Dark Ops Undercovered: Episode II – Eliminalia


WHAT’S HIDING BEHIND THE FAKE DMCA COMPLAINTS?

In the last months, one of Qurium’s research questions has been to understand how the domains registered by Eliminalia have been used to remove content from Google search results. Our first quick finding was to see that hundreds of their domains were copying articles from legitimate news media in an automatic fashion, skipping the content that their clients found uncomfortable. Two of Qurium’s hosted websites were used by the clones, that pulled new stories from the media sites several times per hour.

By February 2021, Qurium knew that Eliminalia was copying and back-dating articles to file DMCA complains since at least 2017 but it was unclear if the “clones” had been used for the same purpose.

Enadwords.com: one of the first domains used for fake DMCA Complaints in 2018

In order to find out, we took the list of domain names registered by Eliminalia as an input of the research API provided by Lumen. The Lumen Database is a project of the Berkman Klein Center for Internet & Society at Harvard University that studies cease and desist letters concerning online content.

The first results were very revealing, some of the fake domain names used to clone websites were also present in the Lumen database!

Searching for the domain in “All Fields” in Lumen DB

The Lumen API does not allow searches by URL (at least we have not figure out how to do it!) so we wrote a fancy Python script to find the cases using the “All Fields” search field.

The result of our searches is that from the 300 domain names registered by Eliminalia to clone media websites, at least 16 of them have been used to file fake DMCA complains to Google.

The following 16 URLs have been used to clone legit media sites, back-date articles and later file fake DMCA complains to Google:

  1. diariobucaramanga.co
  2. noticiasneiva.co
  3. noticiaspasto.co
  4. san-andres.co
  5. chinatimestw.com
  6. informaciondura.com
  7. libertytimestw.com
  8. noticiascandela.co
  9. noticias-mundo.com
  10. noticiasneiva.co
  11. noticias-politica.com
  12. notizieveneto.it
  13. prensa-directa.com
  14. taiwan24h.com
  15. todaydailytw.com
  16. ultima-hora.com

Once we could confirm that some websites had been used to file fake DMCAs, we simply used the public access to the Lumen database to retrieve the description of each case.

What topics do the DMCA complaints concern?

According to Eliminalia, they offer to “rebuild your future by deleting unwanted and erroneus information and help guarantee your right to anonimity” (yes, their tagline includes two misspellings). Sounds fair as long as we speak about personal blunders, but is it OK to erase content dealing with corrupted politicians, financial fraud, environmental scandals?

Eliminalia’s tagline.

This is a summary of the DMCA cases we found in the Lumen database:

  • 92 legal complaints and requests for removal of online materials from May 2019 to March 2021.
  • The cases are associated to the following countries:
    • Taiwan (26) – started in late November 2020
    • Spain (17)
    • Venezuela (16)
    • Italy (12)
    • Mexico (8)
    • Colombia (5)
    • Chile (3)
    • United Kingdom (2)
    • Argentina (1)
    • Angola (1)
    • India (1)
  • 72% of the complaints have their articles still online.
  • 37% of the total number of complaints are targeting content hosted in blogspot.com.
  • DMCA seems to mostly target articles hosted at blogspot.com.
  • 38% of the blogspot.com websites have the content removed or their website is no longer reachable.

The main six thematic areas of the DMCA complaints are:

  1. Business and financial fraud in the sectors of food, education and health. Critical articles talking about fraudulent job offers/interviews, Universities or academies not delivering their services, bad surgeries including patients deaths.
  2. Cases of corruption: Articles about inflated contracts, money laundry, hidden bank accounts in Switzerland.
  3. Cases of sexual abuse or harassment.
  4. Reporting of connections with mafias or organized crime.
  5. Environmental impact: Articles covering the environmental impact of construction companies or land ownership.
  6. Human rights violations

Upon review of 78 of the 92 cases that are still online, we found that half of the cases are related to different forms of business and financial corruption, that in many cases have resulted in a legal sentence.

Another large group of articles relate to investigations of organized crime and the connections to different mafia groups.

Use of Safe Creative to register fake copyright ownership

During the research we discovered that Eliminalia used Safe Creative to falsely register Copyright ownership of articles in order to file DMCA complaints later on.

Examples of fake DMCA cases

The following two cases are examples of the categories environmental impact and human right violations.

Case 1: The land stolen by Banana producers

Several DMCA cases are related to investigations into environmental issues such as the banana production in Colombia released by Ciper Chile and El Diario.ES.

In 2020, the fake domain noticias-mundo.com was used to create a clone of an investigation published by CiperChile back in 2017. The clone website back-dated its publication and filed a fake DMCA complain in January 2020.

The case is registered in Lumen with ID 19997993.

Lumen case 19997993.

Case 2: Doctors’ involvement in torture programs

In December 2019, the clone website ultima-hora.com was used to try to remove an article from the Radio Universidad de Chile that included the list of doctors involved in tortures during the Pinochet’s dictatorship.

Despite that the domain ultima-hora.com was registered by Eliminalia in April 2019, an article with date 2013-08-18 was created to file a DMCA complaint against the article from the Radio Universidad de Chile. The case is registered in Lumen with ID 19738319.

Lumen Case 19738319
Original article from 2013.
The clone website (Ultima-hora) used to file fake DMCA case.

How to reproduce our findings?

Any researcher using public available tools can reproduce our findings following these simple steps:

STEP 1: FIND ELIMINALIA IP RANGE

Obtain the IP ranges used by Eliminalia to host the fake domains from Censys.

STEP 2: FIND ELIMINALIA DOMAINS

Obtain the domain names hosted in the range 62.244.51.52 – 62.244.51.57 from RiskIQ.

STEP3: OBTAIN LIST OF FAKE DMCA CASES

Use the Lumen search engine search with the fake domain names.

STEP 4: OBTAIN DETAILED DMCA CASE FILES

Obtain the full details for each DMCA case by providing your e-mail address.

STEP 5: REVIEW AND ANALYZE

Review the results, classify the articles by country, thematic area, date of submission, etc.