- There are multiple accounts on Facebook and Telegram advertising false documents. Some of these accounts are specialized just on false documents, while other accounts offer a multitude of criminal services from human smuggling to false documents, false currency etc.; Most accounts are specialized to a certain category of documents (e.g. travel documents), but there are some, albeit fewer, who offer a wider category (e.g. identity documents, birth certificates, study documents, driving licenses)
- These accounts can be often recognized by key words in the account name [passport] [visa] [travel] [identity] [immigration services]; these often appear in both English/French and the language of the members of the criminal entity (e.g. Persian, Arabic)
- Profile pictures of these accounts often include images of multiple identity documents (passports, birth certificates, driving license) or travel documents (e.g. Schengen visa).
- On Facebook, such pages often identity themselves as companies, which offer either [travel services] or [consultancy] or [legal assistance for working/studying abroad].
- Approximately 75% of the content of such accounts are photos/videos showcasing their products and only 25% or less is text. Therefore, it is important that both text and multimedia content is analysed.
- There are several steps to such an analysis:
- An analysis of the account information & trying to match it to similar accounts on the same platform and/or on other platforms to understand the magnitude of the operation and its network
- An analysis of the content to try to understand the services provided, the client base, the technology employed.
- In the case of Telegram accounts, the analysis of the account information can include the following steps:
- Analysing the general information & history of changes; it can happen that initially the owner of the account, lacking experience, would have provided more identifiable information which as they became aware of LEA activities would have removed. However, this information is still available, and it can include contact information (e.g. phone numbers, names of other accounts).
- Accounts of larger operations normally have multiple accounts on the same platform, which are used as back-up and which include slight name variations (a changed vowel, an added number); they also have accounts under the same/or similar name across different platforms
- The different accounts across platforms do not always perform the same role; it is often the case that the Telegram is the main ‘business’ account, accounts on Instagram, Facebook are only there to advertise services.
The Analysis Circle
- For the analysis of content, we propose the use of the model shown to the bellow.
- The analysis should answer the following questions:
- What types of documents are being offered?
- What countries are frequently mentioned?
- What tools are being used for erasing and/or re-printing information on documents?
- What industries are these tools used? Where can they be bought and how much do they cost?
- What tools are being used for checking the information on the documents?
- What tools are being used for reading identity information on these documents?
- What is the modus operandi?
- Where are the original documents coming from and how have they been obtained
- How and where are the documents delivered?
- What is the cost of the different documents and how is payment made?
- On what routes have these false documents being successfully used? Which airports? Which airlines? Which other types of means of transport (e.g. bus, train)?
- How do the owners of the Telegram account obtain testimonials of use?
- What are the recommended uses of such documents by the owners of the account?
Are these documents real? Three modus operandi were identified so far:
- Type 1: Original document (probably stolen) – either customer resembles photo or photo is replaced – most expensive
- Type 2: Original document with information page replaced – 2nd most expensive
- Type 3: Document produced from scratch – least expensive
Where are the documents coming from? There are two modus operandi identified so far:
- Type 1: Stolen documents, probably while original owners were in transit
- Type 2: Bulk collection (probably sold by original owners to criminal organisations)