Banner: A 2021 photo of the propagandistic newspaper of the Moldovan coalition bloc of socialists and communists. (Source: Diego Herrera / SOPA Images/Sipa USA via Reuters)

Web forensics and domain analysis confirm that multiple Moldovan media outlets share web infrastructure with Moldovan Russia-backed political parties, including the former governor of Gagauzia. The DFRLab also found evidence of Russian companies providing hosting services for various websites belonging to Moldovan political figures and media outlets. Furthermore, web forensics details connections between top Moldovan pro-Russia political figures and media holdings that spread pro-Russia and anti-EU narratives. Our investigation indicates that these media outlets were hosted by Russian companies and shared identical web markers, such as Google Analytics codes. This report also analyzes historical ties, including shared IP addresses and domain registrations.

One of the key figures in this investigation is Irina Vlah, the former governor of Moldova’s autonomous Gagauzia region. An analysis of passive DNS records, WHOIS records, and Google Analytics codes revealed that Vlah is connected, via website trackers on her former website, to multiple pro-Russian media channels. Analysis of WHOIS records for four Gagauzian news outlets indicated that during her 2019 election campaign, Vlah’s website was connected to these news outlets via back-end advertisement tracking data. Further, passive DNS records confirmed that the Gagauzian news outlets associated with Vlah were originally hosted by Russian companies Jino and HostiMan.

Vlah began her political career as a deputy in the Communist Party before transitioning to the Socialist Party. She secured her first term as governor of Gagauzia in 2015 with backing from the pro-Russia Socialist Party, she won a second term in 2019 as an independent candidate. Known for her pro-Russia stance, in 2015 Vlah prominently featured Russian officials in her electoral banners and adopted the slogan, “Being with Russia is in our hands!” In May 2023, one year after Russia’s invasion of Ukraine, she attended the “Russia – Islamic World: KazanForum” in Russia, sharing on her social media details and photos from the event, including one featuring a portrait of Vladimir Putin in the background. Despite her historically pro-Russia orientation, Vlah recently began promoting a pro-Europe stance, asserting, “Moldova’s future lies with Europe.” In November 2023, she launched the “Platforma Moldova” association to “unite the opposition and cultivate a new political class.” However, it appears Vlah maintains ties between Chișinău and Moscow as a recent investigation by Ziarul de Garda disclosed that Vlah made multiple trips to Moscow over the last year; trips she either did not mention or, when pressed, said she “cannot recall.”

The DFRLab found that Vlah’s current website, irinavlah.md, shares a Google Analytics code with the website of Moldova’s former president, Igor Dodon, and the website of the Communists-Socialists Electoral Bloc (CSEB), which was created under Dodon’s leadership ahead of the 2021 parliamentary elections.

In addition, using historical DNSLytics records, the DFRLab found that from 2018 to 2021, during the period surrounding her re-election, Vlah’s former website (vlah.md) was registered with the Russian company Jino.ru. The website vlah.md is no longer in operation.

The Google Analytics code retrieved by DNSLytics links Vlah’s former website to the pro-Russian Moldovan news outlets Accent TV and NTV, along with two other Gagauzian news portals. Notably, NTV is reportedly connected to Corneliu Furculiță, a deputy in Moldova’s Socialist Party, whose spouse registered a business that owns NTV. The matching analytics codes with Accent TV and NTV were present even after Vlah distanced herself from the Socialist Party and ran as an independent.

Among the two Gagauzian news outlets sharing a Google Analytics code with Vlah’s former website is GagauzInfo, which publishes content in Russian and is still active. Historical data from Domain Tools indicates that the initial IP address for GagauzInfo was hosted in Russia’s Moscow region from 2014 to 2020.

WHOIS records also showed connections between the Gagauzian news outlets and political figures close to Vlah. In a 2023 investigation, Moldovan news outlet TV8 reported that the company IUSIVMEDIA—whose founder, Iulia Spatarenco, was Vlah’s former treasurer during the 2019 election —owned the online outlet GagauzInfo. WHOIS records also indicate that the Russian company Jino hosted GagauzInfo’s website from 2008 to 2018. In a January 2024 investigation, Moldovan fact-checking initiative StopFals reported  that GagauzInfo is one of the top outlets spreading disinformation and pro-Kremlin messaging while simultaneously presenting “the European Union and Romania in a negative light.” Additionally, the DFRLab found that IUSIVMEDIA owned another Russian-language online news outlet, vfokuse.md (“In Focus”), which covered Gagauzia. IUSIVMEDIA also previously held the broadcast license for the radio station “Radio Sud,” before it was revoked in 2022.

