DMCA abuse detection: how to spot a fake takedown in 2026
A practical, evidence-based guide to detecting fraudulent DMCA notices. The eight patterns we look for, the tools that surface them, and what to do once you're sure a takedown is bogus.
Adrià Pérez
DMCA notices are the duct tape of the open web. They are also one of the easiest legal instruments to weaponize. In 2024, Google alone won a default judgment against two operators in the Northern District of California for using 65 fake Google accounts to file thousands of fraudulent notices targeting more than 117,000 third-party URLs. Lumen Research Fellow Shreya Tewari documented 33,988 fraudulent "back-dated article" notices targeting 550+ domains. Reputation-management firms are openly selling DMCA abuse as a service for $500–$5,000 per takedown.
If you are a publisher, an SEO, an affiliate operator, or a journalist, the question is not whether you will be hit by a bogus DMCA. It is whether you will catch it in time to do anything about it.
This post walks through the eight abuse patterns we have built detectors for inside Counterspine, the public signals that surface them, and the playbook for responding once you're sure a notice is fake.
Why DMCA abuse works
The mechanics of the DMCA notice-and-takedown process were designed for a 1998 internet of small content sites and a handful of search engines. Two design choices made it abuse-prone from day one:
- Liability flows to the recipient, not the sender. Hosts and search engines have a strong incentive to delist first and ask questions later, because acting "in good faith" on a notice grants safe harbor under §512(g)(1). Sending a fraudulent notice carries §512(f) liability, but enforcement is rare.
- Identity verification is minimal. Google explicitly does not require proof of identity from notice senders. A drive-by abuser can file a notice claiming to be Taylor Swift, and the burden falls on the recipient to investigate.
The default-action asymmetry, combined with the fact that DMCA submissions count as a Google ranking signal under the 2012 Pirate Update, has made the notice form an irresistible weapon for negative SEO, reputation management, and competitor sabotage.
The eight patterns we detect
Inside Counterspine, every ingested notice runs through eight detector services. Each emits a confidence score and an evidence blob. Notices that cross a combined threshold get flagged for human review and trigger alerts to the affected workspace.
1. Back-dated source articles
This was the technique Tewari uncovered in her Lumen research. The attacker copies the target article verbatim, posts it on a low-quality domain (often a recently registered one), and back-dates the timestamp. They then file a DMCA against the original, claiming the original is the infringer.
Signals: WHOIS-vs-claimed-publication-date mismatch, archive.org first-seen later than claimed publication, missing or templated bylines, identical body text on a high-authority domain that predates the claimed source, recent domain registration of the alleged source.
Real-world incidence: 33,988 notices identified by Tewari in a single research dataset, predominantly targeting Lithuanian, Ukrainian, and Russian news outlets via the fake source domain today-news.press.
2. Mass fake-account filings
A single operator opens dozens of free-mail accounts and uses them to flood targets with notices, hoping recipients triage on volume.
Signals: clusters of senders with similar email patterns, identical body text, sequential filing timestamps, identical IP geolocation, formatting fingerprints (whitespace, punctuation, header order).
Real-world incidence: Google's November 2023 lawsuit against Nguyen Van Duc and Pham Van Thien alleged 65 fake Google accounts filing thousands of notices. The default judgment in October 2024 confirmed the pattern.
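The clustering signals above, sketched as an added example (not Counterspine's own code): notices are grouped by a whitespace- and case-insensitive body hash, and a group is reported when several distinct senders filed it in quick succession. The sample notices, the thresholds, and the function names are assumptions made for illustration.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample notices (sender, filing time, body); not real filings.
NOTICES = [
    ("legal.k01@freemail.example", "2026-01-05T10:00:00", "Dear Sir,  this URL infringes our  work!!"),
    ("legal.k02@freemail.example", "2026-01-05T10:02:00", "dear sir, this url infringes our work!!"),
    ("legal.k03@freemail.example", "2026-01-05T10:04:00", "Dear Sir, this URL infringes\nour work!!"),
    ("rights@studio.example", "2026-01-07T16:30:00", "We own the photo at the URL below."),
]

def body_fingerprint(body):
    """Hash the body after collapsing case and whitespace, so trivial edits still collide."""
    normalized = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()

def email_shape(address):
    """Replace digit runs so numbered throwaway accounts share one shape."""
    return re.sub(r"\d+", "#", address.lower())

def find_sender_clusters(notices, min_senders=3, max_gap_seconds=600):
    """Report bodies filed by several distinct senders, with the timing between filings."""
    groups = defaultdict(list)
    for sender, filed_at, body in notices:
        groups[body_fingerprint(body)].append((datetime.fromisoformat(filed_at), sender))
    clusters = []
    for fingerprint, rows in groups.items():
        rows.sort()
        senders = sorted({sender for _, sender in rows})
        if len(senders) < min_senders:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        largest_gap = max(gaps, default=0.0)
        clusters.append({
            "fingerprint": fingerprint[:12],
            "senders": senders,
            "email_shapes": sorted({email_shape(s) for s in senders}),
            "max_gap_seconds": largest_gap,
            "sequential": largest_gap <= max_gap_seconds,
        })
    return clusters

if __name__ == "__main__":
    for cluster in find_sender_clusters(NOTICES):
        print(cluster)
```

A single shared email shape across a cluster is corroborating evidence, not proof; legitimate agencies also file identical text from one mailbox, which is why the check counts distinct senders.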
3. Reputation-firm patterns
A handful of reputation-management vendors are responsible for an outsized share of takedowns against critical journalism and review sites. Their notices share recognizable boilerplate, often with broken English and a templated assertion of copyright over republished public-record content.
Signals: sender name in our reputation-firm catalogue (currently 47 known firms), boilerplate-match score above 0.85 against our corpus, target URLs heavily skewed toward review sites, news, and personal blog posts.
Real-world incidence: Techdirt has documented dozens of cases since 2018; a 2026 case involved a fake "law firm" sending demand letters on behalf of a sketchy SEO firm, which Techdirt covered in April 2026.
4. AI-drafted boilerplate
Since late 2023, abusers have used LLMs to scale notice production. The drafts are grammatically correct but share lexical and structural fingerprints across senders.
Signals: perplexity scores on body text, repeated turn-of-phrase across notionally distinct senders ("It has come to our attention that..."), sentence-length distributions matching known LLM output, absence of stylistic idiosyncrasy across hundreds of notices.
5. Principal/copyright mismatch
The sender claims to represent a principal whose registered copyrights do not cover the targeted work. This was the heart of the MFB Fertility v. Action Care Mobile Veterinary Clinic (N.D. Ill., April 2024) ruling, which held that submitters must consider whether material is even copyrightable before filing — creating new "head-in-the-sand" willful-blindness liability.
Signals: USCO copyright registration database lookup against the claimed principal, correlation of registered work titles with the targeted URL content.
6. Frequency anomalies
Spikes in filing rate against a single target domain, often coordinated with content publication or competitor product launches.
Signals: time-series anomaly detection on per-domain filing rate, correlation with public events (publication dates, competitor news cycles), cross-recipient coordination.
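One way to implement the per-domain rate check, as an added example rather than Counterspine's detector: daily counts are scored with a median/MAD (modified z-score) test, which a single spike cannot drag upward the way it drags a mean. The sample counts, the 3.5 threshold, the two-day event window, and the flat-baseline fallback are assumptions.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import median

# Constructed data: notices per day against one watched domain, 1-14 March 2026.
START = date(2026, 3, 1)
PER_DAY = [2, 1, 3, 2, 4, 1, 2, 3, 2, 19, 3, 1, 2, 4]
FILINGS = [START + timedelta(days=i) for i, n in enumerate(PER_DAY) for _ in range(n)]
PUBLICATIONS = [date(2026, 3, 9)]  # constructed: the target published an article this day

def daily_counts(filing_dates, start, end):
    """Count filings per calendar day over [start, end], keeping zero-filing days."""
    counts = Counter(filing_dates)
    span = (end - start).days + 1
    return [(start + timedelta(days=d), counts[start + timedelta(days=d)]) for d in range(span)]

def spike_days(series, events=(), threshold=3.5, window_days=2):
    """Flag high-outlier days by median/MAD score and note public events just before them."""
    values = [count for _, count in series]
    med = median(values)
    mad = median(abs(v - med) for v in values)
    scale = 1.4826 * mad if mad else 1.0  # flat baseline: fall back to raw distance
    flagged = []
    for day, count in series:
        score = (count - med) / scale
        if score > threshold:
            nearby = [e for e in events if 0 <= (day - e).days <= window_days]
            flagged.append({"day": day, "count": count,
                            "score": round(score, 2), "after_events": nearby})
    return flagged

if __name__ == "__main__":
    series = daily_counts(FILINGS, START, START + timedelta(days=len(PER_DAY) - 1))
    for hit in spike_days(series, PUBLICATIONS):
        print(hit)
```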
7. Foreign-jurisdiction laundering
Bad actors route notices through senders in jurisdictions where §512(f) enforcement is impractical, knowing the recipient may delist regardless of the underlying merit.
Signals: sender country distribution that disproportionately favors low-enforcement jurisdictions, mismatch between claimed principal location and sender location, pattern of identical filings across many sender identities tied to the same proxy infrastructure.
8. Impersonation of well-known senders
The sender name mimics a known legitimate filer (e.g., "Mr E Musk", "Taylor Swift Legal", "Universal Music Compliance Team") to add false authority.
Signals: fuzzy-match against celebrity/IP-holder names, mismatch between claimed sender and registered USCO agent, sender email domain inconsistent with claimed identity.
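The name and domain checks above, as an added example (not Counterspine's code): the sender name is stripped of titles and role words, fuzzy-matched against a catalogue of known filers, and flagged when the email domain does not belong to the filer it resembles. The catalogue entries, their `.example` domains, the noise-word list, and the 0.8 cutoff are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed catalogue: filer name -> domains its real notices come from (placeholders).
KNOWN_FILERS = {
    "Universal Music Group": {"umusic.example"},
    "Taylor Swift": {"tsmgmt.example"},
}
# Titles and role words that impersonators add or drop freely.
NOISE = {"mr", "mrs", "ms", "legal", "team", "compliance", "group", "llc", "inc"}

def normalize(name):
    """Lowercase, strip punctuation and role words so only identity tokens remain."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(t for t in tokens if t not in NOISE)

def check_impersonation(sender_name, sender_email, min_ratio=0.8):
    """Return a finding if the name resembles a known filer, else None."""
    claimed, best = None, 0.0
    for known in KNOWN_FILERS:
        ratio = SequenceMatcher(None, normalize(sender_name), normalize(known)).ratio()
        if ratio > best:
            claimed, best = known, ratio
    if best < min_ratio:
        return None
    domain = sender_email.rsplit("@", 1)[-1].lower()
    # Accept the filer's own domains and their subdomains only.
    domain_ok = any(domain == d or domain.endswith("." + d) for d in KNOWN_FILERS[claimed])
    return {"claimed": claimed, "similarity": round(best, 2),
            "domain_ok": domain_ok, "suspect": not domain_ok}

if __name__ == "__main__":
    samples = [  # constructed sender name / email pairs
        ("Taylor Swift Legal", "notices@freemail.example"),
        ("Universal Music Compliance Team", "umg.compliance@freemail.example"),
        ("Taylor Swift", "legal@tsmgmt.example"),
        ("Jane Doe Photography", "jane@janedoe.example"),
    ]
    for name, email in samples:
        print(name, "->", check_impersonation(name, email))
```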
What the public data says
Most of these detectors run on data that is fully public. Here is where to look:
- Lumen Database (lumendatabase.org) — researcher API ingests over 200,000 notices per week from Google, Meta, Reddit, Wikipedia, Vimeo, Medium, GitHub, and others. CC0 data; we use it as the baseline.
- Google Transparency Report (transparencyreport.google.com) — bulk URL-level takedown data sent to Google Search. No official API, but bulk CSV downloads are available (intermittently).
- EU DSA Transparency Database (transparency.dsa.ec.europa.eu) — daily JSONL dumps of statements of reasons across all EU platforms in scope. The most reliable source.
- USCO Designated Agent Directory — registered DMCA agents and corresponding service providers.
- CCB filings (ccb.gov) — Copyright Claims Board small-claims proceedings, including fraud allegations.
- Federal court records via CourtListener — DMCA-related federal cases, including §512(f) enforcement actions.
A unified, queryable view across these is what we built Counterspine for. You can subscribe to alerts when a watched domain is targeted by any of them, score senders against the eight detectors above, and pull AI-drafted counter-notices when the abuse score crosses your tolerance threshold.
What to do once you're sure a notice is fake
The temptation, especially for site operators, is to rush a counter-notice. That is sometimes the right move. It is also the move with the most legal consequences — counter-notices include statutory consent to U.S. federal court jurisdiction and disclosure of your real name and physical address to the original sender. Read the §512(g)(3) requirements carefully.
A defensible response sequence:
- Preserve evidence. Screenshot the notice, the takedown action, archive.org snapshots of any back-dated source pages, WHOIS records of suspicious domains. Save everything before the abuser can clean up.
- Investigate the sender. Pull their full filing history from Lumen + Google Transparency. Look for the patterns above. If you find them, they go in your counter-notice as supporting evidence.
- Consider your jurisdiction. Counter-notices submit you to U.S. federal court jurisdiction. If you are not in the U.S. and have no U.S. assets, this may be a non-issue. If you are in the U.S. or have U.S. assets, talk to a lawyer first.
- File the counter-notice. Use a §512(g)(3)-compliant template. Counterspine drafts these from your evidence package and lets you edit before submitting; we never auto-file. Most platforms (Google, YouTube, Meta) have specific counter-notice forms; use those, not just email.
- Wait the statutory window. The original sender has 10–14 business days to file a federal lawsuit. If they do not, the platform must reinstate. If they do, you are in litigation.
- Consider §512(f) action. If the notice was knowingly materially false, you may have a §512(f) claim. Automattic v. Steiner (N.D. Cal. 2014) awarded ~$25,084 against a false-notice sender. Lenz v. Universal Music (9th Cir. 2016) confirmed that fair use must be considered before filing. MFB Fertility v. Action Care (N.D. Ill. 2024) extended liability to filers who failed to consider copyrightability.
What we will not help you do
We will not draft a takedown for you. We will not auto-submit a counter-notice on your behalf. We will not give you legal advice. Counterspine is a tool for the defense side of the takedown machine. You bring the judgment, the lawyer, and the final click; we bring the data, the patterns, and the draft.
TL;DR
DMCA abuse is structural, growing, and detectable. Six public data sources, eight detectable patterns, and a workflow that keeps a human in the loop will catch most of it. The takedown record is enormous and ugly, but it is also fully public. Use it.
If you want to skip the part where you build six pipelines yourself, start your free 14-day trial.