Request Demo Start Free Trial
AI-Powered Celebrity Impersonation Scams: A Threat Intelligence Report by RedHunt Labs

AI-Powered Celebrity Impersonation Scams: A Threat Intelligence Report by RedHunt Labs

Introduction

A new wave of AI-powered investment scams is targeting Indian users on Facebook and Instagram, luring them with fake celebrity endorsements and deepfake interviews. Ads featuring figures like Nirmala Sitharaman, Sadhguru, and Neha Kakkar promote fraudulent schemes, directing users to counterfeit news websites mimicking The Times of India, IndiaTime, and NDTV. These sites claim celebrities have built fortunes using exclusive investment strategies, persuading victims to deposit ₹21,000 into fake platforms.

This is part of a growing trend; 63,000 investment scams were reported in India in just four months of 2024. Victims are suffering huge financial losses, with 48% losing over ₹50,000. In a recent case, a woman from Faridabad lost ₹7 crore to a similar scam.

Fraudsters exploit Facebook’s ad review system, using short-lived campaigns, deceptive links, and AI-generated content to evade detection. Despite efforts by tech giants, Meta removed 2 million scam-linked accounts, and WhatsApp banned 6.6 million fraudulent accounts in India.

In this report, RedHunt Labs’ threat intelligence team maps out the entire scam infrastructure, exposing the tactics, deception techniques, and financial impact of these operations. By exposing these fraud schemes, RedHunt Labs aims to equip stakeholders to develop stronger countermeasures to protect potential victims from AI-driven cyber threats.

Table of Contents

  1. Introduction
  2. The Role of AI in Fueling the Scam
  3. Fabricating Entire Scenarios
  4. How are these Scams Distributed
  5. How do they evade Facebook’s Ad Review?
  6. What Domain Infrastructure is used, and what Evasion Techniques are implemented
  7. Who do they target? – Targeted Audience & Reach
  8. Fake News Articles and Media Impersonation
    1. → Is this being done on mass, or is it a one-off instance?
  9. Fake News Articles leading to Fake Investment Platforms
  10. What Payment Infrastructure is used to collect money?
  11. This is not just limited to Facebook Ads
    1. → Medium Blog Pages
    2. → Compromised website with injected HTML Code
    3. → SEO Manipulation and Social Engineering
  12. Summary
  13. Proactive Brand Protection: The RedHunt Labs Approach
  14. Recommendations
  15. Appendix

The Role of AI in Fueling the Scam

At the core of this scam is deepfake technology, used to create hyper-realistic, fabricated videos of well-known personalities. Scammers use AI-powered tools to clone a person’s voice from publicly available clips, allowing them to synthesize new audio that sounds completely authentic, complete with the target’s unique tone and intonation.

This fake audio is then paired with manipulated video. Using generative AI, fraudsters alter real interview footage or news clips of celebrities and political leaders. The AI perfectly syncs their lip movements to the fraudulent audio track, creating a seamless and highly believable video where a trusted figure appears to make an endorsement or announcement they never did.

Fabricating Entire Scenarios

These AI tools are used to construct entire fraudulent narratives from scratch. Scammers engineer fake interview scenes where celebrities appear to be revealing their “secret to wealth” to an interviewer, lending powerful credibility to the scam.

Similarly, they stage deepfake media appearances, creating videos where political leaders seem to be announcing new, government-backed investment schemes designed to help ordinary citizens. This tactic preys directly on the public’s trust in official institutions. The ease of access to these AI tools allows for the rapid, mass production of such convincing content, enabling scammers to launch widespread disinformation campaigns with minimal effort, which is why these scams have become so pervasive.

How are these Scams Distributed

This scam begins with fraudulent advertisements on Facebook and Instagram, strategically designed to manipulate emotions and lure users into a web of deception. Scammers operate under multiple advertiser names, including NewsToday, Indianews, and others (Ref: Appendix), leveraging AI-generated content to fabricate fake news featuring prominent Indian figures. These ads redirect victims to counterfeit news websites impersonating India’s leading media outlets, such as NDTV and India Today.

Three sponsored advertisements from 'NewsToday' promoting a fraudulent financial project targeting Indian users, claiming high returns on investment.
A series of active advertisements on social media, showcasing a financial investment scheme with claims of high returns and featuring images of individuals who appear to be presenting the offer.
Ads featuring celebrities/political figures

How do they evade Facebook’s Ad Review?

