Section Date: February 17, 2026
Investigative Focus: Post-Mortem Analysis of the "Doppelganger" & "Storm-1516" Convergence (2024–2025)

The operational architecture behind the 2025 European election interference was not a loose collection of hackers. It was a corporate enterprise. The Russian entity known as the Social Design Agency (SDA) functioned as the strategic command. Its technical partner Structura National Technologies acted as the engineering division. These two firms executed the most data-intensive cognitive warfare campaign observed between 2023 and 2026. Their primary objective during the 2025 electoral cycle was the systematic destabilization of the German Bundestag and the erosion of French support for NATO.

We have verified data from the September 2024 leaks (the "SDA Files") and subsequent FBI affidavits. These records confirm that SDA operated under strict Key Performance Indicators (KPIs). They did not merely "troll" online. They fulfilled production quotas. Their output included deepfake video fabrication. It included domain spoofing. It included automated comment injection. This section dissects the mechanics of their operation targeting the February 2025 German Federal Elections.

#### The Corporate Command: Gambashidze and Tupikin
The hierarchy was rigid. Ilya Gambashidze served as the founder of SDA. Intelligence files identify him as the "ideological architect". He translated Kremlin directives into actionable media campaigns. His counterpart was Nikolai Tupikin. Tupikin served as the CEO of Structura National Technologies. His role was purely technical. Structura provided the server infrastructure. They managed the bot farms. They executed the "typosquatting" of European media domains.

US Treasury sanctions from March 2024 identified these individuals. Yet their operations intensified throughout 2025. Leaked internal meetings recorded Gambashidze wearing a hoodie with patches reading "Russian Ideological Troops". This was not irony. It was their operational definition.

The division of labor was precise:
1. SDA (The Brain): Created the narratives. Drafted the "falsified" news articles. Scripted the deepfake scenarios involving Olaf Scholz and Annalena Baerbock.
2. Structura (The Muscle): Registered the domains. Managed the "Keitaro" Traffic Distribution Systems (TDS). Deployed the "Bot Army" to amplify content.

#### The 2025 Bundestag Offensive: "Project Germany"
The 2025 German Federal Election (held February 23, 2025) was the primary theater for SDA. The campaign utilized a strategy known internally as "Project Germany". The objective was the amplification of the Alternative for Germany (AfD) party. The method was the total saturation of the information space with "Storm-1516" style deepfakes.

Deepfake Vector 1: The "Habeck" Fabrications
In January 2025 SDA operatives released a series of synthetic audio files. These files purportedly featured Vice Chancellor Robert Habeck. The audio mimicked his voice patterns with 98% accuracy. The content suggested secret negotiations to dismantle German industrial assets. Forensic analysis later confirmed these were AI-generated. Structura bots distributed these files across Telegram and X (formerly Twitter). The distribution speed was 12,000 shares per hour within the first six hours.

Deepfake Vector 2: The "Baerbock" Video Synths
A more aggressive vector targeted Foreign Minister Annalena Baerbock. Structura hosted deepfake videos on "bulletproof" hosting services. These videos depicted Baerbock admitting to falsified diplomatic failures. The lip-sync technology used was advanced. It surpassed previous 2023 iterations. The videos were not hosted on main platforms initially. They were hosted on "doppelganger" domains like bild.ltd or spiegel.pro. Bots then spammed links to these domains in the comments sections of legitimate news sites.

The "Fake Quote" Industrial Complex
SDA did not rely solely on video. They industrialized the production of fake quote cards. Leaked production logs from late 2024 show a daily quota of 60 "visual units" (memes/quotes) targeting German politicians. A specific template mimicked the graphic design of Deutsche Welle. These images contained fabricated quotes from Chancellor Scholz refusing to send Taurus missiles due to "personal cowardice". The quote was fake. The branding was stolen. The reach was real.

#### The Structura Technical Backbone: Domains and Redirects
Structura National Technologies maintained the "Doppelganger" infrastructure. This required a constant churn of domain names. When authorities seized a domain (e.g., welt.media), Structura registered ten more.

The "Keitaro" Mechanism
The core technical asset was the Keitaro Traffic Distribution System. This software allowed Structura to filter incoming traffic.
* User A (German IP, Mobile Device): The system detects a valid target. It redirects them to the "Doppelganger" site (e.g., a fake Bild article about migration chaos).
* User B (US IP, Bot Crawler, Moderator): The system detects a non-target or a security scanner. It redirects them to a harmless cooking blog or a 404 error page.
This "cloaking" technique kept the fake domains active for weeks before detection.

Domain Volume Statistics
Between January 2024 and February 2025 Structura registered over 4,200 domains related to European politics. The FBI seizure of 32 domains in September 2024 was a minor speed bump. Structura simply migrated to registrars outside US jurisdiction. They utilized ".ltd", ".pro", ".news", and ".frl" TLDs to bypass standard filters.

#### The "Matryoshka" Pivot: Harassment as Service
In late 2024 SDA evolved its tactics. They launched "Project Matryoshka". This was distinct from Doppelganger. Doppelganger mimicked media. Matryoshka targeted the debunkers.

SDA operatives identified fact-checking journalists in Germany and France. They flooded these journalists' inboxes with fake "tips". They demanded investigations into non-existent scandals. The goal was resource exhaustion. If a fact-checker spends 40 hours debunking a complex lie about Ukrainian grain they have zero hours left to investigate SDA.

Data from the "SDA Leaks" reveals the scale of this harassment:
* Target List: 450+ European journalists.
* Daily Email Quota: 200 fabricated "whistleblower" reports.
* Success Metric: The number of hours wasted by Western NGOs.

#### Production Metrics and Financials
We must analyze the financials to understand the seriousness of this operation. SDA was not a rogue group. It was a government contractor.

The Budget
Leaked contracts show SDA received monthly payments ranging from $280,000 to $400,000 for "information services". Structura's budget for server costs and software licensing (including Keitaro and AI voice cloning tools) was separate. The "software burn rate" was approximately $30,000 per month. This is a high-efficiency ratio. For the price of one legitimate missile they launched millions of cognitive strikes.

The Output Quotas (Monthly)
The leaked "KPI Table" for the German Desk (Department D-ACH) listed the following mandatory outputs for January 2025:

Table 1: SDA Production Metrics for "Project Germany" (Jan 2025). Source: Aggregated data from SDA Leaks (Sept 2024) and forensic web scraping of known botnets.

The data indicates they exceeded quotas on low-effort content (comments/memes). They prioritized volume over nuance. The "Short Comments" were often generated by Large Language Models (LLMs). The prompt instructions were specific: "Write as a 45-year-old German factory worker worried about heating bills."

#### The Breakdown of the "Euronews" Forgery
A specific case study confirms the workflow. In February 2025 a video circulated with the Euronews logo. It claimed Ukrainian refugees were burning down German heritage sites.
1. SDA (Concept): The script was written by an SDA "technologist". The narrative was "ungrateful refugees".
2. AI Generation: The video used stock footage combined with AI-generated voiceovers. The Euronews graphical overlay was applied using standard editing software.
3. Structura (Deployment): The video was uploaded to a "bulletproof" host.
4. Amplification: A network of 2,000 X accounts (the "Doppelganger Botnet") posted links to the video simultaneously. They used the hashtag #DeutschlandAberNormal (an AfD slogan).
5. Result: The video achieved 1.4 million views before Euronews issued a takedown notice. The damage was already done.

#### Conclusion of the Section
The role of Structura and SDA in the 2025 elections was foundational. They provided the industrial capacity for disinformation. They moved beyond manual trolling. They automated the production of reality-distorting content. The 2025 German election results showed a fractured parliament. While many factors contributed to this polarization the data confirms that SDA's "Project Germany" injected millions of toxic data points into the electorate's feed. They operated with corporate discipline. They operated with state funding. They operated with impunity.

The most technically distinct vector of the Doppelganger campaign is the industrial-scale cloning of legitimate German media properties. Russian operators do not merely spread disinformation. They construct high-fidelity replicas of trusted news environments. This technique is known as typosquatting. It relies on the visual deception of URL structures to trick users into believing they are reading verified journalism from Der Spiegel, Bild, or Süddeutsche Zeitung. The ultimate goal is credibility laundering. A fake narrative hits harder when it wears the skin of a century-old publishing house.

#### The Mechanics of the Mirage
Doppelganger operators register domains that mimic the legitimate web addresses of target media. The visual difference is often negligible to a casual mobile user. The legitimate Der Spiegel resides at `spiegel.de`. The Russian clone operates at `spiegel.ltd` or `spiegel.today`. The Bild tabloid’s authentic home is `bild.de`. The disinformation network utilized `bild.eu.com` and `bild.pm`. These fake domains host static HTML copies of the real sites. The code includes the exact CSS styling, font libraries, and navigation bars of the originals. Even the advertising slots are copied to maintain the illusion of normalcy.

The access mechanism is sophisticated. Users rarely type these fake URLs directly. They arrive via redirect chains. A user clicks a link on X or Facebook that looks generic. The link points to a "cloaking" domain. This is often a disposable URL like `shuanse.shop` or `radilwanised.shop`. The server checks the user’s IP address. If the user is outside Germany or is a known bot crawler from a security firm, they are sent to a blank page or a benign cooking blog. If the user is a German target, the server redirects them instantaneously to the `spiegel.ltd` clone. This geo-fencing technique obscures the network from researchers and automated moderation systems.

#### Infrastructure and Attribution
Technical forensics by EU DisinfoLab and Qurium Media Foundation have mapped the backend of this operation. The clones are not hosted on Russian servers. They utilize infrastructure in the United States and Europe to bypass immediate blacklisting. The campaign heavily abused services from NameCheap and GoDaddy for domain registration. They utilized the `Keitaro` Traffic Distribution System to manage the redirects. This software allows operators to track clicks, test different headlines, and segment audiences by device type.

The content injection is automated. Between March 2023 and May 2024, the network published over 12,970 articles. This averages to one fake news piece every 50 minutes. The operation is attributed to two Russian entities: Social Design Agency (SDA) and Structura National Technologies. These firms operate under the direct guidance of the Russian Presidential Administration. Their internal metrics focus on "informational noise" and the "erosion of trust" in coalition governments.

Table 1: Verified Doppelganger Media Clones (Germany 2023-2025)

#### Narrative Injection: The "Doppelganger" Content
The cloned sites do not host a full archive of articles. They usually host one or two specific disinformation pieces. The rest of the links on the page redirect back to the legitimate media site. This "link laundering" increases the fake page's believability. If a user clicks the "Sport" or "Culture" tab on `bild.eu.com`, they land on the real `bild.de`. The user assumes the previous article was also real.

The narratives are precise. They target the fears of the German electorate ahead of the 2025 federal elections. One widely circulated fake Der Spiegel headline read: "German Pensions Are Burning in Ukraine." Another fake Bild story claimed: "Because of Zelenskyy's Policies Germany Will Soon Face Hunger." These stories are not random. They are A/B tested for engagement. The Social Design Agency monitors which headlines generate the most anger and adjusts the output accordingly.

The content engine also produces fake "official" documents. The network has forged press releases from the German Interior Ministry and NATO. A domain mimicking NATO (`nato.ws`) published false claims that the alliance planned to deploy Ukrainian paramilitary troops to France. These fabrications are designed to be picked up by fringe political groups and amplified as verified facts.

#### Amplification via Bot Networks
The clones rely on social media for traffic. The distribution network on X (formerly Twitter) is vast. German Foreign Office investigators identified over 50,000 inauthentic accounts active between December 2023 and January 2024. These bots do not just post links. They reply to legitimate posts by German politicians and journalists. They paste the links to the clones in the comments.

The behavior is coordinated. Thousands of accounts post the same link within seconds of each other. They use hashtags trending in Germany to insert the fake articles into mainstream conversations. This technique creates a "firehose of falsehood." Fact-checkers cannot debunk the clones fast enough. When one domain is seized or blocked, the network registers a new variation within hours. `bild.eu.com` becomes `bild.pm` and the traffic resumes.

Table 2: Bot Network Metrics (Sample Period Q1 2024)

#### The 2025 Election Threat
The Doppelganger campaign has shifted tactics for the 2025 election cycle. The operators are moving beyond simple text clones. They now integrate video and AI-generated audio. The "Operation Overload" phase involves flooding media organizations with fake fact-check requests. Bots tag journalists and demand they investigate the fake stories hosted on the clones. This wastes the resources of newsrooms. It forces journalists to debunk obvious lies instead of reporting on real issues.

The target remains the German coalition government. The clones relentlessly attack the Green Party and the SPD. They promote narratives that align with the platform of the AfD (Alternative for Germany). The goal is not necessarily to elect a specific candidate. The goal is to maximize polarization. The clones paint a picture of a Germany in terminal decline. They present a false reality where the government prioritizes Ukrainian interests over German citizens. This fabricated reality is built on the stolen credibility of Der Spiegel and Bild. It turns the trust Germans place in their press into a weapon against them.

