Banner: VK videos distributed by the Pravda network focusing on Ukraine, the US and the UK. (Source: news-pravda.com)

An investigation by the DFRLab and Finland-based company CheckFirst has found that the Russian website ecosystem known as “Pravda” expanded its infrastructure over the course of 2024. The operation, previously dubbed “Portal Kombat,” has evolved to encompass more countries and launder content in more languages across Europe, Africa, and Asia. Website forensic analysis linked the operation to the Crimea-based IT company TigerWeb, as well as its owner, who shares dubious links with the Russian-backed government of occupied Crimea.

The Pravda ecosystem encompasses several hundred news aggregators, or portals, that repost content from Russian news sources, social media and Telegram channels. Since 2022, a new iteration of websites featuring the word “Pravda” – Russian for “the truth” – emerged primarily targeting Ukrainian and Western audiences. The portals appear to be fully automated and do not feature original content, but repost videos and translate publications in an effort to reach a wider audience and circumvent sanctions.

Despite its name, the Pravda ecosystem does not share links with the Russian media outlets with the same name.

A February 2024 report by the French disinformation watchdog Viginum exposed an inauthentic set of news portals laundering pro-Kremlin narratives across multiple cities in Ukraine and translated into multiple European languages, including English, German, French, Portuguese, and Spanish. At the time, the operators of the fraudulent new portals used domains that included “pravda-” with specific hyphenated country codes.

In the leadup to the 2024 European parliamentary elections, the Pravda ecosystem evolved and launched new domains targeting almost every member country of the European Union, as well as countries of the European Eastern Partnership. In addition, a series of multiple websites emerged targeting French-speaking countries in Africa’s Sahel region, which has recently experienced a series of coups d’état. Similar websites were registered in the leadup to the Georgian parliament election of October 2024. Amidst efforts to regroup all domains under one domain (news-pravda[.]com), in the fall of 2024 and in early 2025, the network utilized 140 subdomains targeting more than eighty-three countries and regions across the globe.

Following Viginum’s February 2024 report, and two months before the European parliament elections of 2024, we observed that the ecosystem attempted multiple times to create country-specific domains. In April 2024, a first series of four domains registered on April 26, 2024, targeted the Baltic states and the Republic of Moldova. Contrary to the first installments of the campaign, where the websites operated in domestic and official national languages, this subset of four websites operates in Russian, in a likely attempt to appeal to the Russian-speaking minorities in these countries. The websites were also spread across two IP addresses.

On August 3, 2024, twenty-one new domains appeared, targeting cities throughout Ukraine. The domains operate in Russian and appear on the IP address 178.21.15.41, which is hosted by the Russian registrar reg.ru and located in the Moscow region.

Similarly, two months before the Georgian parliament elections of October 2024, we observed that two new websites appeared targeting Georgia and Armenia within a two-day window. Similarly to the above websites, this subset exclusively operates in Russian and uses the same IP address as the news-estonia[.]com and moldova-news[.]com websites.

In the fall of 2024, the Pravda ecosystem reverted to one top-level domain portal, news-pravda[.]com, which redirects traffic to a series of sixty-three subdomains focusing on a staggering forty-nine countries around the world. 

A US-specific domain, us.news-pravda[.]com, appeared on November 4, 2024, one day before the 2024 US presidential election. On November 8, three additional domains appeared. These domains began targeting the US, EU, NATO, German Chancellor Olaf Scholz, French President Emmanuel Macron, and President-Elect Donald Trump.

Between December 3, 2024 and January 8, 2025, twenty-eight new subdomains appeared, targeting a wide array of countries in Europe, including Malta, Iceland, Ireland, the Balkans, Bosnia’s Republika Srpska, and Montenegro. They produced content in minority languages such as Catalan, Galician, Basque, Welsh, and Scottish). Additional subdomains targeted Africa (Algeria, Mali, Senegal, Cameroon, Guinea, Gambia, Eritrea, Egypt, Mauritania, Nigeria, Chad, South-Sudan and Sudan), the Caucasus (Ossetia, Abkhazia) and Maori-speaking New Zealand audiences. More recently, the network expanded its reach to focus on countries across Asia, including South Korea, North Korea, Taiwan, Japan, and Singapore.

