On 16 March 2022, three weeks after Russia launched its full-scale invasion of Ukraine, a video appeared on the website of the Ukrainian television channel Ukraine 24. On screen, President Volodymyr Zelenskyy stood behind a podium addressing the nation. “I have decided to return Donbas,” said a man resembling him. “Our efforts have failed. My advice is for everyone to lay down their arms and return to their families.”
In reality, Zelenskyy never said any of this. The video was a deepfake — a digitally fabricated clip uploaded by hackers to the compromised website of the television channel and simultaneously inserted into its live broadcast ticker. Within minutes, it had spread across Telegram, VKontakte and Twitter. Facebook removed it following user reports, but by then it had already accumulated hundreds of thousands of views.
Zelenskyy responded swiftly, recording a video address in military uniform from a street in Kyiv. “We are defending our land, our children, our families,” he said. But researchers at the organisation Witness, which specialises in detecting manipulated content, quickly warned of the wider implications. “The specific problem is the so-called liar’s dividend, where genuine video can easily be declared fake and the burden of proof shifted onto those claiming it is authentic,” said Witness researcher Sam Gregory.
It was not an isolated experiment, but a public demonstration of a new kind of combined weapon — and an early test of how far Russia was willing to go in its information war against Ukraine.
Operation Doppelganger: how Kremlin clones online reality
As Russia’s invasion continued, another operation ran in parallel — larger in scale, more sophisticated, and aimed not only at Ukraine but at the wider West. It was called “Doppelganger”. The concept was straightforward: build websites designed to closely mimic established media outlets — Fox News, Washington Post, Der Spiegel, Le Monde and the BBC — and publish fabricated content on them. Readers would see familiar logos, fonts and layouts and often fail to notice that the web address was slightly altered. Instead of washingtonpost.com, they would land on washingtonpost.pm; instead of fox-news.com, fox-news.top. The operation began in May 2022 and, by September, had been exposed by the organisation EU DisinfoLab. But exposure did not end it — it simply evolved.
According to documents released by the US Department of Justice in 2024, the operation was run by two Russian companies, Social Design Agency and Structura, acting under direct orders from the Kremlin. US Deputy Attorney General Lisa Monaco put it bluntly: “At Putin’s direction, Russian companies SDA, Structura, and ANO Dialog used cybersquatting, fabricated influencers, and fake profiles to covertly promote AI-generated false narratives on social media.”
Regarding Ukraine, the operation’s targets were clear. Fake versions of Fox News and the Washington Post pushed stories claiming that US debt was rising because of aid to Ukraine, that Zelenskyy was corrupt, and that Washington should focus on its own domestic problems.
One of SDA’s internal strategy documents, cited in the US indictment, set out the goal: to “influence public opinion in the United States so that Americans believe their country should focus its efforts on solving domestic issues instead of spending money on Ukraine and other troubled regions.” The content was also tailored for different audiences.
For US LGBT communities, it circulated claims about the persecution of “transgender youth” in Ukraine. For German-speaking audiences, it amplified criticism of the government and its support for Kyiv. For French-speaking audiences, it pushed narratives portraying France as a “vassal state” of the United States and suggesting NATO was acting against French interests.
Behind the scenes, the technical setup was tightly organised. Domains were registered through US-based providers Namecheap, NameSilo and GoDaddy, payments were routed through front people in the United States, and server IP addresses had previously been linked to cybercriminal activity. To slip past platform moderation, the operation used a cloaking service called Kehr, serving different content depending on whether the visitor was a regular user or a platform moderator.
Bavarian intelligence services tracked more than 7,983 campaigns and 828,842 clicks across just two servers between May 2023 and July 2024. Alongside that, a separate network of fake profiles — the so-called “Odette” accounts — systematically pushed Doppelganger content in comment sections under posts from major Facebook pages. All of the profiles used the same female name, Odette, and all claimed to work at Netflix.
