#FactCheck -Scripted Video of Pre-Wedding Roka at Metro Station Misleads Users
Executive Summary
A video is going viral on social media showing a woman performing a pre-wedding ritual called “Roka” for a couple at a metro station. Many users are sharing the clip believing it to be a real incident. CyberPeace found in its research that the viral claim is false. The video is actually scripted.
Claim:
An Instagram user posted the video on February 7, 2026, with the caption, “A mother performed her son’s Roka with his girlfriend at a metro station.”

Fact Check:
To verify the claim, we conducted a reverse image search using Google Lens on screenshots from the viral video. We found the same video was first uploaded on February 5, 2026, by an Instagram account named “chalte_phirte098.” The profile belongs to digital content creator Aarav Mavi, who regularly posts relationship and breakup-related videos.

Although the viral clip does not include any disclaimer stating that it is scripted, an older video posted by the creator on December 16, 2025, clarifies that his content is based on real-life stories shared by people but is filmed using professional actors. Several similar staged videos are also available on his profile on Instagram.

Conclusion:
Our research clearly shows that the viral video claiming to show a pre-wedding Roka ceremony at a metro station is not real. It was created by a content creator for entertainment purposes. Therefore, the claim circulating on social media is misleading.
Related Blogs

In the vast, uncharted territories of the digital world, a sinister phenomenon is proliferating at an alarming rate. It's a world where artificial intelligence (AI) and human vulnerability intertwine in a disturbing combination, creating a shadowy realm of non-consensual pornography. This is the world of deepfake pornography, a burgeoning industry that is as lucrative as it is unsettling.
According to a recent assessment, at least 100,000 deepfake porn videos are readily available on the internet, with hundreds, if not thousands, being uploaded daily. This staggering statistic prompts a chilling question: what is driving the creation of such a vast number of fakes? Is it merely for amusement, or is there a more sinister motive at play?
Recent Trends and Developments
An investigation by India Today’s Open-Source Intelligence (OSINT) team reveals that deepfake pornography is rapidly morphing into a thriving business. AI enthusiasts, creators, and experts are extending their expertise, investors are injecting money, and even small financial companies to tech giants like Google, VISA, Mastercard, and PayPal are being misused in this dark trade. Synthetic porn has existed for years, but advances in AI and the increasing availability of technology have made it easier—and more profitable—to create and distribute non-consensual sexually explicit material. The 2023 State of Deepfake report by Home Security Heroes reveals a staggering 550% increase in the number of deepfakes compared to 2019.
What’s the Matter with Fakes?
But why should we be concerned about these fakes? The answer lies in the real-world harm they cause. India has already seen cases of extortion carried out by exploiting deepfake technology. An elderly man in UP’s Ghaziabad, for instance, was tricked into paying Rs 74,000 after receiving a deep fake video of a police officer. The situation could have been even more serious if the perpetrators had decided to create deepfake porn of the victim.
The danger is particularly severe for women. The 2023 State of Deepfake Report estimates that at least 98 percent of all deepfakes is porn and 99 percent of its victims are women. A study by Harvard University refrained from using the term “pornography” for creating, sharing, or threatening to create/share sexually explicit images and videos of a person without their consent. “It is abuse and should be understood as such,” it states.
Based on interviews of victims of deepfake porn last year, the study said 63 percent of participants talked about experiences of “sexual deepfake abuse” and reported that their sexual deepfakes had been monetised online. It also found “sexual deepfake abuse to be particularly harmful because of the fluidity and co-occurrence of online offline experiences of abuse, resulting in endless reverberations of abuse in which every aspect of the victim’s life is permanently disrupted”.
Creating deepfake porn is disturbingly easy. There are largely two types of deepfakes: one featuring faces of humans and another featuring computer-generated hyper-realistic faces of non-existing people. The first category is particularly concerning and is created by superimposing faces of real people on existing pornographic images and videos—a task made simple and easy by AI tools.
During the investigation, platforms hosting deepfake porn of stars like Jennifer Lawrence, Emma Stone, Jennifer Aniston, Aishwarya Rai, Rashmika Mandanna to TV actors and influencers like Aanchal Khurana, Ahsaas Channa, and Sonam Bajwa and Anveshi Jain were encountered. It takes a few minutes and as little as Rs 40 for a user to create a high-quality fake porn video of 15 seconds on platforms like FakeApp and FaceSwap.
The Modus Operandi
These platforms brazenly flaunt their business association and hide behind frivolous declarations such as: the content is “meant solely for entertainment” and “not intended to harm or humiliate anyone”. However, the irony of these disclaimers is not lost on anyone, especially when they host thousands of non-consensual deepfake pornography.
As fake porn content and its consumers surge, deepfake porn sites are rushing to forge collaborations with generative AI service providers and have integrated their interfaces for enhanced interoperability. The promise and potential of making quick bucks have given birth to step-by-step guides, video tutorials, and websites that offer tools and programs, recommendations, and ratings.