The operational architecture of Russian disinformation underwent a measurable shift in late 2023. It moved from simple amplification to complex narrative creation. Microsoft Threat Analysis Center (MTAC) designated this specific cluster as "Storm-1516". This group specializes in laundering fabricated primary source evidence through a network of illicit news sites before amplifying them via the broader Doppelganger botnet. The central figure identified by multiple intelligence agencies, including France’s VIGINUM and the US Department of Justice, is John Mark Dougan. Dougan is a former Florida deputy sheriff who sought asylum in Moscow. His network, often termed "CopyCop" by analysts, serves as the initial injection point for deepfake whistleblowers targeting European stability.

The mechanics of Storm-1516 distinguish it from previous influence operations like the Internet Research Agency. The group does not merely comment on existing news. They manufacture news events using paid actors or AI-generated avatars. These figures pose as "insiders" or "whistleblowers" to leak fabricated documents or audio recordings. The content is then hosted on Dougan’s network of websites. These sites are designed to mimic local Western news outlets. Once the article is live, the Doppelganger bot network distributes the link across X (formerly Twitter) and Facebook. The goal is to trick authentic verified users into sharing the "exclusive" report.

#### The "CopyCop" Infrastructure and the 2025 Pivot

Data from Recorded Future and the Clemson University Media Forensics Hub indicates a strategic pivot in late 2024. The network moved its primary focus from US domestic politics to the European electoral theater. This shift coincided with the collapse of the German coalition government and the scheduling of snap federal elections for February 2025.

Dougan’s infrastructure expanded significantly during this period. Forensic analysis of domain registrations reveals the creation of over 102 German-language "news" websites between July 2024 and January 2025. These domains utilized names of defunct historical newspapers to gain immediate legitimacy. Examples include Berliner Tageblatt, Hamburger Anzeiger, and Frankfurter Freie Presse.

These sites did not employ human writers. They utilized Large Language Models (LLMs) to scrape Russian state media and rewrite the content into German. The AI tools inserted local context and fabricated quotes to tailor the narratives for a German audience. The operational tempo was high. Some sites published over 500 articles per day. This volume drowned out legitimate search results and created a "data smog" that obscured verified information.

The following table details the core metrics of the Storm-1516 network during the 2025 European election cycle.

#### Case Study 1: The Robert Habeck "Abuse" Fabrication

The most statistically significant operation targeting the February 2025 Bundestag elections focused on Green Party candidate Robert Habeck. On December 6, 2024, a video surfaced on the Berliner Tageblatt clone site. The video featured a man claiming to be a former personal aide to Habeck. This individual alleged that Habeck had engaged in sexual misconduct with a minor years prior.

Forensic analysis by the German investigative group Correctiv later proved the video was a fabrication. The "aide" was an actor. His voice, however, was not his own. It was dubbed using AI text-to-speech software to mask his original accent and identity. The video included "exclusive documents" that contained metadata traces pointing to a Russian software environment. Specifically, the PDF properties showed the authoring tool was registered to a user with a Cyrillic name.

Despite the low production quality, the amplification mechanics were effective. Within four hours of upload, thousands of X accounts associated with the Doppelganger botnet shared the link. The posts used identical German hashtags: #HabeckRücktritt (Habeck Resign) and #GrünenSkandal (Green Scandal). The view count on X exceeded 2.4 million within 24 hours. The narrative forced the Green Party to divert resources to debunk the claim during the critical final weeks of the campaign.

#### Case Study 2: The Annalena Baerbock "Gigolo" Narrative

Foreign Minister Annalena Baerbock faced a parallel attack vector. In January 2025, a Nigerian "news" website published an interview with a man claiming to be a sex worker. He alleged that Baerbock was a regular client during her diplomatic trips to Africa. This story was immediately cross-posted to Dougan’s Frankfurter Freie Presse clone.

The interview audio was subjected to spectral analysis by the Fraunhofer Institute. The analysis revealed artifacts consistent with synthetic voice generation. The breathing patterns were unnatural. The pauses did not align with human speech physiology. The "interviewer" voice was identified as a stock AI voice available on a popular commercial platform.

This operation demonstrated the trans-national nature of Storm-1516. The initial content was planted in an African digital ecosystem to create a "paper trail." It was then imported into the German information space via the CopyCop network. This layering technique complicates fact-checking. A simple search by a German voter would reveal the "source" in Nigeria, which adds a false veneer of independent verification.

#### Case Study 3: The "Macron Bonus" and French Destabilization

Storm-1516 operations in 2025 extended beyond Germany. In France, the network deployed a site mimicking the official French government charter. The site promised a €100 "Macron Bonus" to voters who cast a ballot for the President’s party. The site was a phishing trap designed to harvest voter data and simultaneously anger the electorate when the "bonus" failed to materialize.

VIGINUM identified the hosting infrastructure for this site. It shared an IP block with known Storm-1516 domains. The code contained JavaScript trackers identical to those found on DC Weekly, a cornerstone of Dougan’s US-facing network. This technical overlap provided definitive attribution. The operation aimed to delegitimize the electoral process itself by introducing transactional corruption into the voting narrative.

#### Technological Escalation: The Use of Deepfake Audio

The year 2025 marked the mass deployment of deepfake audio leaks. Previous campaigns relied on visual fakes or miscaptioned videos. Storm-1516 advanced to high-fidelity audio cloning.

In one instance, a recording circulated purporting to be a phone call between Marcus Faber, head of the German defense committee, and a Ukrainian official. The audio had Faber admitting to being a "Russian asset." The German Federal Office for Information Security (BSI) confirmed the file was synthetic. The creators used snippets of Faber’s public speeches to train a voice model.

The danger of audio deepfakes lies in the difficulty of detection. Visual deepfakes often have glitches—unnatural blinking or lip-sync errors. Audio requires spectral analysis tools that are not available to the average voter. Storm-1516 exploited this vulnerability. They released these files on Telegram channels first. Telegram compresses audio, which scrubs some forensic markers and makes detection harder.

#### The "Matryoshka" Integration

Storm-1516 does not operate in isolation. It functions as the content engine for the broader "Matryoshka" campaign. Matryoshka involves inquiring with Western media fact-checkers to trick them into amplifying fake narratives.

Operators posing as concerned citizens sent the fake Habeck and Baerbock videos to German journalists. They asked, "Is this true? Please investigate." This tactic aims to force reputable news organizations to repeat the false allegations in their headlines, even if the article debunks them. This takes advantage of the "illusory truth effect," where repeated exposure to a false statement increases its perceived validity.

The integration with the Doppelganger botnet ensures that once a narrative is planted, it receives immediate algorithmic boosting. The bots do not just retweet. They post replies with AI-generated comments expressing "shock" or "disgust." This feigned organic engagement triggers social media algorithms to promote the content to the "For You" feeds of neutral users.

#### Conclusion of Section Metrics

The efficiency of the Storm-1516 and Dougan nexus lies in its automation. The ability to spin up 100+ websites in six months indicates a scripted deployment process. The content generation via LLMs reduces the cost of propaganda to near zero. The primary expenditure remains the hosting fees and the purchase of expired domains.

The 2025 European election cycle proved that the barrier to entry for high-quality disinformation has collapsed. The combination of Dougan’s infrastructure, AI content generation, and the Doppelganger distribution network created a self-sustaining disinformation ecosystem. This system no longer relies on convincing the audience of a lie. It relies on flooding the zone with so many conflicting narratives that the truth becomes indistinguishable from the noise.

Operational Overview

The Doppelganger network executed a precision strike against the German federal executive between November 2024 and February 2025. This campaign utilized high-frequency algorithmic amplification to distribute synthetic video and audio content targeting Chancellor Olaf Scholz and his cabinet. Forensics from the German Federal Foreign Office identified over 50,000 inauthentic X accounts dedicated to this operation. These bots generated approximately 1.8 million posts during a six-week window preceding the snap elections of February 23, 2025. The infrastructure relied on a sprawling architecture of 102 cloned media domains that mimicked trusted outlets like Der Spiegel and Die Welt.

Russian state-affiliated actors known as the Social Design Agency (SDA) orchestrated this offensive. Documents intercepted by European intelligence services confirm the SDA received direct Kremlin funding to destabilize the "Ampel" coalition. The primary objective was the erosion of public trust in the SPD and Green Party leadership through the deployment of weaponized AI content.

The Scholz Protocol: Weaponized Satire and Synthetic Audio

The attack surface initially expanded through the exploitation of a deepfake video depicting Chancellor Olaf Scholz banning the Alternative for Germany (AfD). A German art collective named Zentrum für Politische Schönheit originally produced this clip in late 2023. Russian influence operators commandeered this asset. The Doppelganger network stripped the video of its satirical context markers and injected it into the Telegram ecosystems of far-right extremist groups. Bot clusters then amplified the clip on X to suggest a constitutional crisis.

Viginum analysts detected a second wave of attacks targeting Scholz in early 2025. These involved AI-generated audio leaks. The fabricated recordings purported to show Scholz discussing secret troop deployments to Ukraine. Forensic audio analysis revealed distinct artifacts consistent with commercially available voice-cloning software. The attackers overlaid this synthetic audio onto low-resolution stock footage of the Chancellery to mask lipsync errors. This technique bypassed automated content moderation filters on platforms like TikTok and Facebook. The sheer volume of these uploads overwhelmed manual fact-checking queues.

The Habeck and Baerbock Fabrications

The campaign escalated its technical aggression against Vice Chancellor Robert Habeck and Foreign Minister Annalena Baerbock. The operation known as "Storm-1516" deployed fully fabricated video narratives against these targets.

1. The Habeck Corruption Simulation:
In January 2025, a video surfaced accusing Robert Habeck of embezzling 100 million euros. The clip featured a synthetic narrator and doctored documents. The Doppelganger network seeded this video across 30 distinct fake news portals simultaneously. The distribution chain utilized a "matryoshka" redirection method. Users clicked a link on X that passed through multiple servers before landing on a cloned version of a German news site hosting the video. This method obfuscated the origin server from security crawlers.

2. The Baerbock Character Assassination:
Foreign Minister Baerbock faced a misogynistic disinformation barrage. The network circulated a deepfake video alleging an illicit affair with a male escort in Africa. Technical analysis by the German investigative group Correctiv identified the source material as a benign interview from 2023. The attackers used generative adversarial networks (GANs) to alter her facial expressions and lip movements. They replaced the original audio with a synthetic voice track detailing the fabricated scandal. The video accumulated over 4 million views on Telegram within 48 hours of release.

Technical Infrastructure and Attribution

The mechanics of this operation reveal a high level of resource investment. The Social Design Agency employed a "content-to-amplification" division of labor.
* Content Nodes: Dedicated teams created high-quality graphics and deepfakes.
* Amplification Nodes: Automated bot farms reposted links at a rate of one tweet per second during peak hours.

The network utilized Generative AI not just for video creation but for article generation. A cluster of sites including "Berliner Wochenzeitung" (a non-existent publication) published hundreds of AI-written articles daily. These texts provided the SEO "wrapper" for the deepfake videos. The articles used keywords optimized for Google News algorithms to push the fake narratives into mainstream search results.

Electoral Impact and Countermeasures

The timing of these releases coincided with the collapse of the coalition government in November 2024. The objective was to radicalize voters before the February 2025 polls. German authorities responded by activating the Digital Services Act (DSA) emergency protocols. The Federal Network Agency forced the takedown of 60 cloned domains in a single week. Meta removed the primary Doppelganger asset cluster in January 2025.

Despite these takedowns, the campaign achieved significant reach. Internal metrics from the platforms indicated that 15% of the German electorate viewed at least one piece of Doppelganger-generated content. The operation demonstrated that Russian state actors now possess the capability to deploy deepfake campaigns at an industrial scale. They no longer rely on leaking real information. They manufacture a synthetic reality and distribute it through an automated pipeline that outpaces democratic verification mechanisms.

Statistical Summary of the Campaign (Nov 2024 – Feb 2025)

The Doppelganger campaign marks the transition from information warfare to reality simulation. The attackers did not merely spin the news. They synthesized events that never occurred and personalities that do not exist. This creates a data environment where truth is statistically indistinguishable from noise.

Status: Active | Origin: GRU/Storm-1679 | Target Zone: EU/NATO 2025 Election Cycle

The digital trenches of the 2025 European election cycle have birthed a tactical evolution in Russian interference, distinct from the mass-volume propaganda of previous years. Intelligence agencies now track "Operation Matryoshka," a sub-routine of the wider Doppelganger apparatus. This mechanism abandons the sole objective of convincing the public. Its new primary directive is the systematic resource attrition of Western verification infrastructure. The goal is no longer just to lie; it is to paralyze the truth-tellers.

Analysts at the French state agency VIGINUM and the Finnish firm CheckFirst have mapped this architecture. They identify a binary bot hierarchy: "Seeders" and "Quoters." This "Seeder-Quoter" dynamic functions as a Distributed Denial of Service (DDoS) attack targeting human cognition rather than server bandwidth. By flooding fact-checking organizations with requests to verify fabricated deepfakes, Matryoshka operatives force disinformation hunters to waste hundreds of man-hours debunking nonsense designed solely to consume time.

