Unmasking MrDeepFakes: Canadian Pharmacist Linked to World’s Most Notorious Deepfake Porn Site
This article is the result of a collaboration with TjekDet, Denmark’s fact-checking media outlet, Danish newspaper Politiken, and the Canadian Broadcasting Corporation.
Warning: This article discusses non-consensual sexually explicit content from the start.
MrDeepFakes billed itself as the “largest and most user-friendly” platform for celebrity deepfake pornography. The website, which was visited millions of times every month, hosted almost 70,000 explicit and sometimes violent videos, which had collectively been viewed more than 2.2 billion times.
They show mostly famous women whose faces have been inserted into hardcore porn with artificial intelligence – and without their consent.
In the background, an active community of more than 650,000 members shared tips on how to generate this content, commissioned custom deepfakes, and posted misogynistic and derogatory comments about their victims.
Source: MrDeepFakes
For years, the website has been shrouded in mystery, existing in a legal grey area and concealing the identity of those who control it. Until now.
Bellingcat, in collaboration with Danish outlets Tjekdet, Politiken and the Canadian Broadcasting Corporation (CBC), has conducted an investigation to reveal the identity of a key administrator behind MrDeepFakes.
David Do is a 36-year-old Canadian pharmacist who, based on open source information, lives an unassuming and respectable life in the suburbs outside of Toronto. Photos and videos posted online show him with family, friends and colleagues. The university graduate has a well-paying job in a public hospital and drives a new Tesla.
But Do has been living a double life: in secret, he is the most prominent figure identified to have had control over the administration of MrDeepFakes. He was also an influential member of its growing online community, producing his own deepfake porn and assisting users who want to make their own.
Online posts show Do is a technically minded individual with a long-standing interest in creating and distributing adult content, and provide an insight into efforts to obfuscate his identity.
We identified Do by cross-referencing data from massive credential leaks, which are publicly available via breach databases. A series of burner emails, IP addresses, repeated usernames, and a unique password reveal a more than decade-long digital trail that allowed researchers to link him to MrDeepFakes.
Bellingcat, Tjekdet, Politiken and CBC have sent Do multiple requests for comment since late March but did not receive a response as of publication. Last month, the CBC hand-delivered correspondence to Do setting out the findings of this investigation, but he declined to comment.
Shortly after, Do’s Facebook page and the social media accounts of some family members were deleted. Do then travelled to Portugal with his family, according to reviews posted on Airbnb, only returning to Canada this week.
On Sunday, the MrDeepFakes site was shut down. “A critical service provider has terminated service permanently,” a notice on the platform says. “We will not be relaunching. Any website claiming this is fake.”
CBC approached David Do again on Monday but he refused to answer questions about his involvement with MrDeepFakes. “I don’t want to be recorded please,” he said. “I have to go. I’m busy right now.”
What is Deepfake Porn?
Deepfake pornography is the use of artificial intelligence to create non-consensual, sexually explicit images and videos. Research shows that 99 per cent of victims are women.
Actress Jenna Ortega, singer Taylor Swift and politician Alexandria Ocasio-Cortez are among some of the high-profile victims whose faces have been superimposed into hardcore pornographic content.
But the technology is also being used on people who are not in the public eye.
A 2024 survey found that at least one in nine high school students knew of someone who had used AI technology to make deepfake pornography of a classmate and The New York Times has reported that schools across the US were dealing with incidents of teenagers making deepfakes of their female classmates.
Adam Dodge, from EndTAB (End Technology-Enabled Abuse), said it was becoming easier to weaponise technology against victims. “In the early days, even though AI created this opportunity for people with little-to-no technical skill to create these videos, you still needed computing power, time, source material and some expertise. And now you need very little of those things,” he said.
“It is literally point-and-click violence against women. Some of these apps only require one photo of the target, and you, on the app, literally use your finger to drag the woman’s face into a video and then just release it and AI does the rest, editing that victim into the photo. And then you press play and it now appears that the victim from the photo is engaging in sex acts.”
