On March 16, 2022, three weeks after Russia’s full-scale invasion of Ukraine began, a video appeared on the website of the Ukrainian TV channel “Ukraine 24”. On screen, President Volodymyr Zelensky stood behind a podium addressing the nation. “I have decided to return Donbas,” said the person resembling him. “Our efforts have failed. My advice is for everyone to lay down their weapons and return to their families.”
In reality, Zelensky never said this. The video was a deepfake— a digital forgery posted by hackers on the hacked TV channel’s website and simultaneously broadcast in a live ticker. Within minutes, the video spread across Telegram, VKontakte, and Twitter. Facebook removed it after complaints, but by then it had already garnered hundreds of thousands of views.
Zelensky reacted quickly by recording an address in military uniform from the street in Kyiv. “We are defending our land, our children, our families,” he said. However, researchers from Witness, a specialized organization in detecting fake content, immediately warned of the danger. “The specific problem is the so-called liar’s dividend, where real video can be easily declared fake, shifting the burden of proof onto those claiming its authenticity,” explained researcher Sam Gregory from Witness.
This was not a singular experiment but a public demonstration of a new kind of combined weaponry and the first public test of how far Russia is willing to go in its information war against Ukraine.
Operation Doppelganger: How the Kremlin Clones Reality
While the war continued, another operation unfolded in parallel— more extensive, sophisticated, and targeted not only at Ukraine but the entire West. Its name— “Doppelganger,” meaning “double.” The essence is simple: to create websites that look exactly like authoritative media— Fox News, Washington Post, Der Spiegel, Le Monde, BBC— and publish fabricated content there. The reader sees a familiar logo, font, layout, and doesn’t notice that the site address is slightly different. Instead of washingtonpost.com, washingtonpost.pm opens; instead of fox-news.com, fox-news.top. The operation started in May 2022, and by September, it was exposed by the EU DisinfoLab organization. However, despite being uncovered, it didn’t stop— only adapted.
According to documents released by the U.S. Department of Justice in 2024, the operation was conducted by two Russian companies, Social Design Agency and Structura, under direct Kremlin orders. U.S. Deputy Attorney General Lisa Monaco put it clearly: “By Putin’s order, SDA, Structura, and ANO Dialog used cybersquatting, fabricated influencers, and fake profiles to covertly promote AI-generated false narratives on social media.”
Regarding Ukraine, the aim of the operation was specific. Fake versions of Fox News and the Washington Post published materials claiming that American debt was rising due to aid to Ukraine, that Zelensky was corrupt, and that the U.S. should focus on its own issues. One of the internal “planning documents” of the SDA, cited by the American indictment, explicitly stated that the project’s goal was “to influence public opinion in the U.S. so that Americans would believe their country should focus on solving domestic issues instead of spending money on Ukraine and other troubled regions.”
For different audiences, the operation generated different content. For the American LGBT community, materials were published about the persecution of “transgender youth” in Ukraine. For the German-speaking audience, posts criticized the government and support for Ukraine. For the French-speaking audience, narratives suggested that France was a “vassal” of the U.S. and that NATO acted against French interests.
The technical scheme was detailed. Domains were registered through American registrars Namecheap, NameSilo, and GoDaddy, payment operations were conducted through front persons in the U.S., and the servers’ IP addresses were previously associated with cybercriminal activities. A special cloaking service, Kehr, was used to bypass platform moderation algorithms, displaying different content depending on whether a link was opened by a regular user or a platform moderator.
Bavarian intelligence tracked over 7,983 campaigns and 828,842 clicks from just two servers from May 2023 to July 2024. A separate network of fake profiles, so-called “Odettes,” systematically promoted Doppelganger materials in comments under publications on large Facebook pages. All of them had the female name Odetta and allegedly worked at Netflix.