Nearly 90 per cent of all deepfake porn is hosted by dedicated platforms that charge for long-duration premium fake content and for creating porn—of whoever a user wants, and take requests for celebrities. To encourage them further, they enable creators to monetize their content.
One such website, Civitai, has a system in place that pays “rewards” to creators of AI models that generate “images of real people'', including ordinary people. It also enables users to post AI images, prompts, model data, and LoRA (low-rank adaptation of large language models) files used in generating the images. Model data designed for adult content is gaining great popularity on the platform, and they are not only targeting celebrities. Common people are equally susceptible.
Access to premium fake porn, like any other content, requires payment. But how can a gateway process payment for sexual content that lacks consent? It seems financial institutes and banks are not paying much attention to this legal question. During the investigation, many such websites accepting payments through services like VISA, Mastercard, and Stripe were found.
Those who have failed to register/partner with these fintech giants have found a way out. While some direct users to third-party sites, others use personal PayPal accounts to manually collect money in the personal accounts of their employees/stakeholders, which potentially violates the platform's terms of use that ban the sale of “sexually oriented digital goods or content delivered through a digital medium.”
Among others, the MakeNude.ai web app – which lets users “view any girl without clothing” in “just a single click” – has an interesting method of circumventing restrictions around the sale of non-consensual pornography. The platform has partnered with Ukraine-based Monobank and Dublin’s BetaTransfer Kassa which operates in “high-risk markets”.
BetaTransfer Kassa admits to serving “clients who have already contacted payment aggregators and received a refusal to accept payments, or aggregators stopped payments altogether after the resource was approved or completely freeze your funds”. To make payment processing easy, MakeNude.ai seems to be exploiting the donation ‘jar’ facility of Monobank, which is often used by people to donate money to Ukraine to support it in the war against Russia.
The Indian Scenario
India currently is on its way to design dedicated legislation to address issues arising out of deepfakes. Though existing general laws requiring such platforms to remove offensive content also apply to deepfake porn. However, persecution of the offender and their conviction is extremely difficult for law enforcement agencies as it is a boundaryless crime and sometimes involves several countries in the process.
A victim can register a police complaint under provisions of Section 66E and Section 66D of the IT Act, 2000. Recently enacted Digital Personal Data Protection Act, 2023 aims to protect the digital personal data of users. Recently Union Government issued an advisory to social media intermediaries to identify misinformation and deepfakes. Comprehensive law promised by Union IT minister Ashwini Vaishnav will be able to address these challenges.
Conclusion
In the end, the unsettling dance of AI and human vulnerability continues in the dark web of deepfake pornography. It's a dance that is as disturbing as it is fascinating, a dance that raises questions about the ethical use of technology, the protection of individual rights, and the responsibility of financial institutions. It's a dance that we must all be aware of, for it is a dance that affects us all.
References
- https://www.indiatoday.in/india/story/deepfake-porn-artificial-intelligence-women-fake-photos-2471855-2023-12-04
- https://www.hindustantimes.com/opinion/the-legal-net-to-trap-peddlers-of-deepfakes-101701520933515.html
- https://indianexpress.com/article/opinion/columns/with-deepfakes-getting-better-and-more-alarming-seeing-is-no-longer-believing/

Executive Summary
An image showing Prime Minister Narendra Modi and Leader of Opposition in the Lok Sabha and Congress MP Rahul Gandhi standing face to face inside Parliament is going viral on social media. Several users are sharing the image claiming that the photograph was taken during the ongoing Budget Session, suggesting a direct face-off between the two leaders inside Parliament. However, research conducted by the CyberPeacehas found that the viral claim is false. The image in question is not real but has been generated using Artificial Intelligence (AI). The AI-generated image is now being shared on social media with a misleading claim.
Claim
A Facebook user named Madhu Davi shared the viral image on January 30, 2026, with the caption: “If this photo is from today and the Budget Session, it is commendable. RAGA Zindabad.”
(Archived version of the post available here.)
- https://www.facebook.com/photo/?fbid=759145877237871&set=a.110639115421887
- https://perma.cc/N2XD-TZ32?type=image

Fact Check:
To verify the viral claim, we first conducted a keyword search on Google to check whether any credible media outlet had reported such an incident during the Budget Session. However, no news reports supporting the claim were found. We then performed a reverse image search using Google Lens, but this too did not yield any reliable media reports or evidence confirming the authenticity of the image. This raised suspicion that the image might be AI-generated. To further verify, the image was analysed using the AI detection tool Hive Moderation. The tool indicated a probability of over 99 per cent that the image was generated using Artificial Intelligence.

