Full Report
Ukrainian authorities have dismantled a so-called “bot farm” that police say was supplying thousands of fake social media accounts to Russian intelligence services for use in disinformation campaigns against Ukraine. Ukraine’s Security Service (SBU) and the National Police said on Monday they detained the suspected organizer of the network in the northern city of Zhytomyr and blocked…
Analysis Summary
# Incident Report: Dismantling of Russian-Linked Bot Farm in Zhytomyr
## Executive Summary
Ukrainian authorities (SBU and National Police) dismantled a large-scale "bot farm" in Zhytomyr that provided fake social media accounts to Russian intelligence services. The operation resulted in the detention of the primary organizer and the blocking of nearly 20,000 fraudulent online profiles. These accounts were primarily used by Russian actors to conduct disinformation campaigns and psychological operations against Ukraine.
## Incident Details
- **Discovery Date:** April 2026 (Reported April 23, 2026)
- **Incident Date:** Ongoing until April 2026
- **Affected Organization:** Ukrainian public and social media platforms targeted by Russian-directed disinformation
- **Sector:** Information and Communication / Government
- **Geography:** Zhytomyr, Ukraine
## Timeline of Events
### Initial Access
- **Date/Time:** Continuous operation (Pre-April 2026)
- **Vector:** Use of local Ukrainian mobile infrastructure.
- **Details:** The organizer utilized Ukrainian mobile phone numbers to register and verify new accounts on restricted platforms.
### Lateral Movement
- **Details:** N/A (the physical "bot farm" infrastructure itself served as the gateway through which external Russian actors reached the Ukrainian information space).
### Data Exfiltration/Impact
- **Details:** Production and sale of over 3,000 fake Telegram accounts per month. Distribution of these accounts to Russian intelligence entities for use in information operations.
### Detection & Response
- **How it was discovered:** Intelligence operations led by the Security Service of Ukraine (SBU) and the National Police.
- **Response actions taken:** Raid of the facility in Zhytomyr, detention of the suspect, and the blocking of approximately 20,000 fraudulent accounts.
## Attack Methodology
- **Initial Access:** Mass registration of social media accounts using legitimate Ukrainian SIM cards/phone numbers to bypass regional security filters.
- **Persistence:** Maintaining a rotating inventory of verified profiles.
- **Credential Access:** Creation of fraudulent Telegram and social media credentials for sale on pro-Russian specialized online platforms.
- **Discovery:** N/A (the infrastructure was used by external clients for their own reconnaissance).
- **Collection:** Gathering of local mobile identifiers to facilitate account creation.
- **Exfiltration:** Transfer of account control/ownership to Russian clients.
- **Impact:** Dissemination of disinformation and "fake" narratives to destabilize the social and political climate in Ukraine.
## Impact Assessment
- **Financial:** Revenue generated for the organizer through the sale of thousands of accounts monthly.
- **Data Breach:** Compromise of mobile registration systems to generate fraudulent identities.
- **Operational:** Scale of operations included the ability to generate 3,000+ accounts monthly.
- **Reputational:** High public impact due to the spread of Russian disinformation via seemingly "local" Ukrainian accounts.
## Indicators of Compromise
- **Network indicators:** Activity associated with specialized online platforms used for marketing pro-Russian bot accounts.
- **Behavioral indicators:** Mass-registration of Telegram accounts originating from a single geographic cluster (Zhytomyr) using local mobile number pools.
## Response Actions
- **Containment measures:** Physical raid and seizure of hardware used to host the bot farm.
- **Eradication steps:** Disruption of the sale pipeline on specialized online marketplaces.
- **Recovery actions:** Collaborative blocking of approximately 20,000 profiles in coordination with platform providers.
## Lessons Learned
- **Key takeaways:** Russian intelligence services continue to rely on localized infrastructure (proxies/local SIMs) to make disinformation appear domestic and authentic.
- **What could have been done better:** Enhanced monitoring of bulk SIM card registrations and automated verification patterns by telecommunications providers could lead to earlier detection.
## Recommendations
- **Prevention measures:** Implementation of stricter KYC (Know Your Customer) protocols for bulk purchases of mobile SIM cards.
- **Monitoring:** Social media platforms should enhance "bot-like" behavior detection for accounts registered via Ukrainian mobile ranges that exhibit high-frequency automated activity.