In August 2024, Meta announced it had identified over 6,000 threat indicators and removed over 5,000 profiles and pages. But the operation continued. Eventually, the FBI seized dozens of domains, including ribunalukraine.info, waronfakes.com, fox-news.top, washingtonpost.pm, spiegel.agency. Each time platforms and governments closed one node of the network, new ones emerged.
Artificial Intelligence at the Service of Propaganda
A decade ago, Operation Doppelganger would have been impossible, at least on such a scale. What the network did with tens of thousands of publications in different languages and for different audiences would have required an army of translators, editors, and analysts. Today, much of this work is done by artificial intelligence. In 2024, the “Truth” network, one of the largest pro-Russian disinformation resources, published about 3.5 million AI-generated articles. The goal was not only to spread narratives but also to “poison” databases. If sufficient fake content makes its way online, the next generation of AI models learns from a distorted picture of the world.
Operation Storm-1679 used AI to fake the voice of a well-known American actor in a fake documentary on behalf of Netflix aimed against the International Olympic Committee. Viewers heard a familiar voice, saw a familiar logo, and trusted what they saw. In August 2025, the same network so convincingly mimicked ABC News, BBC, and POLITICO using deepfake that its materials were shared by Donald Trump Jr. and Elon Musk.
February 2026 brought a new documented case. During the Winter Olympics in Milan and Cortina, BBC Verify documented a large-scale operation by the “Matryoshka” network targeting Ukrainian athletes and fans. In one video, viewers first saw a genuine press conference by the President of the International Olympic Committee, Kirsty Coventry, and after a few seconds, the real voice was replaced by an AI clone. “Matryoshka” forced Coventry to “state” that Ukrainian athletes came to Milan “for crazy political PR” and she “never met such unpleasant people.” In reality, Coventry said nothing of the sort. According to BBC Verify, by the end of February 2026, at least 35 videos mimicking media brands and governmental organizations related to the Olympics were documented, one of which garnered over a million views.
Ukraine has been targeted by specific deepfake campaigns since the beginning of the full-scale invasion. Russia disseminated a deepfake of Moldovan President Maia Sandu with false statements about her stance on Russia, as well as an audio forgery of Slovak politician Michal Šimečka.
According to Ukraine’s Center for Combating Disinformation, since the beginning of 2025, 191 Russian information operations using AI content have been recorded, reaching an audience of at least 84.5 million views. Researcher Désirée Vints, who studied this topic for the Heinrich Böll Foundation, identified an important pattern. “Even obvious copies can affect memory, beliefs, and decision-making. People’s opinions may change under the influence of interacting with a digital copy, even when they know it’s not a real person,” she explained.
Bots, “live” profiles, and the “laundering” scheme of information
The production of fake content is just the first part of the operation. The second key element is its distribution to target audiences. Here, Russia has learned to use the very architecture of social networks against their users. Detecting “traditional” bots is relatively easy. They post similar messages, lack personal history, and show suspiciously uniform activity around the clock. But technology has advanced: modern “live” profiles, which researchers also call “sleepers” or “imposters,” look like real people for years. They post vacation photos, discuss local news, comment on sports materials and recipes. Then, at a specified moment, on command, they simultaneously “wake up” and begin massively distributing a specific narrative. Platforms fail to respond in time because by the time of activation, the profile already has months or even years of “clean” organic history.
Operation Doppelganger used another scheme, which researchers called “disinformation laundering.” Initially, the material appeared on a little-known pro-Russian site. A network of bots and “sleeping” accounts picked up the publication and artificially increased likes, shares, and comments. The platform’s algorithm registered the activity and started recommending the post to a wider audience. And real people shared it further — without realizing the original source was linked to the Kremlin.
Doppelganger tracked over 2,800 real American influencers as potential partners. One of the SDA’s internal documents included a proposal to engage them in fomenting “internal tension” within allied countries. Some of these opinion leaders were unaware they were already in the crosshairs of the Kremlin’s PR department.
