Hello world,
as many of you may already be aware, there is an ongoing spam attack by a person claiming to be Nicole.
It is very likely that these images are part of a larger scale harassment campaign against the person depicted in the images shared as part of this spam.
Although the spammer claims to be the person in the picture, we strongly believe that this is not the case and that they’re only trying to frame them.
Starting immediately, we will remove any images depicting “Nicole” and information that may lead to identifying the real person depicted in those images to prevent any possible harassment.
This includes older posts and comments once identified.
We also expect moderators to take action if such content is reported.
While we do not intend to punish people posting this once, not being aware of the context, we may take additional actions if they continue to post this content, as we consider this to be supporting the harassment campaign.
Discussion that does not include the images themselves or references that may lead to identifying the real person behind the image will continue to be allowed.
If you receive spam PMs please continue reporting them and we’ll continue working on our spam detections to attempt to identify them early before they reach many users.
Streisand effect dude. 🤦♂️
This is some small internet bullshit i’m here for
Oh, I think I got one of those. It’s that girl with the bong, right?
Yes, but there are a few pictures around from all of it
Glad to see there’s effort being taken to stop this, as someone who’s been harassed in a similar way on here it really kind of bugs me that people are making light of this or assume that the original person is the one doing this. Impersonation is frighteningly easy on the Fediverse and I really wish they’d add some kind of verification in Lemmy like they do in Mastodon to try and minimize the impact of it.
About damn time. The joke has run it’s course a long time a ago and if these posts are victimizing an individual they most definitely need to be stopped.
I broke up with her for this reason.
She ghosted me. Never replied to any attempts at communication. I’m done.
I gotta give it to you guys. The foresight to prevent a disaster is 10/10. Top tier. Well done.
Foresight? This has been going on for several months.
I took the comment as sarcasm. lol
It’s pretty obvious …
What’s scary is how many people just accepted that some woman wanted to randomly spam thousands of pictures with her smoking weed.
Maybe they’re used to onlyfans bots.
That would make since if any of the pictures were selfies and not random screen grabs off a webcam
You forgot this
/sto be honest, this should have been done way earlier.
You know it had not even crossed my mind until this post but on hindsight it makes perfect sense.
Still glad you’re doing it now!
I saw a theory a while back that the IPs which receive the various images get logged allowing the recipients accounts to be tied to an IP and possibly even a physical address based on the timeframe it was sent. Is that a real concern or just conspiracy, do you think?
I find it difficult to believe there are enough fediverse users not using a VPN at all times to make that effort worthwhile.
most people don’t. the only device I have that runs a VPN 24/7 is a laptop that seeds
I use a VPN on everything else if I’m doing something sketchy thougheveryone should be more like me :3
yeah that’s fair, I probably should use it more but it’s just kinda annoying
That appears to be a baseless conspiracy theory.
Except for the gore pms, I believe all the images have been uploaded to Lemmy instances or Imgur, which means that the uploader has no way to track IPs accessing those images. The gore images were uploaded to another service that at least on the surface appears to be another regular image hoster that wouldn’t expose IP access logs to uploaders.
I don’t think its baseless given that anyone can set up their own Lemmy instance to host the PM’d images.
Gore wait wtf where does gore come in, is that if you play along with the ctfish?
A day or two ago, someone spammed out a picture of a murdered body with the standard Fediverse Chick copypasta. That seemed to freak people out; the nicoled community locked down, this thread happened, etc.
The gore photo seems to be a second actor/copycat. The Nicole spammer either came from their own instances or opened accounts very shortly before spamming, the gore photo, and a following anime style picture done in red-on-white saying “Do you like insanity?” seem to come from accounts that were made 2 years ago.
Oh damn. Don’t know how I missed that bit of drama. Thanks
The instance domains I’ve seen involved so far at least weren’t set up specifically for this purpose at least. Most of the URLs were pointing to established services and not different per recipient.
While I can’t rule out that individual users may have received a different URL in an attempt to extract their IP and information about their browser, this at least does not appear to have been done in a larger scale.
Thank you for your work managing the spam waves!
part of a larger scale harassment campaign against the person depicted
Oh boy that’s horrible, if true I hope she has reported it to police, and they can help her.
This is a copy+paste of a comment I left on the Nicole@feddit.org mod post after the recent incident with the gruesome picture(s?):
“I think if Lemmy doesn’t have the infrastructure to defend against attacks like these which are presumptively conducted by one bad actor, then it doesn’t have the infrastructure to defend against wealthy organizations when our communities do get big enough to be noticed by them.