Dodge said the MrDeepFakes site had grown since 2008 and added features that were typically used by regular businesses to promote an air of legitimacy. “ It’s incredible and I’m incredulous that the site has been allowed to survive this long,” he told Bellingcat.
“This is sexual violence, and it’s as harmful as any other form of sexual violence in our opinion. I’ve talked to mental health professionals who work with rape and trauma survivors, and they analogise it to a woman who is sexually assaulted while unconscious or drugged, and it’s filmed, and then they have to watch it later.
“They have no memory of this happening to them. But the simple act of watching it is deeply traumatic and that’s what this technology manufactures. And the permanency and the public nature of it are the two, I would argue, most powerfully traumatic things that victims often experience.”
Governments around the world are scrambling to tackle the scourge of deepfake pornography, which continues to flood the internet as technology advances. In Canada, the distribution of non-consensual intimate images is illegal, but this is not widely applied to deepfakes. Canadian. Prime Minister Mark Carney pledged to pass a law criminalising the production and distribution of non-consensual deepfakes during his federal election campaign.
In the US, legislation varies by state, with about half having laws against deepfake pornography. The US Congress last month passed the Take it Down Act, which criminalises the distribution of non-consensual deepfake pornography at the federal level. President Donald Trump is expected to sign the bill into law.
The EU does not have specific laws prohibiting deepfakes but has announced plans to call on member states to criminalise the “non-consensual sharing of intimate images”, including deepfakes. Member states will not enact these laws until 2027. In the UK, it is already an offence to share non-consensual sexually explicit deepfakes, and the government has announced its intention to criminalise the creation of these images. Australia passed new laws to combat sexually explicit deepfakes last year.
‘Fake It Till You Make It’
The identity of the person or people in control of MrDeepFakes has been the subject of media interest since the website emerged in the wake of a ban on the “deepfakes” Reddit community in early 2018.
But the porn site’s hosting providers have bounced around the globe and premium memberships can be bought with cryptocurrency, which have made it virtually impossible to trace ownership.
Source: MrDeepFakes
Adam Dodge, the founder of EndTAB (End Technology-Enabled Abuse), said MrDeepFakes was an “early adopter” of deepfake technology that targets women. He said it had evolved from a video sharing platform to a training ground and marketplace for creating and trading in AI-powered sexual abuse material of both celebrities and private individuals.
“Our digital world is really good at empowering people who want to do harm by allowing them to remain anonymous while simultaneously making it almost impossible for victims to unmask them,” he said.
In January, Bellingcat, in collaboration with the German YouTube channel STRG_F, examined the companies behind two apps used for creating deepfakes that it advertised prominently on its homepage.
For this investigation, researchers conducted a forensic analysis of the forums on MrDeepFakes’ website. The forums are a virtual marketplace where members commission deepfakes and trade tips on making videos with the same technology that is used for creating revenge porn.
Videos posted to the tube site are described strictly as “celebrity content”, but forum posts included “nudified” images of private individuals. Forum members referred to victims as “bitches”and “sluts”, and some argued that the womens’ behaviour invited the distribution of sexual content featuring them. Users who requested deepfakes of their “wife” or “partner” were directed to message creators privately and communicate on other platforms, such as Telegram.
A search of the forums returned two accounts for MrDeepFakes “staff members”. One joined in March 2019 and is also listed as a “moderator”. The other joined in February 2018 and is also listed as an “administrator” (two additional administrator accounts, created in 2018 and 2021, were not listed as staff members, and one now-defunct account previously tagged as staff and moderator was created in the year after the site was set up).
Therefore, the focus of this investigation was the oldest account in the forums, with a user ID of “1” in the source code, which was also the only profile found to hold the joint titles of staff member and administrator. The long-time handle used by this account was “dpfks”.
