Reset Tech Investigation


News From Our Ongoing Investigation Into the Doppelganger Operation


What Is the Doppelganger Operation?

The Doppelganger campaign, a Russian FIMI (foreign information manipulations and interference) operation identified in September 2022, aims to undermine support for Ukraine and promote Russian narratives. It clones media and government websites and amplifies content on social media. Meta linked it to Russian companies Struktura and Social Media Agency in December 2022, leading to EU sanctions. Further investigations revealed fake sites targeting various audiences, including French, English, and German speakers. The campaign’s persistent efforts highlight its strategy to exploit political and social vulnerabilities while expanding its network globally.

Reset Tech’s research and OSINT team has been monitoring Doppelganger’s activities on X and Meta’s Facebook from the beginning. Below are updates on our latest investigations and relevant findings.

December 2024 Update: Verified Disinformation: How X Profits From the Rise of a Pro-Kremlin Network

We investigated an expanding network of inauthentic accounts leveraging blue checkmarks to amplify pro-Kremlin propaganda. The network, which we ascribe to a distinct branch of Russia’s ongoing Doppelganger operation, has doubled in size in five months, weaponizing platform features while financially benefiting X. Verified Disinformation: How X Profits From the Rise of a Pro-Kremlin Network Our team has been monitoring this network since June 2024. Its tactics are new, but the problem is not: platforms—in this case, X—continue to profit from disinformation campaigns and fail to take sufficient action against them.

Key Findings:

  • The network disseminates propaganda in six languages, strategically exploiting X’s features, including trending hashtags and paid blue checkmarks to boost visibility.
  • Over five months, the network doubled to 530 accounts, generating at least 16,000 posts targeting EU audiences and promoting Kremlin narratives.
  • Unlike previous operations by Doppelganger, this network avoids external links and relies on AI-generated videos to keep content within the platform.
  • Despite clear markers of coordinated inauthentic behavior, 36 percent of these accounts remain active.

Platforms like X need a proactive approach to combat these ecosystems instead of enabling them through paid features.

For more details, download the full report here.

July 2024 Update: Doppelganger Enters an Exciting New Phase; X Misses the Mark

Reset Tech’s research team has been monitoring the recent developments of the Doppelganger operation on X. In June 2024, we noticed a surge in activity involving a distinct tactic: hijacking trending hashtags to boost video content that promotes typical pro-Kremlin narratives.

Since June 3, a network of 250 anonymous, inauthentic accounts has been activated on X to amplify Kremlin-aligned narratives, a new phase in the ongoing Doppelganger campaign on the platform.

These accounts belong to several distinct clusters, each exhibiting markers of coordinated behavior such as content similarities, simultaneous activation, and shared branding. Some accounts are newly created assets; others are older accounts repurposed for the campaign. The accounts post content in German, French, English, Turkish, and Russian. The current phase of the campaign may be running parallel in other languages. Earlier in 2024, we identified clusters of accounts posting similar content in Hebrew and Arabic.

A distinctive characteristic of the campaign is its circular nature, with activity occurring during the workweek. The accounts are activated in batches, posting for a period before becoming silent, while other accounts are repurposed for subsequent periods.

The accounts hijack trending hashtags to promote their content. They often use hashtags unrelated to their political messages, such as those linked to the Euro 2024 football championship. This tactic aims to increase the organic visibility of the content.

A new aspect of the operation involves the use of verified accounts. In this campaign phase, 119 verified X accounts, accounting for 47 percent of the network, have been identified. This raises serious concerns about the platform’s monetization practices and the potential misuse of its verified status to amplify coordinated disinformation efforts. This is particularly relevant in light of the European Commission having just issued preliminary findings of non-compliance with the Digital Services Act (DSA), pointing out that “there is evidence of motivated malicious actors abusing the ‘verified account’ to deceive users.”

The active network is likely more significant than 250 accounts. These accounts belong to a larger ecosystem of assets that were either used in past iterations of the Doppelganger campaign or are currently latent but could be used in the future. We identified over 6,500 such accounts.

Download assets