News From Our Ongoing Investigation Into the Doppelganger Operation

What Is the Doppelganger Operation?

The Doppelganger campaign, a Russian FIMI (foreign information manipulations and interference) operation identified in September 2022, aims to undermine support for Ukraine and promote Russian narratives. It clones media and government websites and amplifies content on social media. Meta linked it to Russian companies Struktura and Social Media Agency in December 2022, leading to EU sanctions. Further investigations revealed fake sites targeting various audiences, including French, English, and German speakers. The campaign’s persistent efforts highlight its strategy to exploit political and social vulnerabilities while expanding its network globally.

Reset Tech’s research and OSINT team has been monitoring Doppelganger’s activities on X and Meta’s Facebook from the beginning. Below are updates on our latest investigations and relevant findings.

October 2024 Update: Doppelganger on X—New Investigation Coming Coon

July 2024 Update: Doppelganger Enters an Exciting New Phase; X Misses the Mark

Reset Tech’s research team has been monitoring the recent developments of the Doppelganger operation on X. In June 2024, we noticed a surge in activity involving a distinct tactic: hijacking trending hashtags to boost video content that promotes typical pro-Kremlin narratives.

Since June 3, a network of 250 anonymous, inauthentic accounts has been activated on X to amplify Kremlin-aligned narratives, a new phase in the ongoing Doppelganger campaign on the platform.

These accounts belong to several distinct clusters, each exhibiting markers of coordinated behavior such as content similarities, simultaneous activation, and shared branding. Some accounts are newly created assets; others are older accounts repurposed for the campaign. The accounts post content in German, French, English, Turkish, and Russian. The current phase of the campaign may be running parallel in other languages. Earlier in 2024, we identified clusters of accounts posting similar content in Hebrew and Arabic.

A distinctive characteristic of the campaign is its circular nature, with activity occurring during the workweek. The accounts are activated in batches, posting for a period before becoming silent, while other accounts are repurposed for subsequent periods.

The accounts hijack trending hashtags to promote their content. They often use hashtags unrelated to their political messages, such as those linked to the Euro 2024 football championship. This tactic aims to increase the organic visibility of the content.

A new aspect of the operation involves the use of verified accounts. In this campaign phase, 119 verified X accounts, accounting for 47 percent of the network, have been identified. This raises serious concerns about the platform’s monetization practices and the potential misuse of its verified status to amplify coordinated disinformation efforts. This is particularly relevant in light of the European Commission having just issued preliminary findings of non-compliance with the Digital Services Act (DSA), pointing out that “there is evidence of motivated malicious actors abusing the ‘verified account’ to deceive users.”

The active network is likely more significant than 250 accounts. These accounts belong to a larger ecosystem of assets that were either used in past iterations of the Doppelganger campaign or are currently latent but could be used in the future. We identified over 6,500 such accounts.

Download assets