Uncover how Russia’s CopyCop network uses AI-generated news and fake media sites to influence global audiences, and learn the key defenses against synthetic media threats.
# Threat Actor: CopyCop (Storm-1516)
## Attribution & Identity
**Attribution:** Russian influence network.
**Aliases and Known Associations:** Known as **Storm-1516**. The operation is detailed in an Insikt Group report.
## Activity Summary
CopyCop is scaling AI-driven influence operations globally and has deployed over 300 inauthentic media websites since early 2025. The sites are designed to erode public trust and support for Ukraine, advance Russia’s geopolitical objectives, and deepen political fragmentation in the Western nations that support Ukraine. Recent activities include:
- Forging “leaked documents” alleging misuse of Western aid by Ukrainian officials.
- Creating deepfake videos falsely accusing Armenian officials and publishing fabricated stories alleging corruption among French leaders.
- Impersonating French and Moldovan media outlets to push corruption and election-interference narratives.
- Promoting pro-independence sentiment and amplifying domestic polarization in Canada’s Alberta province via inauthentic websites.
## Tactics, Techniques & Procedures
- **AI-Generated Content Scale:** Mass-producing fabricated news stories, deepfakes, and fake fact-checking sites using self-hosted Large Language Models (LLMs), specifically uncensored open-source versions.
- **Content Generation TTPs:** Generating articles that weave together real and fabricated details, complete with bylines, using LLMs fine-tuned on Russian state media sources. Telltale AI artifacts include phrases like: "Please note that this rewrite aims to provide a clear and concise summary of the original text while maintaining key details."
- **Infrastructure Cloning:** Operating a vast web of cloned domains and mirrored subdomains imitating legitimate local media outlets, political parties, or fact-checking organizations.
- **Distributed Infrastructure:** Building systems designed to withstand disruption, with mirrored copies appearing elsewhere when a domain is taken down, often hosted on similar IP ranges.
- **Narrative Amplification:** Amplifying narratives through a secondary ecosystem including Telegram channels, YouTube accounts, and pro-Russian influencers like InfoDefense and Portal Kombat.
- **Information Poisoning:** Deliberately flooding the internet with synthetic "news" to contaminate the sources (LLMs, search engines, AI assistants) that people and systems rely on for information.
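Two of the signals listed above can be screened for automatically: leftover LLM instruction text in an article body (the "Please note that this rewrite aims to..." artifact) and templated mass production, which shows up as near-duplicate bodies across a batch. The following screener is an added example written for this page, not tooling from the Insikt Group report; the artifact-phrase list beyond the quoted sentence and all sample articles are constructed, and the word-shingle Jaccard check is a standard near-duplicate technique chosen here, not one the report attributes to any defender.

```python
"""Screen a batch of articles for two signals described above: leftover LLM
instruction text in the body, and near-duplicate bodies that point to templated
mass production. All sample articles below are constructed for this example."""
import re
from itertools import combinations

# Illustrative artifact phrases. The first two come from the sentence quoted in
# the report; the rest are assumed examples of the same assistant-style residue.
ARTIFACT_PHRASES = [
    "please note that this rewrite aims to provide a clear and concise summary",
    "while maintaining key details",
    "as an ai language model",
    "here is a rewritten version of the article",
]

SHINGLE_SIZE = 5            # words per shingle
DUPLICATE_THRESHOLD = 0.5   # Jaccard similarity at or above which a pair is flagged


def normalize(text: str) -> list[str]:
    """Lowercase and keep only word tokens, so punctuation and casing cannot hide reuse."""
    return re.findall(r"[a-z0-9']+", text.lower())


def find_artifacts(text: str) -> list[str]:
    """Return the artifact phrases present in the article, in list order."""
    lowered = " ".join(normalize(text))
    return [phrase for phrase in ARTIFACT_PHRASES if phrase in lowered]


def shingles(text: str) -> set[tuple[str, ...]]:
    """Word n-grams of the normalized body; shared shingles indicate copied text."""
    words = normalize(text)
    return {tuple(words[i:i + SHINGLE_SIZE]) for i in range(len(words) - SHINGLE_SIZE + 1)}


def jaccard(a: set, b: set) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def screen_batch(articles: dict[str, str]) -> dict:
    """Per-article artifact hits plus every near-duplicate pair (name1, name2, similarity)."""
    artifacts = {name: find_artifacts(body) for name, body in articles.items()}
    sets = {name: shingles(body) for name, body in articles.items()}
    duplicates = []
    for x, y in combinations(sorted(articles), 2):
        sim = jaccard(sets[x], sets[y])
        if sim >= DUPLICATE_THRESHOLD:
            duplicates.append((x, y, round(sim, 2)))
    return {"artifacts": artifacts, "duplicates": duplicates}


# Constructed sample batch: A and B share a templated body, A also carries the
# leftover instruction text, C is an unrelated story.
SHARED_BODY = (
    "Officials in the capital announced a new audit of aid spending on Monday. "
    "The audit will review every contract signed since January. "
    "The ministry said the findings will be published before the summer recess. "
)
SAMPLE_ARTICLES = {
    "A": SHARED_BODY + "Please note that this rewrite aims to provide a clear and "
         "concise summary of the original text while maintaining key details.",
    "B": SHARED_BODY + "Local media reported the news first.",
    "C": "The regional council approved a budget for road repairs after a lengthy "
         "debate among members.",
}

if __name__ == "__main__":
    report = screen_batch(SAMPLE_ARTICLES)
    for name, hits in report["artifacts"].items():
        print(f"{name}: artifact phrases {hits}")
    for x, y, sim in report["duplicates"]:
        print(f"near-duplicate: {x} ~ {y} (jaccard={sim})")
```

Phrase matching on its own is brittle (operators can strip the residue once it is reported), which is why the batch-level duplicate check matters: it keys on the production method rather than on one slip. In practice the threshold and shingle size are tuned against a known-good corpus of syndicated wire copy, which legitimately repeats across outlets.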
## Targeting
- **Sectors:** General public, political institutions, media organizations, and organizations involved in providing aid/funding to Ukraine (implied by forged documents).
- **Geography:** Global reach, with specific deployment across North America and Europe, including Armenia, Moldova, and parts of Africa.
- **Victims:** Western leaders, institutions, media, Ukrainian officials, Armenian officials, and French leaders.
## Tools & Infrastructure
- **Malware Families Used:** None detailed; the operation's principal tooling is **self-hosted, uncensored Large Language Models (LLMs)**.
- **Infrastructure:** Over 300 inauthentic websites disguised as local news outlets, political parties, and fact-checking organizations. The infrastructure is distributed and uses mirrored subdomains hosted across known IP ranges to survive takedowns.
## Implications
CopyCop represents a significant evolution in influence operations by fully weaponizing generative AI to produce high-volume, personalized disinformation at scale. This threatens the integrity of the global information supply chain by poisoning algorithmic data sources relied upon by modern AI tools, potentially undermining democratic institutions and sustained international support efforts for Ukraine.
## Mitigations
- **Domain Monitoring:** Governments should monitor domain registrations and hosting infrastructure to detect clusters of inauthentic media sites.
- **Intelligence Integration:** Integrate threat intelligence feeds into election-security and information-integrity programs.
- **Content Verification:** Newsrooms must strengthen verification workflows to detect AI-generated text, deepfakes, and synthetic imagery.
- **Look-Alike Detection:** Use threat intelligence to identify look-alike domains mimicking legitimate outlets.
- **Staff Training:** Train editorial staff to recognize the telltale signs of LLM-generated content and suspicious bylines.
- **Brand Monitoring:** Enterprises should deploy brand-intelligence monitoring to uncover impersonation campaigns.
- **Incident Response:** Develop incident-response plans specifically tailored for influence operations.
- **Proactive Communication:** Communicate proactively and transparently when false narratives arise.
- **General User Practice:** Practice verification before amplification (questioning sources before sharing).
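The domain-monitoring and look-alike-detection mitigations above reduce to two checks that can run over a registration or passive-DNS feed: score each new domain against a list of legitimate outlets, and group domains by hosting network so that clusters of the kind the report describes (mirrors on similar IP ranges) stand out. The script below is an added example for this page, not code from Recorded Future or the report; every outlet, domain and IP in it is a constructed placeholder (reserved `.example` names and documentation IP ranges), the similarity and cluster-size thresholds are assumptions, and the `label()` helper assumes a single-label suffix where a real deployment would consult a public-suffix list.

```python
"""Flag look-alike domains and cluster registrations by hosting network, the two
checks the monitoring mitigations above call for. All outlets, domains and IPs
are constructed placeholders (reserved .example TLD and documentation IP ranges),
not infrastructure from the report."""
import difflib
import ipaddress
from collections import defaultdict

LEGITIMATE_OUTLETS = [
    "capital-journal.example",
    "moldova-times.example",
    "factcheck-north.example",
]

# (domain, hosting IP) pairs as a monitoring feed might deliver them.
OBSERVED = [
    ("capital-journal-news.example", "203.0.113.10"),  # outlet name plus an extra token
    ("capitaljournal.example", "203.0.113.11"),        # hyphen dropped
    ("moldova-tlmes.example", "203.0.113.12"),         # i -> l substitution
    ("weather-alerts.example", "203.0.113.200"),       # same /24, not a look-alike
    ("factcheck-n0rth.example", "198.51.100.5"),       # o -> 0 substitution
    ("capital-journal.example", "192.0.2.50"),         # the genuine outlet itself
    ("gardening-weekly.example", "192.0.2.7"),
]

SIMILARITY_THRESHOLD = 0.85  # SequenceMatcher ratio at or above which we flag (assumed)


def label(domain: str) -> str:
    """Registrable label with hyphens removed. Assumes a single-label suffix;
    real deployments should use a public-suffix list instead of rsplit."""
    return domain.rsplit(".", 1)[0].replace("-", "")


def lookalike_score(domain: str, outlet: str) -> float:
    a, b = label(domain), label(outlet)
    if a == b:
        return 1.0
    if b in a:          # outlet name embedded with extra tokens, e.g. "-news"
        return 0.95
    return difflib.SequenceMatcher(None, a, b).ratio()


def find_lookalikes(observed, outlets, threshold=SIMILARITY_THRESHOLD):
    """Map each suspicious domain to (closest outlet, score); genuine outlets are skipped."""
    hits = {}
    for domain, _ip in observed:
        if domain in outlets:
            continue
        best = max(outlets, key=lambda o: lookalike_score(domain, o))
        score = lookalike_score(domain, best)
        if score >= threshold:
            hits[domain] = (best, round(score, 2))
    return hits


def cluster_by_network(observed, prefix=24, min_size=3):
    """Group domains by /prefix network and keep networks hosting min_size or more."""
    nets = defaultdict(list)
    for domain, ip in observed:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[str(net)].append(domain)
    return {net: sorted(doms) for net, doms in nets.items() if len(doms) >= min_size}


def suspicious_clusters(observed, outlets):
    """Networks that host several domains, annotated with which of them are look-alikes."""
    lookalikes = find_lookalikes(observed, outlets)
    return {
        net: {"domains": doms, "lookalikes": [d for d in doms if d in lookalikes]}
        for net, doms in cluster_by_network(observed).items()
    }


if __name__ == "__main__":
    for domain, (outlet, score) in find_lookalikes(OBSERVED, LEGITIMATE_OUTLETS).items():
        print(f"look-alike: {domain} -> {outlet} ({score})")
    for net, info in suspicious_clusters(OBSERVED, LEGITIMATE_OUTLETS).items():
        print(f"cluster {net}: {len(info['domains'])} domains, "
              f"{len(info['lookalikes'])} look-alikes")
```

Neither signal is conclusive alone: a shared /24 is common on any cheap hosting provider, and a single typo-domain may be a parked squat. The combination, a network where most co-hosted domains impersonate different outlets, is what merits escalation into the brand-monitoring and incident-response processes listed above.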