In August 2024, Meta said it had identified more than 6,000 threat indicators and removed over 5,000 profiles and pages. But the operation did not stop. The FBI later seized dozens of domains, including ribunalukraine.info, waronfakes.com, fox-news.top, washingtonpost.pm and spiegel.agency. Each time platforms or governments took down one part of the network, new nodes quickly appeared to replace it.
AI as a propaganda tool
A decade ago, Operation Doppelganger would have been unthinkable at this scale. What the network now produces — tens of thousands of posts in multiple languages, tailored to different audiences — would once have required an entire ecosystem of translators, editors and analysts. Today, a large part of that work is handled by artificial intelligence. In 2024, the Pravda network, one of the largest pro-Russian disinformation outlets, published around 3.5 million AI-generated articles. The aim was not only to push narratives, but also to “poison” datasets — flooding the internet with enough synthetic material that future AI models end up training on a distorted version of reality.
Operation Storm-1679 took a similar approach, using AI to mimic the voice of a well-known American actor in a fake documentary allegedly produced by Netflix and targeting the International Olympic Committee. Viewers heard a familiar voice, saw a familiar logo, and accepted what they were watching at face value. In August 2025, the same network went further, imitating ABC News, the BBC and POLITICO with deepfakes convincing enough that the material was shared by Donald Trump Jr. and Elon Musk.
February 2026 brought a fresh, documented example. During the Winter Olympic Games in Milan and Cortina, BBC Verify tracked a large-scale operation by the “Matryoshka” network targeting Ukrainian athletes and supporters. In one video, viewers first saw a real press conference by International Olympic Committee President Kirsty Coventry, before her voice was seamlessly swapped out for an AI clone just seconds later. “Matryoshka” made Coventry “say” that Ukrainian athletes had come to Milan “for insane political PR” and that she had “never met such unpleasant people”. In reality, she said nothing of the sort.
By the end of February 2026, BBC Verify had documented at least 35 videos impersonating media brands and government organisations linked to the Olympics, with one clip alone drawing more than a million views.
Separate deepfake campaigns targeting Ukraine have been running since the very beginning of the full-scale invasion. For instance, Russia has circulated a deepfake of Moldovan President Maia Sandu containing false claims about her position on Russia, as well as an audio forgery of Slovak politician Michal Šimečka.
According to Ukraine’s Centre for Countering Disinformation, since the start of 2025 there have been 191 Russian information operations using AI-generated content, with a combined reach of at least 84.5 million views. Researcher Désirée Vance, who studied the issue for the Heinrich Böll Foundation, points to a key pattern. “Even obvious copies can influence memory, beliefs and decision-making; people’s opinions can change through interaction with a digital copy even when they know they are not dealing with a real person,” she said.
Bots, “real-fake” profiles and information ‘laundering’
Producing fake content is only the first step. The second is distribution — getting it in front of the right audiences. And here, Russia has learned to turn the very architecture of social media against its users.
Traditional bots are relatively easy to spot. They post repetitive messages, have no personal history, and show suspiciously uniform activity around the clock. But the tactics have evolved.
Today, so-called “real-fake” profiles — also described by researchers as “sleeper” or “imposter” accounts — can appear fully authentic for years. They post holiday photos, comment on local news, discuss sports, even share recipes. Then, at a given moment, they are activated.
On command, they “wake up” simultaneously and begin pushing a specific narrative at scale. By the time platforms respond, these accounts often already have months or even years of apparently organic activity behind them.
Operation Doppelganger relied on another tactic researchers describe as “disinformation laundering”. A story would first appear on a little-known pro-Russian website. From there, networks of bots and sleeper accounts would pick it up, artificially amplifying likes, shares and comments. Platform algorithms would detect the spike in engagement and start recommending the post to wider audiences. Real users would then share it further — often without realising the original source was linked back to the Kremlin.
Doppelganger tracked more than 2,800 real American influencers as potential partners. One of SDA’s internal documents proposed bringing them in to help fuel “internal tensions” within allied countries. Some of these opinion leaders had no idea they were already on the radar of the Kremlin’s PR apparatus.