Our investigation also confirmed the 2024 findings of Viginum, connecting the operation to a digital agency based in Russian-occupied Crimea. Records of the first websites linked to Portal Kombat found on the Internet Archive show that they displayed the logo of an agency called Tiger Web. The logo was found in two instances on archived pages of crimea-news[.]com and sochi-news[.]com.

Additionally, we identified one instance of a review left by news portal crimea-news[.]com on the website Rating of Runet. The review, titled Лента новостей Крыма (“Crimea News Feed”), connects TigerWeb to a Russian client. The review states, “I ordered the creation of a news aggregator of Crimea. The guys are pleasant to talk to and all the comments I made were taken into account.[…]”

Web forensics also confirmed the above findings. We identified that the website tigerweb[.]ru, which belongs to the agency, shared a Google AdSense code with multiple websites that spread news in Russian between 2016 and 2024 targeting cities across Russia and Ukraine. The websites identified in this subset targeted the Ukrainian cities of Volyn and Kharkiv in Ukrainian. These are suspected to be the first iterations of the Portal Kombat operation.

DNS records from 2015 also show that Tigerweb shared an IP address with the website uanews.crimea[.]ua, another fraudulent news portal that shared the same website schemes and news content as those flagged throughout 2016 until 2024. Other websites found during that period also include news portals targeting the Russian cities of Saratov, Krasnoyarsk, Sochi, and Ufa.

The origins of this operation can be traced back to the activities of the founder, Yevgeny Shevchenko. As early as 2011, Shevchenko was involved in the creation of Crimea News– an endeavor documented on his personal blog – which we consider as the precursor or Pravda v0 of the network. The website is a news aggregator referencing multiple sources of content into a single website; lenta[.]crimea[.]ua. The first establishment of TigerWeb as an “agency” occurred in 2013, despite the organization only formally registering in Russia in 2019. By 2014, the first versions of the Pravda network began to emerge, hosted on the same IP as tigerweb[.]ru. For instance, websites such as vladivostok-news[.]net and yaroslavl-news[.]net exhibit significant overlaps, not least in the use of a shared Google Analytics account (UA-47448818-*) as evidenced in archived source code. 

The earliest articles in the network are dated from March 2014 on crimea-news[.]com. We were able to trace activities on yaroslavl-news[.]net back to July 2014, further demonstrating that these websites were operational well before later iterations of the network were established.

Analysis of Shevchenko’s website provides additional evidence of the usage of the domain “crimea[.]ua” to host his projects, on the same IP address as other elements of the network. In 2018, the agency name TigerWeb reappeared in the footers of some websites, such as vladimir-news[.]net , thereby reinforcing the agency’s persistent involvement across multiple platforms.

Over the years, the Pravda ecosystem has continued to evolve. Official corporate registration of TigerWeb in Russia was completed in 2019 and its trademark was registered in 2020. New websites adopting the Pravda look and feel have been registered, such as alchevsk-news[.]ru and dnr-news[.]ru, focusing on Ukraine and the Donbas. Evidence from the Internet Archive demonstrates that these sites follow the domain naming conventions of the previous Russian network. The domain dnr-news[.]ru, first observed in 2015,  targeting the self-proclaimed Russian-backed Donetsk People’s Republic, experienced technical issues in 2019.

In 2022, dnr-news[.]ru reappeared with a distinctly updated Pravda aesthetic, signaling a significant shift in both design and operational strategy. The website now utilizes the ColorMag theme—a modern, responsive design developed by ThemeGrill—which is recognized for its sleek appearance and user-friendly functionality. This theme not only enhances the visual appeal of the site but also aligns it with contemporary European digital media standards, ensuring that the platform remains competitive and accessible.

Alongside the technical overhaul, the website introduced in 2024 a new editorial team to reinforce its apparent commitment to quality content, appointing editors Viktor Artemyev and Yuri Vlasenko, with their names prominently featured on the site’s “About Us” page alongside contact information. The presence of these new editors suggests that the operation is trying to look more professional and transparent.

