The kompromat DeLorean


– How to hide the source of a defamation campaign against investigative journalist Emilia Șercan

Patria Noastra Front Page

Everything started on the 16th of February, when an anonymous Facebook message was sent to investigative journalist Emilia Șercan warning her that five personal pictures taken almost 20 years ago had been uploaded to adult websites. After the journalist contacted the police to report the theft of the photos and the violation of privacy, she discovered that evidence provided to the police (a screenshot of the Facebook message) had been published on a website in the Republic of Moldova.

The personal photos of Romanian investigative journalist Emilia Șercan were published by the Moldovan website realitateadinmoldova{.}md on the 17th of February 2022, but when the journalist tried to investigate who was behind the leak, the Romanian police pointed to the “ghost” site patrianoastra[.]com as the original source. Four days after the pictures were published on the Moldovan site, the Romanian police produced a 29-page document describing the timeline of events, framing the website patrianoastra[.]com as the site that first published the screenshot and the pictures, and placing the time of publication at 5:45am on the 17th of February 2022.

At the time of this writing, the website patrianoastra{.}com is no longer online as the site was brought down the second week of March 2022. The pictures used in the libel article are currently online on another website, namely realitateadinmoldova{.}net.

Qurium has collected multiple sources of forensic evidence with the objective of determining what the original source of the leaked screenshot and pictures is and who is behind the websites. This report presents how the evidence was collected and our findings.

Qurium can conclude that the official police report, suggesting that the screenshot and pictures were initially uploaded to the website patrianoastra{.}com, is incorrect. Our investigation suggests that patrianoastra{.}com was likely used to conceal the real source of the distribution of the materials. Instead, the original source of the leaked images was the Moldovan site realitateadinmoldova{.}md. Once the Moldovan article was put offline, the pictures but not the screenshot were re-published by realitateadinmoldova{.}net.

Who is Emilia Șercan?

Emilia Șercan is an investigative journalist specialized in plagiarism in doctoral dissertations. During the past seven years, she has exposed around 50 individual cases of plagiarism in doctoral dissertations of top Romanian politicians, including the current Prime Minister, ministers, politicians, intelligence generals, army generals, police quaestors, professors, prosecutors, and judges. Her articles are mainly published in Romanian, while some of them have been translated to English. Clearly, Emilia is a well-known journalist and a thorn in the eye of the power elite in Romania.


The ghost site: Patrianoastra[.]com

The police investigation claimed that patrianoastra{.}com was the original source of the leaked pictures. The website was registered with Namecheap in April 2020.

Domain Name: PATRIANOASTRA.COM
Registry Domain ID: 2510499443_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2022-04-05T18:59:45Z
Creation Date: 2020-04-03T05:58:11Z

Qurium obtained a complete backup copy of the website, and looked into the sources of the articles and their timestamps.

Full download of the “patrianoastra” website and its articles

All articles on the website are harvested from a few online sources. We identified references to the following websites as sources:

www.digi24.ro 
www.digisport.ro 
www.elle.ro 
www.agerpres.ro 
www.sport.ro 
stirileprotv.ro 
www.realitatea.net 
www.ziare.com 
www.antena3.ro 

Finding: The website did not produce any original content but obtained most of the content from external sources.

Using dumps from calls to the JSON API of WordPress, Qurium analyzed the content of the articles, searched for the regular expression “Sursa:” (source) and extracted all references to the sources of the articles. We verified that the articles with the text “Sursa:” were indeed verbatim copies of articles published by other websites.

JSON Dump of one article via WordPress API.

We looked into how frequently the articles were posted and saw that the editor of the website (asdzxcqwe123/Patriot) was posting around 3-5 articles per month, and did not post more than two articles per day on the days he published content.

Date vs # Articles Published

We extracted the time when each of the articles was posted and noticed that just before the site was put offline, no less than 11 articles were posted in February 2022, which represents 10% of the total number of articles we collected since its start in April 2020.

Article seq number vs Epoch

Finding: The website was posting an average of 3-5 articles per month for almost two years. In February 2022, 11 articles were posted. Hence, there was a sudden increase of articles posted in February 2022, just before the site was taken offline.


Qurium created a database that included the date of publication of each of the articles and the source included in each publication.

Database with the articles and their sources

When parsing the sources of the articles, we noticed two groups of articles that did not contain the text “Sursa”. The first group consisted of 16 articles dated 2020-04-09, one week after the domain was registered. These articles were likely posted on the site to bootstrap the initial content.

After the bootstrapping and for almost two years, all articles contained the text “Sursa” until the 17th of February 2022…

Groups of articles without a Source

The second group of articles that did not contain the text “Sursa” were articles published 17-26 of February 2022. The article containing the stolen pictures of Emilia Șercan is marked with our internal ID: de0ebd970a7b8e9bc89c7a2f8219cd2a and happens to be the second article out of 8 without any reference to the Source of the material.

Articles posted to build a new timeline.

List of articles that did not contain any reference to a “Source” since May 2020.

Finding: For almost two years, Patrianoastra[.]com always included a reference to the “Source/Sursa” of the articles that they republished, with the exception of all articles posted from the 17th of February 2022.

Qurium decided to further investigate the eight articles without sources, and found some interesting patterns:

  1. Articles include the famous ^M (the carriage return character of Windows line endings), which corresponds to an editor using a Windows machine who has “cut and pasted” the article into a Linux server.
  2. All articles include the HTML text <p>published on Feb ##,2022 at ##:##<p> (notice the non-capitalization of the word “published”).
  3. We reviewed the WordPress theme and plugins of the site, and could conclude that there is no piece of code that creates the entry “published on…”. This “publication time” entry was added manually by the editor when creating the articles.

The editor of these eight articles made a special effort to:

  1. Not include any reference to the Source of the articles and
  2. Manually include a time of publication in each entry, which was hard-coded in the HTML of the article itself.

Hardcoded time of the article including the time of the day (05:45)

Finding: The last eight articles published on patrianoastra[.]com were specially edited to include the date of publication hardcoded in the HTML of the article and not to include any “Sursa/Source” reference to the origin of the information.


Qurium looked into the timestamps of the pictures included in the article “dezvaluiri-explozive-din-romania-ce-ascunde-emilia-sercan” ID:de0ebd970a7b8e9bc89c7a2f8219cd2a in order to determine if the article really was published on the 17th of February 2022 at 5:45 AM, as mentioned in the article (hard-coded) and supported by the Romanian police.

Qurium could reconfirm the findings of Bitdefender, a Romanian cybersecurity technology company that initially investigated the case, that the metadata of the images reveals that they were uploaded on the 18th of February 2022.

“Modified Time” metadata of the uploaded images, taken from the images in both websites.

identify -verbose 8faa9999-3646-49e8-b25e-1368df06c545.jpg | grep "date:modify"
date:modify: 2022-02-18T10:14:53+00:00

Finding: Metadata from the images included in the article indicates that the pictures were uploaded on the 18th of February 2022 and not the 17th as the hard-coded HTML code suggests.
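The checks described above (missing “Sursa:”, the ^M carriage return, the hand-typed “published on” line, and image modify times later than the typed time) can be run over a WordPress JSON dump in one pass. The following is an added example, not Qurium's own tooling; the sample posts are constructed, and the `image_mtimes` field is a hypothetical place to hold modify times gathered separately.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample posts shaped like WordPress REST API objects
# (content.rendered); slugs, text and source host are made up.
POSTS = [
    {"slug": "stire-preluata",
     "content": {"rendered": "<p>Text preluat.</p>\n<p>Sursa: www.example.ro</p>"}},
    {"slug": "articol-fara-sursa",
     "content": {"rendered": "<p>published on Feb 17,2022 at 05:45<p>\r\n<p>Text.</p>"},
     # Hypothetical field: modify times of the embedded images, collected
     # separately (e.g. from the date:modify line of `identify -verbose`).
     "image_mtimes": ["2022-02-18T10:14:53+00:00"]},
]

SOURCE_RE = re.compile(r"Sursa:\s*([^<\r\n]+)")
CLAIM_RE = re.compile(r"published on (\w{3}) (\d{1,2}),\s*(\d{4}) at (\d{1,2}):(\d{2})")

def claimed_time(html):
    """Parse the hand-typed 'published on ...' text; None if absent."""
    m = CLAIM_RE.search(html)
    if not m:
        return None
    return datetime.strptime(" ".join(m.groups()), "%b %d %Y %H %M")

def audit_post(post):
    """Return anomaly flags for one post, in the order the checks run."""
    html = post["content"]["rendered"]
    flags = []
    if not SOURCE_RE.search(html):
        flags.append("no-source")
    if "\r" in html:  # carriage return, shown as ^M by Unix editors
        flags.append("carriage-return")
    claim = claimed_time(html)
    if claim is not None:
        flags.append("hardcoded-time")
        # The typed time has no zone. UTC-12 is the furthest-behind offset, so
        # claim + 12h is the latest UTC instant it could possibly denote.
        latest = claim + timedelta(hours=12)
        for ts in post.get("image_mtimes", []):
            mtime = datetime.fromisoformat(ts).astimezone(timezone.utc)
            if mtime.replace(tzinfo=None) > latest:
                flags.append("image-newer-than-claim")
                break
    return flags

def audit(posts):
    """Map slug -> flags for every post that raised at least one flag."""
    return {p["slug"]: f for p in posts if (f := audit_post(p))}
```

Calling `audit(POSTS)` returns only the flagged posts, so a full dump reduces to the handful of articles that deserve manual review.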

realitateadinmoldova[.]net

At the time of writing, the domain realitateadinmoldova[.]net is hosting the stolen personal pictures and a defamation article.

The domain is registered in the name of Prestige Media PHG SRL, which has Bertalan-Pacuraru Alexandra-Beatrice as administrator and main shareholder (Alexandra is the daughter of Maricel Păcuraru, the shadow owner of Realitatea Plus/Realitatea Media SA).

Qurium also looked at similar domain names starting with realitatea###[.net|.ro|.md], and found the following list of domains:

realitateadinjustitie.net
realitateadinpsd.net
realitateadintecuci.net
realitateadinpnl.net
realitateadincalarasi.ro
realitateadinaur.net
realitateadinspania.net
realitateadingermania.net
realitateadinmoldova.net
realitateadinapp.net
realitateasportiva.net
realitateadebraila.net
realitateafinanciara.net
realitateadecraiova.net
realitateademures.net

The DNS records of these domains show that many of them share common name servers at Cloudflare (cruz|guss).

Using Domain Stats, Qurium managed to link several of these domains to a common Google Adsense code: Adsense pub-6981729263127207.

Historical data for the domain names places them inside the network 77.81.101[.]0/24, where the domain realitatea.net is also hosted.

 route:          77.81.101.0/24
 descr:          CompactView MP SRL
 origin:         AS60408
 mnt-by:         CompactView-MNT
 created:        2015-12-03T11:24:50Z
 last-modified:  2019-12-09T18:34:25Z
 source:         RIPE 

Qurium performed requests for the domain realitateadinmoldova[.]net in that network and found the website hosted at the IP address 77.81.101[.]116 behind Cloudflare CDN.

Finding: realitateadinmoldova[.]net is hosted at the IP address 77.81.101[.]116 behind Cloudflare CDN.

We looked up the company CompactView MP SRL and found Cosmin Sorin Pacuraru as the main owner of the company, which was consistent with the information in RIPE object CP12799-RIPE.

A social media account of the director includes a reference to his role as Administrator of Realitatea[.]net.

Information from the Company Register in Romania reveals that Cosmin Pacuraru is a shareholder in the following companies: Romanian Premium Security SRL, PHG International Security SRL and Global Network System SRL.

Finding: The article that republished the stolen pictures on the 20th of June is hosted inside Realitatea/Global Network System’s infrastructure with the provider CompactView MP SRL. Both companies include Cosmin Sorin Pacuraru as shareholder.


When investigating all domains registered in the name of Prestige Media PHG, we discovered three domain names sharing ownership data: testpentru{.}site, partidulrealitatea{.}net and partidulrealitatea{.}com.

The domain name testpentru{.}site owned by Prestige Media PHG (Moldova) has an interesting history of hosting information. The website shares hosting location with several sites of RealitateaTV.

2020-04-21 15:38:28 -0000, 2022-02-20 03:06:30 -0000,srv2.realsites2.net. IN A 195.42.138.75, AS42094 REALITATEATV, RO, Romania
2020-08-10 03:01:01 -0000, 2021-01-09 16:23:19 -0000,www.testpentru.site. IN A 195.42.138.75, AS42094 REALITATEATV, RO, Romania
2018-07-11 19:57:33 -0000, 2018-08-29 09:33:01 -0000,www.realitateademures.net. IN A 195.42.138.72, AS42094 REALITATEATV, RO, Romania
2020-08-09 23:28:33 -0000, 2021-02-20 06:20:51 -0000,testpentru.site. IN SOA cruz.ns.cloudflare.com. dns.cloudflare.com. 2034830468 10000 2400 604800 3600,0,0

Social media also suggests that the website shares contact information with the other realitateade### sites. Most of the websites use the e-mail contact locale{@}realitatea.net.

Qurium also looked into the network prefix 195.42.138.0/23 and noticed that the prefix stopped being announced on the 27th of May 2022 and that the websites were transferred to 77.81.101.0/24 and routed via Cloudflare CDN.

BGP routing information for 195.42.138.0/23 indicates the prefix was no longer announced at the end of May 2022.

route: 195.42.138.0/23
descr: REALITATEA MEDIA S.A.
origin: AS42094
mnt-by: REALITATEA-MNT
created: 2008-02-20T12:26:57Z
last-modified: 2008-02-20T12:26:57Z
source: RIPE

The original source: realitateadinmoldova[.]md

After receiving a harassment message about the stolen pictures via Facebook, Emilia Șercan reported the case to the police. A few hours later, the material was published at the website realitateadinmoldova[.]md dated February 17th, 14:51 PM.

Qurium has looked into the registration of the domain realitateadinmoldova{.}md and found it associated with Realitatea-PHG SRL and Mihai Cristian (aka Cristian Rizea).

The website is hosted at IP address 66.29.143{.}36.

Domain ownership 17th February 2022
Domain Whois info May 2022

Finding: realitateadinmoldova[.]md is hosted at IP address 66.29.143{.}36 and registered in the name of Realitatea-PHG SRL and Mihai Cristian (aka Cristian Rizea).

Maltego Graph of the forensic indicators

Conclusions

Qurium’s forensic investigation shows that the articles on the website patrianoastra{.}com published during the month of February 2022 were specially created with the text “published on Feb 17, at #:##” to tamper with the real time of publication. Analysis of the images of the article titled “dezvaluiri-explozive-din-romania-ce-ascunde-emilia-sercan” found metadata indicating that the images were uploaded to the server on the 18th of February and not the 17th, as the police report and the article suggest.

Timestamps in the metadata of the images found initially on the website realitateadinmoldova[.]md suggest that the article was originally uploaded to this website and not to patrianoastra{.}com. The domain realitateadinmoldova[.]md was registered in the name of Realitatea-PHG SRL and later on changed to Cristian Mihai (Rizea) in May 2022.

A second article, which still includes the stolen personal pictures, was published on the 20th of June on the website realitateadinmoldova[.]net, which is hosted at the IP address 77.81.101[.]116 behind Cloudflare CDN. The IP space is managed by CompactView MP SRL. The director of CompactView MP SRL is “Cosmin Sorin Pacuraru”, who also acts as administrator of Global Network System, which develops the mobile app for RealitateaTV.

The evidence analyzed, which includes the full backup copies of the involved websites, suggests that the pictures were leaked to realitateadinmoldova[.]md to be later redistributed by other websites, including realitateadinmoldova[.]net. The official police investigation suggests that the pictures were initially uploaded to the website patrianoastra{.}com, but the evidence found and analyzed during our investigation suggests that patrianoastra{.}com was likely used to conceal the real source of the distribution of the materials.

Appendix – Rebuilding a publishing timeline

On the 20th of June 2022, an article including pictures of the journalist was redistributed. This is the timeline of the publication, obtained by extracting the time from the “meta property article:published_time” of each of the sites.
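One way to rebuild such a timeline from saved copies of the pages is shown below as an added example, not Qurium's own code. The host names and times are constructed placeholders; the point is that each value must be normalized to UTC before ordering, because sites publish the tag with different offsets.

```python
from datetime import datetime, timezone
from html.parser import HTMLParser

# Constructed pages; host names and times are placeholders, not the sites
# or values from the investigation.
PAGES = {
    "site-a.example": '<head><meta property="article:published_time" content="2022-06-20T09:30:00+03:00"></head>',
    "site-b.example": '<head><meta property="article:published_time" content="2022-06-20T07:15:00Z" /></head>',
    "site-c.example": '<head><meta content="2022-06-20T08:00:00+02:00" property="article:published_time"></head>',
    "site-d.example": "<head><title>no metadata</title></head>",
}

class PublishedTimeParser(HTMLParser):
    """Keep the first <meta property="article:published_time"> content value."""
    def __init__(self):
        super().__init__()
        self.value = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if (tag == "meta" and self.value is None
                and a.get("property") == "article:published_time"):
            self.value = a.get("content")

def published_utc(html):
    """Return the published time as an aware UTC datetime, or None."""
    parser = PublishedTimeParser()
    parser.feed(html)
    if not parser.value:
        return None
    try:
        dt = datetime.fromisoformat(parser.value.replace("Z", "+00:00"))
    except ValueError:
        return None
    # A value without an offset cannot be ordered against other sites.
    return dt.astimezone(timezone.utc) if dt.tzinfo else None

def build_timeline(pages):
    """Return ([(site, utc_iso), ...] oldest first, [sites with no usable time])."""
    dated, missing = [], []
    for site, html in pages.items():
        dt = published_utc(html)
        (dated if dt is not None else missing).append((site, dt))
    dated.sort(key=lambda item: item[1])
    return [(s, d.isoformat()) for s, d in dated], [s for s, _ in missing]
```

Sorting the raw strings would put site-b first; after normalization site-c is the earliest publisher.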