Explainer: the Russian influence operations targeting the 2024 US elections

The September 2024 deplatforming of Operation Doppelganger demonstrates how US voters are being targeted by Russian influence operations


Banner: US government seizure notice on one of the Doppelganger websites shut down on September 5, 2024. (Source: rrn.media/archive)

On September 4, 2024, the US Treasury Department announced that it had sanctioned ten Russian citizens and two entities for participating in malign influence efforts targeting the November 2024 US presidential election. Those sanctioned included high-ranking staff members of RT, including editor Margarita Simonyan, as well as a Russian organization called ANO Dialogue, which the department accused of participating in the Russian influence operation known as Doppelganger. Simultaneously, the US Department of Justice seized more than thirty online domains operated by Social Design Agency, which has previously been linked to Doppelganger.

Operation Doppelganger

Creating forged versions of news articles, websites, and reports, among other things, is nothing new in the world of Russian influence operations. Individually, a single fake article or website may cause confusion among internet readers, but generally doesn’t infiltrate much deeper into public discourse. In contrast, persistent efforts to impersonate authoritative news websites and promote their content at scale in a coordinated manner can have a tangible impact, casting propaganda narratives far and wide on a systematic basis. Doppelganger is such an operation; among the most documented Russian influence operations, it has continued to evolve since at least 2022. Also sometimes referred to by the Microsoft designation of Storm-1099, Doppelganger creates online clones of well-established media outlets and government websites, populating them with anti-Western, anti-Ukrainian, and pro-Russian messaging intended to deceive internet users into thinking they are legitimate online sources. When it comes to distribution, the techniques vary.

The primary method used by Doppelganger to infiltrate the US information space is through the reply sections of Twitter posts. The operation employs bot-like networks for engaging with audiences. These are referred to as originators and amplifiers, depending on their function. Originator networks concentrate on producing large quantities of similar but not identical posts that serve as fodder for dissemination, while amplifier networks exclusively repost the originator content to high-profile accounts in the form of replies. The targeted high-profile accounts could include politicians, celebrities, influencers, meme accounts, and the like; usually, their audiences range from hundreds of thousands to millions of subscribers. This approach indicates an attempt to engage with influential segments of society by consistently disseminating pro-Kremlin content.

The operation also utilizes single-use accounts (or “burner” accounts) that typically publish a single post, making no effort to establish an account’s online presence or authenticity. These posts are then promoted by amplifier networks, whose accounts are often more active and appear more authentic. Burner accounts are used on Facebook as well, as previously documented by Viginum, the French government agency tasked with fighting disinformation. Similarly, the DFRLab uncovered a network of thousands of burner accounts on TikTok in conjunction with the BBC in late 2023.

Doppelganger posts often include geo-fenced URLs leading US users to bogus news websites with familiar but incorrect domain names, such as fox-news.in, while showing a blank page to non-US users. Before landing a user on the bogus website, the operation employs different staging domains for redirection purposes.
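For defenders triaging links of this kind, the check below flags hostnames that imitate a protected outlet's domain, such as the fox-news.in case above. It is an added example, not DFRLab's tooling; the verdict names, the naive suffix split, examplenews.com and every sample hostname other than fox-news.in are assumptions made for illustration.

```python
import re

# Outlets to protect. foxnews.com is the real site imitated by the page's
# fox-news.in example; examplenews.com is a constructed placeholder.
LEGIT_DOMAINS = {"foxnews.com", "examplenews.com"}
SWAPS = str.maketrans("013", "ole")  # common digit-for-letter substitutions

def split_host(host):
    """Return (subdomain labels, registrable label, suffix).
    Assumption: single-label suffixes only; use the Public Suffix List in production."""
    labels = host.lower().strip(".").split(".")
    return labels[:-2], labels[-2], labels[-1]

def skeleton(label):
    """Drop separators and undo digit swaps: 'fox-news' and 'f0xnews' -> 'foxnews'."""
    return re.sub(r"[-_]", "", label).translate(SWAPS)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return (verdict, imitated_domain_or_None) for one hostname."""
    if "." not in host.strip("."):
        return ("unrelated", None)
    subs, label, suffix = split_host(host)
    if f"{label}.{suffix}" in LEGIT_DOMAINS:
        return ("legitimate", None)
    skel, sub_skel = skeleton(label), skeleton("".join(subs))
    for legit in sorted(LEGIT_DOMAINS):
        brand = legit.split(".")[0]
        if skel == brand:  # same name after removing hyphens, other suffix
            return ("same-name-other-suffix", legit)
        if brand in skel or brand in sub_skel:  # brand padded or used as subdomain
            return ("brand-embedded", legit)
        if edit_distance(skel, brand) == 1:  # one-character misspelling
            return ("near-miss-spelling", legit)
    return ("unrelated", None)

# Constructed sample, except fox-news.in, which is quoted on the page.
SAMPLE = ["www.foxnews.com", "fox-news.in", "foxnews.live-update.example",
          "examplenewz.org", "weather.example"]

if __name__ == "__main__":
    for h in SAMPLE:
        print(h, classify(h))
```

Because the landing pages are geo-fenced and sit behind staging redirects, a name-based check like this works on the final hostname without needing to fetch the page.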

Doppelganger page impersonating Fox News. (Source: fox-news.in/archive)

Inauthentic accounts also promoted URLs directing readers to Doppelganger’s flagship website, known as Recent Reliable News (RRN). Before it was deplatformed in September 2024 by the US government seizure, RRN camouflaged itself as a legitimate media outlet and was available in ten languages. On Facebook, Doppelganger bought advertising to promote posts, using burner accounts for launching a single ad before abandoning these accounts.

The RRN website as it appeared in May 2024. (Source: RRN.media/archive)
The RRN homepage after its US government seizure on September 5, 2024. (Source: rrn.media/archive)

Doppelganger might also be involved in hybrid activities combining physical and online operations. Following the October 2023 Hamas attack on Israel, graffiti featuring the Star of David appeared on walls across Paris, likely aiming to inflame fear among France’s Jewish community. Photos of the graffiti quickly spread on social media. Viginum exposed the involvement of Doppelganger in both the initial distribution and broader dissemination of graffiti images across social media.

RRN was by no means the only Doppelganger domain operating in the information space. The latest announcements from the US government cite more than thirty seized domain names. These domains featured content sowing political division regarding US immigration policy, the ongoing Middle East conflict, LGBTQ+ rights, the economy, and other hot-button election issues.

Information laundering via social media

Information laundering is the process of placing narratives on the fringes of public discourse and slowly normalizing them by quoting them via more credible sources, in an attempt to gradually legitimize them. Such practices date back to the Soviet era, including Operation Denver (or Operation Infektion), whose methods were recycled decades later in 2019 by pro-Kremlin actors in a similar effort uncovered by the DFRLab, which became known as Secondary Infektion.

Information laundering techniques continue to evolve, particularly since the COVID pandemic and Russia’s February 2022 invasion of Ukraine. Immediately after the invasion, Russia lost its primary tools for information spreading, like RT America, when it was dropped from DirecTV and subsequently went off the air. This forced Russia to develop other means to reach audiences.

According to Pew data, 12 percent of the US adult population consumes news from Twitter, while 14 percent do so from TikTok; 59 percent and 36 percent of these users go to these respective platforms specifically for political news. In recent years, Twitter introduced monetization for so-called blue tick accounts, following TikTok’s model for rewarding creators based on engagement levels. Blue tick accounts were previously limited to verified users, but this changed when Twitter abandoned the service and repackaged it as a subscriber service that any platform user could purchase without ID verification. This exacerbated an ecosystem in which sensationalism in news and politics became profitable for individual influencers, making the platform attractive for malign actors.

Laundering campaigns often start from some obscure corner of the internet, during the ‘placement’ stage. It might be a fringe YouTube channel, an anonymous TikTok account, a video on an Instagram account, a publication on a Russian Telegram channel, or a Russian TV channel. It is intentionally not prominent, providing a launching point for disinformation and propaganda to spread to more mainstream online locales.

This makes such content low-hanging fruit for influencers, news aggregators, link farms, pro-Kremlin websites like DC Weekly, and others involved in Doppelganger, who pick up the story and amplify it further, adding a veneer of credibility in a stage known as ‘layering.’ These messages, due to their sheer volume, popularity, and emotion-provoking nature, create a sense of credibility so that regular users, platforms, and influencers pick up the story and push it deeper into the public information space, making it indistinguishable from credible and truthful information. This stage is known as ‘integration.’

Russia uses this approach to inject stories into Western discourse, including in the US. Microsoft linked these efforts to a campaign it designated as Storm-1516, while the Washington Post published leaked Russian dashboards that provided evidence of Kremlin-tied actors monitoring the success of similar campaigns. Even once discovered, these efforts can be recycled again and again to influence audiences in the US and elsewhere, effectively creating a Pandora’s box for generating malign influence.

While Doppelganger and information laundering might seem distinct, they are intrinsically linked because their activities overlap and reinforce each other. The Russian influence operations deplatformed by the US government in September 2024 are the latest example of Kremlin activities targeting the US election; they likely will not be the last.


Cite this case study:

Roman Osadchuk and Eto Buziashvili, “Explainer: the Russian influence operations targeting the 2024 US elections,” Digital Forensic Research Lab (DFRLab), September 6, 2024, https://dfrlab.org/2024/09/06/how-doppelganger-and-other-russia-linked-operations-target-us-elections/.