During the German election period between December 2024 and January 2025, the research organisation CeMAS recorded more than 600 original pro-Russian posts, each of which was shared hundreds of times. Their combined reach amounted to 2.8 million views. Some of this content even made its way into official accounts of candidates from different parties, who shared claims alleging that the Greens and Ukrainian officials were recruiting migrants to commit crimes.
Document leaks: when “truth” becomes a weapon
A less visible but increasingly common tool of information operations is the targeted leaking of documents. First refined by Russia during the 2016 US presidential election, the tactic has since become a recurring feature of its playbook.
In May 2017, two days before the second round of France’s presidential election, hackers dumped 15 gigabytes of data from the email accounts of Emmanuel Macron’s campaign team. The operation unfolded in three phases. First came a months-long wave of rumours and false stories. Then hackers, which the US company Flashpoint assessed with “moderate confidence” as the group APT28, breached campaign accounts. Finally, just 48 hours before the vote, the material was published under the hashtag MacronLeaks, generating 47,000 tweets in three and a half hours and nearly half a million within a day.
But the documents themselves proved underwhelming. There was no damaging evidence. So the hackers followed a familiar pattern: they mixed authentic emails with fabricated material. Among the fake documents were messages suggesting Macron had allegedly used drugs. Macron later summed up the operation: “Authentic documents were mixed with fake ones to sow doubt and disinformation.”
This is the key trick behind what analysts often describe as Goebbels-style information patterns. When a leak includes even a small amount of authentic material, audiences tend to assume the entire set is genuine. Most people don’t verify files one by one — they see a “leak” and treat it as a whole, which shapes their overall impression, even if the detail that sticks most strongly later turns out to be fabricated.
In France, the operation ultimately failed: voters re-elected Macron. But it set a template. Already in December 2024, ahead of Romania’s presidential election, Russian hackers carried out more than 85,000 attacks on the country’s electoral systems and leaked compromised credentials on Russian hacking forums. Still, it did not meaningfully boost the pro-Russian candidate.
Cyber weapons and propaganda: how they converge
Modern information operations rarely stand alone. Social media campaigns are typically backed by cyber infrastructure — hacker groups, data leaks and system intrusions — all working in coordination rather than in isolation.
A clear example is the operation against the Ukraine 24 television channel in March 2022, described above. First, hackers breached the website and the live broadcast. Then a deepfake depicting Zelenskyy’s “surrender” was inserted into the broadcast ticker. At the same time, the same material began circulating through pro-Russian Telegram channels. The three elements — the cyberattack, the deepfake and the distribution network — effectively operated as a single system.
The connection between Operation Doppelganger and the hacker group APT28, known as Fancy Bear and linked to the GRU, was later confirmed by researchers at SentinelOne and ClearSky. They identified identical fragments of HTML and text templates in both Doppelganger’s infrastructure and APT28 phishing campaigns. According to Ukraine’s State Service of Special Communications, cyberattacks against Ukraine rose by nearly 70% in 2024, reaching 4,315 documented incidents targeting critical infrastructure, government services, energy and defence sectors. The main tactics included malware distribution, phishing and account compromise.
In Moldova, Russia combined cyber influence with outright bribery. The organisation Evrazia, linked to oligarch Ilan Shor, paid around 130,000 Moldovan citizens a total of $15 million to vote “no” in the 2024 referendum on EU accession. Alongside the payments, a large-scale disinformation campaign was pushed across social media. The United Kingdom sanctioned Evrazia in April 2025.
NATO Deputy Assistant Secretary General James Appathurai summed up what allies are seeing: “We are seeing an increased willingness by Russia to take risks — and I don’t mean risks for themselves, but risks for us, for our economies, for the security of our citizens,” he said.
China and Ukraine: the quiet front
If Russia operates openly and aggressively in the information space against Ukraine, China takes a different approach. Beijing does not officially support the invasion, but it also avoids condemning it. That stance is reflected in a series of documented actions in the information domain.