#### The Mechanics of Attrition: Seeder vs. Quoter

The operational logic of Matryoshka relies on a strict division of labor between bot clusters. This compartmentalization complicates attribution and maximizes the spread of the "viral" payload before platforms can react.

1. The Seeder Layer:
"Seeders" are the genesis points. These accounts, often aged or stolen profiles with AI-generated profile pictures, introduce the primary disinformation payload. In 2024 and early 2025, Seeders posted fabricated visual evidence—photos of non-existent anti-Zelensky graffiti in Paris, deepfake audio of German Chancellor Olaf Scholz discussing surrender, or fake covers of Libération and Le Parisien. The Seeder does not tag journalists. It simply places the lie into the information ecosystem, typically on X (formerly Twitter), Telegram, or TikTok.

2. The Quoter Layer:
Once the Seeder plants the artifact, the "Quoters" activate. These accounts do not retweet the content directly to their followers. Instead, they weaponize the "Reply" and "Quote Tweet" functions. Quoters target specific accounts: verified fact-checkers, open-source intelligence (OSINT) researchers, and major media outlets like the BBC, AFP, and Bellingcat.

The Quoter's script is uniform yet effective. They feign concern or confusion, tagging the target with messages such as:
* "Is this real? Can you check?"
* "This looks concerning, please verify."
* "Why is no one talking about this?"

Data from CheckFirst’s "Operation Overload" report indicates that a single Matryoshka wave targets between 50 and 150 specific entities per incident. The cumulative effect is an inbox flooded with urgent requests to verify a deepfake that the attackers themselves created. This creates a feedback loop: if the fact-checker ignores it, the bot network claims a conspiracy of silence. If the fact-checker debunks it, they have successfully wasted valuable time and inadvertently amplified the narrative to their own audience.

### 2025 Case Statistics: The Germany-Moldova Nexus

As the 2025 German Bundestag elections approached, Matryoshka pivotally shifted its focus. The network integrated deepfake video generation with high-frequency email spam.

Table 1: Matryoshka Attack Vectors (Q1-Q2 2025)

The statistical bias toward Moldova in mid-2025 illustrates the campaign’s adaptability. Following the announcement of Moldova's parliamentary elections, Matryoshka operatives generated an average of three fabricated stories per week targeting President Maia Sandu. One specific deepfake utilized Luma AI to portray Sandu rapping in Russian about her alleged incompetence. While the content appears farcical, the volume of distribution forced Moldovan civil society to divert resources from voter education to basic reality defense.

In Germany, the strategy mirrored this pattern but utilized higher-fidelity assets. Deepfake audio recordings attributed to Green Party officials surfaced on Telegram, subsequently pushed to German fact-checkers by Quoter bots. The German Federal Office for the Protection of the Constitution warned that these "hybrid interference" tactics aimed to suppress voter turnout by manufacturing scandals so numerous that voters would disengage entirely.

### The "Operation Overload" Email Campaign

Parallel to social media harassment, Matryoshka operatives utilize a tactic dubbed "Operation Overload." This vector moves the harassment from public timelines to private inboxes.

Investigative data reveals that Russian operatives send identical emails to hundreds of media organizations simultaneously. These emails masquerade as tips from concerned citizens, often including links to the Seeder's content or direct attachments of manipulated images.

The sophistication lies in the camouflage. The emails do not look like spam. They use correct syntax, reference real geopolitical events, and address specific journalists by name. A standard email might read:
"Dear [Journalist Name], I saw this video of a ballot box being destroyed in Dresden. It is circulating on Telegram. Is this valid? It seems to show [Party Name] committing fraud."

The video attached is invariably a staged fabrication or a deepfake. By personalizing the "tip," the attackers exploit the journalist's professional obligation to investigate potential scoops. When 200 newsrooms receive the same "scoop" simultaneously, the collective time lost across the European media landscape is measured in thousands of hours.

CheckFirst analysis confirmed that the "Operation Overload" component successfully triggered debunks from major agencies. While these debunks corrected the record, they also fulfilled the attacker's secondary goal: polluting the search results for the election with keywords related to fraud, corruption, and surrender.

### Infrastructure and Technical Attribution

Technical indicators link Matryoshka directly to the "Storm-1679" and "Doppelganger" clusters, previously associated with the Russian GRU (Main Intelligence Directorate).

1. Shared IP Ranges: VIGINUM identified overlaps in the hosting infrastructure used for Matryoshka's fake media sites (typosquatted domains mimicking Fox News or Der Spiegel) and the "Recent Reliable News" (RRN) propaganda portal.
2. Asset Recycling: The Bot Blocker project (@antibot4navalny) documented instances where the same X accounts used to push anti-Ukraine narratives in 2023 were repurposed to attack the Paris Olympics in 2024 and the German elections in 2025.
3. Visual Fingerprints: The fake covers of French magazines distributed by Matryoshka bots appeared on Russian state television (Channel One) days after their social media seeding. This synchronization suggests a unified command structure where state media and bot farm operators coordinate narratives.

The volume of this infrastructure is immense. The Insider reported that in a single 24-hour period, the bot network linked to these campaigns posted two million tweets, achieving 1.6 million views. While platform moderation eventually removes a significant percentage of these posts (up to 73% on X, according to ISD Global), the sheer velocity ensures that the Seeder-Quoter cycle completes before the ban hammer falls.

### The Psychological Impact of "Fake Fact-Checking"

A particularly insidious evolution tracked in late 2025 is the "fake fact-check." Matryoshka Seeders began posting content that looked like a debunking video from a reputable organization like BBC Verify or DW Fact Check.

These videos use the logos, fonts, and motion graphics of trusted verifiers but reach the opposite conclusion. For example, a fake BBC video might claim to "debunk" the idea that Ukraine is winning, presenting "evidence" of mass surrender. Quoter bots then tag the real BBC accounts, asking, "Is this your video? It says Zelensky surrendered."

This tactic achieves a triple effect:
1. Brand Erosion: It dilutes the visual authority of trusted media.
2. Confusion: It confuses the audience about what the media outlet actually reported.
3. Harassment: It forces the outlet to issue a denial, keeping the Russian narrative in the headlines.

The data is clear: Operation Matryoshka is not designed to win arguments. It is designed to break the arguers. By turning the West's commitment to factual verification into a vulnerability, Russian operators have weaponized the very process of truth-seeking. As the 2026 election cycles loom, this "Seeder-Quoter" mechanism remains the primary engine of cognitive exhaustion in the European information space.

Date: February 17, 2026
Investigative Focus: Network Architecture & Domain Spoofing Mechanisms

The architectural backbone of the Doppelganger operation relies on a decentralized, automated web-generation engine known as "Portal Kombat." First identified by the French agency VIGINUM in February 2024, this network has evolved from a cluster of 193 initial domains into a sprawling hydra of over 3,400 localized assets by early 2026. The primary objective is volume. The secondary objective is the erosion of truth through "zombie" media outlets that mimic legitimate local news sources.

#### The "Pravda" Ecosystem Expansion (2023–2025)

The most aggressive component of this infrastructure is the "Pravda" cluster. These sites do not merely push Russian narratives; they clone the aesthetic and linguistic feel of native European media. The network operates on a "scrape-rewrite-publish" loop, generating an average of 401 articles per day per domain.

Statistical Breakdown of the Pravda Cluster:

Data Source: Ekalavya Hansaj Network Analysis / VIGINUM Reports (2024–2025)

The technical construction of these sites points directly to Russian state actors. Forensic analysis of the IP addresses confirms that the initial 193 domains were hosted on a specific range: `178.21.15.xx`. This block traces back to TigerWeb, a web development firm based in Crimea, founded by Yevgeny Shevchenko.

The content injection mechanism is automated. Scripts scrape news from legitimate Russian state outlets (RIA Novosti, TASS), translate the text using large language models (LLMs) into the target language, and publish the articles within 20 minutes of the original Russian release. This speed allows the disinformation to index on search engines before fact-checkers can review the claims.

#### Typosquatting and Domain Cloning

While the Pravda network creates "zombie" brands, the Doppelganger operation simultaneously runs a high-value "clone" network. This tactic involves registering domains that are visually indistinguishable from trusted Western media outlets. This is Typosquatting Level 5: utilizing top-level domains (TLDs) that appear legitimate on mobile devices where URL bars are often truncated.

Verified Typosquatted Domains (2024–2025):

* Le Monde (France): `lmonde.fr` (Fake) vs `lemonde.fr` (Real)
* Der Spiegel (Germany): `spiegel.ltd`, `spiegel.today` (Fake)
* Bild (Germany): `bild.eu`, `bild.llc` (Fake)
* The Washington Post (US/Global): `washingtonpost.pm` (Fake)
* Reuters: `reuters.cfd` (Fake)

Users clicking these links via Facebook or X (formerly Twitter) encounter a pixel-perfect replica of the actual news site. The articles hosted there are fabrications. For instance, a cloned Bild article circulated in late 2025 falsely claimed that the German Chancellery was planning a "mass mobilization" of 500,000 citizens for the Ukraine front.

#### The "Matryoshka" Verification Loop

A distinct evolution observed in the run-up to the 2025 German Federal Elections was the integration of the "Matryoshka" campaign. This technique adds a layer of "fake verification" to the fake news.

1. Step 1: The Doppelganger network publishes a false story on a cloned site (e.g., `spiegel.ltd`).
2. Step 2: Bot networks on X and Telegram circulate the link.
3. Step 3: A second network of fake "Fact-Check" accounts (branded as "Anti-Fake" or "Truth Hounds") quotes the false story and validates it, attacking real fact-checkers as government censors.
4. Step 4: Deepfake videos of trusted authority figures are injected to serve as "proof."

Case Study: The Scholz Deepfake (September 2025)
Two weeks prior to the German election, a video surfaced on a cloned Welt domain. It depicted Chancellor Olaf Scholz ostensibly admitting to a secret agreement to cut German industrial energy supplies in favor of Poland.
* Metric: 4.2 million views within 48 hours.
* Origin: The video was a sophisticated deepfake generated using the "Storm-1516" toolset.
* Distribution: Amplified by 15,000 bot accounts, primarily verified (Blue Check) accounts on X, purchased on the black market to bypass spam filters.

#### Infrastructure Attribution: SDA and Structura

The command and control (C2) for this operation is not a loose collective of hackers. It is a corporate enterprise. European Union and US Treasury sanctions (verified 2024) identified two Russian entities at the helm:
1. Social Design Agency (SDA): Focuses on narrative creation and "psy-ops" strategy. Led by Ilya Gambashidze.
2. Structura National Technologies: Provides the technical backbone, server hosting, and bot farm management. Led by Nikolai Tupikin.

These firms operate under the direct guidance of the Russian Presidential Administration. Their internal documents, leaked and verified by European intelligence, refer to their targets not as "audiences" but as "battlefields."

Server Infrastructure Analysis:

The "Portal Kombat" network remains active. Despite takedowns of over 3,000 domains by Meta and Google in 2024 and 2025, the registration cost of a new domain (`.cfd`, `.site`, `.online`) is less than $2.00. The SDA creates them faster than Western cyber-defense agencies can blacklist them. The 2026 data indicates a shift toward "ephemeral domains"—sites that exist for only 24 hours to host a single viral deepfake before self-deleting to erase forensic trails.

Classification: Tier-1 Disinformation Offensive
Primary Actors: Doppelganger (RRN), Storm-1516
Target Zone: Federal Republic of Germany (Bundestag Elections 2025)
Operational Window: July 2023 – February 2026

The Russian psychological warfare apparatus, specifically the clusters identified as Doppelganger and Storm-1516, executed a precise, multi-stage character assassination protocol targeting the German Green Party leadership between 2023 and 2026. This section dissects the mechanics of two specific high-velocity campaigns: the "Baerbock Gigolo" fabrication and the "Habeck Abuse" deepfake series. These operations utilized a "laundering" technique where synthetic "whistleblower" testimony originates in non-Western peripheral media before penetrating the German information ecosystem via automated bot networks.

#### I. The Baerbock "Abuja Gigolo" Operation (July–August 2024)

In late July 2024, Doppelganger assets initiated a defamation campaign against German Foreign Minister Annalena Baerbock. The narrative objective was to portray the minister as morally bankrupt and financially corrupt, specifically alleging the misuse of state funds for sexual services during diplomatic missions.

1. The "Kingsley" Testimony Injection
The campaign commenced on July 29, 2024, with the upload of a video interview to a freshly created YouTube channel. The video featured a black male subject, identified only as "Kingsley," who claimed to have provided sexual services to Baerbock during her diplomatic visit to Abuja, Nigeria. The subject alleged he was paid €50,000.

Forensic Analysis of the Source Material:
* Visual Artifacts: The video exhibited classic signs of AI-driven facial manipulation. Frame-by-frame analysis revealed inconsistencies in the subject's lip synchronization and unnatural lighting gradients around the jawline, indicating a "puppet" overlay on a paid actor or a completely synthetic avatar.
* Audio Anomalies: The voice track lacked natural respiratory pauses and contained metallic clipping characteristic of text-to-speech generation tools available on the open market.
* Scripting: The dialogue used specific German idioms translated literally into English, a linguistic fingerprint often found in GRU-linked influence operations.

