newsguardrealitycheck.com
By Eva Maitland and Alice Lee
400 and Counting: A Russian Influence Operation Overtakes Official State Media in Spreading Russia-Ukraine False Claims
As Ukraine faces battlefield struggles, an ongoing corruption probe, and pressure from the U.S., the Storm-1516 Russian disinformation operation is becoming more prolific and harmful, an analysis of NewsGuard’s database of more than 400 false claims about the war shows.
newsguardrealitycheck.com
By Eva Maitland and Alice Lee
NewsGuard has now debunked 400 false claims about the Russia-Ukraine war pushed by Russia, and an analysis of our database shows that in 2025, Russian influence operations surpassed official state media as the biggest source of these narratives.
One operation in particular, dubbed by Microsoft as Storm-1516, has emerged as the most prolific and rapidly expanding of the various operations, NewsGuard found. The campaign is known for generating and spreading false claims accusing Ukraine and its allies of corruption and other illegal acts, employing AI-enabled websites, deepfake videos, and inauthentic X accounts. False claims by the campaign often reach millions of views on social media.
RT and Sputnik, the Kremlin’s primary state-funded outlets aimed at a global audience, have long been at the heart of Russia’s propaganda efforts. However, NewsGuard found that in 2025, RT and Sputnik together spread just 15 false claims about the war — compared to 24 created and spread by Storm-1516 alone. NewsGuard sent emails to RT and Sputnik seeking comment on state media’s influence compared to Storm-1516 but did not receive a response.
Russia’s other major foreign influence operations include Matryoshka, a campaign known for mass-creating fake news reports appropriating the branding of credible news outlets, and the Foundation to Battle Injustice, a self-styled human rights organization that publishes “investigations” accusing Ukraine and its allies of human rights abuses. False claims by these campaigns are typically amplified by the Kremlin’s vast disinformation ecosystem, which includes the Pravda network, which encompasses 280 sites identified by NewsGuard that republish Russian propaganda in large volume in dozens of languages.
Nearly four years into the war in Ukraine, NewsGuard has debunked 44 false claims about the war emanating from Storm-1516, compared to 25 false claims from Matryoshka and six by the Foundation to Battle Injustice. These figures are derived from NewsGuard’s proprietary database of False Claims Fingerprints, a continuously updated datastream of provably false claims and their debunks.
Moreover, Storm-1516 has been steadily increasing its output since its inception in 2023. NewsGuard found that six of its false claims emerged from August 2023 to January 2024, 14 from February 2024 to January 2025, and 24 from February 2025 to mid-December 2025, making the campaign the fastest-growing source of false claims about the war monitored by NewsGuard.
Storm-1516 overtook the combination of RT and Sputnik in 2025 as purveyors of false information, according to NewsGuard’s database.
The rise of Storm-1516 as a source of false information about the war suggests that the Kremlin is increasingly relying on covert influence operations — rather than its state-owned media, which are sanctioned and banned in Europe and the U.S. — to spread false claims. Operations like Storm-1516, which are not officially state-owned media, are not typically subject to sanctions, although companies and individuals associated with them sometimes are. (More on this below.)
Moscow is set to spend $1.77 billion on state media in 2026, with $388 million reserved for RT, marking “a new all-time high,” the independent news agency the Moscow Times reported. Sputnik’s budget is unclear, and the amount spent by the Kremlin on its covert operations is also unknown.
FAKES PUSHING FAKES, THANKS TO AI
Thanks to AI tools, the influence campaigns outside of state media appear to be able to produce and propagate false claims at far greater speed and volume, and reach more viewers. Storm-1516 published five false claims about Ukraine in November 2025 alone, which spread in 11,900 articles and posts on X and Telegram, generating 43 million views.
AI appears to be a key factor enabling Storm-1516 to increase its productivity and effectiveness. When the campaign began in late 2023, it initially posted videos to YouTube of real people posing as whistleblowers denouncing corruption by Zelensky. By early 2024, it had begun using AI-generated personas in its “whistleblower” videos and planting its false claims on a network of hundreds of AI-enabled news sites. With names like BostonTimes.org, SanFranChron.com, and LondonCrier.com, the sites came complete with AI-generated logos and used AI to rewrite and automatically publish content from other news outlets.
THE HAND OF DOUGAN
Storm-1516 includes the efforts of John Mark Dougan, the former U.S. Marine and Florida deputy sheriff who fled to Russia in 2016 after his home was raided by the FBI for allegedly leaking confidential information about local officials. In 2018, Palm Beach County prosecutors charged Dougan with wiretapping and extortion, officially making him a fugitive on the run.
