#FactCheck-Fake Claim Links White House Dinner Shooting Suspect to ‘Indian Wife’; Viral Images Likely AI-Generated
Executive Summary
After reports identifying Cole Thomas Allen as the accused in the shooting incident at the White House Correspondents’ Association (WHCA) dinner, several Pakistani propaganda-linked social media accounts began circulating a new claim alleging that the suspect’s wife is an Indian woman named Priyanka Rao. Users shared a photo purportedly showing Cole Thomas Allen with Priyanka Rao, along with an alleged Indian passport in her name. One user posted the image with the caption: “31-year-old Cole Thomas Allen with his Indian wife Priyanka Rao. Why do they always have three names?”
However, research by the CyberPeace Research Wing found the claim to be fake. The viral passport and accompanying image appear to be AI-generated.
Claim:
Social media users claimed that Cole Thomas Allen, accused in the WHCA dinner shooting, is married to an Indian woman named Priyanka Rao.

Fact Check:
During the research, multiple inconsistencies were found in the viral passport image, strongly indicating it is fabricated. A close review of the document revealed several obvious errors commonly seen in AI-generated content. For instance, in the “Nationality” field, the name “Cole Thomas Allen” was written instead of a country name. Such a basic mistake would not appear in any genuine government-issued passport.
The Hindi text on the document was also highly inaccurate and unnatural. Examples included:
- “राष्ट्रीयता” misspelled as “राष्ट्रीयाय”
- “जन्मतिथि” replaced with meaningless text
- “जन्म स्थान” incorrectly written
- “Issue” mistranslated as unrelated wording
- “Date of Expiry” left untranslated in Hindi format
Further analysis using an AI detection tool indicated that the viral passport image had a 69 percent probability of being AI-generated.

Conclusion:
The claim that WHCA dinner shooting accused Cole Thomas Allen has an Indian wife named Priyanka Rao is fake. The viral passport and image being shared online are likely AI-generated and part of a misinformation campaign.
Related Blogs
.webp)
Introduction
Cyber slavery has emerged as a serious menace. Offenders target innocent individuals, luring them with false promises of employment, only to capture them and subject them to horrific torture and forced labour. According to reports, hundreds of Indians have been imprisoned in 'Cyber Slavery' in certain Southeast Asian countries. Indians who have travelled to South Asian nations such as Cambodia in the hopes of finding work and establishing themselves have fallen victim to the illusion of internet slavery. According to reports, 30,000 Indians who travelled to this region on tourist visas between 2022 and 2024 did not return. India Today’s coverage demonstrated how survivors of cyber slavery who have somehow escaped and returned to India have talked about the terrifying experiences they had while being coerced into engaging in cyber slavery.
Tricked by a Job Offer, Trapped in Cyber Slavery
India Today aired testimonials of cyber slavery victims who described how they were trapped. One individual shared that he had applied for a well-paying job as an electrician in Cambodia through an agent in Delhi. However, upon arriving in Cambodia, he was offered a job with a Chinese company where he was forced to participate in cyber scam operations and online fraudulent activities.
He revealed that a personal system and mobile phone were provided, and they were compelled to cheat Indian individuals using these devices and commit cyber fraud. They were forced to work 12-hour shifts. After working there for several months, he repeatedly requested his agent to help him escape. In response, the Chinese group violently loaded him into a truck, assaulted him, and left him for dead on the side of the road. Despite this, he managed to survive. He contacted locals and eventually got in touch with his brother in India, and somehow, he managed to return home.
This case highlights how cyber-criminal groups deceive innocent individuals with the false promise of employment and then coerce them into committing cyber fraud against their own country. According to the Ministry of Home Affairs' Indian Cyber Crime Coordination Center (I4C), there has been a significant rise in cybercrimes targeting Indians, with approximately 45% of these cases originating from Southeast Asia.
CyberPeace Recommendations
Cyber slavery has developed as a serious problem, beginning with digital deception and progressing to physical torture and violent actions to commit fraudulent online acts. It is a serious issue that also violates human rights. The government has already taken note of the situation, and the Indian Cyber Crime Coordination Centre (I4C) is taking proactive steps to address it. It is important for netizens to exercise due care and caution, as awareness is the first line of defence. By remaining vigilant, they can oppose and detect the digital deceit of phony job opportunities in foreign nations and the manipulative techniques of scammers. Netizens can protect themselves from significant threats that could harm their lives by staying watchful and double-checking information from reliable sources.
References
- CyberPeace Highlights Cyber Slavery: A Serious Concern https://www.cyberpeace.org/resources/blogs/cyber-slavery-a-serious-concern
- https://www.indiatoday.in/india/story/india-today-operation-cyber-slaves-stories-of-golden-triangle-network-of-fake-job-offers-2642498-2024-11-29
- https://www.indiatoday.in/india/video/cyber-slavery-survivors-narrate-harrowing-accounts-of-torture-2642540-2024-11-29?utm_source=washare

Executive Summary:
A viral post on X (formerly twitter) shared with misleading captions about Gautam Adani being arrested in public for fraud, bribery and corruption. The charges accuse him, his nephew Sagar Adani and 6 others of his group allegedly defrauding American investors and orchestrating a bribery scheme to secure a multi-billion-dollar solar energy project awarded by the Indian government. Always verify claims before sharing posts/photos as this came out to be AI-generated.