According to Ukraine’s Security Service, in the days leading up to the full-scale invasion in February 2022, the cyber unit of China’s People’s Liberation Army carried out attacks on hundreds of websites belonging to Ukraine’s Ministry of Defence and other government institutions. Espionage tools and malware developed by Chinese hackers were also used by Russia in Ukraine, both in the early months of the invasion and later on.
In the information space, China has consistently amplified narratives favourable to Russia. In March 2022, China’s Foreign Ministry and state media echoed Moscow’s claims that Ukraine was developing biological weapons in US-linked laboratories. BBC Reality Check, the UN and the Bulletin of the Atomic Scientists all rejected these allegations, calling them completely baseless.
Researchers at the Foreign Policy Research Institute documented a broader pattern in May 2024: Chinese media repeatedly echoed the same themes on Ukraine and NATO being pushed by Russian propaganda. The timing of the messaging suggested coordination rather than coincidence.
The Spamouflage operation also extended to Ukraine. Chinese accounts posing as American voters and military personnel, among others, circulated content casting doubt on US support for Ukraine. The goal was less about shifting Washington’s position directly, and more about deepening internal divisions in the United States — making it harder for Congress to pass aid packages.
Finally, in 2025, as part of a broader convergence of Chinese and Russian information operations documented by the Centre for European Policy Analysis, China began using generative AI more actively to produce and distribute content aimed at undermining trust in NATO. CEPA researchers concluded that both countries are pursuing a shared objective: portraying the West as divided, hypocritical, and unable to effectively support Ukraine.
All the operations described above share one defining feature that makes them a fundamentally new phenomenon in modern conflicts. None of the states behind them has formally declared war or accepted legal responsibility for the actions. Russia denies any involvement in Doppelganger. China denies Spamouflage.
Attribution in the digital space is technically complex. Operators rely on VPNs, front companies in third countries, cryptocurrency payment systems and layers of intermediary firms. In the Doppelganger case, a key figure known only as “Konstantin” told US investigators he was “just an exchanger”, even though most transactions were carried out during Moscow working hours.
This is where a new reality of modern conflicts is taking shape — cognitive warfare. NATO formally recognised the concept, publishing a dedicated research report in 2025 that defines cognitive warfare as a distinct domain of conflict alongside land, sea, air, space and cyberspace. The report argues that modern conflict is increasingly behaviour-driven, and that the decisive “terrain” is no longer physical geography, but cognition itself: human perception, beliefs, and the ability to make decisions.
Will this war ever end?
The video showing Zelenskyy’s “capitulation”, which appeared in March 2022, has long since been removed from platforms. Algorithms reacted, journalists debunked it, and Zelenskyy himself appeared on camera to make clear he was not surrendering. At first glance, the system of defences appeared to have worked. But even a debunked deepfake leaves a trace. Anyone who has once seen a video of “capitulation” now knows, permanently, that such a video existed. And the next time they see a genuine address from Zelenskyy, a thought can easily creep in: what if this is fake too?
This is precisely what the states using these tools are counting on — not to win an argument or prove themselves right, but to create uncertainty about everything. Supporting Ukraine costs billions, so is it worth spending that money on a country whose president may already have struck a deal with Moscow? NATO is defending Europe, but what if it is itself the aggressor? Perhaps Russia is being forced to act to protect Russian speakers from genocide? Elections are being held — but can they really be trusted, if the old elites have simply bought everything and cut deals behind closed doors?
Russia and China did not choose this tool by accident. It is cheaper than an army, leaves no debris, and requires no declaration of war. It works where traditional weapons cannot reach: inside the minds of voters, parliamentary debates and political alliances. And crucially, it turns democracy’s own strengths against it — the openness of information, freedom of speech and trust in media.
And while democratic governments impose sanctions and take down domains, cognitive operations adapt and continue. That does not mean responses are futile, but it does mean there is no front line in information warfare, and no end point marked by a signed surrender. It plays out daily in news feeds, algorithmic recommendations and the split-second hesitation before clicking “share”. So the question is not whether you have already become a target in this war. The question is whether you know it — and whether you are prepared to respond.