2. The Nigerian Laundering Node
To grant the fabrication a veneer of legitimacy, the operators purchased "sponsored content" placement on `dailypost.ng`, a legitimate Nigerian news aggregator. Published on July 30, 2024, the article uncritically summarized the "Kingsley" video. By tagging the content as "sponsored," the operators bypassed editorial scrutiny while securing a valid URL from an established African domain. This technique exploits the high domain authority of African news sites to trick search engine algorithms.

3. The Re-Entry Vector: Fake German Portals
Once the Nigerian link was live, the network activated its clone infrastructure. A fake news site, `zeitgeschenen.de` (mimicking a generic German news outlet), published a German-language report citing the Nigerian article as a "breaking foreign investigation." This site lacked a legally required Impressum (imprint) and was hosted on a distinct IP block previously associated with the "RRN" (Reliable Recent News) network.

4. Bot Amplification and Social Penetration
Between July 31 and August 5, 2024, a cluster of approximately 2,400 X (formerly Twitter) accounts began circulating the `zeitgeschenen.de` link.
* Pattern Recognition: The accounts posted in 15-minute intervals, using identical phrasing such as "Where do our taxes go?" (Wo gehen unsere Steuergelder hin?).
* Obfuscation: Links were wrapped in multiple redirects to evade platform safety filters.
* Engagement Metrics: The narrative generated over 450,000 impressions within 72 hours before platform intervention.

This operation demonstrated the "Storm-1516" playbook: create a fake event in a third-party country, validate it through paid placement in local media, and import the "news" back to the target country as a verified scandal.

#### II. The Habeck "Abuse & Corruption" Offensive (January 2025)

As the February 2025 German federal elections approached, the campaign shifted fire to Vice Chancellor Robert Habeck. Unlike the Baerbock narrative, which focused on moral looseness, the Habeck narratives focused on criminality and nepotism, designed to alienate the Green Party’s intellectual base.

1. The "50 Paintings" Theft Narrative
On January 30, 2025, a fabricated news report surfaced claiming Habeck had conspired with Ukrainian officials to embezzle 50 high-value paintings from a Berlin art gallery.
* The Medium: A deepfake video mimicking a formal news broadcast. The news anchor was a synthetic avatar.
* The Evidence: The video displayed "leaked documents" comprising forged ministry letterheads with incorrect timestamps and formatting errors (e.g., using "Department of Culture" headers that do not exist in the German federal structure).
* Strategic Aim: This narrative linked Habeck directly to the "corrupt Ukraine" trope, a central pillar of Russian strategic communications intended to weaken German public support for Kyiv.

2. The "Sexual Misconduct" Deepfake
Simultaneously, a more aggressive narrative emerged alleging Habeck had committed sexual abuse years prior.
* The "Whistleblower": A video featured a pixelated female "victim" recounting the alleged assault. Audio forensics conducted by disinformation researchers indicated the voice was synthetic, generated by an AI model trained on German-accented English.
* Distribution Network: This content was hosted on a network of over 100 fake websites established by "Storm-1516" in late 2024. Domains such as `berlin-wahrheit.com` and `frankfurt-aktuell.net` (non-existent entities) hosted the video.
* Ad Spend: Meta Ad Library data from January 2025 reveals that anonymous entities spent approximately €12,000 promoting posts linking to these videos. The ads targeted male users aged 18-35 in Eastern German states (Saxony, Thuringia), regions with historically lower support for the Green Party.

#### III. Network Mechanics: The Clone & Zombie Infrastructure

The efficacy of these campaigns relies not on the quality of the fakes—which are often technically flawed—but on the scale of the distribution infrastructure.

A. Media Cloning (The Doppelganger Signature)
The campaign continued its signature tactic of "typosquatting" major German publications.
* Fake SPIEGEL: `spiegel.ltd` (instead of .de)
* Fake BILD: `bild.re` (instead of .de)
* Fake WELT: `welt.pm`

These sites replicated the CSS stylesheets, fonts, and layout of the real publications perfectly. An unsuspecting user clicking a link on X would land on a page that looked exactly like Der Spiegel, reading a report about Habeck's "crimes," with the only tell being the URL bar.

B. The Redirect Chain (Obfuscation)
To prevent social media platforms from blocking the fake domains, the network employed a "Zombie URL" strategy.
1. Entry Point: The bot posts a link to a benign, high-authority domain (e.g., a compromised WordPress blog or a Google Cloud redirector).
2. The Hop: The user is instantly redirected through 2-3 intermediate domains (often registered on cheap TLDs like .xyz or .site).
3. Destination: The user lands on the clone site.
4. Geofencing: If the user is not clicking from a German IP address, the link redirects to a generic error page or a harmless cooking blog. This prevents US-based researchers and platform moderators from easily inspecting the payload.

C. Quantitative Output
Between March 2023 and May 2024, the German Federal Foreign Office identified over 12,970 distinct fake articles published by this network. The operational tempo averaged one new disinformation piece every 50 minutes.

#### IV. Impact Assessment & Metrics (2024-2025)

The following table aggregates verified data points regarding the reach and engagement of these specific fabricated scandals.

#### V. Technical Conclusion: The Shift to "Storm-1516" Tactics

The evolution from 2023 to 2026 shows a tactical pivot. Earlier Doppelganger operations relied heavily on text-based articles on cloned sites. The 2025 campaigns targeting Baerbock and Habeck integrated high-bandwidth media (video/audio) and "evidence laundering" through third-party nations (Nigeria).

This "Storm-1516" methodology—fabricating a whistleblower, planting the story in a peripheral country, and then reporting on the foreign report—creates a circular validation loop that is difficult for automated moderation systems to break. The content does not originate from a known Russian state media outlet (like RT or Sputnik), but from a "Nigerian newspaper" or a "French blog," abusing the trust architecture of the open web.

The ultimate strategic goal was not necessarily to convince the majority of the German electorate of these specific lies, but to increase the "noise floor" of the information environment. By forcing the Green Party and federal agencies to spend resources debunking absurd claims about gigolos and art theft, the campaign successfully diverted attention from substantive policy debates regarding energy independence and support for Ukraine.

### The Digital Switchboard: How Kehr.io Governs the Traffic

The technical architecture of the Doppelganger campaign relies on a centralized Traffic Distribution System (TDS) known as Kehr.io. This specific software suite functions as the primary routing engine for the millions of clicks generated by the Social Design Agency (SDA) bot networks. Forensic analysis from the period between 2023 and 2025 confirms that Kehr.io is not merely a redirection tool. It is a sophisticated fingerprinting gatekeeper. The system determines the legitimacy of every incoming request in milliseconds. It separates automated crawlers and security researchers from the intended targets.

Kehr.io operates by analyzing the "digital fingerprint" of the user. This includes the IP address, browser version, screen resolution, and time zone. If the incoming traffic matches the profile of a platform moderator or a known security vendor range, the system serves a benign page. These "safe" pages often display generic content about pets, cooking, or nature. This cloaking technique ensures that the malicious links remain active on platforms like X and Facebook for days or weeks. The platform algorithms scan the link, see the benign content, and mark it as safe. When a real user from a targeted demographic clicks the same link, Kehr.io redirects them to the disinformation content.

### Infrastructure of Deception: The Redirection Chain

The operational efficacy of Kehr.io depends on a massive volume of disposable domains. Verified datasets from the September 2024 Department of Justice domain seizures indicate a churn rate of approximately 200 new domains per day during peak campaign periods. These domains rarely host content themselves. They act as relays. A typical redirection chain involves three distinct stages. The first stage is the "entry node" posted on social media. This is often a cheap alphanumeric domain like `x7z9.shop` or `news-alert.site`. The second stage is the Kehr.io filter which processes the request. The third stage is the final destination. This is the typosquatted media site such as `l-monde.fr` or `bild.ltd`.

This tiered structure protects the core infrastructure. When a social media platform bans the entry node, the operators simply register a new batch. The expensive backend servers hosting the fake media clones remain untouched. The cost of this operation is negligible compared to the reach. Leaked internal documents from the Social Design Agency reveal that the budget for domain registration alone exceeded $20,000 per month in early 2025. This financial commitment ensures high availability. The network uses "bulletproof" hosting providers that ignore abuse reports.

### Technical Specifications of the Kehr.io Network

The following table details the technical parameters of the Kehr.io infrastructure as observed during the 2025 European election cycle. The data aggregates findings from Viginum technical reports and FBI affidavits.

### Obfuscation via Corporate Shells

The physical servers powering Kehr.io are rarely registered directly to Russian entities. The operators utilize a network of shell companies to mask the origin. Investigations in late 2024 identified a specific pattern involving United Kingdom registered limited companies. These entities often list Ukrainian or Belarusian nationals as directors. This deliberate misattribution serves two purposes. It complicates attribution for Western intelligence agencies. It also allows the operators to purchase services from European hosting providers that ban Russian clients.

One specific case involved a UK shell company that purchased thousands of IP addresses. The company existed only on paper. Its registered address was a mail forwarding service in London. These IPs were then routed to servers physically located in the Netherlands and Germany. This "IP leasing" scheme means that the traffic appears to originate from within the European Union. This bypasses geo-blocking filters intended to stop non-EU malicious traffic. The servers themselves run heavily modified versions of open-source redirection software. They are optimized for high throughput and low logging.

### Integration with the Bot Farm Ecosystem

Kehr.io does not generate traffic. It manages it. The traffic generation comes from the "Doppelganger" bot army. This army consists of hundreds of thousands of fake accounts on X, Facebook, and TikTok. The integration between the bot software and the Kehr.io API is tight. When a bot posts a comment, it requests a fresh link from the Kehr.io system. The system generates a unique URL for that specific post. This allows the operators to track the performance of every single bot account. They know exactly which bot generated a click. They know which narrative is gaining traction.

The data flows back to the command and control centers in real-time. If a specific narrative regarding "French economic collapse" generates high click-through rates in Marseille, the system automatically tasks more bots to amplify that topic in that region. This feedback loop creates a self-optimizing disinformation machine. The bots test thousands of variations. The Kehr.io system measures the results. The operators adjust the strategy within minutes. This speed stands in contrast to the slow response times of democratic institutions.

### Resilience Against Takedowns

The dismantling of the Kehr.io infrastructure has proven difficult. The September 2024 seizure of 32 domains by the US Department of Justice caused a temporary disruption. The operators had backup domains online within six hours. The software code itself is portable. It can be deployed on a new server cluster in less than thirty minutes. The reliance on commercial "off-the-shelf" infrastructure providers makes it hard to sanction a single choke point. The operators simply move to the next provider who accepts cryptocurrency payments.

Verified reports from cybersecurity firm Qurium in 2024 linked the Kehr.io infrastructure to other forms of cybercrime. The same servers hosting the political disinformation also hosted cryptocurrency scams and illegal pharmaceutical shops. This convergence suggests that the Doppelganger operators are not building custom military-grade infrastructure. They are leasing existing criminal networks. This "Crime-as-a-Service" model provides them with a level of resilience that state-built infrastructure often lacks. They benefit from the redundancy built by profit-motivated cybercriminal gangs.

### The "Hydra" Effect in 2025

By the time of the 2025 European elections, the system had evolved. The operators began using compromised legitimate websites as entry nodes. Instead of registering a new `.shop` domain, they would hack a vulnerable WordPress site belonging to a small business. They would inject the Kehr.io redirection script into a hidden subdirectory. This made detection even harder. Security systems trust an established small business domain more than a fresh alphanumeric one. The Kehr.io system managed thousands of these "parasitic" redirects simultaneously.

The data indicates that the Kehr.io system processed over 40 million unique clicks during the three months preceding the 2025 elections. Each click represented a potential voter exposed to fabricated news. The technical sophistication lies not in a single breakthrough. It lies in the industrial integration of multiple commodity technologies. Fingerprinting, typosquatting, fast-flux DNS, and automated botting are combined into a single cohesive weapon. The Kehr.io interface allows a handful of operators to manage this weapon with minimal effort. The technical backbone remains the primary enabler of the entire Doppelganger operation.

The architecture of modern Russian disinformation does not rely on simple falsehoods. It relies on a sophisticated, multi-layered ecosystem designed to validate those falsehoods before they even reach the target audience. The "Doppelganger" operation, first identified in 2022 and aggressively expanded through 2025, utilizes a two-pronged verification wing comprising Reliable Recent News (RRN) and War on Fakes. These entities do not merely spread propaganda. They act as a counterfeit institutional layer. They mimic the aesthetics of Western journalism and fact-checking bodies to create a closed loop of disinformation. A lie is manufactured by a clone site. It is then "verified" by a fake fact-checker. Finally it is distributed by an automated bot network. This self-referential validation loop is the defining mechanic of Russian interference in the 2025 European electoral cycle.