To bypass Facebook’s automated review system, fraudsters employ a combination of technical manipulations and rapid ad cycling:

  • Fake Amazon Links: Ads display Amazon.in as the hyperlink to appear legitimate, but clicking redirects users to scam websites.
  • Short Ad Lifespan: Ads are live for 10-12 hours before being replaced with new ones, making detection difficult.
  • Hijacked Advertiser Accounts: Some of these scam ads originate from accounts previously used for travel content and other content, repurposed for fraud.
Screenshot of a Facebook page for 'NewsToday', featuring a profile picture of a fish and a background of green trees. The page shows the number of likes and followers, along with sections for posts, about, reviews, and photos.
One such Facebook profile of an advertiser.

What Domain Infrastructure is used, and what Evasion Techniques are implemented

  • Through analysis of WHOIS registration data, we uncovered that a significant cluster of these scam domains were registered within a short window in a coordinated effort.
  • Use of Reputable Keywords: Incorporating terms such as “india,” “live,” “news,” and “today” to align with well-known news organizations.
  • Consistent TLD Usage: Preferring the “.top” & “xyz” TLD, likely due to its affordability and the higher availability of desired domain names.
  • Hosting Multiple Websites on a Single IP: Using a single server to host numerous scam domains enabling easier management, cost savings, and rapid replacement if one site is taken down.
  • Scammers are maintaining a pool of active domains and regularly switch between those domains to ensure uninterrupted operation and evade detection.

Who do they target? – Targeted Audience & Reach

  • Primary Target: Indian users, with occasional expansion to Southeast Asia.
  • Emotional Manipulation: Ads use clickbait headlines like “Heartbreaking news for Sadhguru” or “Say goodbye to Neha Kakkar” to evoke urgency.
  • AI-Generated Fake Images: Arrested or beaten celebrities create shock value.
  • Localized Appeal: Approximately 80% of the analyzed ads were written in local Indian languages to maximize engagement and build regional trust.
  • False Political Endorsements: Use political leaders, such as claims that the Prime Minister or Finance Minister created special financial projects for Indians, to build trust and legitimacy for scams.

As of August 12, 2025, new scam ads continue emerging daily, each targeting different celebrities and high-profile individuals in India.

A Facebook ad promoting a fraudulent investment scheme, featuring a 'Sponsored' label from NewsToday. The ad claims users can invest ₹21,000 and receive ₹1,500,000 in the first month, accompanied by a manipulative image of an interviewer and a celebrity.
Ad with its advertiser and activity status

Fake News Articles and Media Impersonation

Once users click on these deceptive Facebook and Instagram ads, they are redirected to counterfeit news articles impersonating trusted Indian media outlets (Ref: Appendix). These fraudulent websites replicate the branding, layout, and typography of platforms like NDTV, India Today, The Times of India, and others, making them appear authentic.

→ Is this being done on mass, or is it a one-off instance?

RedHunt Labs’ analysis of 50+ fake news articles revealed a standardized format used repeatedly across multiple websites and scam ads. These fake reports typically follow the same template, with only minor modifications:

  • AI-generated celebrity images inserted into fabricated interviews.
  • Names of interviewers and celebrities swapped while keeping the structure intact.
  • Consistent tone and style, reinforcing the illusion of legitimacy.

This uniform approach indicates a well-coordinated, large-scale campaign aimed at maximizing reach while minimizing content creation efforts. The persistence of these scams across multiple domains suggests an organized fraud network that continuously refines its tactics to evade detection.