Researchers began by analysing the profile. The dpfks bio contained little identifying information, but an archive from 2021 shows the account had posted 161 videos which had amassed more than five million views. It earned the badge of “Verified Video Creator”.
Forum posts document dpfks’ involvement as a creator and leader in the community. Archives show dpfks posted an in-depth guide to using software that creates deepfake porn, published website rules and content guidelines, advertised for volunteers to work as moderators, and gave technical advice to users.
Dpfks’ posts carried the tagline: “Fake it till you make it.”
In a 2019 archive, in replies to users on the site’s chatbox, dpfks said they were “dedicated” to improving the platform. “There is a reason why we are the biggest deepfake site. I care about the community and teaching others.
“I don’t think other site owners care enough to make their own deepfakes, and keep uptodate [sic] with it. My first few deepfakes were s**t too, the more you make, the better you get.”
David Do’s Links to MrDeepFakes
Legitimate online platforms take measures to protect users’ personal information but data breaches are common and can affect anyone, from the average user to senior US government officials. In this case, data breaches allowed researchers to link email accounts that had been reused across porn sites, warez (pirated content) forums and server admin platforms to a key operator of MrDeepFakes.
Central to the findings was one email account – dpfkscom@gmail.com – that was used in the “Contact Us” link on the footer of MrDeepFakes’ official forums in archives from 2019 and 2020.
Using breached data, researchers linked this Gmail address to the alias “AznRico”. This alias appears to consist of a known abbreviation for “Asian” and the Spanish word for “rich” (or sometimes “sexy”). The inclusion of “Azn” suggested the user was of Asian descent, which was confirmed through further research. On one site, a forum post shows that AznRico posted about their “adult tube site”, which is a shorthand for a porn video website.
The AznRico alias was frequently associated with a personal Hotmail address in David Do’s full name, which appeared in leaks alongside this username 22 times. Researchers also uncovered a cryptocurrency trading account for AznRico that later changed its username to “duydaviddo”.
The analysis showed that the MrDeepFakes Gmail address was used to register a profile on a separate porn website. This profile used a unique 11-character password which was also used across other accounts, including a profile on the Ashley Madison dating website that was registered with Do’s personal Hotmail address. A search of the unique password in breach databases returned 17 results linked to other email addresses that included Do’s full name.
Further searches of Do’s Hotmail account led to more leaks that displayed his date of birth. The Hotmail account was also linked to a residential address in Ontario, which public records show is the location of a house owned by Do’s parents. This email was also used to register a Yelp account for a user named “David D” who lives in the Greater Toronto Area.
Do has never publicly acknowledged operating MrDeepFakes, but a single email address published by the porn site formed the basis of a digital trail that led to usernames, passwords and other email accounts which overlap with his personal and professional data since 2008.
Pirated Movies to Deepfake Porn
David Do keeps a low profile under his own name, but photos of him have been published on the social media accounts of his family and employer. He also appears in photos and on the guest list for a wedding in Ontario, and in a graduation video from university.
Do’s Airbnb profile displayed glowing reviews for trips in Canada, the US and Europe (Do and his partner’s Airbnb accounts were deleted after CBC approached him on Monday). His home address, as well as the address of his parents’ house, have both been blurred on Google Street View, a privacy feature that is available on request.
In the late 2000s, while studying at university, Do was involved in the creation of Xinoa (xinoa.net), a warez forum. Do’s personal Hotmail address, which includes his full name, is visible in source code as an admin contact for the site, archives from 2008 show.
The profile page “ddo” is tagged as the “Root Admin” and “Xinoa Owner”, and lists a date of birth matching that of Do. The profile includes download links to television shows, one of which was accompanied by a comment about “exam week” in 2009, when Do was studying at university. This username is also similar to Do’s Instagram profile (“ddo.jpg”), a link to which was included in the bio section of his Facebook account under the name “Doh Dave”. Both social media accounts have been deleted.