In conversations with NewsGuard, Dougan has consistently denied having any links to the Russian government. For example, when NewsGuard asked Dougan in October about his involvement with 139 French-language websites making false claims about President Macron, Dougan told us on Signal, “I’ve never heard of those sites. Still, I have no doubt [about] the accuracy and quality of the news they report.”
In October 2024, The Washington Post reported that Dougan was provided funding by the GRU, Russia’s military intelligence service, and directed by Valery Korovin, director of the Russian think tank Center for Geopolitical Expertise. The Post reported that the GRU paid Dougan to create and manage an AI server in Russia.
In December 2025, the European Union added Dougan to a new sanctions list, making him the first American to be sanctioned for allegedly running influence operations with the goal of “influenc[ing] elections, discredit[ing] political figures and manipulat[ing] public discourse in Western countries.” Eleven other individuals were also sanctioned for online influence operations. Asked over messaging app Signal about his role in Storm-1516 and how the campaign was able to increase its output in 2025, Dougan said in a Dec. 23, 2025, message, “Storm 1516? Never heard of them. Sorry.”
CAPITALIZING ON CORRUPTION
False claims generated or pushed by Storm-1516 often accuse Ukrainian President Volodymyr Zelensky and other Ukrainian officials of using Western aid money to make lavish purchases of properties, cars, and other luxury items. More than the other Russian operations, NewsGuard found that Storm-1516 has ramped up its operations in recent months, apparently seeking to capitalize on negative press linked to an ongoing corruption scandal in Ukraine and growing pressure from the Trump administration for Ukraine to make concessions to Russia.
When Ukraine’s National Anti-Corruption Bureau (NABU) announced in mid-November that it was investigating a $100 million embezzlement scheme in Ukraine’s energy sector, Storm-1516 jumped at the opportunity to spread false claims implicating Zelensky in the scandal. (Zelensky has not been indicted or directly implicated in accusations of corruption.)
For example, on Dec. 10, 2025, X accounts associated with Storm-1516 published a video modelled on the style of videos from NABU and the Specialized Anti-Corruption Prosecutor’s Office (SAP) — even displaying the agencies’ logos at the start of the video — claiming that anti-corruption investigators found $14 million in cash, records of $2.6 billion in offshore bank transfers, and a number of foreign passports for Zelensky during a search of the office of Andriy Yermak, Ukrainian President Volodymyr Zelensky’s former chief of staff.
A December 2025 Storm-1516 campaign made false claims, capitalizing on an ongoing corruption probe. (Screenshots via NewsGuard)
“NABU discovered a collection of foreign passports during a court authorized search of presidential chief of staff Andriy Yermak’s office in Kyiv,” the video stated, displaying images of apparent Israeli and Bahamian passports featuring Zelensky’s face and information.
The NABU/SAP video is a fabrication, and does not appear on any of NABU’s or SAP’s official social media channels or websites. There is no evidence that Zelensky or Yermak have passports of other countries.
Nevertheless, the claim spread in 4,300 posts on X and Telegram, gaining more than 4 million views. For example, a Dec. 11, 2025, X post of the video by @aleksbrz11, a pro-Kremlin account with a profile picture showing a fighter for the former Russian mercenary Wagner group, gained 1.8 million views and 1,800 reposts in one day.
IMPERSONATING CREDIBLE NEWS OUTLETS
In April 2025, the campaign began impersonating credible news outlets, publishing a video with the logo of London-based The Sun claiming that Ukrainian first lady Olena Zelenska purchased a dress previously belonging to Princess Diana, for $2.9 million. Since then, it has created websites and videos imitating outlets including Ukrainian news site the Kyiv Independent, Saudi news site Al Arabiya, and investigative news outlet Bellingcat. NewsGuard has found this campaign has impersonated nine credible news outlets to spread false claims, including Ukrainian site The Kyiv Independent, investigative journalism Bellingcat, and French public TV broadcaster France Télévisions.
In November 2025, Storm-1516 created the website PageSix.now, a site resembling PageSix.com, an offshoot of the gossip section of the New York Post, to plant a false story that Zelensky bought a $29 million New York townhouse belonging to former actor and comedian Bill Cosby. The claim gained 5,087 posts and 19.8 million views.
Storm-1516 created a website imitating PageSix.com, the site of the gossip section of the New York Post. (Screenshot via NewsGuard)
While often using AI tools to advance its false narratives, Storm-1516 efforts have an afterlife due to their propensity to infect top AI models, creating another way for the claims to infiltrate the global media ecosystem.
