This page is designed to gather a timeline of the Doppelganger operation with a few elements collected from different reports. This page goes beyond the single Doppelganger operation and also brings together additional knowledge about other operations (RRN, WarOnFakes, Ukraine Inc) allegedly led by the same operators, namely Russian companies Struktura and Social Design Agency (SDA/ASP).

To this date, this resource page is mainly based on:

We would like to thank all stakeholders who have worked on this topic and made their findings public to understand the overall operation better.

If you feel we’ve missed some key reporting that should appear here, please contact us.

Last update: 12 June 2024

1. Intro

Since at least February 2022, a multi-faceted online information operation originating from Russia has targeted multiple countries worldwide. Regarding the content side, the operation mainly aims to:

  • undermine support for Ukraine following Russia’s aggression by demonising the Ukrainian government and accusing it of Nazism and corruption
  • sow divisions within countries supporting Ukraine, claiming that supporting Ukraine financially and implementing sanctions on Russia are ultimately failing strategies that only hurt civil society

The campaign has also been pivoting towards spreading disinformation on international events such as Paris Olympic Games.

The EU DisinfoLab team working on the investigation decided to name the campaign Doppelganger for its regular use of fake clones of legitimate websites (both from media organisations and public institutions). 

Over time, it seems the overall campaign is wider than Doppelganger pattern, yet the name is mostly attributed to side operations.

The campaign and its avatars are also known as:

  • RRN (Recent Reliable News), an anonymous news media organisation that serves as a content repository for most of the operation.
  • Matriochka, a side-operation consisting of sedimenting fake media videos into multi-layered social media accounts.
  • Overload, a continuation of the Matriochka operation, specifically targeting journalists and media organisations
  • Storm-1099 / Storm-1679, the code names given by Microsoft for these actors.

The actors identified and running this operation are Struktura and Social Design Agency (also known as ASP), two Russian companies.

Doppelganger amplification techniques have not been used only with Doppelganger-related content. The networks of fake accounts and the obfuscated infrastructure have been used to amplify other pro-Russian operations, such as InfoRos assets, but also authentic news/opinion pieces from legitimate stakeholders. Reports have also shown Portal Kombat’s intermediary role in redistributing similar content.

At this stage, no verifiable elements suggest all these efforts are centrally coordinated. We advise caution on reports suggesting any centralization of such efforts.

2. Tactics

Doppelganger has mostly used the following tactics to disseminate its operation:

1. Content production

a) Clones of media websites

Most of Doppelganger’s public-facing operations consisted of developing websites impersonating established news organisations. Such impersonations have targeted Le Monde, The Guardian, Ansa, Der Spiegel, and Fox News. These impersonations were run through typosquatting on alternative domain names. The operations targeted specifically underrated registrars such as .ltd, .online, or .foo.

The stories, often written in poor language, were all aligned with the narratives described earlier. Content production also included the production of fake videos mimicking the graphic design of original outlets.

b) Clones of government websites

Similarly to what happened with established news organisations, Doppelganger impersonated public authorities and international organisations. The most known examples are an impersonation of the French Ministry of Foreign Affairs, the Interior Ministry of the German federal government or even NATO itself. The tactics to impersonate these stakeholders correspond to those mentioned in the previous section, with the use of typosquatting of legitimate domain names on alternative DNS registrars.

Content-wise, the campaign focused on announcing fake governmental measures, like the establishment of a tax to support Ukraine, the doubling of all military budgets or prevention campaigns against alleged imported Ukrainian criminality.

c) Anti-Ukrainian websites

Another part of the operation consisted of the development of anti-Ukrainian websites. This content specifically targeted Ukrainian President Volodymyr Zelensky through a series of animated cartoons. These cartoons depict the Ukrainian leader, his family and the Ukrainian government as corrupted, blindly obeying a made-up international conspiracy kabbal, and murdering his own citizens.

d) Pro-Russian websites

Additionally, the operation also consisted of the development and maintenance of pro-Russian websites. One of these websites, called ‘War On Fakes’, was established closely after the new invasion of Ukraine. Mimicking fact-checking content, it was designed to counter facts on the Ukrainian defence against this invasion.

Soon after, in the spring of 2022, another website called ‘RRN’ was set up, sharing the same infrastructure. Initially labelled as ‘Reliable Russian News’, it was renamed ‘Recent Reliable News’ without any explanation. This website, still active to this date, aligned with Russian propaganda narratives attacking the West on a regular basis.

