{
	"id": "ee6e51d5-ebdf-4e6d-93fa-bc1009947435",
	"created_at": "2026-04-06T00:09:52.448586Z",
	"updated_at": "2026-04-10T03:36:23.2975Z",
	"deleted_at": null,
	"sha1_hash": "187818d2354a6fd588cf8370ccc4e93f0976ddc4",
	"title": "CopyCop Deepens Its Playbook with New Websites and Targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7993650,
	"plain_text": "CopyCop Deepens Its Playbook with New Websites and Targets\r\nBy Insikt Group®\r\nArchived: 2026-04-05 15:10:31 UTC\r\nExecutive Summary\r\nSince March 2025, Insikt Group has observed CopyCop (also known as Storm-1516), a Russian covert influence\r\nnetwork, creating at least 200 new fictional media websites targeting the United States (US), France, and Canada,\r\nin addition to websites impersonating media brands and political parties and movements in France, Canada, and\r\nArmenia. CopyCop has also established a regionalized network of websites posing as a fictional fact-checking\r\norganization publishing content in Turkish, Ukrainian, and Swahili, languages never featured by the network\r\nbefore. Including the 94 websites targeting Germany reported by Insikt Group in February 2025, this amounts to\r\nover 300 websites established by CopyCop’s operators in the year to date, marking a significant expansion from\r\nour initial reporting on the network in 2024, and with many yet to be publicly documented.\r\nThese websites are very likely operated by John Mark Dougan with support from the Moscow-based Center for\r\nGeopolitical Expertise (CGE) and the Main Directorate of the General Staff of the Armed Forces of the Russian\r\nFederation (GRU). CopyCop uses these websites as infrastructure to disseminate influence content targeting pro-Western leadership and publish artificial intelligence (AI)-generated content with pro-Russian and anti-Ukrainian\r\nthemes in support of Russia’s offensive operations in the global information environment.\r\nWhile the network’s scope in terms of target languages and countries has expanded, its primary objectives almost\r\ncertainly remain unchanged: undermining support for Ukraine and exacerbating political fragmentation in Western\r\ncountries backing Ukraine. 
Insikt Group has also observed CopyCop engaging in additional secondary objectives\r\nlike advancing Russia’s geopolitical objectives in its broader sphere of influence, such as Armenia and Moldova.\r\nCopyCop’s narratives and content in support of these objectives are routinely amplified by an ecosystem of social\r\nmedia influencers in addition to other Russian influence networks like Portal Kombat and InfoDefense.\r\nSimilar to its objectives, CopyCop’s tactics, techniques, and procedures (TTPs) remain broadly unchanged, with\r\nmarginal improvements designed to strengthen the network’s reach, resilience, and credibility. Tactics and\r\ntechniques used for content dissemination typically include deepfakes, lengthy dossiers intending to embarrass\r\ntargets, and fake interviews of alleged whistleblowers making claims about political leaders in NATO member\r\nstates like the US, France, and Germany. Insikt Group also identified new evidence that CopyCop uses self-hosted, uncensored large language models (LLMs) based on Meta’s Llama 3 open-source models to generate AI\r\ncontent rather than relying on Western AI service providers.\r\nRelative to other Russian influence networks, CopyCop’s impact remains significant: targeted influence content\r\npromoted by its websites and an ecosystem of pro-Russian social media influencers and so-called “journalists”\r\nregularly obtains high rates of organic engagement across multiple social media platforms, and has a precedent for\r\nbreaking into mainstream political discourse. 
Persistently identifying and publicly exposing these networks should\r\nhttps://www.recordedfuture.com/research/copycop-deepens-its-playbook-with-new-websites-and-targets\r\nPage 1 of 18\n\nremain a priority for governments, journalists, and researchers seeking to defend democratic institutions from\r\nRussian influence.\r\nKey Findings\r\nTo date, in 2025, CopyCop has widened its target languages to include Turkish, Ukrainian, and Swahili,\r\nand its geographic scope to include Moldova, Canada, and Armenia while sustaining influence operations\r\ntargeting the US and France. The network is also leveraging new infrastructure to publish content, marking\r\na significant expansion of its activities targeting new audiences.\r\nCopyCop’s core influence objectives remain eroding public support for Ukraine and undermining\r\ndemocratic processes and political leaders in Western countries supporting Ukraine.\r\nCopyCop’s TTPs are broadly unchanged from previous assessments, with only marginal improvements to\r\nincrease the network’s reach, resilience, and credibility. Newly observed TTPs include evidence of\r\nCopyCop using self-hosted LLMs for content generation, employing subdomains as mirrors, and\r\nimpersonating media outlets.\r\nInsikt Group has identified two uncensored versions of Meta’s Llama-3-8b model that are likely being used\r\nby CopyCop to generate articles.\r\nThe network is also increasingly conducting influence operations within Russia’s sphere of influence,\r\nincluding targeting Moldova and Armenia ahead of their parliamentary elections in 2025 and 2026,\r\nrespectively. 