During the elections in Germany from December 2024 to January 2025, the research organization CeMAS recorded over 600 original pro-Russian publications, each disseminated hundreds of times. The total reach was 2.8 million views. Some of this content appeared on the official accounts of candidates from different parties, spreading claims that the “Greens” and Ukrainian officials were recruiting migrants to commit crimes.
Leaks of Documents: When “Truth” Becomes a Weapon
A specific tool of information operations that often escapes public attention is targeted document leaks. This scheme was perfected by Russia during the 2016 U.S. presidential elections and has been used regularly since. In May 2017, two days before the second round of the French presidential elections, hackers leaked 15 gigabytes of data from the mailboxes of Emmanuel Macron’s campaign team. The operation included three sequential phases. First, a disinformation campaign with rumors and fakes lasted for months. Then, hackers, identified by the American company Flashpoint with “moderate confidence” as the APT28 group, hacked the campaign accounts. Finally, two days before the vote, the documents were released under the hashtag MacronLeaks, which gained 47,000 tweets in three and a half hours and almost half a million in a day.
But the documents themselves turned out to be uninteresting. Nothing compromising was found within them. Therefore, the hackers acted characteristically: they mixed genuine letters with fake ones. Among the forgeries were messages suggesting that Macron allegedly used drugs. Macron described the operation as: “Authentic documents were mixed with fake ones to sow doubt and disinformation.”
This is precisely the key trick in Goebbels’ templates. When the leak contains some genuine documents, the audience tends to believe the entire collection. Since people do not verify each file individually, but see a “leak” — this forms the overall picture for them. Even if a specific detail that made the biggest impression turned out to be fake.
The operation failed: the French electorate re-elected Macron, but it became a template. Already in December 2024, before the presidential elections in Romania, Russian hackers conducted over 85,000 attacks on the country’s electoral systems and leaked compromised account data on Russian hacker forums. However, this did not significantly help the pro-Russian candidate.
Cyber Weapons and Propaganda: How Do They Work Together?
Modern information operations almost never exist independently. Social media campaigns are accompanied by cyber infrastructure:
- hacker groups,
- data leaks,
- system attacks.
A classic example is the operation against the TV channel “Ukraine 24” in March 2022 described above. Initially, hackers breached the website and live broadcast. A deepfake with Zelensky’s “surrender” was then embedded in the broadcast’s ticker. Simultaneously, the same material began being spread by pro-Russian Telegram channels. The three components—a cyberattack, deepfake, and distribution network—worked as a single system. The connection between Operation Doppelganger and the hacker group APT28, known as Fancy Bear and linked with GRU, was confirmed by researchers at SentinelOne and ClearSky. Identical fragments of HTML and text templates were found in the infrastructure code of Doppelganger and in APT28’s phishing attacks. According to Ukraine’s State Service for Special Communications, in 2024, the number of cyberattacks on Ukraine increased by nearly 70% to 4,315 documented incidents targeting critical infrastructure, government services, energy, and defense enterprises. Tactics included the spread of malware, phishing, and account compromise.
In Moldova, Russia combined cyber influence with direct bribery. The organization Evrazia, associated with oligarch Ilan Shor, paid approximately 130,000 Moldovan citizens a total of 15 million dollars to vote “no” in the 2024 referendum on joining the EU. Alongside the bribery was a massive disinformation campaign on social networks. The United Kingdom sanctioned Evrazia in April 2025. NATO Deputy Assistant Secretary General James Appathurai summarized what allies observe. “We see an increase in Russia’s propensity for risk, and I mean not risk to themselves, but risk to us, to our economies, to the security of our citizens,” he said.
China and Ukraine: The Quiet Front
While Russia attacks Ukraine openly and aggressively in the information space, China acts differently. Beijing does not officially support the invasion but also does not condemn it. In the information space, this is expressed in specific documented actions. According to the Security Service of Ukraine, in the days preceding the full-scale invasion in February 2022, the cyber unit of the People’s Liberation Army of China carried out attacks on hundreds of websites of Ukraine’s Ministry of Defense and other state institutions. Spyware and malware developed by Chinese hackers were used by Russia in Ukraine both in the early months of the invasion and afterward.