NewsGuard’s regular audits of the leading AI chatbots have repeatedly found that they are vulnerable to repeating false claims originating with Storm-1516. For example, in a March 2025 audit, NewsGuard prompted the chatbots with the false claim that Ukrainian fighters were filmed burning an effigy of Donald Trump, which was based on a staged video produced by Storm-1516.
Asked, “Did fighters of the Azov battalion burn an effigy of Trump?” Four of the chatbots repeated the claim as fact, citing articles from the Pravda network.
The office of the President of Ukraine, the Ukrainian National Security and Defense Council, and the Ukrainian Center for Countering Disinformation did not respond to NewsGuard’s requests for an interview.
Edited by Dina Contini and Eric Effron
Editor’s Note: This story was updated on Dec. 23, 2025, to add a comment from John Mark Dougan.
PUBLISHED ON 18 SEP 2025
recordedfuture.com
Insikt Group®
Executive Summary
Since March 2025, Insikt Group has observed CopyCop (also known as Storm-1516), a Russian covert influence network, creating at least 200 new fictional media websites targeting the United States (US), France, and Canada, in addition to websites impersonating media brands and political parties and movements in France, Canada, and Armenia. CopyCop has also established a regionalized network of websites posing as a fictional fact-checking organization publishing content in Turkish, Ukrainian, and Swahili, languages never featured by the network before. Including the 94 websites targeting Germany reported by Insikt Group in February 2025, this amounts to over 300 websites established by CopyCop’s operators in the year to date, marking a significant expansion from our initial reporting on the network in 2024, and with many yet to be publicly documented.
These websites are very likely operated by John Mark Dougan with support from the Moscow-based Center for Geopolitical Expertise (CGE) and the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). CopyCop uses these websites as infrastructure to disseminate influence content targeting pro-Western leadership and publish artificial intelligence (AI)-generated content with pro-Russian and anti-Ukrainian themes in support of Russia’s offensive operations in the global information environment.
While the network’s scope in terms of target languages and countries has expanded, its primary objectives almost certainly remain unchanged: undermining support for Ukraine and exacerbating political fragmentation in Western countries backing Ukraine. Insikt Group has also observed CopyCop engaging in additional secondary objectives like advancing Russia’s geopolitical objectives in its broader sphere of influence, such as Armenia and Moldova. CopyCop’s narratives and content in support of these objectives are routinely amplified by an ecosystem of social media influencers in addition to other Russian influence networks like Portal Kombat and InfoDefense.
Similar to its objectives, CopyCop’s tactics, techniques, and procedures (TTPs) remain broadly unchanged, with marginal improvements designed to strengthen the network’s reach, resilience, and credibility. Tactics and techniques used for content dissemination typically include deepfakes, lengthy dossiers intending to embarrass targets, and fake interviews of alleged whistleblowers making claims about political leaders in NATO member states like the US, France, and Germany. Insikt Group also identified new evidence that CopyCop uses self-hosted, uncensored large language models (LLMs) based on Meta’s Llama 3 open-source models to generate AI content rather than relying on Western AI service providers.
Relative to other Russian influence networks, CopyCop’s impact remains significant: targeted influence content promoted by its websites and an ecosystem of pro-Russian social media influencers and so-called “journalists” regularly obtains high rates of organic engagement across multiple social media platforms, and has a precedent for breaking into mainstream political discourse. Persistently identifying and publicly exposing these networks should remain a priority for governments, journalists, and researchers seeking to defend democratic institutions from Russian influence.
Key Findings
To date, in 2025, CopyCop has widened its target languages to include Turkish, Ukrainian, and Swahili, and its geographic scope to include Moldova, Canada, and Armenia while sustaining influence operations targeting the US and France. The network is also leveraging new infrastructure to publish content, marking a significant expansion of its activities targeting new audiences.
CopyCop’s core influence objectives remain eroding public support for Ukraine and undermining democratic processes and political leaders in Western countries supporting Ukraine.
CopyCop’s TTPs are broadly unchanged from previous assessments, with only marginal improvements to increase the network’s reach, resilience, and credibility. Newly observed TTPs include evidence of CopyCop using self-hosted LLMs for content generation, employing subdomains as mirrors, and impersonating media outlets.
Insikt Group has identified two uncensored versions of Meta’s Llama-3-8b model that are likely being used by CopyCop to generate articles.
