When fake news wears a familiar face
In September 2022, researchers at EU DisinfoLab uncovered something unsettling: a network of websites that looked exactly like Europe’s most trusted newspapers — but weren’t. The sites had the same logos, the same layouts, the same fonts. Only the domain names were slightly different. And the articles they published were pure Kremlin propaganda.
The researchers called it “Doppelganger” — German for “double.” It would become one of the most sophisticated and persistent Russian information operations ever documented.
The mechanics of media cloning
The concept was deceptively simple. Russian operatives purchased domain names that closely resembled legitimate news outlets. Instead of spiegel.de, they registered spiegel.ltd. Instead of washingtonpost.com, they created washingtonpost.pm. The visual design was copied precisely — same colors, same typography, same navigation menus. Many pages even contained links to real articles on the authentic sites, making the deception harder to detect.
By the time investigators mapped the operation, at least 17 major media outlets had been impersonated: Germany’s Bild, Der Spiegel, Süddeutsche Zeitung, Die Welt, Frankfurter Allgemeine Zeitung, and Der Tagesspiegel; France’s Le Monde, Le Figaro, Le Parisien, and 20 Minutes; Italy’s Ansa; the UK’s Guardian; Poland’s Polityka and Polskie Radio; Ukraine’s RBC Ukraine and UNIAN; and in the United States, Fox News and The Washington Post.
The fake articles weren’t subtle. They depicted Ukraine as corrupt and Nazi-affiliated. They denied the Bucha massacre. They claimed Western military aid was being stolen. They warned that supporting Ukraine would bankrupt European economies. One fake Le Monde article carried the headline: “French Minister supports the murder of Russian soldiers in Ukraine.”
The operation also targeted government websites. Fake versions of NATO’s website (nato.ws) published fabricated press releases about doubled military budgets. Clones of Germany’s Interior Ministry and France’s Foreign Ministry spread false policy announcements.
Who was behind it
U.S. and European investigators traced Doppelganger to a constellation of Russian companies operating under Kremlin direction. The Social Design Agency (SDA), led by Ilya Gambashidze, and Structura National Technologies, founded by Nikolai Tupikin, were identified as the primary operators. A nonprofit called ANO Dialog provided AI-enhanced tools for generating content.
But the chain of command reached higher. According to a 277-page FBI affidavit unsealed in September 2024, the operation was overseen by Sergei Kiriyenko — First Deputy Chief of Staff of the Russian Presidential Administration and, as the U.S. Treasury described him, “Putin’s right-hand man” and domestic policy curator.
Internal documents obtained by investigators showed regular communication between the operators and Kremlin representatives. Weekly reports tracked the campaign’s performance across platforms — Facebook, YouTube, Telegram, TikTok. Dashboards monitored which narratives were gaining traction and which needed adjustment.
The amplification machine
Creating fake websites was only half the operation. The content needed to reach real audiences. Doppelganger operators deployed several techniques:
Bot networks. Hundreds of fake social media accounts — posing as Americans, Germans, French, and others — shared links to the cloned websites. These accounts posted comments, engaged in debates, and gradually built audiences. On X (formerly Twitter), researchers tracked over 800 accounts dedicated to promoting fake Ukrainian news articles alone.
Paid advertising. The operators purchased Facebook ads targeting French and German users with messages about Ukraine aid, farmers’ protests, and the Gaza war. AI Forensics, a nonprofit tracking online manipulation, found the ads reached five to ten times more people than initially estimated.
Cloaking. To evade platform moderation, Doppelganger used a technique borrowed from cybercriminals. Links shared on social media didn’t lead directly to the fake news sites. Instead, users were routed through disposable domains with innocuous names like “radilwanised.shop” or “climzenante.shop.” The system detected which users were likely targets (based on location and other factors) and only then redirected them to the propaganda content. Content moderators at X or Facebook saw only harmless landing pages.
Celebrity exploitation. In November 2023, researchers found Facebook ads featuring fabricated pro-Russian quotes attributed to Taylor Swift, Beyoncé, Justin Bieber, and other celebrities. The ads were designed to suggest that popular Western figures secretly supported Russian positions.
