#FactCheck - AI Artwork Misattributed: Mahendra Singh Dhoni Sand Sculptures Exposed as AI-Generated
Executive Summary:
A recent claim going around on social media that a child created sand sculptures of cricket legend Mahendra Singh Dhoni, has been proven false by the CyberPeace Research Team. The team discovered that the images were actually produced using an AI tool. Evident from the unusual details like extra fingers and unnatural characteristics in the sculptures, the Research Team discerned the likelihood of artificial creation. This suspicion was further substantiated by AI detection tools. This incident underscores the need to fact-check information before posting, as misinformation can quickly go viral on social media. It is advised everyone to carefully assess content to stop the spread of false information.

Claims:
The claim is that the photographs published on social media show sand sculptures of cricketer Mahendra Singh Dhoni made by a child.




Fact Check:
Upon receiving the posts, we carefully examined the images. The collage of 4 pictures has many anomalies which are the clear sign of AI generated images.

In the first image the left hand of the sand sculpture has 6 fingers and in the word INDIA, ‘A’ is not properly aligned i.e not in the same line as other letters. In the second image, the finger of the boy is missing and the sand sculpture has 4 fingers in its front foot and has 3 legs. In the third image the slipper of the boy is not visible whereas some part of the slipper is visible, and in the fourth image the hand of the boy is not looking like a hand. These are some of the major discrepancies clearly visible in the images.
We then checked using an AI Image detection tool named ‘Hive’ image detection, Hive detected the image as 100.0% AI generated.

We then checked it in another AI image detection named ContentAtScale AI image detection, and it found to be 98% AI generated.

From this we concluded that the Image is AI generated and has no connection with the claim made in the viral social media posts. We have also previously debunked AI Generated artwork of sand sculpture of Indian Cricketer Virat Kohli which had the same types of anomalies as those seen in this case.
Conclusion:
Taking into consideration the distortions spotted in the images and the result of AI detection tools, it can be concluded that the claim of the pictures representing the child's sand sculptures of cricketer Mahendra Singh Dhoni is false. The pictures are created with Artificial Intelligence. It is important to check and authenticate the content before posting it to social media websites.
- Claim: The frame of pictures shared on social media contains child's sand sculptures of cricket player Mahendra Singh Dhoni.
- Claimed on: X (formerly known as Twitter), Instagram, Facebook, YouTube
- Fact Check: Fake & Misleading
Related Blogs