Conclusion
CyberPeace research confirms that the image being circulated with the claim that Prime Minister Narendra Modi and Rahul Gandhi came face to face during the Budget Session is fake. The viral image has been created using AI and is being shared with a false and misleading narrative.
.webp)
Introduction
In today’s cybersecurity landscape, ransomware has emerged as one of the most significant and rapidly growing cyber threats. What began as attacks carried out by individual hackers has evolved into a highly organised criminal enterprise, with groups operating through structured business models and global networks. The emergence of The Gentlemen ransomware group reflects this transformation, demonstrating how modern threat actors can quickly expand their operations and target organisations across multiple sectors. Their rise highlights the increasing sophistication of ransomware campaigns and the growing challenges faced by organisations in defending against them. The attribution of the group's administrator to an identified individual in Izhevsk, Russia, provides a valuable lens through which to examine three interconnected developments: the maturation of ransomware-as-a-service (RaaS) business models, the inherent operational security (OPSEC) weaknesses that emerge over the course of cybercriminal careers, and the geopolitical environments that enable such actors to operate with relative impunity. Together, these dynamics illustrate the industrialisation of modern cybercrime.
The Industrialisation of Ransomware-as-a-Service
The remarkable rapid rise of The Gentlemen is impossible without discussing the maturation of ransomware-as-a-service (RaaS). RaaS systems utilize network intrusion experts as affiliates who conduct networks intrusions and secure access in exchange for a cut of the total ransoms paid, while a core group builds and maintains the ransomware framework itself. Although Reveton, one of the earliest Raas providers, can be credited with bringing early iterations of RaaS to fruition in 2012, the potential scale was truly evident in the mid-2020s. By 2025 it was estimated that there were over 100 active ransomware gangs operating; this proliferation is the direct result of the franchise-like system, which has lowered the barriers to entry for cybercrime.
The marketplace surrounding RaaS is intensely competitive, and this is clearly exemplified in the business structure of The Gentlemen: while many of the top ransomware groups provide an 80/20 profit share (with the majority of the profit going to the affiliates), The Gentlemen has an exceptionally profitable 90/10 split (affiliates keep 90% of the profit share) for affiliates, likely to draw experienced operators away from their rivals given recent decreases in victim willingness to pay and corresponding increases in the incentives RaaS platforms are required to offer.
The operational efficiency of the group is representative of a successful enterprise. They attack vulnerable internet-facing VPNs and firewalls and generally complete the network encryption within a matter of hours, leaving defenders with very little time to respond, as confirmed by Check Point Software, a renowned cybersecurity vendor.
Additionally, PRODAFT reports that the administrator of The Gentlemen, known by the alias Zeta88 (previously known as Hastalamuerte), directly provides affiliates with SSL VPN credentials, often obtained through brutal force attacks or their own private leaked databases, indicating an unusually high level of vertical integration for RaaS groups.
AI as a Force Multiplier in Ransomware Development
A particularly significant aspect of the Hastalamuerte case is PRODAFT's finding that the administrator employs artificial intelligence to develop and maintain ransomware, support associated tooling, and assist post-exploitation operations. This reflects a broader trend observed across the 2025–2026 threat landscape, where AI has increasingly lowered the capability threshold for participation in organised cybercrime. Researchers have documented its role in automating stages of intrusion, accelerating malware development cycles, and simplifying the maintenance of malicious infrastructure. These capabilities have been leveraged by both nation-state actors and criminal enterprises.
The trajectory of Hastalamuerte is especially illustrative. Cybersecurity Forum posts during 2019-2020 depict a hacker who is fairly novice at fundamental penetration testing procedures. A subsequent emergence as the operator of a top-tier ransomware-as-a-service operation indicates that AI-assisted development may be responsible for dramatically reducing the skill level and time necessary to create a successful criminal enterprise in cyberspace. The evolution of these tools should make the route from novice forum user to accomplished ransomware operator more attainable for a wider array of perpetrators in the future.
The OPSEC Paradox: How Cybercriminals Leave a Trail
