Cybersecurity · Monday, 6 July 2026
01 · Briefing · what happened
Scammers cloned two footballers with AI — and the trail ends at a shell company you can't sue
Fake betting apps used AI-generated video and forged BBC stories to make Bruno Fernandes and Jude Bellingham look like partners. The operators sit offshore, behind shell companies, beyond reach.
Key takeaways
- Scammers used AI-generated video and a forged BBC story to make two star footballers look like partners of illegal betting apps they never agreed to promote.
- The scam works by borrowing a person's credibility instead of a password — you check a bank, but you don't check a footballer's business, so the familiar face is the whole con.
- The operators can be reached from inside the UK but are legally untouchable — registered offshore behind shell companies with no findable owner, so the harm is real and accountability lands nowhere.
Two of the world’s most famous footballers were turned into fake advertisements this week — and neither of them agreed to anything. Illegal online casinos hijacked the identities of Manchester United’s Bruno Fernandes and Real Madrid’s Jude Bellingham, dressing up fake endorsements with forged news articles, doctored photos, and AI-generated video, to trick their fans into signing up
What happened
An unlicensed betting operator called QH88 built a promotion around Fernandes as its supposed ambassador
How the trick worked
The core of it is a deepfake — media generated or altered by AI to show a real person saying or doing something they never did. QH88 loops an AI-generated video of Fernandes on its main site. A Norwegian outlet had one such clip analysed frame by frame; an expert spotted the tell-tale signs — blurred details, tiny continuity slips, generic faces — but the report notes those flags would be invisible to a casual viewer
The scam works because it borrows something you already trust. Not a password, not a brand logo — a person. You don’t verify a footballer’s business the way you’d verify a bank; the face is the credential. And the fake BBC story adds a second borrowed trust: a name-brand news source you don’t think to double-check.
Why nobody can stop it
Here is the part that matters more than the video. Nightwin can be reached and registered from inside the United Kingdom without a VPN — yet no “Nightwin” appears in the Great Britain Gambling Commission’s register of licensed operators
The one place it is licensed is Curaçao, a longtime offshore haven, where it was launched by a company incorporated only in May 2024
The pattern, again — with a real face
This is the third recent variation on one theme: a scam that rents credibility you already extend. Last week it was fake Aldi websites selling air conditioners that don’t exist — sophisticated replicas built to fool heatwave shoppers acting fast, uncovered by the security firm Kaspersky
Elsewhere
Flipper Devices, maker of the popular Flipper Zero — a small, legal hacking-and-testing gadget now with more than a million users — said full-time development of its firmware is over, and future work will lean on community contributions vetted through public voting
02 · Lesson · why it matters
When the harm is real but there's no one to sue
Some scams don't hide the crime — they hide the criminal, building the operation so that whoever you'd hold responsible is impossible to find.
The video is not the clever part
It is tempting to look at a scam like this and fix on the technology. A fake video of a footballer, generated by AI, good enough that an ordinary viewer wouldn’t catch the blurred edges and generic faces an expert can. That feels like the frontier — the new thing to be afraid of.
But the video is the cheap part. Convincing forgeries of famous people have existed as long as advertising has stolen their photos. The AI just lowers the cost and raises the polish. Impressive, yes. Decisive, no.
The clever part is downstream, and it is not technical at all. It is legal, geographic, and boring. It is the office building in Willemstad.
Who do you call?
Walk through what a victim actually faces. You signed up to a betting app because a footballer you trust seemed to endorse it. Later you realise it was fake. Now what?
You can’t complain to the footballer — he was a victim too, his face stolen. You can’t complain to the regulator, because the operator isn’t registered with your regulator; it can be reached from your country, but it doesn’t exist in your country’s records. You go looking for the company. It’s incorporated offshore, licensed in a jurisdiction chosen precisely because the owner’s name is protected there. Its address is a building that “houses corporate-services firms acting as trustees for thousands of opaque businesses.” The trail ends. There is no person on the other end of any letter you could send.
The reporting on this landed on a single line: you can’t sue ghosts. That’s the design. The forgery gets you in the door; the shell company means that once you’re through it, there is no door to knock on going the other way.
The harm is real — the responsibility is engineered away
This is the pattern worth carrying, and it runs far past betting apps.
A great deal of modern harm is not hidden. Everyone can see it. The fake ads were on Instagram. The app was downloadable in Britain. The video loops on a public website. Nothing about the crime is secret. What’s hidden — deliberately, structurally, expensively — is the responsible party.
You see the same move in other places once you know its shape. A product harms people, but it was made by a subsidiary that dissolves and reincorporates. A pollutant enters a river, but the plant is leased through three holding companies. A voice on the phone drains a pension, routed through a country with no extradition treaty. In each case the injury is concrete and the injurer is a fog. The energy hasn’t gone into hiding the act. It’s gone into making sure that when you follow the thread back, it dissolves in your hand.
Trust runs one way; accountability is supposed to run the other
Here is the connection most people miss. Trust and accountability are supposed to be two ends of the same rope.
You extend trust forward — you believe the endorsement, you enter your card details, you download the app. In a working system, accountability runs backward along the same rope: if the trust was betrayed, you can pull on it and reach whoever betrayed it. A licensed operator has an address, a regulator, a name on a register. The rope holds in both directions.
These scams cut the rope at the far end. They keep everything that makes you extend trust forward — the famous face, the news-brand story, the polished app — and remove everything that would let accountability travel back. You’re invited to pull as hard as you like. The rope isn’t attached to anything.
You are closer to this than the footballer is
It’s easy to read this as a story about celebrities, and file it away. It isn’t.
The footballer loses the use of his own face for a few weeks until the ads come down. The person who actually loses money is a fan — someone who trusted a familiar face the way we all trust familiar faces, because checking everything twice is not how anyone gets through a day. The whole system of borrowed credibility exists because that trust is normal, reasonable, and usually right.
And the structure that protects the scammer — offshore incorporation, nominee owners, jurisdictions that sell anonymity — is not a hacker’s trick. It is a legal architecture that exists in daylight, used by plenty of businesses that never touch a footballer’s face. The scam didn’t invent the ghost. It rented one, from a market that keeps ghosts in stock.
So the useful question the next time something feels off is not only is this real? It is if this goes wrong, is there anyone I could reach? A real operator will have an answer. A well-built scam will have a face where the answer should be, and nothing behind it.
That gap — between how visible the harm is and how invisible the responsibility is — is not a flaw the scammers are working around. It is the thing they built.
03 · Lab · your turn
Pull On The Rope
Rehearse judging an offer by whether anyone is reachable if it goes wrong, not by how trustworthy its face looks.
04 · Hope · carry this
The reason these scams work is that trusting a familiar face is normal, reasonable, and usually right — that instinct isn't the flaw, it's what lets people live and deal with each other at all. Learning to ask one more question, quietly, doesn't cost us that; it just puts a floor under it.
More from Cybersecurity
Across the beats