[Nicole@feddit.org]’s history underscores how the messaging system in particular needs a massive overhaul; using image recognition as a filter for messages like Lemmy.World does for image posts (with options for NSFW that isn’t NSFL?), preventing images (and URLs? or only allowing white-listed sites?) from being sent within the first message sent between users (unless a box is ticked?), not showing message recipients images until they are directly opened, and preventing the de-anonymizing of message recipients should be made first priority for the next patch.”
Well, I for example develop an automod (which is available to everyone) which includes advanced stuff like scanning images in the content, scanning the text itself, detecting similarity between two images etc. This all in an efficient reactive manner using database level webhooks.
There is the infrastructure for that, it’s being developed and refined with every new kind of attack that’s happening. As every other platform does, whether they’re commercial or open.
I got that DM as well. And then it disappeared. I think my instance’s admins saw it spammed and mass deleted it.
Dont render images in private message (#3043)
https://join-lemmy.org/news/2025-04-08_-_Lemmy_Release_v0.19.11
Ah very cool. A recent update too. Thanks.
unfortunately we can’t just apply the update quickly, as this introduces sending emails on rejected applications. we already send rejection emails separately and with custom text, while the text implemented in the update is currently not configurable.
i’ll see if we can deploy updated lemmy-ui without updating lemmy already this weekend, but i need to check if there were any api changes first, as we’d then have to backport them to lemmy first.
we’ve already applied the security patch about 2 weeks ago.
Thank you!
Yes. As you can see, a few large instances like lemm.ee, lemmy.ca and others have already updated: https://fedidb.org/software/lemmy?version=0.19.11
Hopefully others will follow soon
Reddthat.com updated as well… dunno how big our instance is, in comparison, but I didn’t know the update dealt with embedded images in PM’s. I appreciate the info!
What does the “MAU” stat mean? “‘Something’ Active Users”?
Monthly active users
They are absolutely right. The quiet part of this is almost certainly that these DMs were being used to collect IPs from users using tracking links, and this is generally a big vulnerability in the fediverse many people seem unwilling to meaningfully confront.
Honestly I think the easiest thing would be to not allow images or embedding at all in PMs and perhaps display a warning message when clicking links “you are leaving [instance name]…”
Analyzing potentially lots of text and images in an effort to “guarantee” safety of users is likely a sisyphusian endeavour that is bound to fail - and furthermore also has privacy issues (namely that “private” messages aren’t private at all)
For anyone not clicking the link, but wondering what this reply means… it’s a link to the user’s comment (right below, within this comment chain) about a lemmy update
I was confused for a sec and probably would’ve skipped over all of the context because I didn’t continue reading first (and I hesitate to click links randomly), so maybe someone else with no attention span will benefit as well
"Lemmy update v0.19.11 provides ‘Dont render images in private message’
Not every instance is updated to this version, but it should stop the current method of spam (if updated). I’m wordy, I know; but maybe it’ll help someone
not allow images or embedding at all in PMs
I’d add — as someone who was concerned about and posted on the possibility that the aim of the spammer was exposing the IP address associated with the receivers’s username — that even if this wasn’t the aim from this event, it could be in some future event.
I don’t think that disallowing inline images in direct messages will eliminate spam problems, even efforts of this sort, as it’d still be possible for a spammer to spam messages with indirect links to images hosted elsewhere. But it would help avoid leaking IP addresses of the receiving user.
Or at least disallowing inline images in direct images by default. I can imagine maybe someone enabling them on some kind of a private, decoupled-from-the-wider-Fediverse instance on an intranet or whatnot, but I really don’t think that this is something that nearly any instance should actually permit.
For anti-spam efforts, I think that there are a variety of potential partial solutions. No complete fixes, but some:
-
Rate-limiting the comment frequency on new accounts. IIRC, Reddit used this tactic. It does create some issues for (legitimate) use of throwaway accounts in anonymous posts, but there’s no legitimate reason for a new account to blast hundreds of messages an hour, I think. This might already be present, but if not, it’d be a good start. This can be defeated by generating new accounts for each new message or batch of.
-
Rate-limiting new account creation from a given IP address, if not already present. An attacker could defeat this via use of a commercial VPN, and if too low, it could create issues for some commercial VPNs.
-
Hashing of messages to red-flag identical messages being posted en masse. As best I could tell, the spammer here was posting many identical messages. This can be defeated by a spammer having software slightly modify each message.
-
Fuzzy-hashing of messages to red-flag almost identical messages being posted en masse. This can be defeated via text generation methods that are carefully tailed to the fuzzy hashing mechanism to modify messages such that each fuzzy-hashes to a different message.