This website also hosts content and video interviews of known pro-Russian Western stakeholders. A video interview of French MEP Thierry Mariani was removed from the website after France called out the Russian origin of RRN in June 2023.

e) Potential hybrid operations

Early November 2023,  blue Stars of David – a symbol that could be interpreted as either pro- or anti-Israeli – appeared on buildings in Paris, followed by images spreading fast on social media, fuelling controversy and confusion. The French state’s technical and operational service responsible for protection against foreign digital interference, VIGINUM, detected the involvement of a network of over a thousand bots on X, affiliated with RRN.

2. Distribution of disinformation

a) Amplification through comments of fake personas/accounts on Meta/X

One of the first distribution techniques of the Doppelganger operation has been the use of fake profiles on Meta. One avatar of this technique is what has been called the ‘German Odettes’, a network of profiles all named ‘Odette’ and allegedly working for Netflix. This network systematically pushed the Doppelganger content directly on the comment section of established Facebook pages. The technique was designed to directly engage with regular Facebook users with less exposure than an established asset like a Facebook page itself.

Part of the operation also used inauthentic distribution on X through networks of fake accounts. These accounts, operated in a coordinated way, pushed Doppelganger assets to their audience as well as replying to tweets in a similar modus operandi to the one seen on Meta.

b) Amplification on other platforms

Working documents from Struktura obtained by the Washington Post showed that Doppelganger operators have been weekly reporting on the operation’s performance. Dashboards show that narratives and engagement are monitored across platforms, including Facebook, YouTube, Telegram and TikTok.

c) Buying ads with networks of fake Facebook pages

A constant tactic used by Doppelganger operators has been the use of the Meta advertisement platform. Through the use of thousands of Facebook pages, Doppelganger operations targeted Facebook users with the content they produced. Such amplification was made through ‘burner’ accounts, which are disposable assets used only for one advertisement and then abandoned.

d) Dissimulation/ OpSec

The operation has implemented specific operational security measures to obfuscate its nature. These included, for instance, geofencing, a setting that allows restricting content visibility for specific users. For instance, a French web user could not see the content restricted to German users.

The operation also used multiple redirection URLs to circumvent the restrictions set up by platforms like Meta on Doppelganger domain names. Part of this obfuscation infrastructure has been exposed.

3. Reach / impact

At this stage, the list of countries and languages this operation has been targeting are the following ones:

  • Main countries targeted (* marks countries more targeted, based on observations):
    • France* 
    • Germany*
    • Ukraine
    • Latvia
    • Italy
    • The United Kingdom
    • The United States
    • Poland
  • Main organisations cloned:
    • Media organisations (online versions of well-established newspapers)
    • French Ministry of Public Affairs
    • German Ministry of Interior
    • NATO
  • Platforms used:
    • Facebook
    • Instagram (advertisement for Instagram users only)
    • X
    • Dailymotion

In September 2022, Meta announced that around 105,000 USD were invested in advertisements on their platform.

Since then, studies have shown that thousands of ads have still been pushed and moderated by the platform. At this stage, no updated public communication has been made by Meta on this matter.

4. Attribution

In December 2022, Meta attributed the operation to two Russian companies: Struktura and Social Media Agency. In June 2023, VIGINUM (the French service countering digital foreign interference) confirmed these elements.

In November 2023, an ongoing investigation on the ‘Star of David’ hybrid operation is looking into the involvement of additional individuals. French authorities attributed the amplification of this hybrid operation to the Doppelganger/RRN network.

In November 2023, the US State Department also attributed to the same two Russian companies and their managers an information operation targeting Latin America.

There are still unresolved questions about the link between Doppelganger operation and other information Operations such as Matriochka.

Several European and global companies were used as intermediaries/service providers by the Doppelganger operation, for instance, on geofencing solutions, hosting solutions or direct domain name acquisition.

5. Responses

EU DisinfoLab has provided a first assessment of measures being taken against Doppelganger campaign on 5 main criteria:

  • Situational awareness 
  • Impact on malign actors’ capabilities
  • Triggering new responses
  • Attribution
  • Deterrence

Following exposure, multiple media outlets have announced to open legal complaints for impersonation (Le Monde, Süddeutche Zeitung, and 20 minutes, at the best of our knowledge).

 In July 2023, Struktura and Social Media Agency companies, and some individuals running them were placed on the EU Sanction List. According to the Council of the EU, “All those designated are subject to an asset freeze and EU citizens and companies are forbidden from making funds available to them. Natural persons are additionally subject to a travel ban, which prevents them from entering or transiting through EU territories.”

Also, in October 2023, after a ruling of the World Intellectual Property Office (WIPO), the French government could seize the domain name impersonating the French Ministry of Foreign Affairs (diplomatie.gouv[.]fm). The ruling concluded that NameCheap, which was responsible for selling this domain name to an individual, should return the domain to the French government.

doppelganger_summary