CopyCop expands Russian influence ops with 300+ fake websites targeting the US, France, Canada & more—using AI, deepfakes, and GRU-backed infrastructure.
# Threat Actor: CopyCop (Storm-1516)
## Attribution & Identity
Attributed as a Russian covert influence network, very likely operated by **John Mark Dougan** with support from the **Moscow-based Center for Geopolitical Expertise (CGE)** and the **Main Directorate of the General Staff of the Russian Federation (GRU)**.
## Activity Summary
Since March 2025, CopyCop has significantly expanded its operations, creating at least 200 new fictional media websites. This expansion builds upon previous reporting, bringing the total observed websites to over 300 in the year to date. New activity includes establishing a regionalized network of fake fact-checking organizations publishing content in **Turkish, Ukrainian, and Swahili**, languages not previously used by the network. They have also created websites impersonating French and Canadian media brands and political parties/movements. The network continues to amplify content via an ecosystem of social media influencers and other Russian influence networks like Portal Kombat and InfoDefense.
## Tactics, Techniques & Procedures
- Dissemination of influence content via a massive network of fictional media websites (at least 200 new sites noted since March 2025).
- Impersonation of established media brands and political movements/parties.
- Publication of Artificial Intelligence (AI)-generated content with pro-Russian and anti-Ukrainian themes.
- Use of **deepfakes**.
- Creation of lengthy dossiers intended to embarrass targets.
- Circulation of fake interviews featuring alleged whistleblowers discussing political leaders in NATO states.
- **New TTP:** Use of **self-hosted, uncensored Large Language Models (LLMs)** based on Meta’s Llama 3 open-source models (specifically Llama-3-8b) for content generation, rather than relying on Western AI service providers.
- Use of subdomains as mirrors to strengthen resilience and reach.
## Targeting
- Sectors: General media consumers, political discourse surrounding Western support for Ukraine.
- Geography: **United States (US)**, **France**, **Canada**, **Germany** (previously targeted), and within Russia's sphere of influence: **Armenia** and **Moldova**.
- Victims: Political leadership in NATO member states (US, France, Germany) and specific political parties/movements in France and Canada.
## Tools & Infrastructure
- **Malware families used:** None explicitly detailed; the operation relies on media and hosting infrastructure rather than malware.
- **Infrastructure (C2, domains, IPs; all indicators defanged):**
  - **New domains/websites (examples):** reuters[.]uk[.]net, albertaseparatist[.]com, torontojournal[.]ca, darkpulsar[.]ai, darkquasar[.]tech, among 200+ new sites. (Note: numerous French and Canadian examples were listed, including multiple URLs for the same site structure, e.g., *reportagesinternationaux[.]fr*.)
  - **IP addresses:** 82[.]221[.]136[.]1, 82[.]221[.]136[.]47, 82[.]221[.]129[.]24, 185[.]11[.]145[.]145, 185[.]11[.]145[.]254, 198[.]54[.]116[.]120, 82[.]221[.]136[.]24.
  - **AI models:** Self-hosted, uncensored versions of **Meta's Llama-3-8b**.
  - **Email addresses (used for registration/contact):** Various Gmail, Protonmail, and Zohomail addresses listed.
## Implications
CopyCop represents a significant and expanding threat in the information domain, focused on eroding public support for Ukraine and exacerbating political fragmentation in Western nations. The adoption of self-hosted LLMs for content generation suggests an effort to increase operational security and bypass potential restrictions imposed by commercial AI vendors, allowing for higher-volume, targeted content creation. Their influence content frequently achieves high organic engagement and has a precedent for entering mainstream political discourse.
## Mitigations
- **Persistently identify and publicly expose** these influence networks, websites, and associated actors.
- Government, journalistic, and research organizations should monitor for content originating from new languages (Turkish, Ukrainian, Swahili) and geographies (Moldova, Armenia) associated with the network.
- Be vigilant against content featuring deepfakes, dossiers, or purported "whistleblower" accounts concerning political leaders, especially during election cycles (e.g., the upcoming 2025/2026 elections in Moldova and Armenia).
- Implement technical measures to detect and block traffic to known associated domains and IP addresses.
- Raise awareness regarding the use of AI-generated content in influence operations.
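The last two technical mitigations (block traffic to the listed domains and IPs, and account for the subdomain mirrors the network uses) can be checked against DNS and proxy logs with a few lines of Python. The example below is added here and is not part of the report or of any vendor tooling. The indicator list is the report's own (kept defanged in the source and refanged at load time, as a report-derived blocklist should be); the `key=value` log format and the log lines are constructed for the example, and matching a subdomain of a listed domain is a design choice that mirrors the "subdomains as mirrors" TTP above.

```python
"""Match the report's defanged CopyCop indicators against DNS / proxy log lines."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators exactly as published in the report above (defanged).
DEFANGED_DOMAINS = [
    "reuters[.]uk[.]net", "albertaseparatist[.]com", "torontojournal[.]ca",
    "darkpulsar[.]ai", "darkquasar[.]tech", "reportagesinternationaux[.]fr",
]
DEFANGED_IPS = [
    "82[.]221[.]136[.]1", "82[.]221[.]136[.]47", "82[.]221[.]129[.]24",
    "185[.]11[.]145[.]145", "185[.]11[.]145[.]254", "198[.]54[.]116[.]120",
    "82[.]221[.]136[.]24",
]


def refang(ioc: str) -> str:
    """Convert a defanged indicator ('reuters[.]uk[.]net', 'hxxp://') back to its real form."""
    ioc = ioc.strip().lower()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("hxxp", "http")):
        ioc = ioc.replace(defanged, real)
    return ioc


KNOWN_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
KNOWN_IPS = {ipaddress.ip_address(refang(ip)) for ip in DEFANGED_IPS}

# Constructed log format for this example: whitespace-separated key=value pairs.
KV_RE = re.compile(r"(\w+)=(\S+)")


def matching_domain(host: str):
    """Return the listed domain that `host` equals or is a subdomain of, else None.

    Suffix matching on a label boundary catches the mirror subdomains the network
    uses (news.reuters.uk.net), while notreuters.uk.net or reuters.com do not match.
    """
    host = host.lower().rstrip(".")
    for domain in KNOWN_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def classify_host(host: str):
    """Return ('ip', indicator) or ('domain', indicator) for a listed host, else None."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        domain = matching_domain(host)
        return ("domain", domain) if domain else None
    # Exact match only: neighbouring addresses in the same /24 are not in the report.
    return ("ip", str(addr)) if addr in KNOWN_IPS else None


def scan_line(line: str):
    """Return the set of (kind, observed_value, matched_indicator) hits for one line."""
    fields = dict(KV_RE.findall(line))
    observed = [fields[k] for k in ("qname", "host", "dst") if k in fields]
    if "url" in fields:
        url_host = urlsplit(fields["url"]).hostname
        if url_host:
            observed.append(url_host)
    hits = set()
    for value in observed:
        result = classify_host(value)
        if result:
            hits.add((result[0], value, result[1]))
    return hits


def scan(lines):
    """Return [(line_number, kind, observed_value, matched_indicator), ...] over a log."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for kind, value, indicator in sorted(scan_line(line)):
            findings.append((number, kind, value, indicator))
    return findings


# Constructed sample log (not real traffic): a DNS query for a mirror subdomain, a proxy
# connection to a listed IP, a legitimate lookup, an unlisted neighbouring IP, and a URL.
SAMPLE_LOG = [
    "ts=2025-06-01T10:00:00Z src=10.0.0.5 qname=news.reuters.uk.net.",
    "ts=2025-06-01T10:00:01Z src=10.0.0.7 dst=82.221.136.47 url=http://82.221.136.47/article",
    "ts=2025-06-01T10:00:02Z src=10.0.0.9 qname=www.reuters.com",
    "ts=2025-06-01T10:00:03Z src=10.0.0.9 dst=82.221.136.2",
    "ts=2025-06-01T10:00:04Z src=10.0.0.11 url=https://mirror.torontojournal.ca/politics",
]

if __name__ == "__main__":
    for number, kind, value, indicator in scan(SAMPLE_LOG):
        print(f"line {number}: {kind} {value} matches listed indicator {indicator}")
```

Run against the constructed log, lines 1, 2 and 5 are flagged and lines 3 and 4 are not: the legitimate `reuters.com` lookup does not suffix-match `reuters.uk.net`, and `82.221.136.2` is deliberately left unmatched because the report lists individual addresses, not the /24. Whether to widen IP matching to the surrounding netblocks is an analyst decision that the report's data alone does not justify.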