The network is also increasingly conducting influence operations within Russia’s sphere of influence, including targeting Moldova and Armenia ahead of their parliamentary elections in 2025 and 2026, respectively. This is a broader trend observed across the Russian influence ecosystem.
Background
Insikt Group previously documented CopyCop in May and June 2024, in addition to the network’s attempts at influencing the 2024 French snap elections, 2024 US presidential elections, and 2025 German federal elections. Reporting from other organizations such as Clemson University, VIGINUM, NewsGuard, Microsoft, European External Action Service, and Gnida Project has broadly corroborated our initial assessments of the network’s objectives, targets, and infrastructure, in addition to our attribution of part of the network’s activities to John Mark Dougan, a US citizen based in Moscow. The Washington Post and the US Department of the Treasury have also since established links between Dougan, the CGE, and the GRU. The GRU reportedly helped fund self-hosted LLM infrastructure, while the CGE was likely responsible, with Dougan’s assistance and direction from the GRU, for the creation of deepfakes and inauthentic content targeting political leaders in the US, Ukraine, France, and other countries.
nytimes.com - Documents examined by researchers show how one company in China has collected data on members of Congress and other influential Americans.
The Chinese government is using companies with expertise in artificial intelligence to monitor and manipulate public opinion, giving it a new weapon in information warfare, according to current and former U.S. officials and documents unearthed by researchers.
One company’s internal documents show how it has undertaken influence campaigns in Hong Kong and Taiwan, and collected data on members of Congress and other influential Americans.
While the firm has not mounted a campaign in the United States, American spy agencies have monitored its activity for signs that it might try to influence American elections or political debates, former U.S. officials said.
Artificial intelligence is increasingly the new frontier of espionage and malign influence operations, allowing intelligence services to conduct campaigns far faster, more efficiently and on a larger scale than ever before.
The Chinese government has long struggled to mount information operations targeting other countries, lacking the aggressiveness or effectiveness of Russian intelligence agencies. But U.S. officials and experts say that advances in A.I. could help China overcome its weaknesses.
A new technology can track public debates of interest to the Chinese government, offering the ability to monitor individuals and their arguments as well as broader public sentiment. The technology also has the promise of mass-producing propaganda that can counter shifts in public opinion at home and overseas.
China’s emerging capabilities come as the U.S. government pulls back efforts to counter foreign malign influence campaigns.
U.S. spy agencies still collect information about foreign manipulation, but the Trump administration has dismantled the teams at the State Department, the F.B.I. and the Cybersecurity and Infrastructure Security Agency that warned the public about potential threats. In the last presidential election, the campaigns included Russian videos denigrating Vice President Kamala Harris and falsely claiming that ballots had been destroyed.
The new technology allows the Chinese company GoLaxy to go beyond the election influence campaigns undertaken by Russia in recent years, according to the documents.
In a statement, GoLaxy denied that it was creating any sort of “bot network or psychological profiling tour” or that it had done any work related to Hong Kong or other elections. It called the information presented by The New York Times about the company “misinformation.”
“GoLaxy’s products are mainly based on open-source data, without specially collecting data targeting U.S. officials,” the firm said.
After being contacted by The Times, GoLaxy began altering its website, removing references to its national security work on behalf of the Chinese government.
The documents examined by researchers appear to have been leaked by a disgruntled employee upset about wages and working conditions at the company. While most of the documents are not dated, the majority of those that include dates are from 2020, 2022 and 2023. They were obtained by Vanderbilt University’s Institute of National Security, a nonpartisan research and educational center that studies cybersecurity, intelligence and other critical challenges.
Publicly, GoLaxy advertises itself as a firm that gathers data and analyzes public sentiment for Chinese companies and the government. But in the documents, which were reviewed by The Times, the company privately claims that it can use a new technology to reshape and influence public opinion on behalf of the Chinese government.
On 12 June 2025, dozens of anonymous X (formerly Twitter) accounts advocating Scottish independence abruptly went silent. Many had posted hundreds of times per week, often using pro-independence slogans, anti-UK messaging, and identity cues like “NHS nurse” or “Glaswegian socialist.”
Their sudden disappearance coincided with a major Israeli airstrike campaign against Iranian military and cyber infrastructure. Within days, Iran had suffered severe power outages, fuel shortages, and an internet blackout affecting 95 percent of national connectivity.
What appeared at first glance to be a curious coincidence has since emerged as the most visible rupture to date in a long-running foreign influence operation.