Introduction
On June 2nd, 2026, even as thousands of Class 12 students across the nation flocked to submit re-evaluation and verification applications on the CBSE’s newly rolled-out On-Screen Marking (OSM) portal, a decidedly different kind of visitor had logged in an attacker carrying automation scripts, botnet traffic, and malicious intentions to either shut the system down or steal its contents. The attack, which CBSE then openly reported on its official X account, flooded the portal with 1.5 million hits in two minutes and sent over a lakh unauthorized file access attempts.
Understanding the Attack Architecture: The Two-Pronged Operation
The CBSE cyberattack was actually not a single exploit but rather a layered, orchestrated attack. The attack can be understood in two prongs:
- The DoS Attack:Firstly, attackers initiated a large-scale DoS (Denial of Service) attack, producing approximately 1.5 million requests in 120 seconds, or approximately 12,500 per second, in order to saturate the server. By overloading the systems with bogus requests, the attackers sought not just to disable the site but also to throw off security personnel from their primary task of stabilizing the portal during its launch period.
The File Probing: These attacks usually include the following methods:
- Path Traversal Attacks - Attackers will attempt to navigate outside of the current directory by supplying inputs such as "../../etc/passwd" in URL parameters or in a file upload.
- Forced Browsing / Directory Enumeration - An attacker may have used tools to attempt to find vulnerable files and directories like answer sheets, exam scans, student identification documents, and admin-related files by systematically guessing names.
- API Endpoint Fuzzing: If any REST or GraphQL API was present for the portal, the attacker may have tried sending a various number of inputs to parameters to attempt to retrieve records, find IDORs, or escalate privileges.
- Session Token Harvesting - For high-load environments, some systems may use insecure session management. Attackers would attempt to predict or guess the token to hijack another student's or administrator's session.
Why Are Educational Portals High-Value Targets?
Here's why the Indian education sector is an attractive target for cyber-attacks:
- Concentrated PII: Millions of students are present on these education portals, and their data (names, birth dates, Aadhaar linkage information, parents' details, address, education profiles, etc.) is of the highest value on the dark web and can be used for identity theft, financial fraud, credential reuse, and targeting.
- Low Investment Relative to the Data Value: The education system is chronically under-invested in cybersecurity. Many of these systems were built for a function/scale, rather than security by design, and are highly vulnerable.
- High-Pressure Launches: Launching a massive, public-facing system like the CBSE OSM verification site that needs to service millions of students on day 1 often requires time constraints that preclude proper penetration testing, stress testing, security auditing, or staged deployment; these launches often launch with numerous known security flaws.
- Large Attack Surface: The education ecosystem is comprised of many integrated systems, APIs, cloud instances, third-party systems, and authentication infrastructure. Each dependency increases the overall attack surface and provides multiple potential avenues to compromise these systems, such as IDOR, API abuse, or credential-based attacks.
- Geopolitical Motivation: Following the Op Sindoor attack in 2025, there was a significant increase in public institutions targeted by cyber-attacks with prolonged DDoS against critical systems. Highly visible, public-facing student portals catering to more than 35 million students make a tantalizing target for both nation-state attackers and hacktivist groups to cause disruption or gather intelligence.
The CBSE's Response
A balanced perspective on CBSE's public response is necessary:
- The portal did not go down and served about 14000 users at any point during the attack and had over 28000 successful submissions by 10pm June 2nd.
- In real-time, sessions are continuously being optimized for the students, and session timeouts are being extended.
- Management was on top of the situation and maintained good communication through social media.
To withstand a sustained attack volume of roughly 12,500 requests per second, CBSE would surely need more than one security control implemented on its infrastructure. In all probability, rate limiting was the primary reason it could sustain this attack volume by limiting the requests from an IP or client over a certain period of time and automatically aborting requests from systems sending automated data. This, coupled with perhaps load balancing, will distribute the attack across several systems, none of which will have become bottlenecks. Finally, it is possible that traffic could have also been routed via a Content Delivery System (CDN) or dedicated DDoS mitigation service capable of detecting and cleaning requests of malicious code before they even reach the origin servers.
Technical Recommendations
It is not sustainable for India's exam infrastructure to continue operating in a post-breach, patching-in mode forever. The systems need to embrace Privacy By Design (PBD) as an integral part of their DNA. Here are suggestions for short-term hardening and long-term resilience:
- Deploy a zero-trust file access architecture: Each request to access any file should be authenticated, authorized using role-based access control (RBAC), and logged in an immutable audit trail. Direct access to file paths should not be permissible; rather, pre-signed, time-limited tokens are recommended to control file access.
