
From CEO Impersonation to Deposits: Anatomy of a Fake-News Investment Scam Campaign

A late-April campaign abusing Australian media styling, public figures, and the Commonwealth Bank brand shows why executive impersonation is no longer just a reputational issue. It is a scalable scam acquisition system.

May 5, 2026 | Cyberoo Research & Analysis Team

[Image: Campaign overview showing fake news media pages impersonating ABC and 9News used in the CEO investment scam campaign.]

When a CEO is impersonated in a fake news story, the first instinct inside many organisations is to treat it as a communications problem.

That is too narrow.

What Cyberoo observed in late April was not simply a misleading article, an embarrassing headline, or a single phishing page. It was a coordinated scam funnel built to turn borrowed trust into registrations and, ultimately, deposits.

The headlines varied. The page styling varied. The public figures varied.

The operating model did not.

In this case, the campaign used media-themed pages, references to the Commonwealth Bank of Australia and its CEO, well-known Australian public figures, and a downstream trading platform to create a believable path from curiosity to conversion. What matters is not only that the content was false. What matters is how repeatable, scalable, and adaptive the whole system appeared to be.

That is the real lesson for banks, brands, and executive teams.

[Image: Infrastructure timeline chart showing domain and URL counts across the three campaign variants between 21 and 29 April 2026.]

What we observed

Between 21 and 29 April 2026, Cyberoo observed three related variant families tied to this activity.

Two of them used ABC-themed page styling. One used 9News-themed page styling.

Across those variants, Cyberoo observed the following:

  • On 21 April, around 100 domains were being used to support approximately 800 URLs referencing either the CBA brand or its CEO across the first two variants.
  • After those assets were flagged, many of the domains previously resolving to 185.7.78.18 were updated around 22 April and began resolving to 91.238.181.243.
  • By 24 April, many of the earlier domains had been disrupted, and only 36 of the original 100 were still supporting operational websites.
  • By 28 April, Cyberoo observed 51 active domains supporting approximately 408 URLs tied to the refreshed ABC-themed variants.
  • By 29 April, that number had climbed again to 64 active domains supporting approximately 512 URLs.
  • In parallel, a separate 9News-themed variant tied to 185.7.78.3 grew from 168 domains / 504 URLs on 22 April to 188 domains / 564 URLs by 29 April.
  • Taken together, the active infrastructure observed on 29 April totalled 252 domains supporting approximately 1,076 URLs referencing the bank or its CEO.

That is not a one-off fake page.

That is campaign-scale deployment.

This was not one story. It was a reusable deployment kit.

One of the clearest indicators that this activity was coordinated is the arithmetic of the URL structure.

Variant 1 used an ABC-themed page with the headline:

“You're Lying to Millions of Australians”: The 7.30 Confrontation Banks Try to Delete

This variant used 7 distinct URL suffixes.

Variant 2 also used an ABC-themed page, with the headline:

“You're lying to millions of Australians”: How Sarah Ferguson exposed the Commonwealth Bank CEO on live television

This variant used 1 distinct URL suffix.

Together, those two ABC-themed variants repeatedly produced 8 URLs per domain. That is why the numbers line up so cleanly:

  • 100 domains → ~800 URLs
  • 51 domains → ~408 URLs
  • 64 domains → ~512 URLs

Variant 3 used a 9News-themed page with the headline:

The Commonwealth Bank of Australia is reportedly suing Robert Irwin over comments he made on live TV.

This variant used 3 distinct URL paths, which explains the second pattern:

  • 168 domains → ~504 URLs
  • 188 domains → ~564 URLs

This is an important operational signal.

It suggests the actors were not manually improvising each page. They appear to have been deploying a repeatable scam kit with fixed path structures, reusable templates, and interchangeable branding surfaces. In other words, the campaign did not need fresh creativity every time. It needed only enough new domains, enough new headlines, and enough public trust signals to keep the funnel moving.

That is what industrialised scam infrastructure looks like in practice.
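The URL arithmetic above (a fixed number of path suffixes per domain, so URL counts are an exact multiple of domain counts) can be checked mechanically rather than by eye. The following is an added example, not Cyberoo's code: it groups observed URLs by host, clusters hosts that share an identical path template, and separately tests whether a series of (domain count, URL count) observations all imply one integer suffix count. The hosts and paths in the sample are constructed placeholders on the reserved `.invalid` domain; the numeric observations used in the usage note are the figures from this article.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data (not campaign IoCs): three hosts deployed from an
# 8-path "kit", two hosts from a 3-path kit, and one unrelated single page.
ABC_KIT = [f"/news/story-{i}" for i in range(1, 8)] + ["/news/live-interview"]  # 7 + 1 paths
NINE_KIT = ["/breaking/1", "/breaking/2", "/breaking/3"]
SAMPLE_URLS = (
    [f"https://{h}{p}" for h in ("abc-a.invalid", "abc-b.invalid", "abc-c.invalid") for p in ABC_KIT]
    + [f"https://{h}{p}" for h in ("nine-a.invalid", "nine-b.invalid") for p in NINE_KIT]
    + ["https://solo.invalid/one-off"]
)


def paths_by_host(urls):
    """Map each hostname to the set of URL paths observed on it."""
    host_paths = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        if parts.hostname:
            host_paths[parts.hostname.lower()].add(parts.path or "/")
    return host_paths


def cluster_by_path_template(urls, min_domains=2):
    """Cluster hosts that expose exactly the same set of paths.

    Hosts sharing an identical path template are the signature of a
    redeployable kit: new domain, same paths. Each cluster records how many
    domains and URLs it covers, the URLs-per-domain ratio, and whether the
    cluster is large enough to be treated as kit-like.
    """
    clusters = defaultdict(list)
    for host, paths in paths_by_host(urls).items():
        clusters[frozenset(paths)].append(host)
    summary = []
    for template, hosts in clusters.items():
        summary.append({
            "paths": sorted(template),
            "hosts": sorted(hosts),
            "domains": len(hosts),
            "urls_per_domain": len(template),
            "urls": len(hosts) * len(template),
            "kit_like": len(hosts) >= min_domains,
        })
    return sorted(summary, key=lambda c: (-c["domains"], -c["urls_per_domain"]))


def shared_suffix_count(points, tolerance=0.05):
    """Return the integer URLs-per-domain ratio that all (domains, urls)
    observations agree on, or None if they do not line up.

    'Approximately N URLs' in a report is tolerated via `tolerance`, a
    relative slack around the nearest integer ratio.
    """
    ratios = set()
    for domains, urls in points:
        ratio = urls / domains
        nearest = round(ratio)
        if nearest == 0 or abs(ratio - nearest) > tolerance * nearest:
            return None
        ratios.add(nearest)
    return ratios.pop() if len(ratios) == 1 else None


if __name__ == "__main__":
    for cluster in cluster_by_path_template(SAMPLE_URLS):
        print(cluster["domains"], "domains x", cluster["urls_per_domain"],
              "paths =", cluster["urls"], "URLs; kit_like =", cluster["kit_like"])
    # Figures from the article: the two ABC-themed variants and the 9News variant.
    print("ABC suffixes:", shared_suffix_count([(100, 800), (51, 408), (64, 512)]))
    print("9News suffixes:", shared_suffix_count([(168, 504), (188, 564)]))
```

Run on the article's own figures, `shared_suffix_count` returns 8 for the ABC-themed series and 3 for the 9News series, and returns None if the two series are mixed, which is exactly the separation the write-up draws between variant families. A path-template cluster of one host (`solo.invalid` above) is reported but not flagged as kit-like, so a single odd page does not inflate the campaign count.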

[Image: Diagram showing how the same scam operating model moves across media brands, bank brands, CEOs, countries, storylines, and platform names.]

The headline was not the most important signal

The media branding and public figures made the campaign believable.

They were not the deepest signal.

The deeper signal was the coordination beneath the page.

Three things stand out.

1. The infrastructure shifted after pressure

The first ABC-themed cluster was initially observed on 185.7.78.18. After those assets were flagged, many were updated to resolve to 91.238.181.243.

That matters because it shows operational continuity under pressure. The threat actors did not need to reinvent the campaign. They only needed to move part of the infrastructure and keep the templates alive.

This is one reason partial takedown does not always end a scam campaign. It can reduce exposure. It does not necessarily remove the operator's ability to regenerate.

2. The monetisation layer changed across all variants

Initially, the observed variants promoted a trading platform named Cove Investholm.

Around 28 April, the variants were updated to promote Pilbara Bondmere instead.

That coordinated swap is one of the strongest signs that the campaign should be treated as a shared operation rather than a collection of isolated pages.

The media wrapper changed. The headlines changed. The platform changed. But the underlying funnel logic remained consistent.

That is a useful lesson for defenders. If detection is tied too tightly to a single headline, a single celebrity, or a single brand phrase, it will miss the more stable relationship between content, infrastructure, and monetisation.

3. The campaign appears broader than one bank or one country

Mark's observations also point to a wider campaign family spanning Australian and New Zealand themes.

Cyberoo first encountered a related pattern while working to disrupt news-updated.sbs, a fake Radio New Zealand-style site impersonating the Westpac NZ CEO. The supplied social media screenshot also indicates that malicious social promotion was being used to drive people into that funnel.

This is a critical point.

The same operating model can move across:

  • media brands
  • bank brands
  • CEOs and public figures
  • countries
  • storylines
  • platform names

That is why simple brand monitoring is not enough. The actors are not loyal to one narrative. They are loyal to a conversion model.

[Image: Diagram illustrating the five-part response model: early signal capture, explainable verification, campaign-level scam intelligence, multi-channel disruption, and SPF-era evidence and reporting.]

This campaign worked by transferring trust, not by inventing trust

The most effective scams often do not create credibility from nothing.

They borrow it.

In this campaign, trust appears to have been transferred across multiple layers:

  • from a familiar media style to a fake article
  • from a recognisable public figure to a false endorsement or confrontation
  • from the bank's brand and executive authority to a sense of legitimacy
  • from that legitimacy to a registration flow on a trading platform

That is what makes this kind of scam especially dangerous for executive teams.

If a CEO is impersonated, the organisation is not only facing brand misuse. It may be serving as the trust anchor in a live acquisition funnel.

The CEO is the emotional trigger. The media brand is the credibility wrapper. The bank is the anchor. The platform is the monetisation layer.

One campaign can use all four at once.

Why this matters if your CEO is being impersonated

If a client contact needs to explain the seriousness of this issue internally, this is the point to make:

CEO impersonation in scam media pages is not a vanity issue. It is a customer-conversion problem.

That distinction matters.

A reputational issue is usually discussed in terms of embarrassment, misinformation, or public perception.

A scam funnel is different. It is designed to create action:

  • clicks
  • registrations
  • contact capture
  • deposits
  • repeated payment pressure

Once that is clear, the response model changes as well.

The right question is no longer, “Can we get this one page removed?”

The right questions become:

  • How many related assets are live right now?
  • Which domains, paths, and platforms are connected?
  • Is traffic also being driven through social channels?
  • Has the monetisation platform changed across the cluster?
  • Is the activity isolated, or is it part of a larger campaign family?
  • How quickly can evidence move from detection to disruption?

That is where many organisations still struggle.

Why reporting alone is not enough

This case also shows why reporting on its own is too weak a control.

A report may tell you that a suspicious article exists. It does not tell you whether that article is one page or one page family. It does not tell you how many sibling domains are live, whether the infrastructure has already shifted to a new host, whether the same operator is using a different public figure elsewhere, or whether the downstream platform has already changed.

That is why explainable verification matters in practice.

Executives, fraud teams, brand teams, and communications teams do not need a vague label saying “this is malicious”. They need a usable explanation:

  • what is being impersonated
  • how the story is structured
  • what evidence links the variants together
  • where the victim journey goes next
  • what action should happen now

That is also why a closed-loop scam response matters. Cases like this do not fit neatly into one silo. They move across verification, infrastructure analysis, takedown coordination, evidence capture, and internal reporting.

From a Cyberoo perspective, that is the real operating model.

What stronger defence looks like

A stronger response to campaigns like this usually has five parts.

First, early signal capture

Many of these scams are first encountered by customers, analysts, or public users, not by internal bank controls. Public-facing verification and reporting channels matter because they often provide the earliest signs that a new lure is already live.

Second, explainable verification

The organisation needs more than detection. It needs a way to verify suspicious assets and explain why they matter in operational terms. That is the bridge between uncertainty and action.

Third, campaign-level scam intelligence

This is where the deeper value sits.

Defenders need to see the campaign as a connected system, not a queue of unrelated URLs. In this case, the shared platform swap, repeated URL ratios, infrastructure movement, limited registrar pool, and cross-border narrative reuse all point to campaign-level coordination.
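The point made here, and earlier in the section on the monetisation layer (detection tied to a single headline or brand phrase misses the stable relationship between content, infrastructure and monetisation), is easiest to see as code. The following is an added example, not Cyberoo's tooling: it takes dated sightings of scam pages (domain, resolved IP, media theme, promoted platform) and derives three campaign-level signals the article describes: per-domain IP migrations, platform swaps that several themes make on the same date, and campaign families formed by linking domains through shared IPs or shared platforms. The sightings are constructed, using `.invalid` domains and documentation-range IPs; only the two platform names are taken from the article.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Sighting:
    seen: date
    domain: str
    ip: str        # address the domain resolved to when seen
    theme: str     # media brand the page imitates
    platform: str  # trading platform the page funnels into


# Constructed sightings (placeholder domains and IPs, not campaign IoCs).
SIGHTINGS = [
    Sighting(date(2026, 4, 21), "abc-a.invalid", "192.0.2.10", "abc", "Cove Investholm"),
    Sighting(date(2026, 4, 21), "abc-b.invalid", "192.0.2.10", "abc", "Cove Investholm"),
    Sighting(date(2026, 4, 22), "abc-a.invalid", "198.51.100.7", "abc", "Cove Investholm"),
    Sighting(date(2026, 4, 22), "nine-a.invalid", "192.0.2.3", "9news", "Cove Investholm"),
    Sighting(date(2026, 4, 28), "abc-a.invalid", "198.51.100.7", "abc", "Pilbara Bondmere"),
    Sighting(date(2026, 4, 28), "nine-a.invalid", "192.0.2.3", "9news", "Pilbara Bondmere"),
    Sighting(date(2026, 4, 22), "unrelated.invalid", "203.0.113.9", "other", "Some Other Platform"),
]


def ip_migrations(sightings):
    """(domain, old_ip, new_ip, date) for every change in a domain's resolution.

    A cluster of domains moving to the same new address after being reported
    is the 'infrastructure shifted after pressure' signal.
    """
    by_domain = defaultdict(list)
    for s in sightings:
        by_domain[s.domain].append(s)
    changes = []
    for domain, rows in by_domain.items():
        rows.sort(key=lambda s: s.seen)
        for prev, cur in zip(rows, rows[1:]):
            if prev.ip != cur.ip:
                changes.append((domain, prev.ip, cur.ip, cur.seen))
    return changes


def platform_sequence(sightings):
    """Per theme, the ordered (date, platform) changes in the promoted platform."""
    by_theme = defaultdict(list)
    for s in sorted(sightings, key=lambda s: s.seen):
        seq = by_theme[s.theme]
        if not seq or seq[-1][1] != s.platform:
            seq.append((s.seen, s.platform))
    return dict(by_theme)


def coordinated_swaps(sightings):
    """(date, new_platform) -> themes, for swaps shared by more than one theme.

    Pages with different media wrappers switching to the same platform on the
    same day is strong evidence of one operation rather than unrelated pages.
    """
    swaps = defaultdict(set)
    for theme, seq in platform_sequence(sightings).items():
        for seen, platform in seq[1:]:  # seq[0] is the initial platform, not a swap
            swaps[(seen, platform)].add(theme)
    return {key: sorted(themes) for key, themes in swaps.items() if len(themes) > 1}


def campaign_families(sightings):
    """Group domains into families: two domains are linked if they ever shared
    an IP or a promoted platform (union-find over pivot keys)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    pivots = defaultdict(set)
    for s in sightings:
        find(s.domain)
        pivots[("ip", s.ip)].add(s.domain)
        pivots[("platform", s.platform)].add(s.domain)
    for members in pivots.values():
        members = sorted(members)
        for other in members[1:]:
            parent[find(other)] = find(members[0])
    families = defaultdict(set)
    for domain in parent:
        families[find(domain)].add(domain)
    return sorted((sorted(f) for f in families.values()), key=len, reverse=True)


if __name__ == "__main__":
    print("IP migrations:", ip_migrations(SIGHTINGS))
    print("Coordinated swaps:", coordinated_swaps(SIGHTINGS))
    print("Families:", campaign_families(SIGHTINGS))
```

On the constructed data the ABC-themed and 9News-themed domains land in one family although they share no IP, because both funnel into the same platforms; the unrelated page stays on its own. The IP pivot is deliberately the weakest link in this design: on shared hosting, a common address alone will over-link unrelated sites, so in practice an analyst would weight the platform and path-template pivots above a bare IP match, or require two independent pivots before merging families.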

Fourth, multi-channel disruption

The fake site is only one part of the problem. If traffic is being driven through social promotion, if the same funnel appears across multiple domains, or if the platform layer remains live after one page is removed, single-point takedown is not enough.

This is why multi-channel disruption matters.

Fifth, evidence and reporting for SPF-era expectations

For organisations operating under, or preparing for, the logic of the Scams Prevention Framework, this kind of campaign touches several obligations at once:

  • prevent exposure where possible
  • detect active scam infrastructure
  • report with usable evidence
  • disrupt quickly enough to reduce harm

That means the output cannot just be a threat alert. It needs to become evidence, timelines, and action history.

Final thought

The most useful way to understand this campaign is not as “fake news”.

It is better understood as a scam operating system built from modular parts:

  • social distribution
  • media impersonation
  • executive trust hijacking
  • rotating domains
  • reusable URL structures
  • replaceable trading platforms

That is why campaigns like this can look chaotic on the surface while remaining highly organised underneath.

If your CEO is being used in a false media story, the issue is already more serious than reputation alone. The organisation may be sitting inside a live scam funnel.

And if the response still treats each page as a standalone problem, the attackers keep the advantage.

Cyberoo monitors scam infrastructure, tracks campaign families, and provides explainable verification that connects fake media assets, domain clusters, and monetisation platforms.

If your brand or executive team has been targeted, understanding the full scale of the campaign is the first step to an effective response.


Frequently Asked Questions

Why is CEO impersonation more dangerous than ordinary phishing?

Because it borrows institutional trust. The CEO's name, the bank's brand, and media credibility are combined into a single lure that can convert curiosity into deposits across thousands of pages simultaneously.

What does a coordinated scam campaign look like operationally?

A fixed URL-per-domain ratio, shared infrastructure across variants, coordinated platform swaps, and reusable templates that only need new domains and headlines to keep running. In this case, those patterns were all present.

Why does partial takedown sometimes fail to stop a campaign?

Because the operator's templates and infrastructure remain intact. Removing individual domains reduces exposure temporarily but does not prevent rapid regeneration unless the underlying deployment capability is also disrupted.

What should an organisation do when its CEO appears in a fake news story?

Map the full campaign first. Understand how many domains and URLs are live, whether a downstream platform is involved, whether social traffic is driving the funnel, and whether other variants are already active. Then prioritise multi-channel disruption, not single-page removal.