The second Gagauzian news outlet sharing the same Google Analytics code as Vlah’s former website is Gagauzia24. This outlet previously operated under two domains: gagauzia24.info and gagauzia24.com, both featuring identical designs and contact details. While gagauzia24.com has been deactivated, gagauzia24.info continues to operate. Additionally, using DNSLytics, the DFRLab discovered that gagauzia24.info shares a Google Analytics code with the pro-Russian TV channels Accent TV and ExclusivTV. The hosting for Gagauzia24 is based in Russia, with the same Russian company, Jino, providing the hosting services for the domain.

The DFRLab found a third Gagauzian media outlet, GagauzMedia, that shares a Google Analytics code with Gagauzia24, and belongs to the company Studio Triumf, according to WHOIS records. The Moldovan transparency project Rise reported that the former deputy of Gagauzian parliament, Ecaterina Jecova, has ties to Studio Triumf as she worked for GagauzMedia from 2014 until 2016. During Jecova’s electoral campaign, she ran as an independent candidate but was openly supported by then-governor Vlah. Rise reported that Jecova, declared “labor” payments from Studio Triumf in 2017 after her tenure at GagauzMedia had reportedly ended. In 2017, she became a member of the Gagauzian parliament. Studio Triumf also reportedly made payments to Jecova’s spouse. Rise also notes a payment to Veronica Sirbu, the legal founder Studio Triumf in 2018.

In a 2015 investigation, Rise uncovered multiple TV channels and online newspapers sharing an identical IP address with the websites of Moldova’s Socialist Party and former president Igor Dodon. In confirming these findings, we encountered occurrences of Moldovan far-left political parties sharing IP addresses and Google Analytics and Google AdSense codes with pro-Russia news outlets.

Online records indicate that political figures across Moldova may have connections with these news websites. For instance, the Moldovan pro-Russia party Ai Noștri / Наши (“Our Own” in Romanian and Russian) uses the domain “partidul.md,” which shares a Google Analytics code with the pro-Russia news outlet “Cenzura” (“Censorship”). In October 2023, Moldova Intelligence Services banned Cenzura, among other outlets, for allegedly distorting the information space and attempting to destabilize constitutional order. Archived versions of the website also display the Google Analytics code featured in the webpage’s source code.

In addition, the website’s contact information links to chief editor Darya Fiodorova’s Facebook page, where she discloses working for the Ai Noștri party and her former affiliation with Moldova’s Socialist Party.

Web forensics also reveal that the Ai Noștri party’s website was initially hosted by HostiMan, a Russia-based hosting company, until 2021, when it switched to Tophost, a Moldova-based hosting provider. An archived copy of an open letter from November 2020 on Ai Noștri’s website shows it was operational while hosted on HostiMan in Russia’s Bryansk region. Historical WHOIS records also indicate that HostiMan managed the IP address range to which the website was assigned.

Historical WHOIS records indicate that both cenzura.md and partidul.md shared the same IP address for several years. This indicates strong similarities in the server infrastructure of the two organizations. The IP address is also registered by TopHost, which, as previously mentioned , is used to host both Cenzura’s and Ai Noștri ’s websites. Between 2022 and 2023, both Ai Noștri and Cenzura’s MX records showed that their email servers also shared the same IP address.

Despite being banned by Moldova’s Security Services, Cenzura launched a clone website titled “1984.” This new site uses identical email addresses as the ones associated with the cenzura.md domain and has replaced the old domain on their Telegram channel.

The DFRLab also found the shared IP address, 81.200.145.234, among TV channels Canal 5 and TV 6.  Canal 5 and TV 6 had their licenses suspended by Moldovan national authorities based on violations of the Television and Radio Code as reported by the Television and Radio Council, which included sanctions for spreading incorrect information about domestic events and the Ukraine war. This IP address, hosted out of Russia’s Leningrad region, also reportedly hosts the website of OrizontTV, which was similarly suspended in October 2023. Orizont TV previously featured a talk show led by journalist Alexei Lungu, who assumed leadership of the ‘ȘANSĂ’ political party, proclaimed as the successor to the SHOR Party, which was declared unconstitutional in Moldova.

Valentin Châtelet and Victoria Olari, “Websites of Moldovan politicians linked to local pro-Russia news outlets,” Digital Forensic Research Lab (DFRLab), May 28, 2024, https://dfrlab.org/2024/05/28/websites-of-moldovan-politicians-linked-to-local-pro-russia-news-outlets/.