- Implement a multi-layered DDoS mitigation architecture: A combination of network edge traffic scrubbing (CDNs & DDoS mitigation services) along with rate limiting at the application layer via WAF is necessary. An Anycast-based multi-PoP architecture and pre-provisioning scrubbing capacity may further increase resiliency
- Conduct pre-launch penetration testing and red teaming exercises: Penetration testing with OWASP Top 10 audits, API security reviews, and load-based penetration testing should be conducted by CERT-In empanelled auditors prior to the launch of the examination. The red team exercise should simulate blended DoS and file-probing attacks.
- Secure Payments: The secure payment surface should support PCI-DSS Level 1 certified payments and tokenisation and employ velocity checks against automated abuse and support 3D Secure 2.0 (3DS2) on card payments.
- Implement SOC: Security operations centers (SOCs) should have real-time access to CERT-In threat feeds and ISAC intelligence, allowing them to act quickly on emerging attack vectors before anything malicious can be exploited.
- Encryption: Students' data should be encrypted with AES-256; keys should be stored separately in a Hardware Security Module (HSM) system and not co-located with the data storage system. Student data must also support the data minimisation principle, while storing it should be encrypted with AES-256 and keys should be stored securely in HSM.
- Monitoring: 24/7 SOC monitoring, ongoing vulnerability scanning on all pipelines, anomalous detection baselining, and frequent tabletop exercises for cyber resilience at 24x7 and post-examination activities.
Beyond the Breach: Governance, Accountability, and the Growing Cyber Threat to India's Education Sector
The CBSE attack is merely one example of a wider truth, a truth that extends beyond an isolated security event and highlights security as not only an issue of governance but of national security. Although it was during a period in which there was considerable change in leadership within the CBSE (some officials had been removed from their positions), and although it may be impossible to prevent administrative change, security vulnerability is an inherent risk when it cannot be ensured that the new incumbents have had knowledge transferred from the previous administration in terms of system design, vendor management, configuration, and incident response procedures. It has become apparent that a requirement for digital system governance must be considered to be just as serious a requirement as an academic and administrative governance requirement.
The attack is also indicative of a wider problem, and in 2025 there were in excess of 265 million cyber-attacks, and increasingly, critical infrastructure is being attacked by all manner of actors, including criminals, hacktivists, and state-sponsored groups. Educational institutions offer a prime target due to the amount of personal data held within their systems and the historically low security investment they tend to have. Worldwide trends that support the similar narrative of "data of immense value protected by under-resourced programs" (universities hit by ransomware and mass student data breaches included) are being constantly illustrated. For an examining body of tens of millions of students, cybersecurity cannot be an afterthought and needs to be clearly addressed within the governance and risk-management framework of the institution and, therefore, become a fundamental pillar of public trust.
Conclusion
The June 2026 cyberattack on the CBSE's OSM portal both illustrated the advancing capabilities of today's threat actors and highlighted the critical role cyber resilience must play in India's education sector. A high-volume DoS attack combined with over 100,000 file access attempts indicates a concerted and strategic operation both for disruption and the opportunity for data theft. Though the CBSE's infrastructure did hold, the attack should not offer comfort. Educational institutions are responsible for a significant amount of sensitive personal data, and they are major targets to state-sponsored and financially motivated attackers. Attacks are bound to continue. It is essential that cybersecurity become a fundamental pillar of the governance and trustworthiness of education and not a technical afterthought.
References
- CBSE Official Statement on Cyberattack, X (formerly Twitter), @cbseindia29, June 2, 2026.
- Indian Express, "CBSE OSM Row: Portal attack was a 'coordinated, two-pronged operation' says cybersecurity expert," June 3, 2026.
- Srinivas L, Joint MD & Joint CEO, 63SATS Cybertech (subsidiary of 63 moons technologies limited), was quoted in Indian Express, June 3, 2026.
- The Federal, "CBSE re-evaluation portal faces cyberattack, records 1.5 million hits in two minutes," June 2, 2026. https://thefederal.com
- CERT-In (Indian Computer Emergency Response Team), Empanelled Security Auditor Framework. https://www.cert-in.org.in
- OWASP Top 10 Web Application Security Risks, 2021 edition. https://owasp.org/www-project-top-ten/
- National Institute of Standards and Technology (NIST), Zero Trust Architecture (SP 800-207), August 2020. https://doi.org/10.6028/NIST.SP.800-207
- Indian Express, "What CBSE ignored: Its own panel found glitches in dry run, said delay OSM by a year," June 3, 2026.
- Asianet Newsable, "CBSE Class 12 re-evaluation portal withstands major DoS cyberattack," June 2, 2026. https://newsable.asianetnews.com