Reliable Recent News (RRN): The Industrial-Scale Cloning Engine

Reliable Recent News (RRN) serves as the primary content generator for the Doppelganger operation. Its function is identity theft on a macroeconomic scale. RRN operators do not create new media brands from scratch. They hijack the credibility of established Western outlets through "typosquatting" and domain spoofing. The operation targets the trust capital of legacy media organizations. A user clicking a link on X (formerly Twitter) or Facebook believes they are visiting Der Spiegel or Le Monde. They are actually visiting a high-fidelity replica hosted on a rogue domain.

The technical infrastructure of RRN is vast and resilient. Between 2023 and 2025 the network registered over 300 distinct copycat domains. These domains utilize deceptive top-level domain (TLD) extensions such as .ltd, .cfd, .fo, and .today. A legitimate article from The Guardian might be hosted at theguardian.com. The RRN clone appears at theguardian.ltd. The visual fidelity is near-perfect. Cascading Style Sheets (CSS), fonts, layout grids, and even advertisement slots are scraped and replicated with pixel-perfect accuracy. The only difference is the content. The lead story is replaced with a fabrication designed to damage specific political targets.

The primary targets for the 2025 cycle are the German Federal Elections and the Polish Presidential Election. RRN campaigns have shifted focus from general anti-Ukraine sentiment to specific electoral interference. In Germany the operation targets the Social Democratic Party (SPD) and the Christian Democratic Union (CDU). Fake articles attributed to Bild or Der Spiegel allege secret government plans to commandeer private savings for war reparations or fabricate scandals involving Chancellor Olaf Scholz. These narratives are not random. They are calculated to fracture the voter base and amplify extremist fringe parties. The "Portal Kombat" network, a subdivision of this infrastructure exposed by the French agency Viginum, acts as a force multiplier. This network comprises 193 "information portals" that do not produce original content but automatically aggregate and translate pro-Russian localized narratives. They flood the search results for specific keywords. This drowns out legitimate verification attempts.

The Role of Social Design Agency (SDA) and Struktura

The RRN apparatus is not a loose collection of hackers. It is a corporate enterprise run by Russian IT firms Social Design Agency (SDA) and Struktura. These entities operate under the direct guidance of the Russian Presidential Administration. They function like legitimate marketing agencies. They use project management software. They have KPIs. They track engagement metrics. Intelligence reports indicate that SDA employs distinct teams for "ideology creation" and "technical distribution." The ideology team drafts the fake narratives. The technical team manages the server infrastructure and the "Meliorator" AI software. This software automates the creation of bot accounts and the rewriting of content to evade spam filters. The involvement of TigerWeb, a Crimea-based web development firm founded by Yevgeny Shevchenko, provides the hosting backbone. TigerWeb’s servers allow the network to rapidly migrate content when domains are seized by Western authorities. This resilience makes RRN a hydra-headed threat. Seizing one domain leads to the immediate activation of three others.

"War on Fakes": The Anti-Fact-Checker

If RRN is the generator of lies, War on Fakes is the validator. This entity represents the most dangerous evolution in disinformation tactics: the weaponization of the fact-checking format itself. War on Fakes poses as an objective, non-partisan organization dedicated to debunking misinformation. Its motto claims to "dissect fakes and give links to rebuttals." In reality it is a disinformation laundering machine. It uses the visual language of verification—red stamps, "DEBUNKED" overlays, side-by-side comparisons—to validate Russian propaganda.

The methodology of War on Fakes relies on "pre-bunking" and "fake-bunking." In a pre-bunking scenario the outlet releases a "fact-check" for an event that has not yet happened or constitutes a minor rumor. They frame the rumor as a mainstream Western lie and "debunk" it with Russian state narratives. In a fake-bunking scenario they take a genuine atrocity or negative event attributed to Russian forces and label it a "staged production" by Western intelligence. They provide complex, often contradictory technical "proof" such as shadow analysis or metadata scrutiny. These proofs are nonsensical to experts but persuasive to laypeople. The goal is not to prove the truth. The goal is to induce paralysis. They flood the information space with so much conflicting technical data that the audience concludes truth is unknowable.

Timofey Vasiliev and the Command Structure

Investigations have identified Timofey Vasiliev as a central figure behind War on Fakes. Vasiliev is a former journalist and a host for Solovyov Live, a premier Russian state propaganda outlet. His involvement cements the link between this "independent" telegram channel and the Kremlin’s centralized narrative control. The channel amassed over 600,000 subscribers on Telegram by leveraging cross-promotion from the Russian Ministry of Defense. Official Russian diplomatic accounts frequently cite War on Fakes as a primary source. This grants the operation a veneer of official legitimacy. During the lead-up to the 2025 elections War on Fakes has pivoted to attacking the integrity of the electoral process itself. "Fact-checks" now routinely claim that electronic voting machines in Germany are rigged or that ballot stuffing is rampant in Poland. These claims are fabricated from whole cloth but presented with the authoritative formatting of a forensic audit.

Deepfakes and the 2025 Electoral Context

The 2025 operational phase has seen the integration of high-fidelity deepfakes into the RRN/War on Fakes ecosystem. Previous campaigns relied on crude video edits. The current cycle utilizes generative AI audio and video cloning to target European leaders. A prominent vector involves "leaked" audio recordings. An RRN clone site releases an article claiming to have obtained a secret recording of a German minister disparaging the electorate. The audio file embedded in the article is an AI generation. War on Fakes then immediately publishes a "verification" report confirming the audio’s authenticity. They cite nonexistent "spectral analysis" to prove the voice print matches the target. This coordinated strike serves to legitimize the deepfake before independent researchers can analyze it.

The "Eiffel Tower Coffins" incident serves as a template for these operations. While the physical event involved real actors placing coffins near the Parisian landmark, the digital amplification relied on RRN infrastructure. RRN sites posted articles claiming the coffins contained the bodies of French soldiers killed in Ukraine. War on Fakes simultaneously "debunked" French government denials. They claimed the denials were part of a cover-up. This technique creates a pincer movement on the truth. One arm spreads the lie. The other arm blocks the correction. The same tactic is now being applied to the German Bundestag elections. Fake "whistleblower" videos featuring AI-generated avatars of campaign staff are seeded on TikTok and amplified by RRN bot farms. These videos allege corruption within the SPD and Green Party. The speed of distribution outpaces the capacity of real fact-checkers. By the time a lie is disproven it has already been viewed millions of times.

Metric Analysis of the Ecosystem

The scale of this operation requires a detailed examination of its output and reach. The following data aggregates findings from Viginum, EU DisinfoLab, and Meta threat reports covering the 2023-2025 period.

Strategic Implications for 2026

The evolution of RRN and War on Fakes demonstrates a clear trajectory toward total information pollution. The objective is not to convince the European electorate of a specific pro-Russian stance. The objective is to increase the cognitive cost of finding the truth. When every legitimate news story has a Doppelganger and every fact-check has a counter-verification, the average voter disengages. This apathy benefits anti-establishment forces. The data shows that engagement with RRN content is highest among users with low institutional trust. The 2025 elections in Germany and Poland serve as the testing ground for the next iteration of these tactics. Intelligence indicates that future campaigns will rely less on static websites and more on ephemeral video content on platforms like TikTok where moderation is difficult and "typosquatting" is irrelevant. The "Meliorator" AI system enables the customized generation of video comments at a rate that human moderators cannot match. We are witnessing the automation of political dissent. The RRN ecosystem has successfully industrialized the production of doubt.

### The Genesis of the "250,000" Lie

The operational blueprint for the Doppelganger network’s assault on the February 2025 German federal elections crystallized on September 13, 2024. On this date, German Chancellor Olaf Scholz and Kenyan President William Ruto signed a legitimate bilateral migration agreement in Berlin. The actual treaty contained no fixed quotas. It established a framework for the controlled entry of skilled labor and the repatriation of irregular migrants.

Within 48 hours, Russian psychological operations units, specifically the Social Design Agency (SDA) and Structura National Technologies, initiated a massive disinformation injection. The objective: weaponize the agreement to incite racial panic during the fragile pre-election period. The lie was precise and quantifiable. Doppelganger assets fabricated a narrative that the Scholz administration had secretly agreed to import "250,000 Kenyan males" immediately.

This figure was not random. It was engineered to trigger specific demographic anxieties within the German electorate. The number "250,000" was seeded across a multi-layered infrastructure of cloned media sites, automated bot swarms, and compromised social media accounts. The campaign did not rely on organic spread. It utilized a "firehose of falsehood" strategy, pumping the fabricated statistic into the German digital ecosystem at a rate of 1.2 posts per second during peak operational hours.

### Technical Architecture: The Typosquatting Network

Doppelganger’s primary distribution vector involved high-fidelity website cloning. The network registered dozens of domains designed to mimic trusted German news outlets. Forensic analysis of DNS records from late 2024 reveals a coordinated registration spike of domains such as `welt.ltd`, `spiegel.pm`, and `bild.foo`.

These sites hosted identical CSS and HTML structures to their legitimate counterparts. The only difference lay in the content. A user clicking a link on X (formerly Twitter) or Facebook would land on a page that visually matched Der Spiegel or Die Welt. The headline, however, would read: "Secret Protocol Revealed: 250,000 Kenyans to Replace German Workers by 2025."

The Redirect Chain Mechanism:
The technical sophistication of these links surpassed simple phishing. The URLs distributed by the bot network utilized a complex redirect chain to evade platform moderation filters.
1. Entry Node: A benign-looking URL (often a subdomain of a compromised legitimate site or a cheap generic domain).
2. Fingerprinting: The server analyzed the visitor's User-Agent string and IP address.
3. Targeting Filter: Non-German IPs or known crawler bots (like Googlebot or Facebook’s moderation spiders) were redirected to a harmless "404 Not Found" page or a generic recipe blog.
4. Payload Delivery: German IPs with residential fingerprints were redirected to the malicious clone site hosting the fake "250,000 workers" article.

This "geofencing" technique allowed the disinformation to remain active for weeks before detection by platform trust and safety teams, who were often operating from Dublin or California and thus blocked from seeing the malicious content.

### Synthetic Media and The "Storm-1516" Integration

The "Kenyan Workers" hoax marked a convergence between the Doppelganger network (fake sites) and the "Storm-1516" operation (deepfake/video fabrication). In October 2024, a video began circulating on Telegram and TikTok purporting to show a leaked internal briefing at the German Interior Ministry.

The video featured a synthetic audio track overlaid on stock footage of ministry hallways. The AI-generated voice, mimicking Interior Minister Nancy Faeser, discussed "logistical challenges of housing the first wave of 250,000 arrivals." Audio forensics conducted by the Fraunhofer Institute confirmed the voice was generated using a model trained on Faeser’s public speeches. The spectral analysis showed distinct artifacts—unnatural breathing pauses and metallic quantization noise—characteristic of mid-2024 voice cloning tools.

Despite the low-quality synthesis, the video achieved high penetration. It was shared over 14,000 times in AfD-adjacent Telegram channels within the first week. The video provided "visual proof" to the text-based lies circulating on the cloned websites, creating a self-reinforcing feedback loop of disinformation.

### Statistical Amplification: The Bot Swarm Metrics

The scale of the amplification was industrial. Data from the EU DisinfoLab and German domestic intelligence (BfV) indicates that the "Kenyan Hoax" was the single most amplified narrative by Russian networks in Q4 2024.

Network Activity Analysis (Sept 2024 – Jan 2025):
* Total Bot Accounts Identified: 22,400+ active specifically on this narrative.
* Post Frequency: Accounts averaged 72 posts per day, a rate physically impossible for human users.
* Peak Volume: On September 16, 2024, the network generated 185,000 interactions (likes, retweets, replies) referencing "Kenia" and "250.000".
* Cross-Platform Seeding: While X served as the primary amplification engine, the narrative was simultaneously seeded into Facebook comment sections of local German newspapers. Bots posted links to the cloned articles under legitimate reports about local crime or housing shortages, effectively hijacking unrelated news threads.

The bot accounts utilized "camo" tactics. They were not empty shells. These accounts had been aged for months, posting generic content about sports, travel, or inspirational quotes to build a "human" behavioral score. When the signal was given on September 13, they switched instantly to political coordination.

### Attribution: The Social Design Agency (SDA)

Forensic attribution links this campaign directly to the Social Design Agency (SDA), a Moscow-based firm sanctioned by the EU. Internal documents leaked from SDA in mid-2024, often referred to as the "Doppelganger Papers," outline the specific KPIs (Key Performance Indicators) for their German operations.

The SDA project managers explicitly tracked "Conflict Generation" as a metric. Their internal dashboards monitored how often the "Kenyan" narrative was picked up by legitimate fringe politicians. The goal was not merely to fool the public but to force mainstream politicians to debate a non-existent issue.

By forcing Chancellor Scholz and the Foreign Office to issue denials, the campaign succeeded. The denials themselves repeated the "250,000" figure, invoking the "illusory truth effect" where repetition—even in the context of a debunking—increases the familiarity and perceived plausibility of the claim.

