DOJ EASTERN DISTRICT OF PA; AFFIDAVIT IN SUPPORT OF SEIZURE WARRANT 32 RUSSIAN DOMAINS
Russian operatives produced fictitious news organizations designed to appear official, targeting multiple continents and Western countries, including the United States.
A Special Agent with the Federal Bureau of Investigation requests the seizure of 32 internet domains that have been used by the Russian government and Russian government-sponsored actors to engage in foreign malign influence campaigns colloquially referred to as “Doppelganger,” in violation of U.S. money laundering and criminal trademark laws. Since at least 2022, under the direction and control of the Russian Presidential Administration, and in particular Sergei Vladilenovich Kiriyenko, the Russian companies Social Design Agency (“SDA”), Structura National Technology (“STRUCTURA”), and ANO Dialog have used, among others, the SUBJECT DOMAINS, which include “cybersquatted” domains impersonating legitimate news entities and unique media brands created by Doppelganger, to covertly spread Russian government propaganda.
For example, from within the Eastern District of Pennsylvania, FBI agents located and reviewed six articles published on Doppelganger’s cybersquatted Washington Post domain, which is almost identical to the official Washington Post website.
The articles located on the Russian Washington Post website present a pro-Russia and anti-Ukrainian viewpoint, and many of the articles focused on U.S. policy or politics. None of the articles include attribution to SDA, STRUCTURA or the Russian government. For example, one article is titled “White House Miscalculated: Conflict with Ukraine Strengthens Russia” and purports to be authored by a Washington Post reporter. The article states, in part:
"It is time for our leaders to recognize that continued support for Ukraine is a mistake. It was a waste of lives and money, and to claim otherwise only means further destruction. For the sake of everyone involved in the conflict, the Biden administration should just make a peace agreement and move on."
The use of targeted advertising by Doppelganger is corroborated by records obtained from Meta pursuant to a warrant, which identified Meta pages and advertisements linked to the Doppelganger campaign. Notably, those records revealed Doppelganger's apparent use of artificial intelligence tools to generate content, including images and videos, for use in negative advertisements about U.S. politicians. Several of these Meta accounts were registered with account names that approximate legitimate news media organizations, such as CNN California, Sacramento Inside, California News, and California BBC (screenshots from the Meta pages created by Doppelganger are contained below). The CNN California Facebook Page's profile picture displayed a blue version of the legitimate CNN logo with California written underneath in the same shade of blue. The Page was listed on Facebook as a News and Media website and had a banner in blue with the CNN logo also in blue that read BREAKING HOT NEWS /// HOT NEWS I// and LIVEHD /// TODAY. Meta records also revealed that Doppelganger used credit cards issued by U.S. financial institutions to purchase Facebook advertisements.
The second component of the Doppelganger campaign, carried out by ANO Dialog and TABAK, acting under KIRIYENKO’s direction and control, focused on creating original brands (which include the SUBJECT DOMAINS) to disseminate Russian propaganda.
In July 2023, the European Union (“EU”) sanctioned seven Russian individuals and five Russian entities for their role in Doppelganger. Among the entities and individuals sanctioned by the EU were SDA, STRUCTURA, GAMBASHIDZE, and ANO Dialog. In so doing, the EU explained:
"Russian actors have conducted a digital information manipulation campaign named ‘RRN’ (Recent Reliable News) aiming at manipulating information and disseminating propaganda in support of Russia’s war of aggression against Ukraine. That campaign, in which government bodies or bodies affiliated to the Russian State have participated, relies on fake web pages usurping the identity of national media outlets and government websites as well as fake accounts on social media."
SDA extensively monitors and collects information about a large number of media organizations and social media influencers. One document revealed a list of more than 2,800 people on various social media platforms like Twitter, Facebook and Telegram, spanning 81 countries. The U.S.-based influencers accounted for approximately 21% of the accounts being monitored by SDA. On another list of over 1,900 “anti-influencers” from 52 countries, the U.S.-based accounts comprised 26% of the total accounts being monitored by SDA.
The Good Old U.S.A Project specifically highlighted the use of “targeted advertising” on social media that would enable SDA to track Americans’ reactions “to the distributed material in real time, and directing the psychological response group to contribute to comments thereof. With the help of a network of bots, the psychological response moderates top discussions and adjust further launches depending on which group was affected the most.”
SDA documents include a proposal for another campaign focused on influencing the United States, titled “The Guerrilla Media Campaign in the United States.”
The Guerrilla Media Campaign focused on exploiting the perceived polarization of U.S. society by focusing on eight “Campaign Topics.” As reflected in the proposal, SDA anticipated using social media profiles on Facebook, X (formerly known as Twitter), YouTube, and Truth Social but noted that with “Facebook, Twitter and YouTube, we need to create multiple ‘perishable’ accounts, primarily for the work with comments.” The Guerrilla Media Campaign would disseminate its propaganda through posts, “comments on social networks and local group chats”, memes, and “video content, including news stories in the Fox News style.” SDA’s plan stated “In order for this work to be effective, you need to use a minimum of fake news and a maximum of realistic information. At the same time, you should continuously repeat that this is what is really happening, but the official media will never tell you about it or show it to you.”
The FBI agent believes the reference to “work in the comments” refers to Doppelganger’s creation of inauthentic social media profiles that posted comments containing links to the cybersquatted domains, including the SUBJECT DOMAINS: “real facts to complement fake facts.”
SDA records also revealed its planning of campaigns targeting foreign countries, including Mexico and Israel, with the intent that those efforts would influence associated ethnic or religious groups residing in the United States. The goal of these campaigns was twofold:
(1) to influence each country’s populace; and
(2) to influence the U.S. 2024 Presidential Election. A Presidential Administration meeting note from January 13, 2023, revealed that one of the objectives of the campaign, which had been assigned to GAMBASHIDZE, was to “draft a media plan for work through expat community media outlets (Armenia--France; Turkey--Germany, Israel--USA)” and to “compile a list of scenarios for stirring inter-ethnic, religious, racial, and political conflicts in ‘focus countries’.”
For example, one SDA document with the sub-heading “PROJECT OF EFFECTIVE PROXY PARTICIPATION IN THE NOVEMBER 2024 CAMPAIGN” presented a theme of “México no perdona” which translates in English to “Mexico does not forgive.”
The campaign intended to encourage “anti-American sentiment” as well as to exacerbate confrontation between the United States and Mexico. Although the campaign would target Mexico, it also intended to influence the U.S. Presidential Election. The proposal concluded with:
“Today, the time has come to show to the United States that it is under a threat. And we can do it.”
As another example, an SDA document described a project titled “The Comprehensive Information Outreach Project in Israel (and also Jewish Community Outreach in the US).” Notably, the proposal suggested creating “a full-fledged three language” information project that would “target Jewish communities across the globe, first and foremost in Israel and the US.” I believe that this reference to a full-fledged online information project is likely a reference to the unique Doppelganger media brands.
Five email accounts were identified as using OpenAI services in furtherance of Doppelganger. Records received from Google pursuant to legal process revealed that one of those accounts (the "Demon Account") was subscribed in the name of "White Seo." When it was registered, the Demon Account selected Russian as its language, listed a Russian recovery email ending in .ru with the same naming convention, namely "Demon" followed by a string of numbers, and provided a Russian phone number. The Demon Account was linked by cookies to 37 other email accounts with naming conventions that correspond to domains connected to Doppelganger's unique media branding operation, including some of the SUBJECT DOMAINS, such as:
The FBI’s investigation revealed that Doppelganger leased numerous cybersquatted domains from U.S. companies Namecheap, NameSilo, and GoDaddy using four online personas, which the FBI agent refers to as Kethorn, Kamcopec, Kaspartill, and Anguillet. Each of these personas used email accounts that incorporated the persona’s name in the email address.
The personas used a similar pattern of cryptocurrency payments and Proton Mail email addresses. In general, Doppelganger actors took steps to obfuscate the origin of the cryptocurrency by using services like ChangeNOW and cryptocurrency mixing algorithms to obfuscate the originating cryptocurrency wallet used in their transactions.
Information received from GoDaddy, a U.S. company, pursuant to legal process indicated that the Kamcopec persona leased 30 cybersquatted domains used in the Doppelganger campaign. The domains are listed in the attachment.
The Kamcopec GoDaddy account used at least five VPS services, all of which are non-U.S. companies, one of which Spur linked;
1. Obozrevatel is a Ukrainian news outlet that uses the domains OBOZ.ua and Obozrevatel.com.
2. RBK is a Russian media group that runs a newspaper, TV station, and the website, rbc.ru.
3. Milliyet is a Turkish newspaper based in Istanbul that uses the domain milliyet.com.tr.
4. Al-Bayan is an Arabic language newspaper in the United Arab Emirates (UAE), owned by the Government of Dubai, that uses the domain albayan.ae.
5. Gulf News is a daily English language newspaper published from Dubai, UAE, currently distributed throughout the UAE and also in other Persian Gulf countries, that uses the domain gulfnews.com.
6. Ukrainska Pravda is a Ukrainian online newspaper using the domain pravda.com.ua.
7. Frankfurter Allgemeine Zeitung is a German newspaper that uses the domain faz.net.
8. Der Tagesspiegel is a German daily newspaper, which has a regional correspondent office in Washington, D.C., and uses the domain tagesspiegel.de.
The FBI Special Agent states: "Based on my training and experience and information gathered through this investigation, I believe that the fraiesvolk domain was intended to mimic a German daily newspaper published in the 1950s that was highly critical of the Allied Powers."
Each of the SUBJECT DOMAINS leased from GoDaddy by the Kamcopec persona was paid for using credit cards issued by U.S. financial institutions. Records received pursuant to legal process revealed that the credit cards used to lease the aforementioned SUBJECT DOMAINS from GoDaddy were issued by U.S. banks to a U.S. company that has significant ties to, and employees based in, Russia.
The Kethorn persona leased the following domains:
70-putinfreunde[.]de, freikorps[.]press, friekorps[.]press, jfreicorp[.]press, jfriecorp[.]press, sieben47
La Repubblica is an Italian newspaper and website using the following domains: repubblica.it, quotidiano.repubblica.it, and video.repubblica.it.
ManaBalss.lv is a civic organization based in Latvia that launched in June 2011 to provide a possibility for the citizens of Latvia to promote their initiatives and gain support for these initiatives for further submission to the national parliament of Latvia.
"Another one of the purportedly independent media brands that has been identified as having been established by the Doppelganger campaign is Journalisten Freikorps. This brand appears to be a reference to the German Freikorps which was a paramilitary unit that existed in Germany for decades. During World War II, many former Freikorps members rose to power in the Nazi party. I know that the Russian government has made claims about the presence of purported Nazis or Neo-Nazis in Ukraine as a justification for Russia’s invasion of Ukraine. I accessed both freikorps[.]press and jfriecorp[.]press using the Wayback Machine and ascertained that both webpages ostensibly posted news stories in German consistent with other Doppelganger content using the same Freikorps logo and banner."
Through the investigation, the FBI identified an associated email address that incorporated “J.Freikorps” that was created on August 24, 2022, two days after a Telegram channel associated with Journalisten Freikorps started posting on Telegram inviting journalists to share their pieces. Records received pursuant to legal process revealed the subscriber’s name for the “J.Freikorps” email address was Journalisten Freikorps and that an SDA employee’s email address was connected to that account by cookies. Based on my training and experience, I know that when two or more accounts are linked by cookies, this means that the accounts were accessed using the same device(s) and are likely accessed by the same user(s). Thus, there is probable cause to believe that SDA is directing and controlling the Journalisten Freikorps campaign.
Four of the SUBJECT DOMAINS infringe on the trademarks of U.S. media outlets. Specifically, washingtonpost[.]pm, washingtonpost[.]ltd, fox-news[.]in, fox-news[.]top, and forward[.]pw, are domains operated by Doppelganger that are likely to confuse, mislead, or deceive viewers into believing they are visiting the legitimate Washington Post, Forward, and Fox News websites.
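As an added defender-side illustration (not part of the affidavit or this post), the following Python flags domains whose registrable label matches one of the brands named above under a different TLD or hyphenation. The brand table, the allowlist of legitimate sites and the sample list are assumptions constructed from the domains listed in this section.

```python
import re

# Brands named in this section; keys are normalized labels (lowercase, no hyphens),
# values are display names. Assumed table for this example.
PROTECTED_BRANDS = {
    "washingtonpost": "Washington Post",
    "foxnews": "Fox News",
    "forward": "Forward",
}

# Legitimate registrable domains, so the real sites are never flagged (assumed allowlist).
LEGITIMATE = {"washingtonpost.com", "foxnews.com", "forward.com"}


def refang(domain: str) -> str:
    """Turn a defanged domain such as 'fox-news[.]in' back into 'fox-news.in'."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def registrable_label(domain: str) -> str:
    """Return the label immediately left of the TLD ('fox-news' for 'www.fox-news.in').
    Assumes a single-label public suffix, which holds for the TLDs on this page."""
    parts = refang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize_label(label: str) -> str:
    """Drop hyphens and other non-alphanumerics so 'fox-news' and 'foxnews' compare equal."""
    return re.sub(r"[^a-z0-9]", "", label.lower())


def lookalike_matches(domains, brands=PROTECTED_BRANDS, allowlist=LEGITIMATE):
    """Map each lookalike domain to the brand it imitates.
    A domain is reported when its normalized registrable label equals a protected
    brand and the full domain is not on the allowlist; everything else is skipped."""
    hits = {}
    for raw in domains:
        dom = refang(raw)
        if dom in allowlist:
            continue
        key = normalize_label(registrable_label(dom))
        if key in brands:
            hits[dom] = brands[key]
    return hits


# Constructed input: the infringing domains listed above, one legitimate site,
# and one unrelated Doppelganger brand domain from later in the post for contrast.
SAMPLE = [
    "washingtonpost[.]pm", "washingtonpost[.]ltd", "fox-news[.]in",
    "fox-news[.]top", "forward[.]pw", "washingtonpost.com", "rrn[.]media",
]

if __name__ == "__main__":
    for dom, brand in lookalike_matches(SAMPLE).items():
        print(f"{dom} imitates {brand}")
```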
Records also show RRN Media and VIP News fictitiously appearing to be U.S.-based organizations. For example:
Records received pursuant to legal process from Namecheap, revealed that on July 26, 2023, a week after the VIGINUM report was published identifying rrn[.]world as part of Doppelganger, RoyGeneral[@]proton.me was used to register an account with Namecheap and lease rrn[.]media and vip-news[.]org. In registering that Namecheap account, the RoyGeneral persona provided a Beaverton, Oregon address and what appeared to be an incomplete U.S. phone number. Law Enforcement and open-source records checks indicate the name and home address provided are not correlated. The RoyGeneral persona also created an account with NameSilo to lease three more Doppelganger domains and provided a New York City address and Canadian phone number.
Footnote: In 2022, RRN published an article titled “Video: False Staging in Bucha Revealed!” which falsely alleged the atrocities were staged by Ukraine.
The first articles published on the RRN website were identical copies of articles previously published on the fake Russian fact-checking website War on Fakes, launched a few hours after Russia invaded Ukraine. Quickly identified for its role in legitimizing the Russian ‘special military operation’ and discrediting the Ukrainian State, War on Fakes has also been amplified by at least 65 official Facebook pages and official Twitter accounts of the Russian diplomatic network. Moreover, the War on Fakes administrator login page has been set up to redirect traffic to rrussianews.com, thereby establishing a technical link between the two websites.
The domain name waronfakes[.]com was registered on 1 March 2022 and was updated a year later by Timofey VASILIEV, a Russian citizen known for having worked for ANO Dialog. Dialog is an organization created in 2019 under the supervision of the Russian Presidential Administration and the Department of Information Technologies of Moscow city. In charge of a portion of the public relations and communication strategy of Moscow, ANO Dialog has been accused of conducting online propaganda activities on behalf of the Russian State.
Records received from Namecheap pursuant to legal process revealed that a user with the email address levinaigrenet[@]proton.me leased levinaigre[.]net, meisterurian[.]io, and warfareinsider[.]us. The Levinaigrenet persona provided Namecheap with a name of Jay Rom and a Broken Bow, Nebraska mailing address. All payments were made using funds transferred from BitPay. Law enforcement records checks reveal no association between a Jay Rom and the physical mailing address in Nebraska provided to Namecheap.
Records received from Namecheap pursuant to legal process revealed that a user with the email address holylandheraldcom[@]proton.me leased holylandherald[.]com, grenzezank[.]com, and lexomnium[.]com. The Holylandherald persona provided Namecheap with a first name of holyland, a last name of herald, and a mailing address in Kansas City, Missouri that indicated the country of residence to be Germany. All payments for the domains were made using funds transferred from BitPay.
As noted above, one of GAMBASHIDZE’s notes from a meeting with the Presidential Administration referenced a participant as “fully in charge of filling the content on the Ukraine Tribunal portal.” Two Doppelganger-linked domains, tribunalukraine[.]info and ukraine-inc[.]info, were leased from Newfold Digital, a U.S. registrar.
Records received from Newfold Digital revealed that ukraine-inc[.]info was registered on November 3, 2023. Those records also revealed that the email address trelelcalra1975[@]yahoo.com, was used to lease ukraine-inc[.]info.
The trelelcalra1975[@]yahoo.com account was only logged into five times, four times from German VPSs and once from a Russian IP address. The trelelcalra1975[@]yahoo.com user registered their Newfold Digital account in the name of Dennis Eggers with a German mailing address and German phone number. Subscriber records received from Yahoo Inc. revealed that the trelelcalra1975[@]yahoo.com account was registered using a Cyrillic first name and the last name Reddy and a Brazilian phone number, which does not match the information provided to Newfold Digital.
For the foregoing reasons, the FBI agent submits that there is probable cause to believe that the SUBJECT DOMAINS are used in and/or intended to be used in facilitating and/or committing the SUBJECT OFFENSES. Accordingly, the SUBJECT DOMAIN NAMES are subject to seizure pursuant to 18 U.S.C. §§ 981(b), 982(b)(1), 2323(a)(2), 2323(b)(2), and 21 U.S.C. § 853(f), and subject to forfeiture to the United States pursuant to 18 U.S.C. §§ 981(a)(1)(A) and 982(a), and 18 U.S.C. § 2323(a)(1)(B), (b)(1). The agent respectfully requests that the Court issue a seizure warrant for the SUBJECT DOMAIN NAMES.
Because the warrant will be served on the PROVIDERS that control the SUBJECT DOMAINS, and the PROVIDERS, thereafter, at a time convenient to them, will transfer control of the SUBJECT DOMAINS to the government, there exists reasonable cause to permit the execution of the requested warrant at any time in the day or night.
Respectfully submitted,
Special Agent, Federal Bureau of Investigation
The affidavit is 277 pages long and contains more information if you are interested.
Please consider subscribing to my newsletter if you find the information valuable. The investigative research takes a copious amount of personal time and effort.