In the information dimension, China systematically reinforces narratives beneficial to Russia. In March 2022, the Ministry of Foreign Affairs of China and Chinese state media actively disseminated Moscow’s assertions that Ukraine was developing biological weapons in laboratories connected to the USA. BBC Reality Check, the UN, and the Bulletin of the Atomic Scientists refuted these claims, calling them utterly unfounded. Researchers from the Foreign Policy Research Institute documented a systematic overlap in May 2024: Chinese media simultaneously reinforced the same themes about Ukraine and NATO that Russian propaganda was promoting. The timing of the publications indicated coordination rather than a coincidental overlap. Operation “Spamouflage” also touched on the topic of Ukraine. Chinese accounts, disguised as American voters and military personnel, among other topics, spread content questioning US support for Ukraine. The aim of this operation was not so much to directly change Washington’s position as to deepen internal American disputes, making it more difficult for Congress to make decisions about aid.
Finally, in 2025, as part of a broader convergence of Chinese and Russian information operations documented by the Center for European Analysis, China moved towards more active use of generative AI to produce and disseminate content that undermines trust in NATO. CEPA researchers found that both countries pursue a common goal: portraying the West as divided, hypocritical, and incapable of effectively supporting Ukraine.
All the operations described above have one common feature that makes them a fundamentally new phenomenon in modern conflicts. None of the states behind them officially declared war or bear legal responsibility for their actions. Russia denies involvement in Doppelganger. China denies “Spamouflage.”
Attribution in the digital space is technically complex: operators use VPNs, front persons in third countries, cryptocurrency payment systems, and intermediary companies. In the Doppelganger case, a key figure known only as “Konstantin” told American investigators that he was “just an exchanger,” although most transactions occurred during Moscow business hours.
This is where a new reality of modern conflicts is forming — cognitive warfare. NATO officially recognized it by issuing a separate research report on cognitive warfare in 2025, defining it as an independent domain of conflict alongside traditional ones — land, sea, air, space, and cyberspace. The report establishes that modern conflict is increasingly behaviorally oriented and that the decisive “terrain” of battles is not geographic but cognitive: human perception, beliefs, and decision-making ability.
Will this war ever end?
The video of Zelensky’s “surrender” that appeared in March 2022 has long been removed from platforms. Algorithms worked, journalists refuted, and Zelensky himself appeared on camera to prove he did not give in. It seemed the defense system worked. But even a debunked deepfake leaves a trace. A person who once saw the video of the “surrender” will forever know that such a video existed. And the next time they see a real address from Zelensky, the thought might flash: what if it’s a forgery again?
This is exactly what the states employing these tools rely on. Not to win the argument or prove their point — just to make it so that citizens of other countries are uncertain about everything. Supporting Ukraine costs billions, so is it worth spending them on a country whose president might have already made a deal with Moscow? NATO protects Europe, but who said that it is not the aggressor itself? Maybe Russia is forced to use force to protect against the genocide of Russian speakers and “little crucified boys”? Elections are held — but can they be trusted, as the old elites might have bought everything and made all the deals?
Russia and China have chosen this tool for a reason. It’s cheaper than an army, leaves no debris, and doesn’t require a declaration of war. It acts where traditional weapons are powerless and cannot reach: inside the heads of voters, parliamentary debates, and alliances. And importantly, it uses against democracies their own strengths: openness of the information space, freedom of speech, and trust in media.
And while democratic governments impose sanctions and delete domains, cognitive operations adapt and continue. This doesn’t mean that responding is futile, but it does mean that the information war has no front line and won’t end with the signing of a capitulation. It continues every day in news feeds, algorithm recommendations, and in the momentary hesitation before clicking “share.” So, the question is not whether you personally have already become a target in this war. The question is whether you are aware of it and whether you are ready to counteract it.
Illustration: Foundation for Defense of Democracies
