This page is designed to gather a timeline of the Doppelganger operation with a few elements collected from different reports. This page goes beyond the single Doppelganger operation and also brings together additional knowledge about other operations (RRN, WarOnFakes, Ukraine Inc) allegedly led by the same operators, namely Russian companies Struktura and Social Design Agency (SDA/ASP).

We would like to thank all stakeholders who have worked on this topic and made their findings public to understand the overall operation better.

If you feel we’ve missed some key reporting that should appear here, please contact us.

Last update: 30 October 2024

To this date, this resource page is mainly based on:

1. Intro

Since at least February 2022, a multi-faceted online information operation originating from Russia has targeted multiple countries worldwide. Regarding the content side, the operation mainly aims to:

  • undermine support for Ukraine following Russia’s aggression by demonising the Ukrainian government and accusing it of Nazism and corruption;
  • sow divisions within countries supporting Ukraine, claiming that supporting Ukraine financially and implementing sanctions on Russia are ultimately failing strategies that only hurt civil society.

The campaign has also been pivoting towards spreading disinformation on international events such as Paris Olympic Games.

The EU DisinfoLab team working on the investigation decided to name the campaign Doppelganger for its regular use of fake clones of legitimate websites (both from media organisations and public institutions). 

Over time, it seems the overall campaign is wider than Doppelganger pattern, yet the name is mostly attributed to side operations.

The campaign and its avatars are also known as:

  • RRN (Recent Reliable News), an anonymous news media organisation that serves as a content repository for most of the operation;
  • Matriochka, a side-operation consisting of sedimenting fake media videos into multi-layered social media accounts;
  • Overload, a continuation of the Matriochka operation, specifically targeting journalists and media organisations;
  • Storm-1099 / Storm-1679, the code names given by Microsoft for these actors.

The actors identified and running this operation are Struktura and Social Design Agency (also known as ASP), two Russian companies. ISD also identifies Argon Labs as another Russian company that could be involved in the operation.

Doppelganger amplification techniques have not been used only with Doppelganger-related content. The networks of fake accounts and the obfuscated infrastructure have been used to amplify other pro-Russian operations, such as InfoRos assets, but also authentic news/opinion pieces from legitimate stakeholders. Reports have also shown Portal Kombat’s intermediary role in redistributing similar content.

At this stage, no verifiable elements suggest all these efforts are centrally coordinated. We advise caution on reports suggesting any centralization of such efforts.

2. Tactics

Doppelganger has mostly used the following tactics to disseminate its operation:

1. Content production

a) Clones of media websites

Most of Doppelganger’s public-facing operations consisted of developing websites impersonating established news organisations. Such impersonations have targeted Le Monde, The Guardian, Ansa, Der Spiegel, and Fox News. These impersonations were run through typosquatting on alternative domain names. The operations targeted specifically underrated registrars such as .ltd, .online, or .foo.

The stories, often written in poor language, were all aligned with the narratives described earlier. Content production also included the production of fake videos mimicking the graphic design of original outlets.

b) Clones of government websites

Similarly to what happened with established news organisations, Doppelganger impersonated public authorities and international organisations. The most known examples are an impersonation of the French Ministry of Foreign Affairs, the Interior Ministry of the German federal government or even NATO itself. The tactics to impersonate these stakeholders correspond to those mentioned in the previous section, with the use of typosquatting of legitimate domain names on alternative DNS registrars.

Content-wise, the campaign focused on announcing fake governmental measures, like the establishment of a tax to support Ukraine, the doubling of all military budgets or prevention campaigns against alleged imported Ukrainian criminality.

c) Anti-Ukrainian websites

Another part of the operation consisted of the development of anti-Ukrainian websites. This content specifically targeted Ukrainian President Volodymyr Zelensky through a series of animated cartoons. These cartoons depict the Ukrainian leader, his family and the Ukrainian government as corrupted, blindly obeying a made-up international conspiracy kabbal, and murdering his own citizens.

d) Pro-Russian websites

Additionally, the operation also consisted of the development and maintenance of pro-Russian websites. One of these websites, called ‘War On Fakes’, was established closely after the new invasion of Ukraine. Mimicking fact-checking content, it was designed to counter facts on the Ukrainian defence against this invasion.

Soon after, in the spring of 2022, another website called ‘RRN’ was set up, sharing the same infrastructure. Initially labelled as ‘Reliable Russian News’, it was renamed ‘Recent Reliable News’ without any explanation. This website, still active to this date, aligned with Russian propaganda narratives attacking the West on a regular basis.

This website also hosts content and video interviews of known pro-Russian Western stakeholders. A video interview of French MEP Thierry Mariani was removed from the website after France called out the Russian origin of RRN in June 2023.

e) Potential hybrid operations

Early November 2023,  blue Stars of David – a symbol that could be interpreted as either pro- or anti-Israeli – appeared on buildings in Paris, followed by images spreading fast on social media, fuelling controversy and confusion. The French state’s technical and operational service responsible for protection against foreign digital interference, VIGINUM, detected the involvement of a network of over a thousand bots on X, affiliated with RRN.

In its Q2 2024 Threat report, Meta exposed a distinct CIB network which claims to have been hired by Russian intelligence to “participate” in the Stars of David operation in Paris. This network, attributed to individuals formerly associated with other CIB networks of Russian Information Operations (most notably the Internet Research Agency), did participate in other hybrid operations in Moldova, Poland and France.