Claim:
An image circulating of public arrest after a US court accused Gautam Adani and executives of bribery.
Fact Check:
There are multiple anomalies as we can see in the picture attached below, (highlighted in red circle) the police officer grabbing Adani’s arm has six fingers. Adani’s other hand is completely absent. The left eye of an officer (marked in blue) is inconsistent with the right. The faces of officers (marked in yellow and green circles) appear distorted, and another officer (shown in pink circle) appears to have a fully covered face. With all this evidence the picture is too distorted for an image to be clicked by a camera.


A thorough examination utilizing AI detection software concluded that the image was synthetically produced.
Conclusion:
A viral image circulating of the public arrest of Gautam Adani after a US court accused of bribery. After analysing the image, it is proved to be an AI-Generated image and there is no authentic information in any news articles. Such misinformation spreads fast and can confuse and harm public perception. Always verify the image by checking for visual inconsistency and using trusted sources to confirm authenticity.
- Claim: Gautam Adani arrested in public by law enforcement agencies
- Claimed On: Instagram and X (Formerly Known As Twitter)
- Fact Check: False and Misleading
.webp)
Introduction
In today’s cybersecurity landscape, ransomware has emerged as one of the most significant and rapidly growing cyber threats. What began as attacks carried out by individual hackers has evolved into a highly organised criminal enterprise, with groups operating through structured business models and global networks. The emergence of The Gentlemen ransomware group reflects this transformation, demonstrating how modern threat actors can quickly expand their operations and target organisations across multiple sectors. Their rise highlights the increasing sophistication of ransomware campaigns and the growing challenges faced by organisations in defending against them. The attribution of the group's administrator to an identified individual in Izhevsk, Russia, provides a valuable lens through which to examine three interconnected developments: the maturation of ransomware-as-a-service (RaaS) business models, the inherent operational security (OPSEC) weaknesses that emerge over the course of cybercriminal careers, and the geopolitical environments that enable such actors to operate with relative impunity. Together, these dynamics illustrate the industrialisation of modern cybercrime.
The Industrialisation of Ransomware-as-a-Service
The remarkable rapid rise of The Gentlemen is impossible without discussing the maturation of ransomware-as-a-service (RaaS). RaaS systems utilize network intrusion experts as affiliates who conduct networks intrusions and secure access in exchange for a cut of the total ransoms paid, while a core group builds and maintains the ransomware framework itself. Although Reveton, one of the earliest Raas providers, can be credited with bringing early iterations of RaaS to fruition in 2012, the potential scale was truly evident in the mid-2020s. By 2025 it was estimated that there were over 100 active ransomware gangs operating; this proliferation is the direct result of the franchise-like system, which has lowered the barriers to entry for cybercrime.
The marketplace surrounding RaaS is intensely competitive, and this is clearly exemplified in the business structure of The Gentlemen: while many of the top ransomware groups provide an 80/20 profit share (with the majority of the profit going to the affiliates), The Gentlemen has an exceptionally profitable 90/10 split (affiliates keep 90% of the profit share) for affiliates, likely to draw experienced operators away from their rivals given recent decreases in victim willingness to pay and corresponding increases in the incentives RaaS platforms are required to offer.
The operational efficiency of the group is representative of a successful enterprise. They attack vulnerable internet-facing VPNs and firewalls and generally complete the network encryption within a matter of hours, leaving defenders with very little time to respond, as confirmed by Check Point Software, a renowned cybersecurity vendor.
Additionally, PRODAFT reports that the administrator of The Gentlemen, known by the alias Zeta88 (previously known as Hastalamuerte), directly provides affiliates with SSL VPN credentials, often obtained through brutal force attacks or their own private leaked databases, indicating an unusually high level of vertical integration for RaaS groups.
AI as a Force Multiplier in Ransomware Development
A particularly significant aspect of the Hastalamuerte case is PRODAFT's finding that the administrator employs artificial intelligence to develop and maintain ransomware, support associated tooling, and assist post-exploitation operations. This reflects a broader trend observed across the 2025–2026 threat landscape, where AI has increasingly lowered the capability threshold for participation in organised cybercrime. Researchers have documented its role in automating stages of intrusion, accelerating malware development cycles, and simplifying the maintenance of malicious infrastructure. These capabilities have been leveraged by both nation-state actors and criminal enterprises.
