in the recent notices are listed in other, older notices as allegedly infringing websites hosting articles about a certain Russian oligarch.

This is just one possible explanation, but it fits the evidence much better than the idea that all these common details happened at random and that all of these DMCAs are completely legitimate. The new patterns explained here suggest a broader potential ecosystem of automated campaigns and fraudulent takedown-for-hire systems aimed at suppressing online information.

---
Hewson Duffy is a 2024 summer intern at BKC/ASML