Moldovan ‘Traitors’ portal linked to Russian cybercrime group

Anti-PAS online smear campaign linked to sanctioned Russian actor


BANNER: Supporters of the ruling Party of Action and Solidarity (PAS) attend a pro-EU rally on the final day of the electoral campaign in Chisinau, Moldova, on September 26. (Source: STR/NurPhoto via Reuters)

The day before Moldova’s critical 2025 parliamentary election, a new online portal emerged, cataloguing politicians considered to be traitors, including Moldovan President Maia Sandu. The portal was first published in a Telegram post by the Russian media portal Gagauznews, which linked to the online platform, titled “Trădători” (Romanian for “Traitors”).

Using DNS analysis and a comparison of IP addresses associated with the portal, the DFRLab identified links between Trădători and the Russian organization Aeza Group, which provides online infrastructure, such as bulletproof hosting services, to enable cybercrime. Aeza is sanctioned by the US Department of the Treasury and the UK’s Foreign, Commonwealth & Development Office. Aeza Group was also reported to have helped facilitate the Russian disinformation operation Doppelganger. Aeza’s former CEO, Yuri Bozoyan, was reportedly arrested and jailed in April 2025, following accusations that the provider had hosted BlackSprut, Russia’s largest online dark marketplace reselling drugs.

According to Ziarul de Gardă (ZdG), Aeza is also linked to the hosting infrastructure for HaiTV, a mobile application and website that enables sanctioned Moldovan and Russian TV channels to broadcast in the country. The DFRLab identified further evidence that connects the Trădători portal to HaiTV, to an anti-PAS poster contest, and to a campaign impersonating an LGBTQIA+ organization in Moldova.

The technical evidence collected by the DFRLab indicates that the Aeza Group acted as an infrastructure provider by registering and hosting domains to facilitate the impersonation of political and civil society actors and enabled the reuse of Russian website templates to mislead the Moldovan public. The investigation found that Aeza enabled the registration of multiple domains with MX records impersonating an LGBTQIA+ organization, sending emails on behalf of the organization’s head, Angelica Frolov, in an attempt to impersonate and defame the organization. The campaign operators also reused a Tilda website template for a poster contest targeting PAS, with much of the content generated by AI.

The “Traitors” and HaiTV

In its September 27 Telegram post, Gagauznews reported that “the website tradatori[.]live has published a list of individuals whom the project’s authors accuse of betraying national interests and driving the country into poverty. The database already contains over forty-five cases, including [President] Sandu, [then-Prime Minister] Dorin Recean, [Parliament President] Igor Grosu, and their close associates.”

The website, available in English, Russian, and Romanian, also lists the Proton Mail address tradatori@protonmail[.]com, which the DFRLab had not authenticated at the time of writing.

Using DNSLytics, the DFRLab found that tradatori[.]live used two Google Tag identifiers that linked to ten other websites. These included three additional Trădători domains using different top-level domains and seven HaiTV-related websites.

HaiTV is an app that was banned in Moldova in July 2025, after authorities determined that it was being used to circumvent the broadcasting ban imposed by the Audiovisual Council in the wake of Russia’s invasion of Ukraine. Channels accessible through HaiTV included Russia’s NTV, Rossiya 24, Pervyi Kanal, and Moldova24, which the DFRLab previously reported on and linked to Russian-based infrastructure.

According to DNSLytics records, “HaiTV” also appeared in the homepage title associated with the domain tradatori[.]live, further reinforcing the technical links between the two properties.

A DNSLytics screenshot shows websites using the Google tag G-87LLMCF5FE. (Source: DFRLab via DNSLytics)

Upon investigating the domains’ previous IP locations, the DFRLab uncovered that both HaiTV and Trădători were hosted on the IP address 95.181.173.105, which belongs to Aeza International LTD.

A DNSLytics screenshot shows the domains registered on IP address 95.181.173.105. (Source: DFRLab via DNSLytics)

A DNSLytics screenshot shows Aeza International LTD is the provider of IP address 95.181.173.105. (Source: DFRLab via DNSLytics)

The anti-PAS poster contest

On June 6, the Telegram channel ONO.News, which the DFRLab linked to a Russia-funded online operation aimed at influencing the 2025 Romanian and Moldovan elections, republished a Telegram post from Gagauznews inviting subscribers to take part in a poster contest “to make [their] voice heard.” The theme of the contest was “PAS – the party of unfulfilled dreams.” The post indicated that the top three contestants would be awarded cash prizes ranging from 3,000 to 5,000 Moldovan lei (178 to 297 USD). It also contained a link to the website antipas[.]com and the email address antipas.konkurs@gmail[.]com.

Upon examining the source code of antipas[.]com, the DFRLab found that the developers left an intact HTML link tag to the Russian-language website конкурсплакатов2024[.]рф (“Poster Contest 2024”), an online initiative organized by Russia’s Andryupov Fond with the support of the Russian Ministry of Culture. Large portions of antipas[.]com appear to have been copied and adapted from this Russian website.

A screenshot of the source code of anti-pas[.]com containing an HTML link tag linking to конкурсплакатов2024[.]рф (Source: anti-pas[.]com/archive)

Two screenshots comparing the websites конкурсплакатов2024[.]рф (top) with anti-pas[.]com (bottom). (Sources: DFRLab via конкурсплакатов2024[.]рф, anti-pas[.]com)
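The source-code check described above, and the Google tag lookup used earlier for tradatori[.]live, can be reproduced on any saved page. The following is an added example, not the DFRLab's tooling: it lists every host referenced by `href` or `src` attributes that is not the site's own, together with any Google tag identifiers. The sample HTML, the hosts `contest.example` and `template-origin.example`, and the ID `G-EXAMPLE001` are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Identifier shapes for Google Analytics 4, Tag Manager and Universal Analytics.
TAG_ID = re.compile(r"\b(G-[A-Z0-9]{6,12}|GTM-[A-Z0-9]{4,10}|UA-\d{4,10}-\d{1,4})\b")

class PivotExtractor(HTMLParser):
    """Collect third-party hosts and analytics IDs from one page's source."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.foreign = {}      # host -> set of tag names that reference it
        self.tag_ids = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = value or ""
            self.tag_ids.update(TAG_ID.findall(value))
            if name not in ("href", "src"):
                continue
            try:
                host = (urlsplit(value.strip()).hostname or "").lower()
            except ValueError:      # malformed URL, e.g. a broken IPv6 literal
                continue
            own = host == self.site_host or host.endswith("." + self.site_host)
            if host and not own:
                self.foreign.setdefault(host, set()).add(tag)

    def handle_data(self, data):
        # Inline <script> bodies carry the gtag('config', 'G-...') call.
        self.tag_ids.update(TAG_ID.findall(data))

def extract_pivots(html, site_host):
    parser = PivotExtractor(site_host)
    parser.feed(html)
    parser.close()
    return parser.foreign, parser.tag_ids

# Constructed sample: a cloned page that kept a <link> to its template's origin.
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="https://template-origin.example/">
<link rel="stylesheet" href="/css/site.css">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE001"></script>
<script>gtag('config', 'G-EXAMPLE001');</script>
</head><body><a href="https://contest.example/rules">Rules</a>
<img src="https://static.contest.example/poster1.png"></body></html>"""

if __name__ == "__main__":
    print(extract_pivots(SAMPLE_HTML, "contest.example"))
```

A leftover host in a `link` tag is a lead to verify by comparing the two sites, as the screenshots above do, not proof of common ownership on its own.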

Using the Wayback Machine and EXIF metadata analysis tools Invid by WeVerify and Vera.ai, the DFRLab recovered data embedded in the images allegedly submitted for the contest. The EXIF metadata show that many of the images were generated using OpenAI and are therefore unlikely to represent authentic, user-submitted posters.

A Wayback Machine screenshot shows that allegedly submitted posters were generated using AI. (Source: DFRLab via Wayback Machine)

A screenshot shows EXIF metadata embedded in one of the anti-pas[.]com images listing OpenAI as the “issuer” in its content credentials. (Source: DFRLab via Invid)

Using DNSLytics, the DFRLab identified eight mirror or typo-squatted domains containing the words “anti PAS” and “Moldova.” These domains point to the same content as antipas[.]com, even though they are not hosted on the same IP address.

A DNSLytics screenshot shows domains hosted on IP address 77.110.125.173. (Source: DFRLab via DNSLytics)

As with HaiTV, the IP address belongs to Aeza International LTD, further linking the poster campaign to infrastructure associated with the Russian cybercriminal group.

In two instances, the websites associated with the anti-PAS campaign, hosted on Aeza infrastructure, were found to use Blue VPS OU, an Estonia-based virtual private server provider that offers rapid deployment and confidentiality features. The domains gdm-moldova[.]com and gdmmoldova[.]com were configured with the same MX mail server domains as the anti-PAS campaign.

A June 12 article by Moldovan news site Agora reported that the outlet’s editorial email received a notification that the Moldovan LGBTQIA+ organization GenderDoc-M (GDM) would request educational institutions to send students to a “Solidarity March” during Moldova Pride. The email appeared to be sent from an address impersonating the executive director of the GDM Center, Angelica Frolov. The GDM Center is a Moldova-based civil society organization whose stated mission is to “create a favorable legal and social environment for lesbian, gay, bisexual, and transgender people by developing the LGBTQIA+ community.” Frolov declared on Facebook that the messages were sent “from an address that does not belong to [her].” According to declarations she made in 2024, Frolov and the LGBTQIA+ community were often targets of anti-EU disinformation, amid the country’s EU referendum vote.

In September 2025, the BBC, together with the DFRLab, uncovered a campaign in which paid-for operators targeted President Sandu and her party. During the campaign, one operator was notably asked to post unfounded allegations that “Moldova’s potential EU membership is contingent on the country’s citizens changing their ‘sexual orientation’ to LGBT, and that President Sandu is facilitating child trafficking.”

A collage comparing DNS and MX records for the domain anti-pas-moldova[.]site and IP address 45.86.229.156. (Source: DFRLab via DNSLytics)

The technical evidence shows that the MX servers used to distribute the fraudulent emails were also connected to the MX servers of the anti-PAS campaign, suggesting an infrastructural connection between the Frolov impersonation email and the Aeza-hosted domains targeting Moldova’s ruling party.
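The pivots used throughout this investigation (shared Google tag identifiers, shared hosting IP addresses, shared MX servers) amount to grouping domains by the indicators they have in common. The following is an added example, not the DFRLab's tooling, that clusters domains this way and keeps the evidence for each cluster. The records are constructed, with reserved `.example` names and documentation-range IPs, and `max_fanout` is a hypothetical parameter that ignores indicators seen on too many domains, since a large provider's IP or MX would otherwise link unrelated sites.

```python
from collections import defaultdict

# Constructed records (domain, indicator type, value); reserved .example names
# and documentation-range IPs, not data from the investigation.
RECORDS = [
    ("portal-a.example", "gtag", "G-EXAMPLE001"),
    ("tv-app.example", "gtag", "G-EXAMPLE001"),
    ("tv-app.example", "ip", "192.0.2.10"),
    ("portal-b.example", "ip", "192.0.2.10"),
    ("contest.example", "ip", "198.51.100.7"),
    ("contest.example", "mx", "mx1.mailhost.example"),
    ("ngo-lookalike.example", "mx", "mx1.mailhost.example"),
]
# A large mail provider's MX, shared by related and unrelated domains alike.
RECORDS += [(d, "mx", "mx.bigprovider.example") for d in
            ("portal-a.example", "contest.example", "shop-1.example", "shop-2.example")]

def cluster(records, max_fanout=3):
    """Union domains sharing an indicator; skip indicators on > max_fanout domains."""
    by_indicator = defaultdict(set)
    for domain, kind, value in records:
        by_indicator[(kind, value)].add(domain.lower())
    parent = {d: d for doms in by_indicator.values() for d in doms}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    used = []
    for indicator, doms in by_indicator.items():
        if 2 <= len(doms) <= max_fanout:
            first, *rest = sorted(doms)
            for other in rest:
                parent[find(other)] = find(first)
            used.append((indicator, first))

    clusters = defaultdict(lambda: {"domains": set(), "shared": set()})
    for d in parent:
        clusters[find(d)]["domains"].add(d)
    for indicator, member in used:
        clusters[find(member)]["shared"].add(indicator)
    multi = [c for c in clusters.values() if len(c["domains"]) > 1]
    return sorted(multi, key=lambda c: sorted(c["domains"]))

if __name__ == "__main__":
    for c in cluster(RECORDS):
        print(sorted(c["domains"]), sorted(c["shared"]))
```

With the default cap the constructed data yields two clusters; raising `max_fanout` to 10 merges all seven domains through the provider MX, which is the false link the cap is there to prevent.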

Aeza appears to have played a unique role in providing online infrastructure, including domains and MX servers, to operatives seeking to defame Moldova’s pro-EU politicians, the PAS party, and the NGO GenderDoc-M. While it is not possible to determine whether the same operators were behind all these campaigns, the shared infrastructure suggests that these campaigns benefited from the same hosting services to distribute pro-Kremlin and anti-EU messaging during the 2025 parliamentary election. Furthermore, this reinforces the idea that Aeza collaborated with pro-Russian actors before and during the electoral period to influence Moldovans and election results.


Cite this case study:

Valentin Châtelet, “Moldovan ‘Traitors’ portal linked to Russian cybercrime group,” Digital Forensic Research Lab (DFRLab), December 23, 2025, https://dfrlab.org/2025/12/23/moldovan-traitors-portal-linked-to-russian-cybercrime-group/.