How "Doppelgänger" works: The Kremlin's largest disinformation operation in Western countries
Kremlin’s “Doppelgänger” operation
Article by “Novaya Gazeta Europe”
You scroll through your news feed and suddenly see headlines like: NATO plans to send Ukrainian soldiers to France to suppress protests over pension reform, German authorities are raising health insurance costs for the elderly at the behest of the US, and Vladimir Zelensky has admitted to developing biological weapons. Don’t believe it? But these are reported by reputable media like Le Parisien, Der Spiegel, and The Washington Post…
Yes, in a parallel reality where Le Parisien’s domain is .ltd instead of .fr, Der Spiegel’s is .pro instead of .de, and where millions of daily-generated bots set the agenda by deceiving advertising algorithms through technical tricks. Imposing this reality on users is the goal of Operation Doppelgänger. Unlike other propaganda projects from Russian authorities, it appears to be quite effective.
For “Novaya Gazeta Europe,” Andrey Sapozhnikov investigates how the Doppelgänger network manages to mislead people in Western countries, the principles behind its spread of disinformation, and how ignoring this new type of propaganda could irreversibly change the internet as we know it.
Propaganda: Real or just for show?
In the early 2010s, Russian propaganda moved beyond its “Surkovian” phase and entered a new era, demanding far greater audacity and cynicism from Kremlin manipulators. This period introduced the public to absurd concepts such as the “crucified boy,” “Navalny-Hitler,” “combat mosquitoes,” and “dirty bombs,” among other crude clichés designed to justify expansionist policies and repression.
This grotesque disinformation, personified by figures like Vladimir Solovyov and Margarita Simonyan, became so intertwined with the concept of “Russian propaganda” that many Russians involved in the political discourse began to dismiss it as unserious. Today, opposition bloggers view press releases from the Russian Ministry of Defense, Dmitry Kiselyov’s “Vesti Nedeli,” or fake news from Z-Telegram channels about Vladimir Zelensky’s alleged drug use as low-quality nonsense, intended for the uninformed and poorly educated segments of the population and deserving only of condescendingly ironic analysis on YouTube.
However, it is important to note that Solovyov’s shrill cries about war with NATO are not the most representative embodiment of Kremlin propaganda. Disinformation targeted at the “internal consumer” — ranging from “Channel One” to Z-segment Telegram channels, from Kristina Potupchik to Olga Skabeeva — is far from the complete “propaganda showcase.” In 2024 Russia, the discourse is shaped more effectively by laws on military censorship, crackdowns on the opposition, and the destruction of any forms of public life that diverge from the official narrative. In such conditions, traditional propaganda plays a secondary role and can even be outsourced to “enthusiasts,” as seen with organizations like “Znanie” or the ANO “IRI.”
The Kremlin would be delighted to use the same repressive and censoring tools to influence public opinion in the West, but it can only reach foreign audiences through media channels.
Ironically, the average German is currently more valuable to Russian authorities than the average Russian. This is because Russians lack direct tools to influence their own state’s policies, while Germans are active protesters and voters, including for candidates in the Bundestag and the European Parliament, institutions that play a crucial role in supporting Ukraine.
While “useless” Russians are unconvincingly told by television propagandists about the undemocratic and puppet-like nature of European countries, it is evident that the Russian presidential administration places significant faith in and bets on Western democracy. To persuade a hypothetical German voter to support euroskeptics in the next election, Kremlin-hired media technologists spend hundreds of thousands of dollars on advertising on Facebook and X, daily forge websites of prominent Western media and ministries, deceitfully request expert comments, purchase domains and servers in European data centers in vast quantities, use artificial intelligence, and employ complex redirect systems. Ultimately, they achieve an audience reach of hundreds of millions of users, a feat that Western authorities and social media moderators are currently almost powerless to counter.
Why Doppelgänger?
The issue with the phenomenon in question is that it is not confined to a specific analytical center or media outlet. It is a vast, decentralized infrastructure, presumably affiliated with dozens of diverse companies worldwide and supported by thousands of bots and hacked social media accounts.
The first to draw attention to it was the European think tank EU DisinfoLab in September 2022, when it released a report detailing how, in May of that year, a “coordinated operation” to promote anti-Ukrainian and anti-Western narratives through clones of well-known media sites was launched in the Western segment of the internet. Due to this specificity, EU DisinfoLab named the campaign Doppelgänger, meaning “double” (though, less commonly, it is referred to as RRN or Recent Reliable News in official EU documents, after the “core” news site for the campaign).
Since the scandal surrounding Russian interference in the 2016 US presidential election, the Kremlin’s external information operations have not generated as much resonance in Western media as Doppelgänger did in 2024. This operation was covered and investigated by The New York Times, Der Spiegel, The Atlantic, The Washington Post, and Politico, with detailed technical reports released by OpenAI, Meta, and Viginum. The European Council imposed sanctions against companies and individuals responsible for the operation, including the notorious A.N.O. “Dialogue,” the GRU-affiliated news agency “Inforos,” the IT group “Structure,” and the “Social Design Agency” — a political technology company working with clients from the State Duma and the Ministry of Internal Affairs, as well as key figures in these organizations.
None of these entities, nor the Russian authorities, have commented on the hypotheses about the existence of Doppelgänger as a coordinated operation. Moreover, there is a suspicious “silent consensus” within the Russian media environment regarding Doppelgänger. Despite the extensive discussion of the topic in the West and the overall scale of the operation, Russian-language media coverage has been limited to “banned” and “undesirable” outlets like The Insider, Meduza, or Novaya-Europa.
Mentions of Doppelgänger (or its other names, such as RRN or Storm-1099/Storm-1679, used by Microsoft) are conspicuously absent in archives of Lenta.ru, Kommersant, RBC, or TASS — even indirectly through related news such as sanctions imposition or official press releases from the French Ministry of Foreign Affairs. This could indicate the existence of a specific “negative block” imposed on state media editors concerning this topic. Is it really that sensitive?
How Doppelgänger works
How exactly does Doppelgänger operate? If you are an active user of Facebook or X and reside in Europe, North America, or Israel, you can experience it firsthand. The campaign’s curators place a particular emphasis on France, Germany, Ukraine, Latvia, Italy, the United Kingdom, the United States, and Poland. With each passing month, the propaganda infrastructure expands its audience reach (by early June 2024, the publications of its bots were viewed up to 1.6 million times daily), while ad moderation on social networks covers less than 5 percent of commercial posts, which Doppelgänger successfully bypasses through a three-tiered redirection system (more on that later). If you live in these “target countries,” chances are you have come across strange content in your feed.
Typically, these are one-line propaganda statements generated by a chatbot, such as “Macron is lying to the French people, it’s time to overthrow him — read more here.” Most likely, a French person would see this text in their feed, and specifically in French — Doppelgänger spreads propaganda in 13 languages and tailors content to the preferences of its target audience (TA) through advertising algorithms. For example, a Facebook user interested in LGBT topics is highly likely to be prompted to read material on the site mypride.press — one of the hundreds of “information dumps” controlled by Doppelgänger, which are highly typological in their content and design.
The My Pride portal looks very amateurish, with articles written in Comic Sans font and comprising reprints of materials from various conservative US resources — always criticizing Joe Biden’s administration and accompanied by AI-generated illustrations. There is no information about the portal’s editorial staff on the site, and the social media icons are clickable but redirect users to their main pages. A similar principle applies to the site Holy Land Herald about Israel or Le Dialogue — one of Doppelgänger’s most successful fakes, attempting to mimic an authoritative French media outlet, for which a former National Assembly deputy regularly writes columns.
These are the types of sites you will land on if you click on the links that Doppelgänger bots urge you to visit. This is an attempt to use the format and style of traditional media, which European readers are accustomed to trusting, to feed them propaganda — and Doppelgänger has hundreds of such ersatz sites, almost all of which are edited and updated daily. The flagship among them is considered to be Recent Reliable News (formerly known as Reliable Russian News), and a very similar portal, Voice of Europe (VOE), which the European Union authorities recently blocked and included in the sanctions register. According to media reports, through VOE, Russian authorities financed the German right-wing populist party Alternative for Germany.
However, more often, Doppelgänger resorts to blatant typosquatting—registering domains that are almost identical to the addresses of well-known Western media outlets. For example, Spiegel.pro instead of Spiegel.de, Leparisien.ltd instead of Leparisien.fr, and so on. What’s notable is that, besides the domain names, the site designs are also copied, making them visually almost indistinguishable from the originals and capable of deceiving less attentive users.
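The TLD-swap pattern described above can be checked mechanically. The following is an added example, not code from the article or from any of the cited reports: it compares a link's host against an allowlist that is assumed here to hold the two genuine domains named in the text, and it goes slightly beyond the article's cases by also flagging names one character away from a genuine one.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the two genuine domains named in the article.
KNOWN_OUTLETS = {"spiegel.de", "leparisien.fr"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> tuple[str, str]:
    """Split a host into (name, suffix) using its last two labels.

    Simplification: multi-label suffixes such as co.uk need the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower(), ""
    return labels[-2], labels[-1]


def classify(url: str, known=KNOWN_OUTLETS, max_dist: int = 1) -> str:
    """Return 'genuine', 'tld-swap:<domain>', 'near-match:<domain>' or 'unrelated'."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    name, suffix = registrable(host)
    if f"{name}.{suffix}" in known:
        return "genuine"
    pairs = [(real, registrable(real)[0]) for real in sorted(known)]
    # Pass 1: same name under a different suffix (the article's Spiegel.pro case).
    for real, real_name in pairs:
        if name == real_name:
            return f"tld-swap:{real}"
    # Pass 2: name within max_dist edits of a genuine one (generalization).
    for real, real_name in pairs:
        if edit_distance(name, real_name) <= max_dist:
            return f"near-match:{real}"
    return "unrelated"


if __name__ == "__main__":
    # The first three hosts come from the article; the last two are constructed.
    for link in ("https://www.spiegel.de/politik", "Spiegel.pro",
                 "https://leparisien.ltd/article", "https://sp1egel.de/",
                 "https://example.org/"):
        print(f"{link:35} {classify(link)}")
```

A check like this only covers the address; because the clones also copy the site design, the domain is the one signal a reader or a link filter can rely on.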
One of the first victims of this “dualism” was the website of the reputable German newspaper Süddeutsche Zeitung, whose clone in the summer of 2022 decided to inform its audience about empty shelves in German grocery stores, police violence against demonstrators, and the results of a fictitious survey claiming that most Germans believe their government is “not doing enough for its citizens.”
“These texts always carry the same message: Germans are suffering from the sanctions against Russia, they are angry about it, and therefore the ‘economic war’ against the Kremlin must end,”
— the Süddeutsche Zeitung described the thematic content of its doppelgänger. This is true for all projects involved in this infrastructure: Ukraine is portrayed as deeply corrupt, Nazi-like, and a puppet state, while Europe is depicted as a victim of alien U.S. interests, forced to pay for its support of Ukraine with a deteriorating quality of life.
Doppelgänger openly sympathizes with right-wing Eurosceptics like Alternative for Germany and the National Rally, and significantly ramps up disinformation for specific countries during elections or key events related to Ukraine, such as the Munich Security Conference. Some analysts also attribute Peter Pellegrini’s victory in the Slovak presidential election this spring to Kremlin propaganda activities.
From a technical standpoint, Doppelgänger is quite sophisticated. It slips past social media moderation (which, as noted, is already not very diligent and covers up to five percent of total advertising) by routing clicks through a three-step redirection. When a user clicks on the widget of an article referenced by a Doppelgänger bot, they first land on a blank webpage responsible for the widget’s content. The average reader might notice this only during an unusually long loading time, and the cybersecurity analysis center Sekoia.io discovered that the seemingly empty page contains meaningless text written in white font in Russian.
The next page is also filled with random words (this time in English), and it contains a script that triggers another JavaScript code, which then redirects the user to the final page of the fake news site. Notably, this page uses a traffic tracker from Keitaro, allowing the campaign’s curators to analyze its effectiveness.
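For moderation or triage tooling, the two intermediate pages described above leave measurable traces: text that is present but styled white, and a script whose job is to load another script or change the location. The following is an added example, not code from Sekoia.io or from the article; the sample pages are constructed from the description, and the scanner assumes the white colour is set in inline styles.

```python
import re
from html.parser import HTMLParser

# Inline-style white text only; stylesheet rules are out of scope (simplification).
WHITE = re.compile(r"(?<![-\w])color\s*:\s*(?:#fff(?:fff)?\b|white\b)", re.I)
REDIRECT_JS = re.compile(r"\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(")
LOADER_JS = re.compile(r"createElement\s*\(\s*['\"]script['\"]")
VOID = {"br", "hr", "img", "input", "link", "meta"}


class StageScanner(HTMLParser):
    """Counts white-styled vs. normal text and records script behaviour."""

    def __init__(self):
        super().__init__()
        self.white = []      # one flag per open element: is its text white?
        self.raw = None      # "script" or "style" while inside one
        self.hidden = self.visible = 0
        self.signals = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.signals.add("meta-refresh")
        if tag in VOID:
            return
        if tag in ("script", "style"):
            self.raw = tag
            return
        parent = self.white[-1] if self.white else False
        self.white.append(parent or bool(WHITE.search(a.get("style") or "")))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.raw = None
        elif tag not in VOID and self.white:
            self.white.pop()

    def handle_data(self, data):
        if self.raw == "script":
            if REDIRECT_JS.search(data):
                self.signals.add("js-redirect")
            if LOADER_JS.search(data):
                self.signals.add("script-loader")
        if self.raw:
            return
        n = len(data.strip())
        if self.white and self.white[-1]:
            self.hidden += n
        else:
            self.visible += n


def scan(html):
    """Return the share of white-styled text and the redirect signals found."""
    p = StageScanner()
    p.feed(html)
    p.close()
    total = p.hidden + p.visible
    ratio = p.hidden / total if total else 0.0
    if ratio >= 0.8:
        p.signals.add("white-filler")
    return {"hidden_ratio": round(ratio, 2), "signals": sorted(p.signals)}


# Constructed samples modelled on the article's description, not captured pages.
STAGE1 = '<html><body><div style="color:#ffffff">набор случайных слов без смысла</div></body></html>'
STAGE2 = ("<html><body><p>river candle orbit velvet maple</p><script>"
          "var s=document.createElement('script');s.src='/next.js';"
          "document.head.appendChild(s);</script></body></html>")
BENIGN = '<html><body><h1 style="background-color:white">News</h1><p>Text.</p></body></html>'
```

Dynamic script loading alone is common on legitimate sites, so these signals are best treated as weights alongside the landing domain rather than as a verdict.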
Little is known about these curators. Most analytical centers agree that the previously mentioned, sanctioned “Agency for Social Design” and the “Structure” group play central roles in the Doppelgänger operation. These are highly non-public companies, comparable to Prigozhin’s “Internet Research Agency,” more commonly known as the “troll factory.” The latter was a sort of “proto-Doppelgänger,” much less technically sophisticated and large-scale, more centralized, and therefore more vulnerable to journalistic investigations based on leaks and the employees’ disregard for confidentiality.
If Doppelgänger is exposed in the foreseeable future, that is, if the public learns how the work process is structured within this infrastructure, who is directly responsible for the editorial policy of hundreds of fake sites, and to whom they report, it will most likely happen because of leaks. The team behind the operation let the first one slip at the end of June, for the first time in two years of activity.
What do we know about it today?
So far, the media has only briefly mentioned the leak. German outlet CORRECTIV touched on it in their recent investigation, revealing that Doppelgänger’s fake websites are hosted on servers within EU countries. This critical detail could potentially be the starting point for unmasking the Doppelgänger team.
On June 27, Paul Bouchaud, a member of the NGO AI Forensics, which investigates “opaque algorithms,” posted on X an illustration related to one of the Doppelgänger bots’ publications. Apparently, the image editor made a mistake and uploaded a screenshot of the illustration taken in the VK Teams program instead of the illustration itself. This program is a copy of the similarly named platform by Microsoft, used by quasi-governmental companies and universities in Russia due to “post-war” digital security requirements.
The VK Teams interface strongly resembles Telegram, where in the desktop version, an opened photo occupies a specific central area of the screen, with the edges blurred. Using AI, Bouchaud managed to enhance this blur, and now a screenshot of the desktop of an employee from one of Doppelgänger’s affiliated companies is publicly available. This screenshot allows us to draw several important conclusions.
- Doppelgänger indeed exists as a coordinated infrastructure. In the chat list of the person who took the screenshot, there are seven chats dedicated to countries targeted by Doppelgänger (Ukraine, Germany, France, Israel, the USA, Italy, and Poland), one chat related to a “Site U” (presumably referring to Ukraine again), and another about cartoons, indicated by the truncated word “cartoon” under the displayed image and a group photo of Winnie the Pooh. This makes sense, as Doppelgänger also produces its own multimedia content, including caricatures, cartoons, and fake graffiti photos in European cities, distributed through the “Matryoshka” system (as detailed in an AFP report). They even create entire animated series. A prime example is “Ukraine Inc,” an animated project with 12 episodes so far, falsely presented by Russian propaganda as a “French cartoon.” OpenAI’s report also mentions that Doppelgänger “tried to make our programs create cartoon images of well-known European politicians and critics of Russia. The programs rejected these requests.” In the screenshot, there is a French chat preparing an article on Ukraine’s inability to win the war for publication on a fake Le Parisien site, this time with the domain .wf. The people, likely senior or chief editors within Doppelgänger, assign tasks in chats, mark articles as “in progress,” and attach writers to them, reminiscent of the “conveyor belt” work organization in Russian state media news services. It is possible that former employees of these news services are involved in Doppelgänger’s management, as indicated by a German T-Online investigation highlighting Doppelgänger’s connections to “Channel One,” “Izvestia,” and “REN TV” (associated with the Putin-aligned “National Media Group”).
- Doppelgänger employs a woman named Alina Malinina, a man with the surname Feoktistov, and a person using the pseudonym John Galt. There is no reason to believe the first two names are false, but there is insufficient information to identify these individuals. Alina’s profile photo (heavily distorted by AI processing) shows a woman with blonde hair, wearing a red sweater, sitting cross-legged. As of July 2024, there are no VK users with that name and a similar avatar. Based on the activity of Malinina and Feoktistov in the chats, it can be assumed that they are senior or chief editors: they assign tasks to employees, request status updates, and address others as “colleagues.” The question, “Who is John Galt?” remains unanswered, much like in Ayn Rand’s “Atlas Shrugged,” from which the anonymous propagandist borrowed this pseudonym. In our context, this pseudonym indicates the ideological leanings of some Doppelgänger employees. The figure of John Galt, like “Atlas,” is popular in American right-wing conservative circles, with posters referencing Galt appearing during the libertarian Tea Party Movement protests in the late 2000s. Doppelgänger attempts to exploit this right-wing conservative discourse. According to Infosecurity Magazine, Doppelgänger purchased paid airtime from Andrew Napolitano, a libertarian commentator and YouTuber well-known among American conservatives.
- It’s also worth noting the macOS taskbar captured in the screenshot. The most interesting detail here is a mysterious program called FBtool, open at the time the screenshot was taken, indicating its use during the working hours of the alleged image editor of Doppelgänger. Most likely, this is a utility for creating and managing multiple Facebook accounts, described on GitHub as a “bot for creating Facebook accounts.” Less likely, it is a plugin for Keitaro, listed on its official website (Keitaro being the company whose tracker Doppelgänger uses on fake news sites). Additionally, the fact that the Doppelgänger team uses the VK Teams platform strongly suggests that they operate in compliance with the security requirements of Russian state agencies. Even if everything shown in the screenshot is the work of a private company fulfilling a shadowy government contract, the client strictly controls and ensures the confidentiality of this activity.
The fields of the new propaganda war
Is this institution really so important that, for some reason, state media and Russian officials refuse to make any information about it public, neither through denials nor through the usual mockery from the Foreign Ministry and Presidential Administration? Why is such a massive operation, which could essentially be considered the Kremlin’s propaganda pride in the context of the “combat mosquitoes” and “dirty bombs” mentioned at the start of the article, deliberately being kept silent?
It can be assumed that those responsible for this campaign would very much prefer not to publicize that the reality existing on fake domains like Reuters.cdf and Spiegel.pro, where Zelensky is portrayed as a “weak-willed drug addict despised by war-weary, starving, and gas-hungry Europeans,” exists solely within the framework of a disinformation operation.
For the Kremlin, this worldview is crucial and must be promoted both domestically and internationally to align reality with expansionist ideologies and normalize its policies.
In this worldview, Le Dialogue becomes more authoritative than Le Figaro, and the nonsense-spreading bots become more significant than the publicists and essayists whom Russian authorities label as foreign agents.
In nearly all the technical reports I reviewed for this article, cybersecurity experts assess the impact of Doppelgänger on Western political processes as minimal, although they note the troubling trend of the uncontrollable expansion of the operation, which is difficult to combat with administrative methods. However, even with reassuring assessments of the harmfulness of such campaigns, it’s important to remember that each one is part of a massive systemic problem, which The Atlantic’s Anne Applebaum described in her significant essay as a “new propaganda war.”
This involves nearly all modern authoritarian regimes, especially China, Russia, Iran, and Venezuela. Each has hundreds of companies, operations, and media personnel actively turning the internet into an unpleasant place, where reality is distorted by AI efforts and millions of bots, and high-quality, reliable content is submerged in fake news and algorithmic manipulation. For instance, China and Iran have their own versions of Doppelgänger: Spamouflage and the International Union of Virtual Media, respectively.