The trajectory of Hastalamuerte is especially illustrative. Cybersecurity Forum posts during 2019-2020 depict a hacker who is fairly novice at fundamental penetration testing procedures. A subsequent emergence as the operator of a top-tier ransomware-as-a-service operation indicates that AI-assisted development may be responsible for dramatically reducing the skill level and time necessary to create a successful criminal enterprise in cyberspace. The evolution of these tools should make the route from novice forum user to accomplished ransomware operator more attainable for a wider array of perpetrators in the future.
The OPSEC Paradox: How Cybercriminals Leave a Trail
The attribution of Hastalamuerte's identity by researchers from Intel 471, Flashpoint, and Constella Intelligence demonstrates the effectiveness of modern open-source and commercial intelligence methodologies. A forum registration traceable to an IP address from Izhevsk, Russia linked a Protonmail address, which linked to an Apple account, a GitHub profile, a Telegram handle, a Russian phone number, and finally to a 36 year old marketing professional named Alexander Andreevich Yapaev who was also living in Izhevsk. Investigators did not use an advanced capability in their attribution, but rather a simple OPSEC mistake of consistently reusing credentials. Every username and email address and every phone number creates a linkage between disparate data points, eventually building into a real-world persona.
It has also come out in the forum discussion that while training for a penetration testing course in 2020, Hastalamuerte displayed the kind of inexperience that a novice would display in traceable, recorded fashion to intelligence databases. It's an example of a broader rule about attribution; attacker mistakes provide the most value. With Russians the lack of apparent consequences may contribute to a lack of need to maintain tight OPSEC from the start.
The Russian Safe Haven: Conditional Impunity and Its Limits
Yapaev's base in Izhevsk is emblematic of the geostrategic situation that has allowed Russian cybercriminality to prosper. Security researchers routinely label Russia's policy as one of "controlled impunity," where the cybercriminality directed at foreign entities is ignored or implicitly condoned, while that directed at Russian interests will prompt a law enforcement response. This constitutes what has been called a "managed market" rather than an "unconditional sanctuary," where many of the named defendants could and likely will continue their illegal enterprise with little fear of reprisal, provided that they do not threaten the interests of the Russian state and do not attempt to move their operations outside of Russian control.
Yet this protection is neither absolute nor permanent. In May 2024, the transnational Operation Endgame campaign highlighted the growing global appetite for damaging the cybercrime ecosystem rooted in Russia. Russian authorities did indeed pursue and seize some assets and operators, but arrests seem largely confined to the lower-rung facilitators of these attacks (hosting providers and payment services), and it seems higher-end ransomware operators continue to evade scrutiny. Selective enforcement thus further bolsters the perception that protection is accorded according to strategic value, not legal standards. For operators such as Hastalamuerte, who possess no publicly documented intelligence connections, growing attribution capabilities, and sustained international pressure may gradually erode the security traditionally associated with operating from within Russia.
Attribution as a Deterrence Instrument
The public identification of Alexander Andreevich Yapaev as Hastalamuerte/Zeta88 shows the continued struggle with the utility of attribution in situations where immediate prosecution is not feasible. Its utility is far more extensive than simply an ability to make an arrest. Functionally, public naming forces a perpetrator into an open evidentiary space and can lead to alterations in their operational habits and effectiveness. Strategically, attribution provides future leverage for sanctions, indictments, financial restrictions, or extradition if the target can leave their safe haven country. The logic behind US rewards programs (paying up to $10 million for the capture and conviction of ransomware operators) relies on this principle. The analytical insight provided by the case cannot be understated either. Hastalamuerte's trajectory from a relative amateur forum participant on Nulled and Raidforums in 2019 to leading a significant ransomware operation by 2026 offers an invaluable look into the career progression of a cyber criminal. It confirms one of the lessons learned through deterrence and attribution: pseudonymity is not everlasting, and many years of OPSEC failures can be pieced together to establish a real-world identity.
Conclusion
The Gentlemen incident is emblematic of the three broad themes that currently characterise cyber warfare: ransomware-as-a-service through innovative competition, common OPSEC failures that enable attribution, and a new, conditional regime of protection for Russian cybercriminals. The obvious defense lesson: increasing attack surfaces require stronger identity, behavioural monitoring, and intelligence capacities. The policy lesson: effective attribution is still an essential tool for comprehension, deterrence, and disruption in an increasingly industrialised environment of criminals supporting each other's operations in ransomware-as-a-service.
References
- https://krebsonsecurity.com/2026/06/who-runs-the-ransomware-group-the-gentlemen/
- https://www.recordedfuture.com/
- https://www.vectra.ai/topics/ransomware-as-a-service
- https://www.trmlabs.com/es/resources/blog/new-disruption-opportunities-in-the-evolving-ransomware-ecosystem