Hello world,

as many of you may already be aware, there is an ongoing spam attack by a person claiming to be Nicole.

It is very likely that these images are part of a larger scale harassment campaign against the person depicted in the images shared as part of this spam.

Although the spammer claims to be the person in the picture, we strongly believe that this is not the case and that they’re only trying to frame them.

Starting immediately, we will remove any images depicting “Nicole” and information that may lead to identifying the real person depicted in those images to prevent any possible harassment.
This includes older posts and comments once identified.

We also expect moderators to take action if such content is reported.

While we do not intend to punish people posting this once, not being aware of the context, we may take additional actions if they continue to post this content, as we consider this to be supporting the harassment campaign.

Discussion that does not include the images themselves or references that may lead to identifying the real person behind the image will continue to be allowed.

If you receive spam PMs please continue reporting them and we’ll continue working on our spam detections to attempt to identify them early before they reach many users.

  • Angry_Autist (he/him)@lemmy.world
    7 days ago

    So you have all the limitless time and energy to address this stupid spam post but you can’t prevent the rise of authoritarian bots and powermods on lemmy.world?

    • Foofighter@discuss.tchncs.de
      7 days ago

      I guess limitless time and energy would be needed to identify authoritarian bots because it’s much harder compared to identifying a person in an image. Should nothing be done because the larger problem can’t be solved at the current time?

        • Foofighter@discuss.tchncs.de
          6 days ago

          First: you people? Who are “we”, are unable to identify such contents / opinions? Second: I’m not talking about people identifying content and filtering it, I am talking about automated systems. Do you think that they are filtering Nicole’s by looking at each and every picture?

          • Angry_Autist (he/him)@lemmy.world
            6 days ago

            ‘You’ are everyone in existence not me who apparently have a hard time distinguishing authoritarian jargon.

            I’m not sure where opinions come into this, are you a bot?

            If I can do it, an automated system can do it. Twitter already had it but they didn’t roll it out because it ‘false flagged’ a bunch of repugnican politicians as fascist back in 2015 GUESS WHAT THEY WERE FUCKING ON THE MONEY!

            I get it, you’re a terminally online shitstirrer that isn’t getting enough attention. Well I can guarantee this is the last post you’ll be getting any of that from me.

            • Foofighter@discuss.tchncs.de
              6 days ago

              You are absolutely incapable of judging the complexity of the tasks at hand. a) Calculating a hash of every uploaded image, comparing it against a blocklist, and extending the blocklist as needed b) validating each post to distinguish truth from lie, facts from imagination and on top of that judging whether the presentation opinion fits in a moral/ethical framework of which a computer has no concept of.

              A computer is a machine that calculates stuff. It “emulates a brain” to appear smart. A brain is a biological machine that is good in pattern detection and expression, which emulates a computer to do math to appear smart.

              If you think an automated system can do it because you can do it, please spend your apparent infinite resources and time in implementing it rather than wasting your valuable time online insulting others who actually do something.

            • Grimy@lemmy.world
              6 days ago

              you’re a terminally online shitstirrer that isn’t getting enough attention

              I’m seriously impressed you are accusing the other person of doing this. Reread your comments and take a hard look at the vibe you are giving off.

  • null_dot@lemmy.dbzer0.com
    8 days ago

    Sorry if this isn’t the right place to ask, but are you able to confirm whether admins have reported this to the police?

    Even if violence hasn’t been perpetrated, the harassment is still a crime surely.

    • MrKaplan@lemmy.world
      8 days ago

      I don’t know if others have, I only know that we (Lemmy.World, Fedihosting Foundation) have not reported it to the police.

      I don’t have high hopes that the police would be able to do anything about this. For the harassment against the person shown in the images, that would likely have to be reported by them directly for the police to take that up.
      For random online spam, as in harassment of fediverse users receiving the PMs, that seems like it would be an extremely low priority for police. It’s also likely fairly difficult to impossible to follow up on, considering that the person sending the PMs most likely used a VPN to access these accounts.

      • dohpaz42@lemmy.world
        8 days ago

        I’m not a fan of LEO, BUT at the same time doing nothing should not be an option. What I mean by that is that Johnny Law should still be contacted and a report filed (at the very least). Even if they do not follow up on it, that’s on them and not us (the fediverse).

      • CarbonatedPastaSauce@lemmy.world
        8 days ago

        Agreed. At least here in the US, you’d have more chance of winning the lottery than getting a cop to care about this issue without the person directly involved reporting it. And even then it would be a crapshoot.

        • bluGill@fedia.io
          8 days ago

          The right cop will care about it, but the right cop doesn’t work for your city and so you don’t have any way to contact them.

      • null_dot@lemmy.dbzer0.com
        8 days ago

        Hmm.

        The people receiving the spam are not being harassed, obviously.

        The woman depicted is very likely the target of harassment.

        Sharing the images depicting violence is tantamount to a threat of violence.

        As admins, you’re not just witnesses but the stewards of a community and the representatives of many thousands of people in this matter.

        Pre-empting what the police will do is not a reason not to report. You don’t know what they will do. They might do nothing and you would have wasted 15 minutes. On the other hand perhaps Nicole has been trying to get a restraining order against some creep but has been unable to due to lack of evidence.

        • DefectiveFoundation@lemmy.world
          8 days ago

          I have spam in my email. Should I report that to the police as well?

          There just isn’t enough for regular police to go on, without even considering jurisdiction. Cooperating with authorities is fine, but there’s not really anyone to proactively reach out to about this.

          • null_dot@lemmy.dbzer0.com
            8 days ago

            Yes. If you run an email server and one of the accounts has been used to perpetrate a harassment campaign including threats of violence then obviously you should report that.

        • MrKaplan@lemmy.world
          8 days ago

          The woman depicted is very likely the target of harassment.

          Agreed, but there is no proof of this. We also don’t know their true identity to check with them directly.

          Sharing the images depicting violence is tantamount to a threat of violence.

          The images did not depict violence directly, it was a gory image of a dead person. They were very likely sent by a copycat not involved in the original harassment campaign and intended to fuck up fediverse users more than anything else. They did not appear to imply any kind of threat.

          you would have wasted 15 minutes

          This would require a lot more than 15 minutes to file a proper report. First we have to collect all relevant information that we have available and compile them in a format that can be submitted. Once we have this information we have to identify a police department to report this to. We are legally based in NL, as that’s where our non-profit Fedihosting Foundation is located. I’m based in Germany, so it would also be an option to report it here. The depicted person is claimed to be in Canada, so maybe this should be reported to a police department over there. Or maybe to all of them.

          All of this would easily add up to 2 hours or more if you want to do it properly and not just look for 3 online forms to write “hey there is someone sending spam”.
          If this was a paid job and I was doing this during working hours I wouldn’t mind, but all the time I spend here is taken out of my personal time, the same as with anyone else on our team, and also the same you’ll see with most other fediverse instances.

          perhaps Nicole has been trying to get a restraining order against some creep but has been unable to due to lack of evidence.

          If we receive a request for information from (real) law enforcement we’ll be more than happy to provide relevant data, but doing this for the (perceived low) chance of that somehow being linked from a random police report is a fairly high time investment as described above.

          • dohpaz42@lemmy.world
            8 days ago

            This would require a lot more than 15 minutes to file a proper report…. All of this would easily add up to 2 hours or more…

            Tell you what: log the time it takes, and I will personally pay you $60/hour for your time to make a proper report.

            And no, I’m not being sarcastic.

          • null_dot@lemmy.dbzer0.com
            8 days ago

            Respectfully, I don’t share your assessment of the seriousness of the crime. You seem to be weighing the question of whether someone has been harassed or intimidated from the perspective of a “reasonable third party”. However, I suspect that the law assigns considerable weight to the question of whether the victim feels intimidated or harassed. For example, you’re correct that sharing the gore image is not a direct threat of violence, however I feel certain that the woman depicted in the earlier images taken from the live stream would feel concerned for their safety.

            I would also like to clarify one aspect of which you may not be aware. It’s very easy to confirm the woman’s place of work beyond any reasonable doubt, with images she has posted to other platforms.

            I understand that it’s unreasonable to say that you specifically or any admins of lemmy.world or any other instance should give up hours of your free time to make a police report.

            However, as others in this thread have suggested this incident underlines the limited protections lemmy has against this type of attack and it seems likely that we will see a lot more.

            I also respectfully disagree regarding the likelihood that reporting this crime could be useful. It’s not a question of “somehow being linked from a random police report”. If the victim ever does contact the police, which seems very likely to me, it’s extraordinarily likely that a report from lemmy would be identified as being related.

            It’s not my intention to berate you personally over this, and as I mentioned above I acknowledge that it’s unreasonable to expect you personally to take action in this specific case. I am however concerned that Lemmy’s federated nature is not well suited to addressing this type of risk to members of our community.

      • jqubed@lemmy.world
        8 days ago

        Would it even be realistic to know the right place to report it to? Just because the messages say Toronto doesn’t necessarily mean the victim is in Toronto, and reporting it to the wrong place at most probably just means wasting resources in one location and coming no closer to stopping the harassment. Is there anything from a national group like the RCMP, FBI, or INTERPOL to help in a case like this?

        • null_dot@lemmy.dbzer0.com
          8 days ago

          There’s a video of her eating food in the shopping centre where she works. You can find it on Google Street View.

      • ArtificialHoldings@lemmy.world
        8 days ago

        Anyone asking you to file a report with police has likely never had to file a police report. They don’t even want to file reports for things that actually happened directly to you, if they can convince you out of it lol.

      • null_dot@lemmy.dbzer0.com
        8 days ago

        Actually smartass, it’s called Australia. We have laws specifically to address this exact situation. I have made police reports in my time, and can assure you that the police would take a campaign of this scale very seriously.

  • Squorlple@lemmy.world
    8 days ago

    This is a copy+paste of a comment I left on the [email protected] mod post after the recent incident with the gruesome picture(s?):

    “I think if Lemmy doesn’t have the infrastructure to defend against attacks like these which are presumptively conducted by one bad actor, then it doesn’t have the infrastructure to defend against wealthy organizations when our communities do get big enough to be noticed by them.

    [[email protected]]’s history underscores how the messaging system in particular needs a massive overhaul; using image recognition as a filter for messages like Lemmy.World does for image posts (with options for NSFW that isn’t NSFL?), preventing images (and URLs? or only allowing white-listed sites?) from being sent within the first message sent between users (unless a box is ticked?), not showing message recipients images until they are directly opened, and preventing the de-anonymizing of message recipients should be made first priority for the next patch.”

    • Iceblade@lemmy.world
      8 days ago

      Honestly I think the easiest thing would be to not allow images or embedding at all in PMs and perhaps display a warning message when clicking links “you are leaving [instance name]…”

      Analyzing potentially lots of text and images in an effort to “guarantee” safety of users is likely a Sisyphean endeavour that is bound to fail - and furthermore also has privacy issues (namely that “private” messages aren’t private at all)

      • tal@lemmy.today
        8 days ago

        not allow images or embedding at all in PMs

        I’d add — as someone who was concerned about and posted on the possibility that the aim of the spammer was exposing the IP address associated with the receiver’s username — that even if this wasn’t the aim from this event, it could be in some future event.

        I don’t think that disallowing inline images in direct messages will eliminate spam problems, even efforts of this sort, as it’d still be possible for a spammer to spam messages with indirect links to images hosted elsewhere. But it would help avoid leaking IP addresses of the receiving user.

        Or at least disallowing inline images in direct images by default. I can imagine maybe someone enabling them on some kind of a private, decoupled-from-the-wider-Fediverse instance on an intranet or whatnot, but I really don’t think that this is something that nearly any instance should actually permit.

        • tal@lemmy.today
          8 days ago

          For anti-spam efforts, I think that there are a variety of potential partial solutions. No complete fixes, but some:

          • Rate-limiting the comment frequency on new accounts. IIRC, Reddit used this tactic. It does create some issues for (legitimate) use of throwaway accounts in anonymous posts, but there’s no legitimate reason for a new account to blast hundreds of messages an hour, I think. This might already be present, but if not, it’d be a good start. This can be defeated by generating new accounts for each new message or batch of.

          • Rate-limiting new account creation from a given IP address, if not already present. An attacker could defeat this via use of a commercial VPN, and if too low, it could create issues for some commercial VPNs.

          • Hashing of messages to red-flag identical messages being posted en masse. As best I could tell, the spammer here was posting many identical messages. This can be defeated by a spammer having software slightly modify each message.

          • Fuzzy-hashing of messages to red-flag almost identical messages being posted en masse. This can be defeated via text generation methods that are carefully tailored to the fuzzy hashing mechanism to modify messages such that each fuzzy-hashes to a different message.

          • A mechanism to permit an account to share blacklists of IP or message hashes and trigger removal of messages on other instances, preferably associated with a specific identifier or account. This permits any other instances to leverage antispam work by one instance; if I want to trust a given antispam admin or bot on lemmy.world, I can. Let an instance admin review and override such removals, maybe. It creates abuse potential for malicious use or inadvertent false positives spanning instances, but I think that it’s necessary to avoid having each instance fight its own lonely antispam battles. Otherwise, new and personal instances risk being buried by a deluge of direct message spam. The same mechanism, if exposed to users and not just instance admins, would also permit for subscribable content filters for people who don’t want to see content of a given sort (e.g. profanity or pornographic content of a particular sort or whatever, not just spam), which is another issue.

          Fortunately, as far as I see as a user, we’re not yet at the point that there is much spam on here yet, so this isn’t yet a serious problem. Maybe it’ll never happen, if the userbase never grows much. But if the userbase gets considerably bigger, increasingly-problematic spam will inevitably follow.
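
Added example, not part of the thread or of Lemmy's code: a Python detector for the exact-hash and near-duplicate flagging described in the comment above. It swaps in word-shingle Jaccard similarity for a true fuzzy hash (MinHash or SimHash would replace the pairwise comparison at scale); the thresholds, function names and sample messages are assumptions constructed for illustration.

```python
import hashlib
import re
import unicodedata

SHINGLE_WORDS = 3    # assumed shingle size (consecutive words per feature)
SIMILARITY = 0.6     # assumed Jaccard threshold for "almost identical"
MIN_RECIPIENTS = 3   # assumed: flag a cluster once it reaches this many recipients


def normalize(body):
    """Fold case, Unicode forms, URLs and punctuation so trivial edits hash alike."""
    text = unicodedata.normalize("NFKC", body).casefold()
    text = re.sub(r"https?://\S+", " url ", text)   # per-message tracking links
    text = re.sub(r"[^\w\s]", " ", text)            # punctuation noise
    return " ".join(text.split())


def digest(normalized):
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def shingles(normalized, k=SHINGLE_WORDS):
    words = normalized.split()
    if len(words) < k:                               # very short message: one feature
        return {tuple(words)}
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def flag_mass_messages(messages, similarity=SIMILARITY, min_recipients=MIN_RECIPIENTS):
    """Cluster (sender, recipient, body) tuples and return clusters sent en masse."""
    clusters = []
    for sender, recipient, body in messages:
        norm = normalize(body)
        h, sh = digest(norm), shingles(norm)
        for c in clusters:
            # Cheap exact-hash hit first, then the near-duplicate comparison
            # against the first message seen in that cluster.
            if h in c["digests"] or jaccard(sh, c["shingles"]) >= similarity:
                break
        else:
            c = {"shingles": sh, "digests": set(), "senders": set(), "recipients": set()}
            clusters.append(c)
        c["digests"].add(h)
        c["senders"].add(sender)
        c["recipients"].add(recipient)
    return [
        {
            "kind": "exact" if len(c["digests"]) == 1 else "near-duplicate",
            "senders": sorted(c["senders"]),
            "recipients": sorted(c["recipients"]),
        }
        for c in clusters
        if len(c["recipients"]) >= min_recipients
    ]


# Constructed sample traffic: two campaigns from throwaway accounts plus two normal PMs.
SAMPLE_MESSAGES = [
    ("acct1", "alice", "Hello! I am new here, message me at https://spam.example/a1"),
    ("greg", "alice", "Are we still meeting for the moderation call on Friday afternoon?"),
    ("acct4", "dave", "Greetings friend, check out my amazing photo gallery today and say hi to me"),
    ("acct2", "bob", "hello i am new here message me at https://spam.example/b2"),
    ("acct5", "erin", "Greetings buddy, check out my amazing photo gallery today and say hi to me"),
    ("hank", "bob", "Thanks for the bug report, the fix will ship in the next release"),
    ("acct3", "carol", "HELLO!! I am new here... message me at https://spam.example/c3"),
    ("acct6", "frank", "Greetings pal, check out my amazing photo gallery today and say hi to me"),
]

if __name__ == "__main__":
    for flag in flag_mass_messages(SAMPLE_MESSAGES):
        print(flag)
```

Keying the clusters on message content rather than on the sending account is what lets this catch the one-new-account-per-message evasion the comment mentions for rate limits.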

        • MrShankles@reddthat.com
          8 days ago

          For anyone not clicking the link, but wondering what this reply means… it’s a link to the user’s comment (right below, within this comment chain) about a lemmy update

          I was confused for a sec and probably would’ve skipped over all of the context because I didn’t continue reading first (and I hesitate to click links randomly), so maybe someone else with no attention span will benefit as well

          "Lemmy update v0.19.11 provides ‘Dont render images in private message’

          Not every instance is updated to this version, but it should stop the current method of spam (if updated). I’m wordy, I know; but maybe it’ll help someone

    • Rikudou_Sage@lemmings.world
      8 days ago

      Well, I for example develop an automod (which is available to everyone) which includes advanced stuff like scanning images in the content, scanning the text itself, detecting similarity between two images etc. This all in an efficient reactive manner using database level webhooks.

      There is the infrastructure for that, it’s being developed and refined with every new kind of attack that’s happening. As every other platform does, whether they’re commercial or open.

    • socsa@piefed.social
      8 days ago

      They are absolutely right. The quiet part of this is almost certainly that these DMs were being used to collect IPs from users using tracking links, and this is generally a big vulnerability in the fediverse many people seem unwilling to meaningfully confront.

    • kamenLady.@lemmy.world
      4 days ago

      The same kind, that sends parents pictures of the corpse of their daughter in the car accident that killed her.

      They somehow got the pictures the police took on the accident site

      They kept sending these pictures to the parents, until they moved & changed their names.

    • sploosh@lemmy.world
      8 days ago

      I’m just guessing here, but maybe a rejected suitor? Or a person they’re beefing with? A mentally ill person who found these pictures and decided to direct their hate at them? People do all sorts of weird stuff for all sorts of weird reasons.

    • Captain Aggravated@sh.itjust.works
      8 days ago

      My hypothesis is, someone’s trying to run a “Hey statistically lonely men on the internet, I’m allegedly a girl. Send me money in hopes of getting attention” scam, and they’re using the pictures of “Nicole” because that’s what they have at hand. I’m picturing a college classmate capturing college Zoom classes so they have several different pictures of the same girl. What others are attributing to sick malice I’m attributing to callous disregard.

  • Strawberry@lemmy.blahaj.zone
    8 days ago

    Considering the spammer has used so many different photos, and they all seem to be “in the moment” webcam photos, I suspect they may have webcam spyware on the victim’s computer

    • MrKaplan@lemmy.world
      8 days ago

      with the content i’ve seen it gave me more of an impression of being captures of a live stream, but that’s just guessing

    • brucethemoose@lemmy.world
      8 days ago

      Could be completely AI generated with variations of the same person. But that doesn’t really matter, the spam needs to go.

    • Captain Aggravated@sh.itjust.works
      8 days ago

      She looks to me like a college student attending an online class. Looks like it’s shot on a laptop’s built-in camera, lighting is whatever, she’s dressed casually and comfortably, facial expression is neutral or even bored…

      If you’re taking a college class via Zoom, can you see your classmates’ webcams?

      • Lime66@lemmy.world
        8 days ago

        Yes, almost always, if the professor requires you to have webcam on. AFAIK the whole meeting sees everyone who has webcam on.

      • evergreen@lemmy.world
        8 days ago

        Yes. Sometimes it is required to have your camera on. Even when it isn’t required, there are always some people who prefer to have theirs on for whatever reason.

  • slacktoid@lemmy.ml
    8 days ago

    I saw some disturbing pics of someone posing as Nicole. Reported it for gore, spam, Nicole.

  • .Donuts@lemmy.world
    8 days ago

    What of the recent NSFW/gore images that were shared? Has that been reported to authorities?

    Not expecting police to solve it, but at least it would be on their radar.

    • MrKaplan@lemmy.world
      8 days ago

      we looked into it, we currently believe that to be a copycat not related to the other pms.

      the lemmy.world account involved in that was most certainly compromised from an unrelated data breach and all connections originated from IPs linked to an anonymization service, so there’s also not much to follow up on.

      we will reconsider this if it happens again.

  • mechoman444@lemmy.world
    8 days ago

    About damn time. The joke has run its course a long time ago and if these posts are victimizing an individual they most definitely need to be stopped.