A suspicious advertisement featuring a fake endorsement from an individual posing as Narendra Modi, promoting a fraudulent investment platform, with screenshots showcasing fabricated testimonials and a misleading financial offer.
Fake News Article ComponentDescriptionExample
Clickbait HeadlineSensational headlines are designed to grab attention and lure users into clicking.“Shocking! Kapil Sharma’s Secret to Instant Wealth Exposed in Leaked Interview!”
Fabricated Endorsement by Political Leader for Scam Trading PlatformFalse claims that a well-known political figure promotes a trading platform promising unrealistic returns, using fabricated quotes to build trust and lure victims.“Narendra Modi, the man all of India knows, has come up with a platform that makes it a reality.”
Fake Scarcity and Urgency Tactics with Fabricated TestimonialsFalse claims of limited availability, rising prices, and quick profits, combined with made-up customer testimonials to pressure readers into joining a scam.“Only 500 places left and the price is rising to ₹150,000 soon. I thought it was a scam, but now I have ₹552,177 in my account!”
Fabricated User Testimonials and Comments SectionA fake comments section with fabricated user profiles and stories claiming rapid earnings, purchases, and successful withdrawals to create social proof and convince readers that the scam platform is legitimate.“Users in the comments claim they earned tens of thousands of rupees within days, bought cars, or withdrew money successfully, presenting the scam as a proven way to make fast profits.”

Fake News Articles leading to Fake Investment Platforms

From the fake news article, the victim will be made to click on a URL of the Fake investment platform, which the scammers have included as endorsed by the celebrities and other prominent figures in the fake news article.

Screenshot of a fake news article featuring Sadhguru discussing a fraudulent investment program, with text highlighting a deceptive registration process for a scam trading platform.

Upon clicking the link, the user will be directed to a Fake sign-up page of the Fake investment platform hosted in that same domain as the news article. 

A fraudulent investment platform webpage promoting the Unitrade DCX trading scheme, showcasing possible earnings and a registration form on a computer screen, with an emphasis on unrealistic financial gains.

As mentioned in the fake news article interview, the platform prompts the user that “the customer executive will contact through your mobile number”.

A thank you page displaying the message 'Thanks! Your application has been received and processed!' with two cartoon characters shaking hands in a colorful background.

A day after completing the registration, as part of the investigation, a RedHunt Labs analyst received a call from an international number. The caller immediately asked, “Did you register on the Quantum AI trading platform?” They attempted to extract personal details and insisted that we open a new demat account. When pressed by the analyst, to reveal the actual platform behind their operation, they finally disclosed the name of an app – EZInvest – which, alarmingly, was available on the Google Play Store.

Screenshot of the EZInvest scam mobile trading application page from the Google Play Store, showcasing features, user ratings, and download statistics.

After a day, we noticed a change in the website. The name of fake investment platform sign-up pages are getting changed frequently, both in the title of the page and in the content of the fake news article. E.g.: Unitrade DCX, Bharat Coincore, NeuraNorth AI.

Screenshot showing fake news articles from various sources, including The Indian Express, and advertisements for fraudulent investment platforms like Unitrade DCX 2025 and NeuraNorth AI.

RedHunt Labs extended its investigation by searching these platform names present on the sign-up page. And we have identified that these sites are a generic template and are being used to scam people in various regions by analyzing the titles. By pivoting from the initial domains and analyzing shared hosting infrastructure and registration patterns, RedHunt Labs identified a network of over 1,000 interconnected fraudulent websites, both active and dormant.

After registering on the finally redirected Fake investment platform URL, the victim will be requested to invest a minimum amount of ₹17,000 or ₹21,000 to ‘activate’ their accounts.

What Payment Infrastructure is used to collect money?

  • UPI Transfers (Google Pay, Paytm, PhonePe)
  • Direct Bank Transfers (Indian & international accounts)

Usage of various Indian and international accounts strongly emphasizes that this scam is not only targeting India but worldwide as well.

This is not just limited to Facebook Ads

→ Medium Blog Pages

The scammers don’t limit themselves to Facebook ads. They also exploit trusted platforms to lend credibility to their schemes. For instance, we found fake trading bots being promoted through impersonated Medium blog pages, complete with fabricated articles endorsing the scam. 

Screenshot of a fake Medium article titled 'AI Trading Bot Makes Up To $38,000 in 5 Days, Beating Professional Traders' featuring statistics and growth chart related to the bot's performance.

Compromised website with injected HTML Code

In addition, multiple legitimate websites, unrelated to trading were compromised and injected with malicious HTML code. This injected content redirected visitors or embedded promotional banners, effectively turning safe websites into unwitting vehicles for the fraud.

A webpage showcasing a fake trading platform called 'Immediate Edge' with a colorful logo at the top, filled with misleading claims about cryptocurrency trading.