It is important to note that a technical link connects the ‘-news’ network, developed primarily for Russian and Ukrainian audiences, with the Pravda network. Both networks utilize a Content Management System (CMS) to manage the content of their respective websites. Importantly, to display content on the client side, both types of websites use an internal API that is identical across both the old and new versions of the platforms, employing the same endpoint and parameters. This uniformity in API usage suggests that the development team behind these operations has employed a standardized framework, effectively unifying the disparate networks under a single technical architecture. 

In order to try to determine the different servers used by Tigerweb we ran a script across all known REG.ru IP ranges, including 176.99.*.*, 178.21.9.*, 185.38.18.*, 188.93.208.1.*, 188.93.213.*, 193.227.134.*, 194.67.64.*, 194.67.76.*, 194.67.77.*, 194.67.106.*, 213.189.199.*, 62.113.93.*, 176.99.4.*, 178.21.12.*, 185.38.18.*, 193.227.134.*, 194.67.106.*, and 213.189.199.*. The script processed each IP address with a valid HTTP response to retrieve their attached SSL certificate details.

Four certificates associated to Tigerweb were discovered:

On multiple occasions, Shevchenko seems to have worked with the Russian-backed government of the Republic of Crimea, since the takeover of the peninsula in March 2014. In 2013 TigerWeb launched the website crimea-news.com, which was part of the “topnews” network, a prior iteration of news aggregators that focused originally on Ukrainian towns. According to information retrieved on DomainTools, crimea-news.com and topnews.volyn.ua existed on the same IP address between 2013 and 2016. In its report, Viginum also points out that the email address topnewsua7@gmail[.]com appears on archived records of multiple websites of the network.

On the Russia social media VK, the page associated with crimea-news.com has been active since November 2013 and also features an “A+” rank, meaning it is approved by Russian telecom regulator Roskomnadzor. According to Roskomnadzor’s online registry of approved pages and channels, the website’s affiliated page on Odnoklassniki (OK) and Telegram are also approved.

According to an online resume published on namebook.club, Shevchenko worked as a project manager between 2015 and 2016 for the state-owned company Krymtekhnologii (“Crimea Technology”). The now-privatized state company has notably created the portal of the Russian-backed government of Crimea, as well as Russian Spring, which spreads pro-Kremlin narratives justifying the 2014 annexation. Krymtekhnologii is also responsible for public tenders of IT services.

In 2014, Ukraine’s National Security and Defense Council issued a ban against the company’s website, rtech.ru, and two other websites affiliated with promoting Russia’s unlawful annexation of the peninsula. Ukraine introduced new sanctions in 2018 against the company and its director, Aleskandr Ilich Uzbek. The company’s leadership is also suspected of corruption, and owns real-estate businesses throughout Crimea. One of Krymtekhnologii’s co-founders, Arsen Sidakov, is also part of a Saint Petersburg based business with links to Russian oligarch Arkady Rotenberg, a longtime supporter and financier of Putin.

TigerWeb currently still works for clients affiliated with the Russian-backed government of Crimea. In 2021, TigerWeb created an online portal dedicated to the Republican Center of Estimation (RCO in Russian for Республиканский Центр Оценки), a private business that estimates the prices of land and real estate in the region of Crimea. A December 2022 document published on the website of  the Russian occupation government of Ukraine’s Zaporizhzhia region appointed the RCO for “Valuation services: A. Determining the market value of the valuation object; determining the market value of the right of temporary use and ownership of the leased object (market annual rent); B. Drawing up floor plans of buildings, structures, premises.” The RCO proposal was allegedly funded at a cost of 1,350 million rubles, or approximately USD $15.2 million. RCO also indicates on its website that it allegedly provides similar services for the Kherson region under Russian occupation, although the DFRLab did not find documents corroborating this.

Amaury Lesplingart is co-founder and CTO of CheckFirst.

Amaury Lesplingart and Valentin Châtelet, “Russia’s so-called “Pravda” network expands worldwide,” Digital Forensic Research Lab (DFRLab), February 24, 2025, https://dfrlab.org/2025/02/24/russia-pravda-network-expands-worldwide/.