This is a broader trend observed across the Russian influence ecosystem.\r\nBackground\r\nInsikt Group previously documented CopyCop in May and June 2024, in addition to the network’s attempts at\r\ninfluencing the 2024 French snap elections, 2024 US presidential elections, and 2025 German federal elections.\r\nReporting from other organizations such as Clemson University, VIGINUM, NewsGuard, Microsoft, European\r\nExternal Action Service, and Gnida Project has broadly corroborated our initial assessments of the network’s\r\nobjectives, targets, and infrastructure, in addition to our attribution of part of the network’s activities to John Mark\r\nDougan, a US citizen based in Moscow. The Washington Post and the US Department of the Treasury have also\r\nsince established links between Dougan, the CGE, and the GRU. The GRU reportedly helped fund self-hosted\r\nLLM infrastructure, while the CGE was likely responsible, with Dougan’s assistance and direction from the GRU,\r\nfor the creation of deepfakes and inauthentic content targeting political leaders in the US, Ukraine, France, and\r\nother countries.\r\nMajor Infrastructure Expansion\r\nSince January 2025, Insikt Group has identified at least 200 new websites that we attribute to CopyCop, the vast\r\nmajority of which are unreported as of this writing. These websites are almost all impersonating fictional local\r\nmedia outlets in the US, France, Canada, and Norway, political parties and movements in France, Canada, and\r\nArmenia, or fictional fact-checking organizations publishing in Turkish, Ukrainian, and Swahili. Insikt Group also\r\npreviously reported on 94 CopyCop websites targeting Germany’s federal elections in February 2025. 
This brings\r\nthe network’s total number of websites to date this year to at least 300, reflecting a significant expansion of its\r\ninfrastructure and international ambitions since our last dedicated reporting on CopyCop in June 2024.\r\nThese websites serve two functions: first, to disseminate targeted influence content likely prepared by the CGE\r\nand, in some instances, by Dougan himself; second, to publish large quantities of AI-generated content with pro-Russian, anti-Ukraine, and anti-Western themes. Domains for hosting CopyCop websites are typically registered\r\nin batches on linked infrastructure, and likely remain dormant (or passively posting AI-generated content) until\r\nthey are used to post targeted content, which is subsequently amplified on social media platforms.\r\nUS-Themed Websites\r\nIn April 2025, Insikt Group identified 35 new CopyCop websites registered on January 29, 2025, almost certainly\r\ndesigned for engaging US-based audiences. Although most of the 35 websites are shielded by Cloudflare, they are\r\nalmost certainly hosted on 72[.]14[.]185[.]187, which is owned by Akamai/Linode (AS63949). The full list of\r\nthese CopyCop websites is provided in Appendix A.\r\nTruefact Websites\r\nInsikt Group identified another domain hosted on 72[.]14[.]185[.]187, africa[.]truefact[.]news. 
First registered in\r\nMarch 2025, truefact[.]news has the following nine subdomains, which began hosting CopyCop websites on July\r\n1, 2025, impersonating a fictional fact-checking organization named “Truefact”:\r\nafrica[.]truefact[.]news\r\nde[.]truefact[.]news\r\nfr[.]truefact[.]news\r\nfrance[.]truefact[.]news\r\ngermany[.]truefact[.]news\r\nmexico[.]truefact[.]news\r\nspain[.]truefact[.]news\r\nturkey[.]truefact[.]news\r\nukraine[.]truefact[.]news\r\nThe domain germany[.]truefact[.]news is hosted on 89[.]31[.]82[.]185, an IP address geolocated in Russia that\r\nalmost certainly hosts several of John Mark Dougan’s personal projects (such as darkpulsar[.]ai and skryty[.]ru)\r\nand previously identified CopyCop websites like clearstory[.]news. Other Truefact subdomains are identical to\r\npreviously identified CopyCop websites. The websites france[.]truefact[.]news and fr[.]truefact[.]news initially\r\nmirrored two CopyCop websites previously used to target the 2024 French snap elections, veritecachee[.]fr and\r\nfranceencolere[.]fr, respectively.\r\nOther websites in the Truefact cluster are likely building novel identities and intending to target new audiences by\r\npublishing AI-generated content in a wider range of languages, demonstrating the value that LLMs can provide to\r\ncovert influence networks looking to expand their reach. 
Several of the websites in this cluster still use the default\r\n“Zeen News” WordPress template by template makers CodeTipi, which uses “The World Times” masthead.\r\nFrench Websites\r\nInsikt Group identified at least 141 new CopyCop websites posing as fictional French media outlets registered\r\nbetween February and June 2025, in addition to one website impersonating public broadcaster France Télévisions,\r\ndetailed in the section of this report titled “TTPs Evolve to Enable Content Generation and Network\r\nSurvivability.” The full list of CopyCop websites targeting France is included in Appendix C. Insikt Group also\r\nidentified at least 43 Gmail, Proton Mail, and Zoho Mail throwaway email addresses being used to register\r\nclusters of CopyCop websites targeting France, which are also included in Appendix C.\r\nBy discovering this new infrastructure, Insikt Group was also able to link older, unreported activity to CopyCop.\r\nFor example, partiroyaliste[.]fr, an inauthentic website posing as a French royalist political party first registered\r\nin August 2024 using partiroyaliste@proton[.]me, is likely linked to CopyCop. The website is hosted on the same\r\ninfrastructure as other newly identified CopyCop websites targeting France. Unlike other websites, however,\r\npartiroyaliste[.]fr does not use WordPress or another content management system (CMS) to publish AI-generated\r\ncontent. Insikt Group was unable to identify any references to the website’s domain in open sources, and the intent\r\nbehind maintaining the website online remains unclear. 