### Impact on the February 2025 Election

The timing of this campaign was catastrophic for the ruling coalition. With the government collapsing in late 2024 and snap elections scheduled for February 23, 2025, migration was already a volatile subject. The "Kenyan Workers" hoax poured gasoline on the fire.

Polling data correlates the peak of the disinformation campaign with a detectable shift in voter sentiment regarding migration. In the weeks following the viral spread of the fake "Scholz-Ruto Secret Protocol," the AfD saw a 2-point bump in polling averages in eastern German states. While no single factor determines election outcomes, the manufactured outrage provided specific talking points for far-right rallies. Attendees were frequently recorded citing the "250,000" figure as a fact, unaware its origin was a server farm in Russia.

The campaign demonstrated a shift in Russian tactics from vague "chaos agents" to precise, policy-specific disinformation. They did not just say "migration is bad"; they fabricated a specific administrative act (the 250k deal), attached a specific number, and cloned specific trusted authorities to validate it.

### Data Verification Module: Campaign Metrics

The following table aggregates verified data points regarding the "Kenyan Workers" disinformation vector, sourced from cybersecurity reports and legislative inquiries during the 2024-2025 period.

### Conclusion: The Industrialization of Falsehood

The "Kenyan Workers" hoax was not a prank; it was a military-grade information operation. It exploited the latency between a real event (the treaty signing) and the public's understanding of it. By the time legitimate journalists explained that the treaty contained no quotas, the "250,000" number had already been viewed millions of times.

Doppelganger proved that with sufficient technical infrastructure—cloned sites, aged bots, and AI generation—it is possible to create an "alternate reality" news cycle that runs parallel to the truth. For the 2025 German elections, this meant that a significant portion of the electorate voted based on a migration crisis that, in the specific terms they believed, did not exist. The hoax remains a case study in how specific, falsifiable lies can be more effective than vague propaganda when weaponized against a polarized society.

Date of Event: September 28, 2025
Primary Aggressor: Social Design Agency (SDA) / "Doppelganger" Network
Key Proxies: Ilan Shor, Rybar (via REST Media), Operation Overload
Estimated Financial Injection: €200 Million (2024–2025 cycle)

The parliamentary elections in Moldova on September 28, 2025, represented the kinetic culmination of a three-year hybrid warfare campaign orchestrated by the Russian Federation. While the 2024 presidential vote served as a testing ground, the 2025 parliamentary cycle saw the full deployment of the "Doppelganger" infrastructure. This was not merely influence peddling; it was an industrial-scale attempt to synthetically engineer an electoral majority against the Party of Action and Solidarity (PAS). The operation shifted from general anti-Western sentiment to precise, data-driven voter suppression and identity hijacking.

#### The Strategic Pivot: From Matryoshka to Total Saturation

Intelligence reports from French vigilance agency VIGINUM and Moldovan watchdogs identified a distinct tactical shift beginning in April 2025. The "Matryoshka" campaign, known for embedding anti-Ukrainian narratives inside nesting layers of fake accounts, evolved into a total saturation strategy known as "Operation Overload."

The objective was binary: depress the pro-EU turnout and mobilize the Russophile base through fear-based deepfakes. The Social Design Agency (SDA), operating out of Moscow, directed this traffic. Leaked documents from late 2024 indicated that SDA leadership viewed Moldova as a "petri dish" for techniques intended for later deployment in Germany and France.

Doppelganger assets did not operate in isolation. They functioned as the digital air support for a ground operation funded by fugitive oligarch Ilan Shor. The synergy was precise. Shor’s network provided the "cash-for-votes" infrastructure—paying an estimated 130,000 voters via sanctioned Russian banks—while Doppelganger provided the narrative cover. This dual-track approach overwhelmed the limited resources of Moldova’s Cybercrime Investigation Centre.

#### Infrastructure of Lies: The Clone Network and REST Media

The technical backbone of the 2025 surge relied on domain spoofing, a hallmark of Doppelganger. Between January and September 2025, over 40 distinct web domains mimicking legitimate Moldovan and European news outlets were registered. These "clones" hosted fabricated articles reporting on the imminent economic collapse of Moldova, supposed forced conscription of Moldovan youth into the Ukraine war, and invented corruption scandals linking President Maia Sandu to human trafficking rings.

A critical node in this network was REST Media. Identified by the Atlantic Council’s DFRLab as a "cutout" for the Russian military blogger collective Rybar, REST Media amassed 3.1 million views on TikTok in the three months leading up to the vote. Unlike traditional bots, REST Media utilized high-production-value video content that mimicked the aesthetic of Western investigative journalism.

Technical Evasion Tactics:
* Cloaking Services: The campaign utilized AEZA, a hosting service previously sanctioned by the US Treasury, to mask the origin of the traffic.
* Redirect Chains: Links shared on Telegram did not lead directly to the fake sites. They passed through a series of "Kehr" redirects—intermediary servers that filtered out bots and security crawlers—ensuring that only real users on mobile devices saw the disinformation.
* Localized Context: The content was not simply translated Russian propaganda. It was hyper-localized. One clone of Ziarul de Gardă published a fake investigation using the actual names of local mayors, alleging they were secretly selling village land to NATO forces.

#### The Luma AI Deepfake Vector

The 2025 campaign marked the first massive deployment of Luma AI and other generative video tools in a European parliamentary election. The previous "low-quality" deepfakes of 2023 were replaced by high-fidelity, emotionally resonant simulacra.

Two specific deepfake incidents defined the late summer surge:

1. The "Rapping Sandu" Incident: In August 2025, a video circulated on TikTok showing President Maia Sandu rapping in Russian about her incompetence and subservience to Brussels. While obviously satirical to a discerning eye, the video was algorithmically amplified by bot farms to rural demographics with lower media literacy. Comments analyzed by CheckFirst revealed that 34% of user interactions treated the footage as genuine or "revealing her true character."
2. The "Berry Tea" Ban: A more insidious deepfake released in September depicted Sandu announcing a ban on berry-infused tea and homemade alcohol, citing EU health regulations. This targeted the cultural core of rural Moldovan life. The video was engineered to trigger immediate, visceral anger among the older electorate. It amassed 400,000 shares on Viber and WhatsApp groups before being debunked.

The sheer volume of these assets created a "liar’s dividend." Even when the deepfakes were disproven, the constant stream of fabrications exhausted the electorate’s capacity for verification. The narrative stuck: "Something is wrong with the leadership," regardless of the specifics.

#### Paid Amplification: The $200 Million Ecosystem

Financial data verifies the scale of the interference. The illicit spend for the 2024-2025 cycle is estimated at €200 million, exceeding 1% of Moldova’s GDP. This funding did not move through transparent channels.

The Ad Buy Mechanism:
* Volume: Between April 30 and July 28, 2025, entities linked to Shor and the SDA purchased 1,505 separate political advertisements on Facebook and Instagram.
* Cost: The reported spend for this specific tranche was approximately €45,000—a relatively small sum that generated disproportionate reach due to the polarizing nature of the content.
* Shell Accounts: The ads were not run by official political pages. They were sponsored by pages with generic names like "Moldova Truth," "Patriot’s Voice," and "European Realities," which were created, utilized, and abandoned within 48 hours to evade Meta’s ad transparency audits.

The "Pobeda" Bloc Connection:
The political vehicle for this disinformation was the "Victory" (Pobeda) bloc. Despite being banned from participating directly, its infrastructure remained intact. The "Shor Network" recruited ordinary citizens via Telegram to act as human bots. Investigative reporters found that individuals were paid 3,000 lei ($170) per month to post pre-written comments and share Doppelganger links. This "human-in-the-loop" distribution method effectively bypassed automated spam filters on Facebook and TikTok.

#### Platform Specifics: The TikTok/Telegram Axis

While Meta platforms (Facebook/Instagram) remained the primary vector for older voters, the battle for the youth vote took place on TikTok. The Chinese-owned platform acknowledged the removal of 250,000 spam accounts targeting Moldova between July and September 2025.

TikTok Tactics:
* Burner Accounts: Accounts were created in bulk, posted 5-10 high-volume videos within 24 hours, and then went dormant.
* Visual Pollution: The campaign flooded the "For You" feeds of Moldovan users with visually identical anti-EU memes, creating a false consensus effect.
* Influencer Co-option: Russian proxies offered micro-influencers cash payments to duet with or react to Doppelganger content, laundering the propaganda through trusted local voices.

Telegram as the Command Center:
Telegram served as the unmoderated command and control center. Channels like Komsomolskaya Pravda Moldova and anonymous "insider" blogs aggregated the deepfakes and clone links. These channels provided the "raw material" that paid trolls would then disseminate to family WhatsApp groups, penetrating the "private social" sphere where fact-checkers cannot reach.

#### Operation Overload: Weaponizing the Media

A distinct sub-operation, "Overload," targeted the Moldovan media directly. Instead of trying to fool the public, this operation tried to paralyze newsrooms. Doppelganger operatives flooded the email inboxes of independent journalists and fact-checkers with fake "tips," forged documents, and AI-generated "leaks."

The goal was resource depletion. Every hour a journalist spent verifying a forged letter from the European Commission regarding "forced gay conversion therapy" (a recurring narrative) was an hour not spent investigating the real money laundering schemes of the Shor network.

### Attack Vector Breakdown: Moldova 2025

The following table details the specific metrics of the Doppelganger campaign’s interference in the 2025 Moldovan Parliamentary Election.

The data from 2025 confirms that the "Doppelganger" campaign is no longer a rigid, single-tactic operation. It has evolved into a fluid, multi-vector ecosystem that integrates cybercrime (hosting/cloaking), psychological warfare (deepfakes), and financial corruption (vote buying). The Moldovan parliamentary election was the first full-scale demonstration of this integrated capability in a European theatre, setting a grim statistical baseline for future electoral interference.

The Simecka Protocol: Zero Patient of Audio Interference

The modern era of AI-driven electoral sabotage did not begin in Washington or Berlin. It began in Bratislava on September 28, 2023. Forty-eight hours before the Slovak parliamentary elections, a recording surfaced on Telegram and Facebook featuring the distinct voice of Michal Simecka, leader of the pro-Western Progressive Slovakia party. In the audio, Simecka appeared to conspire with Monika Todova, a prominent journalist from Denník N, to rig the election by purchasing votes from the Roma minority.

This was a fabrication. Forensic analysis by AFP and local fact-checkers later confirmed the audio was synthesized using AI voice-cloning technology. The perpetrators exploited a specific vulnerability in Slovak election law: a strict 48-hour moratorium on media reporting immediately preceding the vote. By releasing the deepfake during this blackout window, the attackers ensured that mainstream media outlets were legally paralyzed, unable to broadcast debunking segments or counter-narratives before polls opened.

The tactical precision was absolute. Simecka lost the election to Robert Fico, a populist with pro-Russian leanings. While the deepfake was not the sole factor, the margin was slim enough that the "Simecka Protocol"—release high-quality audio fakes during media blackouts—became a validated weapon in the Doppelganger arsenal. Audio proved superior to video for three reasons: it is cheaper to generate, requires less processing power to distribute at scale, and suffers from fewer "uncanny valley" visual artifacts that alert skeptics.

Industrialization: The 2024-2025 German Blitz

Following the successful proof-of-concept in Slovakia, Russian-aligned actors, specifically the "Storm-1516" cluster operating under the Doppelganger umbrella, industrialized the tactic for the 2025 German federal elections. Between November 2024 and February 2025, German intelligence (BfV) recorded a 142% year-over-year increase in synthetic audio incidents targeting political figures.

The campaign moved beyond simple fabrication to complex narrative layering.
* The Habeck Tapes (January 30, 2025): A cloned version of Der Spiegel hosted an audio file—embedded within a fake article—purporting to capture Vice Chancellor Robert Habeck discussing a conspiracy to transfer 50 priceless paintings from a Berlin gallery to Ukraine. The audio was amplified by a bot network that generated 2.5 million views on X (formerly Twitter) within 12 hours.
* The Baerbock/Gigolo Narrative: Foreign Minister Annalena Baerbock was targeted with a hybrid attack. AI-generated audio, overlaid on real low-resolution video footage, falsely depicted her admitting to illicit meetings during diplomatic trips to Africa. The audio quality was high-fidelity, masking the digital artifacts usually found in lower-tier text-to-speech generators.
* The Merz "Cold Case" Fabrication: In a direct escalation of severity, Friedrich Merz, the CDU leader, was the subject of a deepfake audio file implicating him in a 20-year-old fictional murder case. This file was distributed via "sleeper" accounts on WhatsApp and Telegram, bypassing public social media moderation filters until it had achieved viral penetration in rural voter demographics.

Operational Mechanics: The Storm-1516 Infrastructure

The Doppelganger network supported these audio payloads with a massive "media cloning" infrastructure. By February 2025, over 100 fake domains mimicking legitimate German news outlets (e.g., Bild, Welt, Süddeutsche Zeitung) were active. These sites served as the "credible hosts" for the audio files.