→ SEO Manipulation and Social Engineering

Our Open-Source Intelligence (OSINT) investigation revealed a coordinated content campaign, including AI-generated YouTube videos and fake Reddit discussions, and fabricated blog posts to manipulate search engines and social media. They create fake reviews with clickbait titles and post scripted discussions on forums like Reddit. These articles include fake bank statements, doctored screenshots, and SEO tactics like keyword hijacking and backlink manipulation to ensure these scams rank high on Google, tricking victims into believing they are real.

Summary

The surge of AI-driven celebrity impersonation crypto scams in India underscores the pressing need for heightened vigilance and proactive measures. These scams, leveraging advanced technologies to create convincing deepfakes and counterfeit endorsements, have led to significant financial losses among unsuspecting individuals.

The adaptability and sophistication of these fraudulent schemes pose substantial challenges to both users and digital platforms. Scammers’ adeptness at evading detection necessitates continuous advancements in security protocols and user education.

Proactive Brand Protection: The RedHunt Labs Approach

The rise of AI-driven scams demonstrates that waiting for a threat to impact you is no longer a viable strategy. At RedHunt Labs, we believe in proactive brand protection, a methodology designed to stay ahead of bad actors. Our approach, which produced the findings in this report, is built on three key pillars:

  1. Detect: We leverage a combination of AI-powered tools and human expertise to cast a wide net, identifying potential threats in real-time. This includes monitoring for brand impersonations, counterfeit websites, fraudulent social media ads, and unauthorized use of executive likenesses.
  2. Analyze: We go beyond simple alerts. Our team analyzes the tactics, techniques, and procedures (TTPs) of fraudulent actors to understand the full scope of a campaign. This intelligence, as seen in our breakdown of the scam’s domain infrastructure, is crucial for effective and lasting remediation.
  3. Remediate: We manage the entire lifecycle of a threat, from detection to takedown. We work with platforms, registrars, and hosting providers to dismantle fraudulent campaigns, ensuring that your brand’s integrity is restored and your customers are protected.

This research exemplifies our commitment to transforming brand monitoring from a passive activity into an active defense.

To combat this escalating threat, a collaborative effort is essential. Social media platforms must enhance their monitoring systems, and users must remain vigilant. RedHunt Labs remains committed to uncovering and dissecting these fraudulent networks as part of our core brand protection mission. For organizations looking to defend against similar impersonation and digital fraud, it is crucial to implement a proactive brand monitoring strategy.

Recommendations

Based on our findings, RedHunt Labs strongly recommends that Platforms like Facebook, Instagram, and Google Ads should enhance the monitoring systems, strengthen the verification process to eradicate these kinds of scams and frauds. People should be very careful and informed about the current news and scams that are happening, and report any suspicious activities to the relevant platforms and authorities immediately. 

Appendix

CategoryNames
Facebook Advertisers (5)NеwsТоdау, News Today, Patriciaq Hallu, Indіаnnеws, Earl Peters
Celebrities impersonated (30)Narayana Murthy, Nirmala Sitharaman, Sudha Murty, Neha Kakkar, Anant Ambani, Rahul Kanwal, Guy Sebastian, Matt Shirvington, Jakub Prachar, Honza Dědek, Kuba Wojewódzki, Wojciech Cejrowski, Tara Brown, Penny Wong, İrem Helvacıoğlu, Ahmet Mümtaz Taylan, Sofie Linde, Heidi Frederikke, Melissa Grelo, Sandie Rinaldo, Espen Fiveland, Jakob Ingebrigtsen, Florent Pagny, Gilles Bouleau, Guy A. Lepage, Charles Lafortune, Anders Lund Madsen, Mette Bluhme Rieck, Miranda Kerr, Sadhguru
Scam Trading Platforms (19)Unitrade DCX, Immediate Bumex +7, Secret Ledger AI, Immediate Renova 9.0, ArbiVise, SmartBit Boost, AvogexBit App, Avotexum App, Bit 2.0 ePrex, Bit +7 ePrex, Bit +700 ePrex, Bit Alrex +9000, Bit ePrex 10, Bitcoin 600 ePrex, Bitcoin Ai Diamox, Bitcoin ePrex Pro, Bitcoin V7 Bumex, BitLax Smart, Zenfable Rise

Leave a Reply

Your email address will not be published. Required fields are marked *