-
A mechanism to permit an account to share blacklists of IP or message hashes and trigger removal of messages on other instances, preferably associated with a specific identifier or account. This permits any other instances to leverage antispam work by one instance; if I want to trust a given antispam admin or bot on lemmy.world, I can. Let an instance admin review and override such removals, maybe. It creates abuse potential for malicious use or inadvertent false positives spanning instances, but I think that it’s necessary to avoid having each instance fight its own lonely antispam battles. Otherwise, new and personal instances risk being buried by a deluge of direct message spam. The same mechanism, if exposed to users and not just instance admins, would also permit for subscribable content filters for people who don’t want to see content of a given sort (e.g. profanity or pornographic content of a particular sort or whatever, not just spam), which is another issue.
Fortunately, as far as I see as a user, we’re not yet at the point that there is much spam on here yet, so this isn’t yet a serious problem. Maybe it’ll never happen, if the userbase never grows much. But if the userbase gets considerably bigger, increasingly-problematic spam will inevitably follow.
-
Yeah it seemed funny at first but the longer this went on the creepier it got as we all realized this isn’t just a catfish.
Whoever is doing this to the actual person in the photos is a terrible human being and should go climb under a rock for the rest of their lives.
Agreed. When the images started to change it got really creepy.
Did I miss something? What image changes and why do people think she is a victim instead of some spammer? Got like 5 of the DMs myself but they weren’t anything bad.
I’ve seen several different images and there was a video on peertube. All of them look like content from a hacked webcam.
Oh I was thinking she was some cam girl trying to contact for money or scam.
Yeah, that’s what I thought from the very first DM I received. It looks like Shea totally unaware a picture was taken of her. Surely, if this were real, “Nicole” would use a more flattering picture to potential friends.
It got super creepy when more shots of this women were released of her doing activities that no one would ever take a photo of themselves doing. Then the last photo was released separately of a NSFW don’t read if you are not in a place to read gore/graphic/assault
Tap for spoiler
Real photo of a dead woman who looks like Nicole in a morgue body bag with her flesh peeled off and her face beaten. It’s unlikely that this disturbing turn is real but it was horrific for people who received this last spam. That is what triggered the ultimate ban on all images (since this is most likely a psychopathic copycat). :(
It’s just creepy because in every other obvious scam like this for the last 10 years they use the same single picture of the same person on everyone. Now suddenly there are dozens of different pictures, all clearly of the same woman, going to different people.
Sorry if this isn’t the right place to ask, but are you able to confirm whether admins have reported this to the police?
Even if violence hasn’t been perpetrated, the harassment is still a crime surely.
I don’t know if others have, I only know that we (Lemmy.World, Fedihosting Foundation) have not reported it to the police.
I don’t have high hopes that the police would be able to do anything about this. For the harassment against the person shown in the images, that would likely have to be reported by them directly for the police to take that up.
For random online spam, as in harassment of fediverse users receiving the PMs, that seems like it would be an extremely low priority for police. It’s also likely fairly difficult to impossible to follow up on, considering that the person sending the PMs most likely used a VPN to access these accounts.Would it even be realistic to know the right place to report it to? Just because the messages say Toronto doesn’t necessarily mean the victim is in Toronto, and reporting it to the wrong place at most probably just means wasting resources in one location and coming no closer to stopping the harassment. Is there anything from a national group like the RCMP, FBI, or INTERPOL to help in a case like this?
There’s a video of her eating food in the shopping centre where whe works. You can find it on google Street view.
I’m not a fan of LEO, BUT at the same time doing nothing should not be an option. What I mean by that is that Johnny Law should still be contacted and a report filed (at the very least). Even if they do not follow up on it, that’s on them and not us (the fediverse).
Anyone asking you to file a report with police has likely never had to file a police report. They don’t even want to file reports for things that actually happened directly to you, if they can convince you out of it lol.
Agreed. At least here in the US, you’d have more chance of winning the lottery than getting a cop to care about this issue without the person directly involved reporting it. And even then it would be a crapshoot.
The right cop will care about it, but the right cop doesn’t work for your city and so you don’t have any way to contact them.
Hmm.
The people receiving the spam are not being harassed, obviously.
The woman depicted is very likely the target of harassment.
Sharing the images depicting violence is tantamount to a threat of violence.
As admins, you’re not just witnesses but the stewards of a community and the representatives of many thousands of people in this matter.
Pre-empting what the police will do is not a reason not to report. You don’t know what they will do. They might do nothing at you would have wasted 15 minutes. On the other hand perhaps Nicole has been trying to get a restraining order against some creep but has been unable to due to lack of evidence.
The woman depicted is very likely the target of harassment.
Agreed, but there is no proof of this. We also don’t know their true identity to check with them directly.