An account on an internet marketing forum was registered using a Xinoa administrator email address, breach data shows. That account was linked to an IP address owned by the University of Waterloo, where Do earned degrees in biomedical science in 2010 and pharmacy in 2014, according to Rocketreach.
The 2015 Ashley Madison data breach shows user “ddo88” registered on the dating site with Do’s Hotmail address and was listed as an “attached male seeking females” in Toronto. They described themselves as being of Asian ethnicity, 173 cm tall and weighing 66 kg. The breached profile was linked to a Toronto-based address and also contained a date of birth, which matches Do’s birth date in public records.
Xinoa would become the springboard for a more sophisticated operation.
In February 2018, when Do was working as a pharmacist, Reddit banned its almost 90,000-strong deepfakes community after introducing new rules prohibiting “involuntary pornography”. In the same week, MrDeepFakes’ predecessor site dpfks.com was launched, according to an archived changelog.
An analysis of the now-defunct domain shows the two sites share Google analytics tags and back-end software – as well as a forum admin who used the handle “dpfks”. Archives from 2018 and 2019 show the two sites redirecting or linking to each other. In a since-deleted MrDeepFakes’ forum post, dpfks confirms the link between the two sites and promises the new platform is “here to stay”.
“MrDeepFakes.com was formerly dpfks.com and we opened our doors shortly after the Reddit ban,” the 2018 post said. “I know joining a new forum or community feels like starting fresh, and starting over, but the community is small, and all the important players will stick together. I promise to keep this community running as long as I can, so that the deepfake community does not have to scramble and relocate again.”
Later in 2018, in a post on Voat, a defunct online message board similar to Reddit, dpfks said they “own and run” MrDeepFakes. In response to another user, dpfks refers to their life outside of operating a porn website. “I just got home from my day job,” the post said, “now back to this!” Some of dpfks’ earliest posts on Voat were deepfake videos of internet personalities and actresses. One of dpfks’ first posts on the MrDeepFakes’ forums was a link to a deepfake video of video game streamer Pokimane.
Other targets included the American politician Alexandria Ocasio-Cortez, for whom dpfks shared a folder containing more than 6,000 images that could be used to create deepfake pornography. Before it shut down this week, MrDeepFakes hosted 125 graphic videos tagged with Ocasio-Cortez that had collectively received more than 5.3 million views. After discovering she had been transposed into a deepfake porn video last year, Ocasio-Cortez told Rolling Stone that “digitizing violent humiliation” was akin to physical rape and sexual assault.
Another target of dpfks was American YouTube personality Gibi_ASMR, who gained popularity online with her ASMR (Autonomous Sensory Meridian Response) videos. Dpfks created and shared pornographic deepfakes of the YouTuber on the MrDeepFakes forums. In a statement published by EqualityNow in 2021, she said: “They’re running this business, profiting off my face doing something that I didn’t consent to, like my suffering is your livelihood. It made me really mad, but again, there was nothing I could do so I just had to leave it.”
In 2018, dpfks posted a two minute deepfake video of an Academy Award-winning American actress with the description: “[Name omitted] doesn’t do porn, but in this fake video she is completely naked with her legs spread in the air. Watch her face … while she struggles to take it.”
Forum posts under various aliases match those found in breaches linked to Do or the MrDeepFakes Gmail address. They show this user was troubleshooting platform issues, recruiting designers, writers, developers and search engine optimisation specialists, and soliciting offshore services.
The username “AznRico” was commonly associated with Do’s email account and could be found across several postings online. In 2009, years before MrDeepFakes was launched, this now-banned user posted to an internet marketing forum discussing online money-making techniques, including the monetisation of video traffic.
AznRico also posted on an auto lighting forum in 2009 to ask for advice about fixing headlights for a car in Canada – a 2006 Mitsubishi Lancer Ralliart. In another thread on the same forum, AznRico uploaded several images of the car, one of which was archived and contained metadata indicating that it was captured on a Sony Ericsson K850i.