The Paris Stars of David
One Doppelganger operation crossed from the digital realm into physical space. In late October 2023, blue Stars of David began appearing on buildings across Paris — stenciled graffiti immediately condemned as antisemitic. The imagery evoked Nazi persecution.
French authorities traced the graffiti to a Moldovan couple recruited by Anatolii Prizenko, a pro-Russian Moldovan businessman. The operation was designed to sow division and inflame tensions — and then be amplified by Russian media to portray France as hostile to Jews. On November 9, 2023, France officially blamed the Doppelganger network for orchestrating the incident.
Resilience of the operation
Despite being exposed, Doppelganger refused to die. The EU sanctioned Social Design Agency, Structura, and key individuals in July 2023. The U.S. Treasury added them to its sanctions list in March 2024. In September 2024, the U.S. Justice Department seized 32 domains — and within days, the operators registered new ones through a German company (1API GmbH), which shut them down only after journalists alerted them.
The technical infrastructure kept shifting. When German hosting company Hetzner blocked Doppelganger accounts, the operation moved elsewhere. When Estonian software company Apliteni discovered its Keitaro redirect tool was being abused, it revoked the licenses — but the operators simply found alternatives. A bulletproof hosting provider called AEZA, despite having founders prosecuted for running a darknet drug marketplace, continued providing infrastructure until it was sanctioned by the U.S., UK, and Australia in November 2025.
Researchers found that IP addresses accessing Doppelganger’s infrastructure included those belonging to Voentelekom — a telecommunications company founded by the Russian government and operating under the Ministry of Defense. The digital fingerprints led directly to the Russian state.
The AI evolution
As the operation matured, it incorporated artificial intelligence. In May 2024, OpenAI announced it had removed accounts used by Doppelganger for influence operations. A related network called CopyCop registered over a hundred websites in a single month, all featuring AI-generated journalist personas — slight variations of real conservative American media personalities.
The economics were compelling. As one researcher noted, “Prigozhin’s bot farm no longer has to cram rows of desktops in a dusty Saint Petersburg factory when AI can do the work of a full team of trolls from a single device.” The cost-per-influence had dropped dramatically.
Lessons from Doppelganger
Trust is hackable. Doppelganger exploited the visual language of credibility — familiar logos, professional design, legitimate-looking domains — to launder propaganda through the appearance of journalism. Readers who saw “spiegel.ltd” didn’t always notice it wasn’t “spiegel.de.”
The domain system is vulnerable. Nothing prevented Russian operatives from purchasing domains that mimicked trusted brands. EU DisinfoLab called for better regulation of the domain name industry to protect legitimate actors from impersonation.
Sanctions have limits. Despite EU and U.S. sanctions, the operation continued for years. Operators simply moved between hosting providers, payment processors, and domain registrars — often within Europe itself.
Platform responses remain inadequate. Facebook and X struggled to keep up with cloaking techniques, disposable domains, and bot networks. The operators were consistently one step ahead.
Attribution doesn’t equal deterrence. Even after Kiriyenko was publicly named as the overseer, even after internal documents were leaked, even after companies and individuals were sanctioned — Doppelganger adapted and persisted. The Kremlin calculated that the benefits outweighed the costs.
Doppelganger represents a new category of information warfare: the industrial-scale impersonation of trusted institutions. In an environment where anyone can clone a website in minutes, the authenticity of news itself becomes a casualty.
Sources:
- EU DisinfoLab. “Doppelganger: Media clones serving Russian propaganda.” September 2022.
- U.S. Department of Justice. “Justice Department Disrupts Covert Russian Government-Sponsored Foreign Malign Influence Operation.” September 4, 2024.
- CORRECTIV. “Inside Doppelganger: How Russia uses EU companies for its propaganda.” July 2024.
- Atlantic Council DFRLab. “Doppelganger: How Russia mimicked real news sites to target US audiences.” September 2024.
- Centre for Eastern Studies (OSW). “‘Doppelgänger’: the pattern of Russia’s anti-Western influence operation.” September 2024.
- Wikipedia. “Doppelganger (disinformation campaign).”