Sharing the images depicting violence is tantamount to a threat of violence.
The images did not depict violence directly, it was a gory image of a dead person. They were very likely sent by a copycat not involved in the original harassment campaign and intended to fuck up fediverse users more than anything else. They did not appear to imply any kind of threat.
you would have wasted 15 minutes
This would require a lot more than 15 minutes to file a proper report. First we have to collect all relevant information that we have available and compile them in a format that can be submitted. Once we have this information we have to identify a police department to report this to. We are legally based in NL, as that’s where our non-profit Fedihosting Foundation is located. I’m based in Germany, so it would also be an option to report it here. The depicted person is claimed to be in Canada, so maybe this should be reported to a police department over there. Or maybe to all of them.
All of this would easily add up to 2 hours or more if you want to do it properly and not just look for 3 online forms to write “hey there is someone sending spam”.
If this was a paid job and I was doing this during working hours I wouldn’t mind, but all the time I spend here is taken out of my personal time, the same as with anyone else on our team, and also the same you’ll see with most other fediverse instances.perhaps Nicole has been trying to get a restraining order against some creep but has been unable to due to lack of evidence.
If we receive a request for information from (real) law enforcement we’ll be more than happy to provide relevant data, but doing this for the (perceived low) chance of that somehow being linked from a random police report is a fairly high time investment as described above.
Respectfully, I don’t share your assessment of the seriousness of the crime. You seem to be weighing the question of whether someone has been harassed or intimidated from the perspective of a “reasonable third party”. However, I suspect that the law assigns considerable weight to the question of whether the victim feels intimidated or harassed. For example, you’re correct that sharing the gore image is not a direct threat of violence, however I feel certain that the woman depicted in the earlier images taken from the live stream would feel concerned for their safety.
I would also like to clarify one aspect of which you may not be aware. It’s very easy to confirm the woman’s place of work beyond any reasonable doubt, with images she has posted to other platforms.
I understand that it’s unreasonable to say that you specifically or any admins of lemmy.world or any other instance should give up hours of your free time to make a police report.
However, as others in this thread have suggested this incident underlines the limited protections lemmy has against this type of attack and it seems likely that we will see a lot more.
I also respectfully disagree regarding the likelihood that reporting this crime could be useful. It’s not a question of “somehow being linked from a random police report”. If the victim ever does contact the police, which seems very likely to me, it’s extraordinarily likely that a report from lemmy would be identified as being related.
It’s not my intention to berate you personally over this, and as I mentioned above I acknowledge that it’s unreasonable to expect you personally to take action in this specific case. I am however concerned that Lemmy’s federated nature is not well suited to addressing this type of risk to members of our community.
This would require a lot more than 15 minutes to file a proper report…. All of this would easily add up to 2 hours or more…
Tell you what: log the time it takes, and I will personally pay you $60/hour for your time to make a proper report.
And no, I’m not being sarcastic.
I have spam in my email. Should I report that to the police as well?
There just isn’t enough for regular police to go on, without even considering jurisdiction. Cooperating with authorities is fine, but there’s not really anyone to proactively reach out to about this.
Yes. If you run an email server and one of the accounts has been used to perpetrate a harassment campaign including threats of violence then obviously you should report that.
Haha what fantasy land do you live in where that helps anything?
Actually smartass, it’s called Australia. We have laws specifically to address this exact situation. I have made police reports in my time, and can assure you that the police would take a campaign of this scale very seriously.
What of the recent NSFW/gore images that were shared? Has that been reported to authorities?
Not expecting police to solve it, but at least it would be on their radar.
we looked into it, we currently believe that to be a copycat not related to the other pms.
the lemmy.world account involved in that was most certainly compromised from an unrelated data breach and all connections originated from IPs linked to an anonymization service, so there’s also not much to follow up on.
we will reconsider this if it happens again.
Thank you, as someone who looked into this I am glad to see this being taken seriously. The real Nicole is for sure a victim and does not deserve to be doxxed and made into a meme.
I can’t wait for the future 4 hour video deep dive into Nicole history and lore.
Question is, is it going to be made by Whang or Nexpo?
Count Dankula’s madlasses
Neither. Hopefully someone like wendigoon or oki’s weird stories. Someone a bit more investigative and less semsationalistic than nexpo.
I’ve been lurking in ALL for about a week pretty consistently having now completely abandoned the alternatives and I’m not sure I saw the image in question. In fact, I’m pretty sure I didn’t. So, those of you worried about the image… many of us, I presume, didn’t even see it. Anyway… glad to see there is a process to deal with miscreance and glad to know it works!
They were sent via direct messages so you just didn’t happen to get a DM from them.
