This page is designed to gather a timeline of the Doppelganger operation with a few elements collected from different reports. This page goes beyond the single Doppelganger operation and also brings together additional knowledge about other operations (RRN, WarOnFakes, Ukraine Inc) allegedly led by the same operators, namely Russian companies Struktura and Social Design Agency (SDA/ASP).
We would like to thank all stakeholders who have worked on this topic and made their findings public to understand the overall operation better.
If you feel we’ve missed some key reporting that should appear here, please contact us.
Last update: 30 October 2024
To this date, this resource page is mainly based on:
- August 2022: T-Online report
- August 2022: Sueddeutsche Zeitung
- September 2022: EU DisinfoLab report
- September 2022: Qurium report
- September 2022: Meta report
- September 2022: DFR Lab report
- June 2023: Viginum report (RRN campaign)
- August 2023: Graphika report (NATO)
- October 2023: Reset report (Network of Facebook pages)
- November 2023: The Insider report
- November 2023: Communication from the French Ministry of Foreign Affairs
- November 2023: Report from the GEC (Activity in South America)
- December 2023: Report from Recorded Future on Obfuscation Infrastructure
- January 2024: Report from the Guardian (Focus on Germany)
- February 2024: Report from Qurium (links with Operation Matriochka)
- April 2024: Report from the Washington Post
- April 2024: Report from AI Forensics (Meta Ads abuse)
- April 2024: Opening of formal proceedings against Meta by the European Commission
- May 2024: Report from Correctiv (Obfuscation infrastructure – PQ Hosting)
- May 2024: Report from Sekoia (Obfuscation infrastructure)
- May 2024: Report from EU DisinfoLab on the assessment of responses against the Doppelganger campaign
- May 2024: Updated report from Meta on Doppelganger threat actor
- May 2024: Updated report on Meta ads by AI Forensics and CheckFirst
- May 2024: OpenAI report on the use of Generative AI in Doppelganger campaign
- June 2024: Report on Operation Overload, by CheckFirst and Reset.Tech
- June 2024: Report on Operation Matriochka, by Viginum
- June 2024: Report on coordinated inauthentic behaviour on X and on additional presence of the operation on YouTube and Tiktok, by the German Ministry of Foreign Affairs
- June 2024: Report on the involvement of Argon Labs, by ISD
- June 2024: Technical report on Doppelganger on European Elections, by EEAS
- July 2024: Technical report from Qurium on the role of Aeza host and other European companies in providing infrastructure to the Doppelganger operation
- July 2024: Report from Correctiv detailing Qurium’s findings. Additional elements show coordination of multiple teams through the use of Vkontakte groups.
- July 2024: Report from Harfang Lab on new Doppelganger assets (new impersonated media and targets)
- August 2024: Reports from Bavarian Intelligence on the infrastructure, further attribution patterns pointing to Russia, and the estimated impact of the campaign.
- August 2024: Quarterly update of Meta’s threat report with a specific Doppelganger section.
- September 2024: Affidavit of US Department of Justice providing new details on internal organisation, goals and TTPs of the Doppelganger operation
- September 2024: Report on document leaks of SDA activities in disinformation campaigns, by Vsquare, Radio Svoboda, Sueddeutsche Zeitung, NDR-WDR.
- October 2024: UK sanctions against Doppelganger stakeholders
- November 2024: Reports from Qurium and Correctiv about the use of Kehr, a cloaking service redirecting traffic to bypass content moderation of platforms.
1. Intro
Since at least February 2022, a multi-faceted online information operation originating from Russia has targeted multiple countries worldwide. Regarding the content side, the operation mainly aims to:
- undermine support for Ukraine following Russia’s aggression by demonising the Ukrainian government and accusing it of Nazism and corruption;
- sow divisions within countries supporting Ukraine, claiming that supporting Ukraine financially and implementing sanctions on Russia are ultimately failing strategies that only hurt civil society.
The campaign has also been pivoting towards spreading disinformation on international events such as the Paris Olympic Games.
The EU DisinfoLab team working on the investigation decided to name the campaign Doppelganger for its regular use of fake clones of legitimate websites (both from media organisations and public institutions).
Over time, it seems the overall campaign is wider than the Doppelganger pattern, yet the name is mostly attributed to side operations.
The campaign and its avatars are also known as:
- RRN (Recent Reliable News), an anonymous news media organisation that serves as a content repository for most of the operation;
- Matriochka, a side-operation consisting of sedimenting fake media videos into multi-layered social media accounts;
- Overload, a continuation of the Matriochka operation, specifically targeting journalists and media organisations;
- Storm-1099 / Storm-1679, the code names given by Microsoft for these actors.
The actors identified and running this operation are Struktura and Social Design Agency (also known as ASP), two Russian companies. ISD also identifies Argon Labs as another Russian company that could be involved in the operation.
Doppelganger amplification techniques have not been used only with Doppelganger-related content. The networks of fake accounts and the obfuscated infrastructure have been used to amplify other pro-Russian operations, such as InfoRos assets, but also authentic news/opinion pieces from legitimate stakeholders. Reports have also shown Portal Kombat’s intermediary role in redistributing similar content.
At this stage, no verifiable elements suggest all these efforts are centrally coordinated. We advise caution on reports suggesting any centralization of such efforts.
2. Tactics
Doppelganger has mostly used the following tactics to disseminate its operation:
1. Content production
a) Clones of media websites
Most of Doppelganger’s public-facing operations consisted of developing websites impersonating established news organisations. Such impersonations have targeted Le Monde, The Guardian, Ansa, Der Spiegel, and Fox News. These impersonations were run through typosquatting on alternative domain names. The operations specifically targeted less prominent top-level domains such as .ltd, .online, or .foo.
The stories, often written in poor language, were all aligned with the narratives described earlier. Content production also included the production of fake videos mimicking the graphic design of original outlets.
b) Clones of government websites
Similarly to what happened with established news organisations, Doppelganger impersonated public authorities and international organisations. The best-known examples are an impersonation of the French Ministry of Foreign Affairs, the Interior Ministry of the German federal government or even NATO itself. The tactics to impersonate these stakeholders correspond to those mentioned in the previous section, with the use of typosquatting of legitimate domain names on alternative DNS registrars.
Content-wise, the campaign focused on announcing fake governmental measures, like the establishment of a tax to support Ukraine, the doubling of all military budgets or prevention campaigns against alleged imported Ukrainian criminality.
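The cloning pattern described in sections a) and b) keeps the legitimate site's name and changes only the top-level domain, which makes it checkable by brand owners and monitoring teams. The following Python sketch is an added example, not code from any of the cited reports; the protected list, the one-character typo rule and the sample hostnames are assumptions made for illustration, and only diplomatie.gouv[.]fm comes from this page.

```python
# Added example (not from any cited report): flag TLD-swap and near-name clones.
# Simplification: the TLD is taken as the last label (no public-suffix list).

# Legitimate domains of organisations named on this page.
PROTECTED = ["lemonde.fr", "theguardian.com", "spiegel.de", "diplomatie.gouv.fr"]

def refang(domain):
    """Normalise a defanged indicator such as diplomatie.gouv[.]fm."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate):
    """Return (verdict, matched legitimate domain or None) for one hostname."""
    host = refang(candidate)
    for legit in PROTECTED:
        if host == legit or host.endswith("." + legit):
            return ("legitimate", legit)
    name = host.rpartition(".")[0]          # hostname without its TLD
    for legit in PROTECTED:
        legit_name = legit.rpartition(".")[0]
        depth = legit_name.count(".") + 1   # labels to compare, e.g. 2 for diplomatie.gouv
        tail = ".".join(name.split(".")[-depth:])
        if tail == legit_name:
            return ("tld-swap", legit)      # same name, different TLD
        if edit_distance(tail, legit_name) == 1:
            return ("near-name", legit)     # one-character typo of the name
    return ("unrelated", None)

# Constructed sample input; only diplomatie.gouv[.]fm is taken from this page.
SAMPLES = ["diplomatie.gouv[.]fm", "www.lemonde.fr", "spiegel.foo",
           "theguardlan.com", "example.org"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", classify(s))
```

The one-character rule will produce false positives for short names, so a real deployment would pair it with a public-suffix list and a manual review step.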
c) Anti-Ukrainian websites
Another part of the operation consisted of the development of anti-Ukrainian websites. This content specifically targeted Ukrainian President Volodymyr Zelensky through a series of animated cartoons. These cartoons depict the Ukrainian leader, his family and the Ukrainian government as corrupt, blindly obeying a made-up international conspiracy cabal, and murdering his own citizens.
d) Pro-Russian websites
Additionally, the operation consisted of the development and maintenance of pro-Russian websites. One of these websites, called ‘War On Fakes’, was established shortly after the new invasion of Ukraine. Mimicking fact-checking content, it was designed to counter facts on the Ukrainian defence against this invasion.
Soon after, in the spring of 2022, another website called ‘RRN’ was set up, sharing the same infrastructure. Initially labelled as ‘Reliable Russian News’, it was renamed ‘Recent Reliable News’ without any explanation. This website, still active to this date, aligns with Russian propaganda narratives attacking the West on a regular basis.
This website also hosts content and video interviews of known pro-Russian Western stakeholders. A video interview of French MEP Thierry Mariani was removed from the website after France called out the Russian origin of RRN in June 2023.
e) Potential hybrid operations
In early November 2023, blue Stars of David – a symbol that could be interpreted as either pro- or anti-Israeli – appeared on buildings in Paris, followed by images spreading fast on social media, fuelling controversy and confusion. The French state’s technical and operational service responsible for protection against foreign digital interference, VIGINUM, detected the involvement of a network of over a thousand bots on X, affiliated with RRN.
In its Q2 2024 Threat report, Meta exposed a distinct CIB network which claims to have been hired by Russian intelligence to “participate” in the Stars of David operation in Paris. This network, attributed to individuals formerly associated with other CIB networks of Russian Information Operations (most notably the Internet Research Agency), did participate in other hybrid operations in Moldova, Poland and France.
2. Distribution of disinformation
a) Amplification through comments of fake personas/accounts on Meta/X
One of the first distribution techniques of the Doppelganger operation has been the use of fake profiles on Meta. One avatar of this technique is what has been called the ‘German Odettes’, a network of profiles all named ‘Odette’ and allegedly working for Netflix. This network systematically pushed the Doppelganger content directly in the comment sections of established Facebook pages. The technique was designed to directly engage with regular Facebook users with less exposure than an established asset like a Facebook page itself.
Part of the operation also used inauthentic distribution on X through networks of fake accounts. These accounts, operated in a coordinated way, pushed Doppelganger assets to their audience as well as replying to tweets in a similar modus operandi to the one seen on Meta.
b) Amplification on other platforms
Working documents from Struktura obtained by the Washington Post showed that Doppelganger operators have been reporting weekly on the operation’s performance. Dashboards show that narratives and engagement are monitored across platforms, including Facebook, YouTube, Telegram and TikTok.
Other artifacts/assets are visible in the German Ministry of Foreign Affairs report.
c) Buying ads with networks of fake Facebook pages
A constant tactic used by Doppelganger operators has been the use of the Meta advertisement platform. Through the use of thousands of Facebook pages, Doppelganger operations targeted Facebook users with the content they produced. Such amplification was made through ‘burner’ accounts, which are disposable assets used only for one advertisement and then abandoned.
d) Dissimulation / OpSec
The operation has implemented specific operational security measures to obfuscate its nature. These included geofencing, a setting that restricts content visibility to specific users. For instance, a French web user could not see content restricted to German users.
The operation also used multiple redirection URLs to circumvent the restrictions set up by platforms like Meta on Doppelganger domain names. Part of this obfuscation infrastructure has been exposed.
3. Reach / impact
The impact of the Doppelganger operation should be considered cautiously. The assessments can only be partial and reflect the data made available by stakeholders, which is restricted. For more about this and how Russian propaganda is building its communications strategy on the over-coverage of the alleged success of such operations, we recommend reading Thomas Rid’s article on this topic.
Data obtained and communicated publicly by Bavarian intelligence show the following distribution of campaigns and clicks. This data covers a period from May 2023 to July 2024, for only 2 servers identified. The initial period of February 2022 to May 2023 is therefore not represented, and probably neither are all the campaigns run in the monitored period.
Out of a total of 7983 campaigns and 828 842 clicks (average of 103 clicks per campaign):
- Main countries impacted:
  - Germany, 2250 campaigns, 250 061 clicks (30,17%)
  - France, 2245 campaigns, 249 481 clicks (30,1%)
  - The United States, 1024 campaigns, 180 521 clicks (21,78%)
  - Ukraine, 1339 campaigns, 148 777 clicks (17,95%)
  - Israel, 221 campaigns, (No detailed figures)
  - Poland, 118 campaigns, (No detailed figures)
  - Italy, 89 campaigns, (No detailed figures)
  - Latvia, (Observed in 2022 but no figures)
  - The United Kingdom, (Observed in 2023 but no figures)
In September 2022, Meta announced that around 105,000 USD were invested in advertisements on their platform. Since then, studies have shown that thousands of ads have still been pushed and moderated by the platform. At this stage, no updated public communication has been made by Meta on this matter.
In Q2 2024, Meta claimed that “Since [their] last update in May, [they] have also detected and removed over 5,000 accounts and Pages.” In August 2024, Meta announced that more than 6000 threat indicators had been detected on this operation and published on GitHub. Almost all (96%) of these indicators concern redirection domains blocked by the platform.
- Main organisations cloned:
  - Media organisations (online versions of well-established newspapers)
  - French Ministry of Public Affairs
  - German Ministry of Interior
  - NATO
- Platforms used:
  - Instagram (advertisement for Instagram users only)
  - X
  - Dailymotion
4. Attribution
In December 2022, Meta attributed the operation to two Russian companies: Struktura and Social Media Agency. In June 2023, VIGINUM (the French service countering digital foreign interference) confirmed these elements.
In November 2023, an ongoing investigation on the ‘Star of David’ hybrid operation is looking into the involvement of additional individuals. French authorities attributed the amplification of this hybrid operation to the Doppelganger/RRN network.
In November 2023, the US State Department also attributed to the same two Russian companies and their managers an information operation targeting Latin America.
There are still unresolved questions about the operational ties between the Doppelganger operation and other like-minded information operations such as Matriochka or Overload.
Multiple investigations showed that the Doppelganger operation used several European and global companies as intermediaries/service providers, for instance, on geofencing solutions, hosting solutions, or direct domain name acquisition.
5. Responses
EU DisinfoLab has provided a first assessment of the measures taken against the Doppelganger campaign on 5 main criteria:
- Situational awareness
- Impact on malign actors’ capabilities
- Triggering new responses
- Attribution
- Deterrence
Following exposure, multiple media outlets have announced that they would file legal complaints for impersonation (Le Monde, Süddeutsche Zeitung, and 20 minutes, to the best of our knowledge).
In July 2023, Struktura and Social Media Agency companies, and some individuals running them were placed on the EU Sanction List. According to the Council of the EU, “All those designated are subject to an asset freeze and EU citizens and companies are forbidden from making funds available to them. Natural persons are additionally subject to a travel ban, which prevents them from entering or transiting through EU territories.”
In March 2024, the same companies were added to the United States’ Treasury sanction list.
Also, in October 2023, after a ruling of the World Intellectual Property Office (WIPO), the French government could seize the domain name impersonating the French Ministry of Foreign Affairs (diplomatie.gouv[.]fm). The ruling concluded that NameCheap, which was responsible for selling this domain name to an individual, should return the domain to the French government.
Since then, similar decisions have returned Doppelganger domain names to their legitimate owners.