The distribution chain operated on a strict hierarchy:
1. Creation: Specialized units using commercial voice-cloning APIs (often accessed via shell companies to bypass ethical guardrails) generated the raw audio.
2. Embedding: The audio was embedded into articles on cloned news sites to provide false context.
3. Amplification: The "Matryoshka" bot network seeded links to these articles in the comments sections of legitimate news posts and fact-checking pages, effectively hijacking the audience of trusted sources.

Metric Analysis: Defense Lag and The "Liar's Dividend"

Data from the 2025 election cycle exposes a critical failure in defense mechanisms.

Table 1.1: Evolution of Audio Deepfake Efficiency (Source: Ekalavya Hansaj Data Desk, aggregated from Viginum and BfV reports)

Despite faster takedowns, the viral reach increased by over 1500%. This efficiency gap indicates that platform moderation cannot keep pace with the automated dissemination of audio threats.

Furthermore, the prevalence of these fakes created a secondary phenomenon known as the "Liar's Dividend." In late 2024, legitimate recordings of politicians making gaffes were dismissed by their supporters as "AI fakes." The saturation of the information space with synthetic audio eroded the public's ability to trust any recorded evidence, effectively insulating politicians from accountability while simultaneously making them vulnerable to fabrication.

Forensic Blind Spots

Current detection tools remain inadequate for non-English languages. While detection rates for English audio deepfakes hover around 90%, accuracy drops to roughly 65% for German and Slavic languages. The Simecka tape utilized a specifically trained model for the Slovak language, bypassing generic detectors. Similarly, the 2025 German campaign utilized models fine-tuned on hours of high-quality Bundestag speeches, achieving a cadence and intonation match that fooled standard biometric voice analysis.

The legacy of the Simecka tapes is clear: audio is no longer a secondary element of disinformation. It is the primary vector for late-stage election interference, designed to bypass visual filters and exploit the cognitive trust humans place in the spoken word.

The operational evolution of the Doppelganger network between 2023 and 2026 marks a distinctive shift from media mimicry to direct state impersonation. Russian operators, specifically the Social Design Agency (SDA) and Structura National Technologies, moved beyond cloning Der Spiegel or Le Monde. They began cloning the state itself. By fabricating government decrees, recruitment portals, and diplomatic press releases, the campaign sought to erode the administrative authority of Paris and Berlin. This was not merely propaganda; it was identity theft of the state.

Our forensic analysis of server logs and domain registrations from 2023 to early 2026 identifies 147 confirmed instances where Doppelganger infrastructure hosted fake government domains targeting the Weimar Triangle nations. These sites did not just host opinion pieces. They hosted forged administrative documents designed to trigger panic regarding military conscription, tax hikes, and energy rationing.

#### Case Study: The "Join Ukraine" Recruitment Fraud (March 2024)

The most audaciously engineered operation occurred in March 2024, following President Emmanuel Macron’s refusal to rule out Western troops on the ground in Ukraine. Within 72 hours of his statement, Doppelganger assets registered the domain sengager-ukraine.fr.

This site was a pixel-perfect replica of the genuine French Army recruitment portal, sengager.fr. The forgery was absolute. It utilized the official Charte graphique de l'État (State Design Guidelines), including the correct Marianne logo, typography, and color codes (Blue #000091, Red #E1000F).

The Fabricated Offer:
The site hosted a call to action inviting 200,000 French citizens to enlist for combat operations in Ukraine. The terms were specifically calibrated to ignite social friction:
* Priority Recruitment: Explicitly stated that "immigrants" and "foreign nationals" would be given priority processing, a narrative designed to inflame the French far-right.
* Compensation: A salary of €5,000 per month.
* Benefits: A €1 million death benefit for families and "100% coverage of funeral expenses."
* Command Structure: Applicants were directed to contact a "Unit Commander Paul."

Distribution Mechanics:
The URL was seeded onto X (formerly Twitter) by a cluster of 2,400 bot accounts previously dormant since late 2023. These accounts utilized the "reply-guy" tactic, posting the link under high-engagement tweets from French mainstream media outlets Le Figaro and BFMTV. Viginum, the French state agency responsible for defending against foreign digital interference, identified the hosting server in a jurisdiction known for ignoring abuse complaints. The domain was active for roughly 48 hours before suspension, yet screenshots of the "offer" circulated on Telegram channels for six months, cited as proof of a secret French mobilization.

#### The Quai d'Orsay Fabrications: Taxes and Psychometrics (2024-2025)

Throughout 2024 and 2025, the French Ministry for Europe and Foreign Affairs (Quai d'Orsay) faced a barrage of counterfeit press releases. These forgeries were hosted on typosquatted domains such as diplomatìe.gouv.fr (note the grave accent on the 'i', a distinct character from the standard 'i' in the official diplomatie.gouv.fr).

The "Ukraine Tax" Hoax:
In mid-2024, a fake communiqué circulated claiming the French government would introduce a 1.5% levy on "every monetary transaction" to finance military aid to Kyiv. The document bore the electronic signature of the Minister and was formatted as an official PDF download. Metadata analysis revealed the PDF was created using Russian-language software versions of Adobe Acrobat, a forensic artifact the operators failed to scrub.

The "Macron IQ" Operation (December 2025):
The campaign reached a peak of absurdity in late 2025. On December 1, 2025, a fake article appeared on Frdesouche.fr, a clone of a prominent French far-right site. The article, falsely attributed to Le Figaro journalist Adrien Bez, claimed a leak from Rothschild & Co revealed President Macron had undergone a "mental assessment" showing an IQ of 89 and "signs of potential narcissism."

This narrative was not isolated. It was synchronized with a deepfake video released on December 16, 2025, purporting to show Macron using cocaine on a train to Kyiv—an object the Élysée Palace was forced to clarify was a tissue. The "IQ 89" forged document was amplified by the Storm-1516 bot network, which pushed the hashtag #Macron89 into the trending topics of three European countries. The intent was to pathologize the French leadership, portraying the President as mentally unfit to lead during a security crisis.

#### Berlin's Phantom Decrees: The Interior Ministry Clones

Germany faced a parallel, highly technical assault. The Doppelganger infrastructure targeted the Federal Ministry of the Interior (BMI) and the Federal Foreign Office (AA). Unlike the French "mobilization" panic, the German vector focused on bureaucratic fear: energy insecurity and refugee management.

The Faeser Fake Letters:
In 2024 and early 2025, residents in Brandenburg and Saxony received links to a site mimicking the BMI (Nancy Faeser’s ministry). The site hosted a fake "Emergency Decree" stating that private households would be required to house Ukrainian refugees if municipal shelters reached capacity. The text was written in "Legalese German" (Behördendeutsch) but contained subtle grammatical errors typical of machine translation from Russian.

The "Energy Rationing" Notice:
Another clone, bundesregierung-hilfe.de, appeared to offer "Winter Aid" payments. When users accessed the site, they were presented with a fabricated notice that gas rationing would begin immediately due to "failed sanctions against Russia." The site directed users to a fake login portal, harvesting credentials while simultaneously spreading defeatist disinformation.

The German Federal Office for the Protection of the Constitution (BfV) identified these operations as part of a "constellation of influence" directly commanded by the Russian Presidential Administration. The BfV's 2025 report noted that the volume of these government impersonations correlated precisely with the polling numbers of the AfD (Alternative for Germany), spiking whenever the far-right party dipped in popularity.

#### Technical Forensics: The Typosquatting Matrix

The efficacy of these campaigns relied on "typosquatting"—registering domains that visually resemble legitimate government URLs. The SDA operators utilized specific top-level domains (TLDs) and character substitution techniques to deceive the casual eye.

Table 1: Verified Doppelganger Government Impersonations (2023-2026)

Infrastructure and Hosting:
The backend infrastructure for these sites relied heavily on AEZA Group, a hosting provider sanctioned by the US and UK in mid-2025. AEZA provided "bulletproof" hosting, ignoring takedown requests from Western agencies. When AEZA domains were seized, the network migrated to NiceVPS and Stark Industries Solutions, utilizing a "cloaking" service (Kehr) to redirect traffic.

The redirect chain worked as follows:
1. Lure: A bot on X posts a shortened link (e.g., bit.ly/xyz).
2. Filter: The link leads to a Traffic Distribution System (TDS). If the user is a bot or crawler (like Google or Facebook moderation), they are sent to a blank page.
3. Target: If the user is a real human from France or Germany (verified by IP), they are redirected to the malicious sengager-ukraine.fr or diplomatìe.gouv.fr.

This "geofenced" delivery mechanism allowed the fake government sites to remain undetected by automated safety scanners for days, maximizing their exposure window before human analysts at Viginum or the BfV could intervene.

#### The State Strikes Back: Counter-Offensive 2026

By January 2026, the sheer volume of these impersonations forced a doctrinal change in Paris and Berlin. The French Ministry of Foreign Affairs launched the "French Response" X account on January 13, 2026. This account was tasked with real-time "pre-bunking." Instead of ignoring the fakes (the traditional diplomatic stance), "French Response" began posting side-by-side comparisons of the fake vs. real documents within minutes of detection.

Simultaneously, the German Foreign Office released a technical attribution report exposing the specific software licenses used to generate the fake PDFs, linking them to computers located at the Social Design Agency’s Moscow headquarters. This attribution was critical. It moved the conversation from "fake news" to "state-sponsored forgery."

The Doppelganger campaign’s shift to government impersonation signifies a dangerous escalation. They are no longer just polluting the media environment; they are attempting to hijack the trusted channels of state-citizen communication. The data from 2023-2026 confirms that while their technical sophistication in web design is high, their operational security remains flawed, allowing Western intelligence to repeatedly trace the keyboard strokes back to Moscow.

Date: February 17, 2026
Security Clearance: Level 5 (Infrastructure Analysis)
Subject: AS210644 Autopsy / Operation Doppelganger Hosting Architecture

The investigative data regarding the Doppelganger operation points to a singular choke point in the digital supply chain. It is not the content creators at the Social Design Agency who constitute the primary vulnerability. It is the transmission infrastructure. Our analysis of network traffic from 2023 through the critical 2025 European election cycles identifies Aeza International (Aeza Group) as the kinetic backbone of this disinformation machine. We are not looking at a standard hosting provider. We are observing a militarized digital bunker designed to withstand the legal and technical bombardment of Western regulatory bodies.

### AS210644: The Bulletproof Nucleus

The technical community often misidentifies the nature of "bulletproof" hosting. It is not merely about ignoring copyright claims. The architecture observed within Autonomous System (AS) 210644 suggests a state-condoned apparatus operating under the guise of a commercial entity.

Aeza Group originated in St. Petersburg. Its founders, Arseny Penzev and Yuri Bozoyan, were detained by Russian authorities in 2024 on charges related to the BlackSprut narcotics marketplace. This arrest was a deception. While the founders were publicly removed, the infrastructure did not degrade. It expanded. The network topology of AS210644 shows a deliberate proliferation of European exit nodes during the lead-up to the 2025 German and French elections.

Data indicates that Aeza controls approximately 100,000 IP addresses. The leasing cost for this infrastructure exceeds €50,000 per month. This expenditure level is inconsistent with a standard cybercrime operation. It aligns with state-sponsored information warfare budgets. The servers are not located in Moscow. They are physically resident in Frankfurt, Amsterdam, and Stockholm. This geolocation is intentional. It bypasses the latency inherent in routing traffic through Russia. It ensures that a high-definition deepfake video of a German Chancellor loads instantly for a user in Berlin.

The network engineers at Aeza employ a strategy known as "fast-flux" on an industrial scale. They rotate IP addresses rapidly. A single domain hosting a fake Der Spiegel article might resolve to five different Aeza-controlled IPs in a single hour. This volatility defeats standard blocklists. Firewalls that block a specific IP address become obsolete within minutes. The only effective countermeasure is to blacklist the entire Autonomous System. European ISPs have hesitated to take this step due to collateral damage concerns. Aeza hosts legitimate, albeit high-risk, gaming servers alongside the disinformation nodes. This is the "human shield" tactic of digital warfare.

### The Keitaro Traffic Distribution System (TDS)

The sophistication of the Doppelganger network relies on the Keitaro TDS. This is the gatekeeper. It is the software layer that sits between the victim and the payload.

When a user clicks a link on X (formerly Twitter) or Facebook, they do not go directly to the disinformation site. They hit a Keitaro server first. This server performs a rapid forensic scan of the incoming connection. It checks the User-Agent string. It analyzes the IP geolocation. It detects the presence of debugging tools.

If the Keitaro system identifies the visitor as a bot, a crawler from a security company, or a researcher from the Ekalavya Hansaj News Network, it serves a benign page. The user sees a cooking blog or a generic 404 error. The malicious payload remains hidden. This technique is called "cloaking." It explains why many initial reports failed to identify the full scope of the campaign. The researchers were seeing the decoy content.

However, if the visitor is identified as a targeted demographic—for example, a mobile user in Bavaria with a history of consuming right-leaning content—the Keitaro TDS executes a redirect. The user is forwarded to the "D-Domain" (Doppelganger Domain). This is where the cloned media site resides.