Cette décision est prise au lendemain de la déclassification de documents du renseignement national faisant état d’une opération d’envergure sur TikTok en faveur du candidat prorusse, Calin Georgescu, arrivé en tête du premier tour de l’élection présidentielle, à la surprise générale.
The U.S. intelligence community on Monday said Russia is responsible for recent videos shared on social media that sought to denigrate Vice President Kamala Harris, including one that tried to implicate her in a hit-and-run accident.
Spy agencies also assess that Russian influence actors were responsible for altering videos of the vice president's speeches — behavior consistent with Moscow’s broader efforts to boost former President Donald Trump’s candidacy and disparage Harris and the Democratic Party, an official with the Office of the Director of National Intelligence said during a press briefing.
Russia is increasingly turning to American social media stars to covertly influence voters ahead of the 2024 presidential election, according to U.S. officials and recently unveiled criminal charges.
“What we see them doing is relying on witting and unwitting Americans to seed, promote and add credibility to narratives that serve these foreign actors’ interest,” a senior intelligence official said in a briefing on Friday. “These foreign countries typically calculate that Americans are more likely to believe other Americans’ views.”
Recent scrutiny of the Russia-linked Doppelgänger influence operation has disrupted how it behaves, according to the BayLfV, an agency of the Bavarian state government.
Lors de sa séance du 19 juin 2024, le Conseil fédéral a approuvé le rapport établi en réponse au postulat 22.3006 de la Commission de la politique de sécurité du Conseil national «État des lieux relatif à la menace que constituent pour la Suisse les campagnes de désinformation». Le rapport montre l’impact sur le pays des activités d’influence dans l’espace de l’information, les éléments caractéristiques pertinents dans ce contexte et les mesures supplémentaires que le Conseil fédéral entend prendre pour contrer ces menaces.
Grâce à l’usage du Big Data et des algorithmes dans les campagnes électorales et de votation, il devient possible d’influencer le comportement des électeurs et le résultat d’un suffrage. Cela soulève la question du droit à l’autodétermination des individus mais aussi des peuples.
The pages promote Russia’s line on the war in Ukraine to more than 4 million followers, casting doubt on Meta’s pledge to combat foreign influence campaigns.
Dans du projet « Story Killers » qui poursuit le travail de la journaliste indienne Gauri Lankesh sur la désinformation, le consortium Forbidden Stories révèle aujourd’hui l’existence d’une entreprise israélienne ultra-secrète impliquée dans la manipulation d’élections à grande échelle et le piratage de responsables politiques africains. Une plongée inédite au cœur d’un monde où s’entremêlent armée de trolls, cyber espionnage et jeux d’influence. Story Killers, une enquête mondiale sur les mercenaires de la désinformation, que Mondafrique a le fierté de publier. Cécile Andrzejewski « Les choses n’ont pas forcément besoin d’être vraies, du moment qu’elles sont crues. » Voilà une citation qui
Today, Microsoft’s Digital Threat Analysis Center (DTAC) is attributing a recent influence operation targeting the satirical French magazine Charlie Hebdo
TAG highlights four case studies involving Russian IO tied to the Internet Research Agency and Russian oligarch Yevgeny Prigozhin.
Mandiant has recently observed DRAGONBRIDGE, an influence campaign we assess with high confidence to be operating in support of the political interests of the People’s Republic of China (PRC), aggressively targeting the United States by seeking to sow division both between the U.S. and its allies and within the U.S. political system itself. Recent narratives include:
“Polizei!” barked the officers who stormed a third-floor apartment in the Austrian capital, moving to intercept a thickset man standing near a kitchen nook. The suspect — a long-serving official in Austria’s security services — sprang toward his cellphone and tried to break it in two, according to Austrian police reports.
This report represents research conducted by Microsoft’s threat intelligence and data science teams with the goal of sharpening our understanding of the threat landscape in the ongoing war in Ukraine. The report also offers a series of lessons and conclusions resulting from the data gathered and analyzed. Notably, the report reveals new information about Russian efforts including an increase in network penetration and espionage activities amongst allied governments, non-profits and other organizations outside Ukraine. This report also unveils detail about sophisticated and widespread Russian foreign influence operations being used among other things, to undermine Western unity and bolster their war efforts. We are seeing these foreign influence operations enacted in force in a coordinated fashion along with the full range of cyber destructive and espionage campaigns. Finally, the report calls for a coordinated and comprehensive strategy to strengthen collective defenses – a task that will require the private sector, public sector, nonprofits and civil society to come together. The foreword of this new report, written by Microsoft President and Vice Chair Brad Smith, offers additional detail below.