2. Distribution of disinformation

a) Amplification through comments of fake personas/accounts on Meta/X

One of the first distribution techniques of the Doppelganger operation has been the use of fake profiles on Meta. One avatar of this technique is what has been called the ‘German Odettes’, a network of profiles all named ‘Odette’ and allegedly working for Netflix. This network systematically pushed the Doppelganger content directly on the comment section of established Facebook pages. The technique was designed to directly engage with regular Facebook users with less exposure than an established asset like a Facebook page itself.

Part of the operation also used inauthentic distribution on X through networks of fake accounts. These accounts, operated in a coordinated way, pushed Doppelganger assets to their audience as well as replying to tweets in a similar modus operandi to the one seen on Meta.

b) Amplification on other platforms

Working documents from Struktura obtained by the Washington Post showed that Doppelganger operators have been weekly reporting on the operation’s performance. Dashboards show that narratives and engagement are monitored across platforms, including Facebook, YouTube, Telegram and TikTok.

Other artifacts/assets are visible on the German Ministry of Foreign Affairs report.

c) Buying ads with networks of fake Facebook pages

A constant tactic used by Doppelganger operators has been the use of the Meta advertisement platform. Through the use of thousands of Facebook pages, Doppelganger operations targeted Facebook users with the content they produced. Such amplification was made through ‘burner’ accounts, which are disposable assets used only for one advertisement and then abandoned.

d) Dissimulation/ OpSec

The operation has implemented specific operational security measures to obfuscate its nature. These included, for instance, geofencing, a setting that allows restricting content visibility for specific users. For instance, a French web user could not see the content restricted to German users.

The operation also used multiple redirection URLs to circumvent the restrictions set up by platforms like Meta on Doppelganger domain names. Part of this obfuscation infrastructure has been exposed.

3. Reach / impact

The impact of the Doppelganger operation should be considered cautiously. The assessments can only be partial and reflect the data made available by stakeholders, which is restricted. For more about this and how Russian propaganda is building its communications strategy on the over-coverage of the alleged success of such operations, we recommend reading Thomas Rid’s article on this topic.

Data obtained and communicated publicly by Bavarian intelligence show the following distribution of campaigns and clicks. This data covers a period from May 2023 to July 2024, for only 2 servers identified. The initial period of February 2022 to May 2023 is, therefore, not represented, neither probably all campaigns ran in the monitored period.

On a total of 7983 campaigns and 828 842 clicks (average of 103 clicks per campaign):

  • Main countries impact
    • Germany, 2250 campaigns, 250 061 clicks (30,17%)
    • France, 2245 campaigns, 249 481 clicks (30,1%)
    • The United States, 1024 campaigns, 180 521 clicks (21,78%)
    • Ukraine, 1339 campaigns, 148 777 clicks (17,95%)
    • Israël, 221 campaigns, (No detailed figures)
    • Poland, 118 campaigns, (No detailed figures) 
    • Italy, 89 campaigns, (No detailed figures)
    • Latvia, (Observed in 2022 but no figures)
    • The United Kingdom, (Observed in 2023 but no figures)

In September 2022, Meta announced that around 105,000 USD were invested in advertisements on their platform. Since then, studies have shown that thousands of ads have still been pushed and moderated by the platform. At this stage, no updated public communication has been made by Meta on this matter.

In Q2 2024: Meta claims that “Since [their} last update in May, [they] have also detected and removed over 5,000 accounts and Pages. In August 2024, Meta announces that more than 6000 threat indicators have been detected on this operation and published on Github. The quasi-totality (96%) of these indicators concerns redirection domains blocked by the platform.

  • Main organisations cloned:
    • Media organisations (online versions of well-established newspapers)
    • French Ministry of Public Affairs
    • German Ministry of Interior
    • NATO
  • Platforms used:
    • Facebook
    • Instagram (advertisement for Instagram users only)
    • X
    • Dailymotion

4. Attribution

In December 2022, Meta attributed the operation to two Russian companies: Struktura and Social Media Agency. In June 2023, VIGINUM (the French service countering digital foreign interference) confirmed these elements.

In November 2023, an ongoing investigation on the ‘Star of David’ hybrid operation is looking into the involvement of additional individuals. French authorities attributed the amplification of this hybrid operation to the Doppelganger/RRN network.

In November 2023, the US State Department also attributed to the same two Russian companies and their managers an information operation targeting Latin America.

There are still unresolved questions about the operational ties between the Doppelganger operation and other like-minded information Operations such as Matriochka or Overload.

Multiple investigations showed that the Doppelganger operation used several European and global companies as intermediaries/service providers, for instance, on geofencing solutions, hosting solutions, or direct domain name acquisition. 

5. Responses

EU DisinfoLab has provided a first assessment of measures being taken against Doppelganger campaign on 5 main criteria:

  • Situational awareness 
  • Impact on malign actors’ capabilities
  • Triggering new responses
  • Attribution
  • Deterrence

Following exposure, multiple media outlets have announced to open legal complaints for impersonation (Le Monde, Süddeutche Zeitung, and 20 minutes, at the best of our knowledge).

 In July 2023, Struktura and Social Media Agency companies, and some individuals running them were placed on the EU Sanction List. According to the Council of the EU, “All those designated are subject to an asset freeze and EU citizens and companies are forbidden from making funds available to them. Natural persons are additionally subject to a travel ban, which prevents them from entering or transiting through EU territories.”

In March 2024, the same companies have been added to the United States’ Treasury sanction list.

Also, in October 2023, after a ruling of the World Intellectual Property Office (WIPO), the French government could seize the domain name impersonating the French Ministry of Foreign Affairs (diplomatie.gouv[.]fm). The ruling concluded that NameCheap, which was responsible for selling this domain name to an individual, should return the domain to the French government.

Since then, similar decisions have restituted doppelganger domain names to legitimate owners.

doppelganger_summary