Cyberveille curated by Decio
2 results tagged Storm-1516
CopyCop Deepens Its Playbook with New Websites and Targets https://www.recordedfuture.com/research/copycop-deepens-its-playbook-with-new-websites-and-targets
22/09/2025 09:11:01

PUBLISHED ON 18 SEP 2025
recordedfuture.com
Insikt Group®

Executive Summary
Since March 2025, Insikt Group has observed CopyCop (also known as Storm-1516), a Russian covert influence network, creating at least 200 new fictional media websites targeting the United States (US), France, and Canada, in addition to websites impersonating media brands and political parties and movements in France, Canada, and Armenia. CopyCop has also established a regionalized network of websites posing as a fictional fact-checking organization publishing content in Turkish, Ukrainian, and Swahili, languages never featured by the network before. Including the 94 websites targeting Germany reported by Insikt Group in February 2025, this amounts to over 300 websites established by CopyCop’s operators in the year to date, marking a significant expansion from our initial reporting on the network in 2024, and with many yet to be publicly documented.

These websites are very likely operated by John Mark Dougan with support from the Moscow-based Center for Geopolitical Expertise (CGE) and the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). CopyCop uses these websites as infrastructure to disseminate influence content targeting pro-Western leadership and publish artificial intelligence (AI)-generated content with pro-Russian and anti-Ukrainian themes in support of Russia’s offensive operations in the global information environment.

While the network’s scope in terms of target languages and countries has expanded, its primary objectives almost certainly remain unchanged: undermining support for Ukraine and exacerbating political fragmentation in Western countries backing Ukraine. Insikt Group has also observed CopyCop engaging in additional secondary objectives like advancing Russia’s geopolitical objectives in its broader sphere of influence, such as Armenia and Moldova. CopyCop’s narratives and content in support of these objectives are routinely amplified by an ecosystem of social media influencers in addition to other Russian influence networks like Portal Kombat and InfoDefense.

Similar to its objectives, CopyCop’s tactics, techniques, and procedures (TTPs) remain broadly unchanged, with marginal improvements designed to strengthen the network’s reach, resilience, and credibility. Tactics and techniques used for content dissemination typically include deepfakes, lengthy dossiers intending to embarrass targets, and fake interviews of alleged whistleblowers making claims about political leaders in NATO member states like the US, France, and Germany. Insikt Group also identified new evidence that CopyCop uses self-hosted, uncensored large language models (LLMs) based on Meta’s Llama 3 open-source models to generate AI content rather than relying on Western AI service providers.

Relative to other Russian influence networks, CopyCop’s impact remains significant: targeted influence content promoted by its websites and an ecosystem of pro-Russian social media influencers and so-called “journalists” regularly obtains high rates of organic engagement across multiple social media platforms, and has a precedent for breaking into mainstream political discourse. Persistently identifying and publicly exposing these networks should remain a priority for governments, journalists, and researchers seeking to defend democratic institutions from Russian influence.

Key Findings
  • To date, in 2025, CopyCop has widened its target languages to include Turkish, Ukrainian, and Swahili, and its geographic scope to include Moldova, Canada, and Armenia while sustaining influence operations targeting the US and France. The network is also leveraging new infrastructure to publish content, marking a significant expansion of its activities targeting new audiences.
  • CopyCop’s core influence objectives remain eroding public support for Ukraine and undermining democratic processes and political leaders in Western countries supporting Ukraine.
  • CopyCop’s TTPs are broadly unchanged from previous assessments, with only marginal improvements to increase the network’s reach, resilience, and credibility. Newly observed TTPs include evidence of CopyCop using self-hosted LLMs for content generation, employing subdomains as mirrors, and impersonating media outlets.
  • Insikt Group has identified two uncensored versions of Meta’s Llama-3-8b model that are likely being used by CopyCop to generate articles.
  • The network is also increasingly conducting influence operations within Russia’s sphere of influence, including targeting Moldova and Armenia ahead of their parliamentary elections in 2025 and 2026, respectively. This is a broader trend observed across the Russian influence ecosystem.

Background
Insikt Group previously documented CopyCop in May and June 2024, in addition to the network’s attempts at influencing the 2024 French snap elections, 2024 US presidential elections, and 2025 German federal elections. Reporting from other organizations such as Clemson University, VIGINUM, NewsGuard, Microsoft, European External Action Service, and Gnida Project has broadly corroborated our initial assessments of the network’s objectives, targets, and infrastructure, in addition to our attribution of part of the network’s activities to John Mark Dougan, a US citizen based in Moscow. The Washington Post and the US Department of the Treasury have also since established links between Dougan, the CGE, and the GRU. The GRU reportedly helped fund self-hosted LLM infrastructure, while the CGE was likely responsible, with Dougan’s assistance and direction from the GRU, for the creation of deepfakes and inauthentic content targeting political leaders in the US, Ukraine, France, and other countries.

recordedfuture.com EN 2025 CopyCop analysis Storm-1516 Russia influence covert fictional
Analysis of the Russian information manipulation set Storm-1516 | SGDSN https://www.sgdsn.gouv.fr/publications/analyse-du-mode-operatoire-informationnel-russe-storm-1516
09/05/2025 10:54:49

Since the end of 2023, VIGINUM has been observing and documenting the activities of a Russian information manipulation set likely to affect francophone and European digital public debate, known as “Storm-1516”.
The Storm-1516 information manipulation set (IMS), active for more than a year and a half, is responsible for several dozen information operations that have targeted Western audiences, including French ones. Drawing on the analysis of 77 information operations documented by VIGINUM and conducted by Storm-1516 between its presumed date of emergence and 5 March 2025, this report details the main narratives and content used, their dissemination chain, and the foreign actors involved in conducting the IMS.

VIGINUM’s analysis of these various information operations shows that the Russian information influence apparatus has invested substantial effort in coordinating the actions of a large network of actors, organizations, and IMS operating from Russian territory and in the targeted countries, and has done so since the start of Russia’s full-scale invasion of Ukraine in 2022.

Storm-1516 is today a mature information manipulation set, which gives its sponsors the capacity both to carry out short-term actions in reaction to current events and to pursue long-term strategies aimed at discrediting European and North American individuals or organizations, notably ahead of major events and electoral processes.

While the real impact on digital public debate remains difficult to estimate, VIGINUM observes that many narratives spread via this IMS have reached very high visibility online, and that they are sometimes picked up, unwittingly or opportunistically, by prominent public figures and political representatives.

Storm-1516’s operators are currently continuing their activities at a sustained operational tempo, and will very likely continue to adapt their TTPs, notably to make their content more credible, to attempt to circumvent platforms’ moderation mechanisms, to hinder the tracking and technical attribution of their activities, or to renew their attack infrastructure.

In light of these elements, VIGINUM considers that Storm-1516’s activities meet the criteria of foreign digital interference, and represent a significant threat to French and European digital public debate.

sgdsn.gouv.fr VIGINUM FR Russie Storm-1516 analyse France opératoire-informationnel