Introduction
AI has revolutionized the way we look at growing technologies. AI is capable of performing complex tasks in fasten time. However, AI’s potential misuse led to increasing cyber crimes. As there is a rapid expansion of generative AI tools, it has also led to growing cyber scams such as Deepfake, voice cloning, cyberattacks targeting Critical Infrastructure and other organizations, and threats to data protection and privacy. AI is empowered by giving the realistic output of AI-created videos, images, and voices, which cyber attackers misuse to commit cyber crimes.
It is notable that the rapid advancement of technologies such as generative AI(Artificial Intelligence), deepfake, machine learning, etc. Such technologies offer convenience in performing several tasks and are capable of assisting individuals and business entities. On the other hand, since these technologies are easily accessible, cyber-criminals leverage AI tools and technologies for malicious activities or for committing various cyber frauds. By such misuse of advanced technologies such as AI, deepfake, and voice clones. Such new cyber threats have emerged.
What is Deepfake?
Deepfake is an AI-based technology. Deepfake is capable of creating realistic images or videos which in actuality are created by machine algorithms. Deepfake technology, since easily accessible, is misused by fraudsters to commit various cyber crimes or deceive and scam people through fake images or videos that look realistic. By using the Deepfake technology, cybercriminals manipulate audio and video content which looks very realistic but, in actuality, is fake. Voice cloning is also a part of deepfake. To create a voice clone of anyone's, audio can be deepfaked too, which closely resembles a real one but, in actuality, is a fake voice created through deepfake technology.
How Deepfake Can Harm Organizations or Enterprises?
- Reputation: Deepfakes have a negative impact on the reputation of the organization. It’s a reputation which is at stake. Fake representations or interactions between an employee and user, for example, misrepresenting CEO online, could damage an enterprise’s credibility, resulting in user and other financial losses. To be protective against such incidents of deepfake, organisations must thoroughly monitor online mentions and keep tabs on what is being said or posted about the brand. Deepfake-created content can also be misused to Impersonate leaders, financial officers and officials of the organisation.
- Misinformation: Deepfake can be used to spread misrepresentation or misinformation about the organisation by utilising the deepfake technology in the wrong way.
- Deepfake Fraud calls misrepresenting the organisation: There have been incidents where bad actors pretend to be from legitimate organisations and seek personal information. Such as helpline fraudsters, fake representatives from hotel booking departments, fake loan providers, etc., where bad actors use voice clones or deepfake-oriented fake video calls in order to propose themselves as belonging to legitimate organisations and, in actuality, they are deceiving people.
How can organizations combat AI-driven cybercrimes such as deepfake?
- Cybersecurity strategy: Organisations need to keep in place a wide range of cybersecurity strategies or use advanced tools to combat the evolving disinformation and misrepresentation caused by deepfake technology. Cybersecurity tools can be utilised to detect deepfakes.
- Social media monitoring: Social media monitoring can be done to detect any unusual activity. Organisations can select or use relevant tools and implement technologies to detect deepfakes and demonstrate media provenance. Real-time verification capabilities and procedures can be used. Reverse image searches, like TinEye, Google Image Search, and Bing Visual Search, can be extremely useful if the media is a composition of images.
- Employee Training: Employee education on cybersecurity will also play a significant role in strengthening the overall cybersecurity posture of the organisation.
Conclusion
There have been incidents where AI-driven tools or technology have been misused by cybercriminals or bad actors. Synthetic videos developed by AI are used by bad actors. Generative AI has gained significant popularity for many capabilities that produce synthetic media. There are concerns about synthetic media, such as its misuse of disinformation operations designed to influence the public and spread false information. In particular, synthetic media threats that organisations most often face include undermining the brand, financial gain, threat to the security or integrity of the organisation itself and Impersonation of the brand’s leaders for financial gain.
Synthetic media attempts to target organisations intending to defraud the organisation for financial gain. Example includes fake personal profiles on social networking sites and deceptive deepfake calls, etc. The organisation needs to have the proper cyber security strategy in place to combat such evolving threats. Monitoring and detection should be performed by the organisations and employee training on empowering on cyber security will also play a crucial role to effectively deal with evolving threats posed by the misuse of AI-driven technologies.
References:
- https://media.defense.gov/2023/Sep/12/2003298925/-1/-1/0/CSI-DEEPFAKE-THREATS.PDF
- https://www.securitymagazine.com/articles/98419-how-to-mitigate-the-threat-of-deepfakes-to-enterprise-organizations
.webp)
Executive Summary:
A video is being shared on social media showing a man running rapidly in a river with water bottles tied to both his feet. Users are circulating the video claiming that the man is attempting to run on water using the support of the bottles. CyberPeace’s research found the viral claim to be false. Our research revealed that the video being shared on social media is not real but has been generated using artificial intelligence (AI).
Claim :
The claim was shared by a Facebook user on February 5, 2026, who wrote that a man was running on water using water bottles tied to his feet, calling it a unique attempt and questioning whether humans can run on water. Links to the post, its archived version, and screenshots are provided below.

Fact Check:
To verify the claim, we searched relevant keywords on Google but did not find any credible media reports supporting the incident. A closer examination of the viral video revealed several visual irregularities, raising suspicion that it may have been AI-generated. The video was then scanned using the AI detection tool Hive Moderation. According to the tool’s results, the video is 99 percent likely to be AI-generated.

Conclusion:
Our research confirms that the viral video does not depict a real incident and has been falsely shared as a genuine attempt to run on water.