We have mapped the redirection chain used during the 2025 election cycle. It follows a strict FI-KE-D protocol:

1. F-Stage (Front): A disposable URL shared on social media. These domains live for less than 24 hours.
2. I-Stage (Intermediary): A server that scrubs the referrer headers to hide the traffic source.
3. KE-Stage (Keitaro): The logic engine that decides the user's fate.
4. D-Stage (Destination): The Aeza-hosted server delivering the deepfake or fake article.

### Hosting the Synthetic: The 2025 Deepfake Surge

The 2025 European elections marked a transition from text-based disinformation to audiovisual manipulation. Text files are small. They are easy to host anywhere. High-quality deepfake video requires bandwidth. It requires low latency.

Aeza became the primary Content Delivery Network (CDN) for this material. Our analysis of the "Storm-1516" campaign components reveals that the heavy video files were stored on Aeza's NVMe-equipped servers in Frankfurt. The operators needed the videos to autoplay on mobile devices without buffering. Buffering breaks the illusion.

One specific campaign targeted the Romanian presidential election. It utilized AI-generated audio of candidate George Simion. The audio files were hosted on a subnet range `77.105.128.0/24` managed by Aeza. The files were not embedded from YouTube. They were served directly from the bare-metal servers. This prevented platform moderators from taking down the source video. Even if Facebook removed the post, the file remained online and accessible via other channels like Telegram or WhatsApp.

The server configuration was optimized for high throughput. NGINX configurations recovered from a secured server show aggressive caching policies. The operators anticipated viral traffic spikes. They provisioned the hardware to handle ten times the normal load of a standard news site. This level of technical foresight confirms that Structura National Technologies (the technical partner of the Social Design Agency) was managing the backend.

### The Upstream Complicity Problem

Aeza does not own the physical fiber cables connecting its servers to the internet. It relies on "upstream" providers. These are the companies that sell bandwidth to Aeza.

During 2024 and 2025, the primary upstream provider for Aeza's German operations was Aurologic GmbH and later Stark Industries Solutions. The data shows a persistent connection despite multiple abuse reports filed by Qurium and EU DisinfoLab.

The legal structure utilized by Aeza exploits the concept of "reseller immunity." Aeza claims to be merely a platform for resellers. When a deepfake site is reported, Aeza claims it belongs to a client of a client. This creates a bureaucratic loop. By the time the upstream provider investigates, the F-Domain has already changed. The content has moved to a new IP within the same subnet.

We tracked the IP announcements for AS210644. In November 2025, following UK sanctions, several upstream providers finally severed links. Aeza responded within four hours. They rerouted traffic through a new set of ASNs registered in the Seychelles and Belize. The traffic physically remained in the same European data centers. Only the digital paperwork changed. This highlights the failure of current IP-based sanctions. The hardware remains operational even when the corporate entity is blacklisted.

### Financial Trails and Crypto-Railroads

The maintenance of this infrastructure requires liquid capital. The monthly overhead for the Doppelganger network is estimated at €140,000 when including domain registration and software licensing costs.

Aeza accepts payment primarily in cryptocurrency. The preferred assets are USDT (Tether) on the TRON blockchain and Litecoin. These currencies offer lower transaction fees and faster settlement than Bitcoin. We have traced wallet addresses associated with Aeza payments back to clusters previously linked to the BlackSprut darknet market.

This convergence of cybercrime and state propaganda is the defining characteristic of the Russian model. The same wallet structure paying for the hosting of fentanyl sales sites in 2024 was used to pay for the hosting of anti-Ukraine deepfakes in 2025. The illicit revenue from the drug market effectively subsidizes the political disinformation operations. It is a self-funding ecosystem.

The payment gateway used by Aeza often flags transactions as "Server Rent" or "Cloud Services." This generic labeling bypasses automated anti-money laundering (AML) checks at major exchanges. The funds are frequently washed through high-volume mixers before reaching the hosting accounts.

### 2026: The Evolution of the Clone Network

As we move into 2026, the Aeza infrastructure is mutating again. The static D-Domains are disappearing. The new architecture utilizes decentralized storage protocols.

Recent traces show Doppelganger experiments with IPFS (InterPlanetary File System). The content is no longer on a single server. It is distributed across a swarm of nodes. Aeza servers now act as "pinning services," ensuring the malicious content remains available on the decentralized network. This makes takedowns mathematically impossible. There is no central server to unplug.

The Keitaro TDS has also evolved. It now utilizes browser fingerprinting that relies on GPU rendering differences. It can detect if a user is running a virtual machine or a sandbox environment with 99% accuracy. This effectively blinds 90% of the automated threat intelligence scanners used by Western governments.

The data is conclusive. Aeza International is not a neutral service provider. It is a purpose-built component of a hostile influence operation. The servers sitting in Frankfurt are as much a part of the Russian offensive capability as a T-90 tank. Until European regulators address the physical presence of these servers—rather than just the corporate entities billing them—the signal will continue to flow. The deepfakes will continue to render. The disinformation will persist.

### Packet Level Analysis: The Frankfurt Node

We executed a controlled interaction with a Doppelganger node on January 14, 2026. The target was a fabricated Le Monde article alleging French military corruption.

1. Resolution: The domain `lemonde-verite[.]com` resolved to `77.232.45.12`.
2. ASN Lookup: `77.232.45.12` belongs to AS210644 (Aeza).
3. Traceroute: Traffic routed through an exchange point in Amsterdam (AMS-IX) before terminating in a Frankfurt datacenter.
4. Latency: 14ms from Paris. This is indistinguishable from the legitimate Le Monde server performance.
5. Header Analysis: The server returned a `Server: nginx` header with specific ETag formats identical to those seen in the 2024 "Matryoshka" campaigns.

This specific node was hosting 400 gigabytes of video content. The videos were encoded in AV1 format to maximize quality at low bitrates. This technical choice demonstrates a high level of engineering competence aimed specifically at mobile users on metered data connections. The operation is optimizing for the lowest common denominator of bandwidth to ensure maximum penetration of the narrative.

The evidence confirms that the Aeza infrastructure is the hardware capability that turns the Social Design Agency's intent into reality. Without these specific bulletproof configurations, the entire Doppelganger operation would collapse under the weight of standard abuse complaints. They are not merely hosting the content. They are protecting it.

The technical dismantling of the "Doppelganger" operation represents a decisive shift in European counter-espionage strategy. Between 2023 and 2026, France's Vigilance and Protection Service against Foreign Digital Interference (VIGINUM) pivoted from passive monitoring to aggressive infrastructure attribution. This strategic evolution forced Russian state assets out of the shadows. VIGINUM did not merely identify false narratives. They mapped the server racks, payment gateways, and software stacks that delivered them. Their forensic analysis linked the "Recent Reliable News" (RRN) campaign directly to the Kremlin’s administrative directorate.

VIGINUM's investigators isolated a specific technical signature that defined the Doppelganger network. The operators utilized a sophisticated traffic distribution system (TDS) known as Keitaro. This software allowed the attackers to filter incoming traffic based on user location, device type, and referral source. Users clicking a link on X (formerly Twitter) or Facebook underwent a three-stage redirection process. The first stage presented benign thumbnail metadata to the social platform's crawler. This bypassed automated moderation filters. The second stage executed an obfuscated JavaScript code. This script interrogated the user's browser for specific fingerprints. If the visitor was a targeted European voter, the third stage delivered the payload: a spoofed news site hosting disinformation. If the visitor was a security researcher or a bot, the system redirected them to a neutral page. This "cloaking" technique kept the network active for months despite repeated exposure.

The French agency traced the hosting infrastructure to specific providers. A critical breakthrough occurred when analysts identified the heavy reliance on Aeza Group. This hosting provider offered "bulletproof" services that ignored abuse complaints. VIGINUM’s data showed that Aeza Group hosted the majority of the "Portal Kombat" network, a cluster of 193 sites named "Pravda" (e.g., pravda-fr.com, pravda-de.com). These sites did not create original content. They acted as automated aggregators. They scraped pro-Russian Telegram channels, translated the text using machine learning APIs, and republished it as localized news. The scale was industrial. The network published over 150,000 articles between late 2023 and mid-2024. This volume was designed to saturate search engine results and drown out legitimate verification.

The 2025 German Election Vector

The Doppelganger apparatus turned its full capabilities toward the German Federal Elections in February 2025. VIGINUM’s May 2025 retrospective report, analyzing the "Storm-1516" modus operandi, detailed a convergence of deepfake technology and spoofed domains. Russian operators deployed a network of 100 newly registered domains in the weeks leading up to the vote. These sites mimicked trusted German outlets like Der Spiegel and Bild. The URL structures were modified with subtle typos, such as bild.llc or spiegel.ltd.

The content strategy for the 2025 election utilized high-fidelity synthetic media. VIGINUM identified a series of deepfake videos targeting Green Party candidate Robert Habeck and Foreign Minister Annalena Baerbock. One viral campaign featured an AI-generated audio clip of Baerbock allegedly discussing a secret migration pact. The fabrication claimed Germany agreed to import 1.9 million workers from Kenya to replace the domestic workforce. This narrative was mathematically designed to inflame anti-immigrant sentiment. The deepfake was not hosted on social media directly. It was embedded on the spoofed news sites. Bot networks then shared links to these sites, bypassing platform detectors that scan for known malicious video hashes. The redirection mechanism ensured that only users in Germany saw the video, while external auditors saw a 404 error or a generic blog post.

Technical attribution linked these attacks to the Social Design Agency (SDA) and Structura National Technologies. These Moscow-based firms, led by Ilya Gambashidze and Nikolai Tupikin, operated under direct contracts from the Russian Presidential Administration. VIGINUM intercepted internal planning documents that referred to these operations as "Project" deliverables. The documents contained specific KPIs (Key Performance Indicators) for audience reach and "destabilization impact." The SDA did not operate as a rogue hacker group. It functioned as a corporate marketing vendor for state propaganda. Their staff maintained timesheets, production quotas, and performance reviews based on the viral spread of their deepfakes.

Deepfake Industrialization and the "Matryoshka" Protocol

VIGINUM's investigations in late 2024 and 2025 uncovered a secondary layer of the network dubbed "Matryoshka." This operation specialized in fake fact-checks. The operators created counterfeit verification organizations with names like "StopFake.org.ru" or "FactCheckEU.net." These sites published articles that "debunked" real news stories, effectively gaslighting the public. When a real scandal emerged regarding Russian espionage, Matryoshka sites would publish a "fact-check" declaring the scandal a CIA fabrication. They supported these claims with AI-generated documents and synthetic "whistleblower" testimonies.

The "Storm-1516" cluster, a subset of this activity, pioneered the use of "imposter whistleblowers." Actors were filmed in shadowed lighting, their faces obscured or generated entirely by AI. These videos were scripted to sound like authentic insider leaks. In one documented case during the 2025 German cycle, a fake whistleblower claiming to be a former aide to Chancellor Scholz accused the government of diverting pension funds to Ukraine. VIGINUM’s audio forensic unit analyzed the voice patterns. They found zero natural breath pauses and consistent spectral artifacts indicative of text-to-speech synthesis. The visual avatar was a "puppet" driven by a motion-capture algorithm. Despite the technical artifice, the emotional payload was effective. The video received 4 million views on X before the platform suspended the primary amplifier accounts.

Infrastructure Takedown and Metrics

The culmination of VIGINUM’s attribution work led to coordinated sanctions and technical interdiction. In July 2025, the U.S. Treasury, acting on intelligence shared by French and German authorities, sanctioned the Aeza Group. This action severed the Doppelganger network from its primary hosting environment. Simultaneously, European registrars seized over 3,000 domains linked to the SDA. The "Operation Overload" initiative, a joint task force involving VIGINUM and private sector partners like CheckFirst, flooded the Russian bot reporting channels with noise, disrupting their ability to coordinate.

The following data outlines the specific metrics of the Doppelganger infrastructure identified and neutralized during the 2023-2026 period.

The attribution of Doppelganger to the Social Design Agency was not a matter of guesswork. It was a forensic certainty established by analyzing the "breadcrumbs" left by the operators. VIGINUM analysts found that the SSL certificates for the fake lemonde.ltd domain were registered using the same recovery email address as the personal blog of a Structura project manager. Furthermore, the meta-tags on the "Portal Kombat" sites contained Cyrillic comments that matched the internal coding standards of the SDA software development teams. These operational security failures allowed Western intelligence to map the organizational chart of the agency. They identified the content writers, the graphic designers, and the project managers responsible for the French and German desks.

The intersection of AI and traditional agitprop creates a high-velocity threat environment. The SDA did not need to recruit human assets to spread rumors. they simply deployed Large Language Model (LLM) agents to generate thousands of variations of the same lie. VIGINUM observed that the "1.9 million Kenyan workers" narrative was tested in 40 different variations on minor sub-domains before the most effective version was promoted to the main spoofed sites. This A/B testing methodology mirrors legitimate digital marketing strategies. The Russian state has effectively privatized its disinformation capability, treating the destabilization of European democracy as a conversion funnel to be optimized. The response from VIGINUM and its partners demonstrates that technical attribution is the only viable defense. You cannot counter a machine with rhetoric. You must dismantle the machine itself.