The attribution of Hastalamuerte's identity by researchers from Intel 471, Flashpoint, and Constella Intelligence demonstrates the effectiveness of modern open-source and commercial intelligence methodologies. A forum registration traceable to an IP address from Izhevsk, Russia linked a Protonmail address, which linked to an Apple account, a GitHub profile, a Telegram handle, a Russian phone number, and finally to a 36 year old marketing professional named Alexander Andreevich Yapaev who was also living in Izhevsk. Investigators did not use an advanced capability in their attribution, but rather a simple OPSEC mistake of consistently reusing credentials. Every username and email address and every phone number creates a linkage between disparate data points, eventually building into a real-world persona.
It has also come out in the forum discussion that while training for a penetration testing course in 2020, Hastalamuerte displayed the kind of inexperience that a novice would display in traceable, recorded fashion to intelligence databases. It's an example of a broader rule about attribution; attacker mistakes provide the most value. With Russians the lack of apparent consequences may contribute to a lack of need to maintain tight OPSEC from the start.
The Russian Safe Haven: Conditional Impunity and Its Limits
Yapaev's base in Izhevsk is emblematic of the geostrategic situation that has allowed Russian cybercriminality to prosper. Security researchers routinely label Russia's policy as one of "controlled impunity," where the cybercriminality directed at foreign entities is ignored or implicitly condoned, while that directed at Russian interests will prompt a law enforcement response. This constitutes what has been called a "managed market" rather than an "unconditional sanctuary," where many of the named defendants could and likely will continue their illegal enterprise with little fear of reprisal, provided that they do not threaten the interests of the Russian state and do not attempt to move their operations outside of Russian control.
Yet this protection is neither absolute nor permanent. In May 2024, the transnational Operation Endgame campaign highlighted the growing global appetite for damaging the cybercrime ecosystem rooted in Russia. Russian authorities did indeed pursue and seize some assets and operators, but arrests seem largely confined to the lower-rung facilitators of these attacks (hosting providers and payment services), and it seems higher-end ransomware operators continue to evade scrutiny. Selective enforcement thus further bolsters the perception that protection is accorded according to strategic value, not legal standards. For operators such as Hastalamuerte, who possess no publicly documented intelligence connections, growing attribution capabilities, and sustained international pressure may gradually erode the security traditionally associated with operating from within Russia.
Attribution as a Deterrence Instrument
The public identification of Alexander Andreevich Yapaev as Hastalamuerte/Zeta88 shows the continued struggle with the utility of attribution in situations where immediate prosecution is not feasible. Its utility is far more extensive than simply an ability to make an arrest. Functionally, public naming forces a perpetrator into an open evidentiary space and can lead to alterations in their operational habits and effectiveness. Strategically, attribution provides future leverage for sanctions, indictments, financial restrictions, or extradition if the target can leave their safe haven country. The logic behind US rewards programs (paying up to $10 million for the capture and conviction of ransomware operators) relies on this principle. The analytical insight provided by the case cannot be understated either. Hastalamuerte's trajectory from a relative amateur forum participant on Nulled and Raidforums in 2019 to leading a significant ransomware operation by 2026 offers an invaluable look into the career progression of a cyber criminal. It confirms one of the lessons learned through deterrence and attribution: pseudonymity is not everlasting, and many years of OPSEC failures can be pieced together to establish a real-world identity.
Conclusion
The Gentlemen incident is emblematic of the three broad themes that currently characterise cyber warfare: ransomware-as-a-service through innovative competition, common OPSEC failures that enable attribution, and a new, conditional regime of protection for Russian cybercriminals. The obvious defense lesson: increasing attack surfaces require stronger identity, behavioural monitoring, and intelligence capacities. The policy lesson: effective attribution is still an essential tool for comprehension, deterrence, and disruption in an increasingly industrialised environment of criminals supporting each other's operations in ransomware-as-a-service.
References
- https://krebsonsecurity.com/2026/06/who-runs-the-ransomware-group-the-gentlemen/
- https://www.recordedfuture.com/
- https://www.vectra.ai/topics/ransomware-as-a-service
- https://www.trmlabs.com/es/resources/blog/new-disruption-opportunities-in-the-evolving-ransomware-ecosystem