In 2009, on a separate forum, AznRico said he had this model phone and posted about troubleshooting the device (that forum was subject to a data breach exposing David Do’s personal Hotmail address and unique password).
Public records obtained by CBC confirm that Do’s father is the registered owner of a red 2006 Mitsubishi Lancer Ralliart. While Do’s parents’ house is now blurred on Google Maps, the car is visible in the driveway in two images from 2009, and in Apple Maps imagery from 2019. CBC confirmed the car was still at the house last week.
In 2011, on a freelance job board, AznRico asked for help building a video streaming plugin. This profile also listed that the user was based in the same Ontario city where Do’s parents’ home is located. In 2018 – the same year MrDeepFakes was launched – AznRico asked for advice to fix slow load times on their porn site, which they said received about 15,000 to 20,000 visitors a day. Breach data shows this account was linked to Do’s personal Hotmail address.
In one forum post from January 2020, user “dj01039” complains that PayPal had limited their “stealth account”, which was used to “sell virtual goods” (PayPal was intermittently available as a payment option on MrDeepFakes). The username dj01039 matches the abbreviation of an email address (davidjames01039@gmail.com) that was linked to a PayPal donation button on MrDeepFakes in December 2019.
In June 2020, on another forum, a user with the same alias (who later changed it to “ac2124”) said their stealth account had been permanently closed and wanted to know about front companies that could accept payments on their behalf. The user described themself as the “webmaster of an adult tube site” who takes a cut from creators who post original porn videos, and also earns revenue from running ads. By December 2020, ac2124 said their website was earning between $4,000 and $7,000 a month.
Breach data also links the MrDeepFakes Gmail to an account on support forums for Kernel Video Sharing (KVS), a commercial content management system, where user “mongoose657” (formerly dj01039) sought help managing a video tube site. The discussions, from 2021 to 2024, were consistent with backend issues encountered when running a large website: storage solutions, ticket system failures, and outsourcing development work.
On the adult webmaster forum GoFuckYourself.com in 2020, dpfks (subsequently changed to “mjmango”) enquired about anonymous debit cards, which were advertised as allowing users to withdraw cash or pay for purchases anonymously. In 2021, mjmango responded to another user’s enquiry about how to monetise tube sites.
In another forum, ac2124 enquired about countries to form an offshore company and expressed concern about “know your customer” checks, which are used by the banking sector to confirm the identity of their customers. In a 2020 post, ac2124 said they had decided to make a “dummy site/front” for their adult site and enquired about online payment processing and “safe funds storage”.
In 2022, ac2124 sought advice for a Canadian citizen who operates an “adult niche website” and asked about “a company setup that focuses on privacy”. The post said: “At a bare minimum, this person shouldn’t be listed on any public registrar (as director, shareholder, UBO, etc). Open to using nominees, opening trusts, etc. What are some setups, or jurisdictions that should be looked into?” This user also asked specifically about setting up a company in the British Virgin Islands or Cayman Islands, both secrecy jurisdictions.
In late 2023, mjmango left positive feedback for an adult graphic designer below a post from the designer containing a MrDeepFakes logo. “Purchased another logo recently. As always great communication and allowed multiple re-edits,” the comment said. In March 2024, ac2124 posted about delays accessing a service that creates a “proxy” for a “high-risk website” so it can process transactions from the online payment processor, Stripe.
In April 2024, Dutch outlet Algemeen Dagblad (AD) reportedly made contact with the owner of MrDeepFakes, who was anonymised in their subsequent reporting. AD reported that this person claimed to have sold the website, but did not provide any evidence to support this claim. Our investigation could not confirm whether the site was ever sold, and if so when.
David Do did not respond to multiple requests for comment about his involvement with MrDeepFakes.
Ross Higgins, Connor Plunkett, Beau Donelly, George Katz, Kolina Koltai and Galen Reich contributed to this article.
Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here and Mastodon here.