A potential aim of the website is to appeal to existing\r\nfringe monarchist elements in France, such as Alliance Royale, whose anti-EU and anti-republican aims can very\r\nlikely align with Russian influence objectives.\r\nFigure 1: CopyCop website partiroyaliste[.]fr impersonating a French royalist political party\r\n(Source: partiroyaliste[.]fr)\r\nCanadian Websites\r\nCopyCop is almost certainly attempting to capitalize on growing pro-independence sentiment in the Canadian\r\nprovince of Alberta and exacerbate domestic polarization in Canadian politics amid calls for an independence\r\nreferendum. Insikt Group identified at least two new CopyCop websites targeting Canada:\r\nalbertaseparatist[.]com\r\ntorontojournal[.]ca\r\nThe website torontojournal[.]ca was used in July 2024 to promote inauthentic content targeting German\r\nChancellor Friedrich Merz. The second website identified by Insikt Group, albertaseparatist[.]com, impersonates\r\na grassroots independence movement from Alberta, Canada. Based on shared infrastructure and similarities with\r\nother identified websites, this website is likely operated by CopyCop.\r\nThe website has an associated social media account (@bertaseparatist), TikTok account (@bertaseparatist), and\r\nYouTube channel (@bertaSeparatist), demonstrating a change in TTPs from previously observed CopyCop\r\nwebsites, which rarely have associated social media accounts. The social media account began posting in early\r\nMay 2025, shortly after the website’s domain was registered on May 2, 2025. 
The website and accounts promote\r\ninfluence narratives calling for Alberta’s independence from Canada (Figure 2), including highlighting Ottawa’s\r\nalleged “systematic theft” of Alberta’s economic resources in favor of redistribution toward poorer provinces like\r\nQuebec.\r\nOther Websites\r\nInsikt Group identified at least twelve other websites categorized either as likely affiliated with Dougan or as\r\nwebsites targeting other geographies, such as the European Union (EU) and Armenia. The list of websites is\r\nincluded in Appendix E.\r\nOn March 7, 2025, CopyCop operators registered a domain almost certainly targeting NewsGuard,\r\nnewsguard[.]tech, named “News Guard Parody.” NewsGuard has previously covered CopyCop and Dougan\r\nthroughout the network’s lifecycle, naming Dougan its “2024 Disinformer of the Year.” The News Guard Parody\r\nwebsite is likely one of the latest attempts at trolling researchers and journalists who cover Dougan’s activities,\r\nsuch as a website impersonating the BBC targeting journalist Mike Wendling, documented in Insikt Group’s first\r\nreport on the network.\r\nIn July 2025, researchers at Gnida Project noted CopyCop’s use of several *eu[.]com domains to create\r\ninauthentic websites and promote influence content, such as insider[.]eu[.]com and ndc[.]eu[.]com. Insikt Group\r\nwas unable to identify any larger clusters of similar subdomains registered by CopyCop on this domain. Gnida\r\nProject researchers also identified a CopyCop website impersonating the Armenian Green Party used to promote\r\ninfluence content targeting Armenia, greenarmenia[.]org.\r\nInsikt Group also identified several website registrations likely tied to Dougan’s freelancing projects, such as three\r\ndomains (darkquasar[.]tech, skryty[.]ru, and skryty[.]com) hosting a login page for “SKRYTY” and requiring a\r\nregistration key. 
Insikt Group also identified another similarly named domain (darkpulsar[.]ai) tied to a self-hosted PeerTube video hosting platform (video[.]darkpulsar[.]ai). In January 2025, darkpulsar[.]ai also briefly\r\nfeatured a login page with the following caption: “Shining information to websites worldwide, like a pulsar\r\nbeacon.” In March 2025, chat[.]darkpulsar[.]ai also hosted an Open WebUI login page, likely intended for\r\ninteracting with self-hosted LLMs.\r\nFigures 3 and 4: Login form on darkquasar[.]tech and reg[.]skryty[.]ru (Left) and darkpulsar[.]ai (Right)\r\n(Source: URLscan 1, 2)\r\nObjectives Persist as Narratives Continually Adapt\r\nCopyCop almost certainly maintains its original objective, which is to erode international political and public\r\nsupport for Ukraine’s defense against Russia. CopyCop clearly seeks to diminish support for Western aid by\r\npromoting false narratives about Ukraine’s war effort and by questioning the legitimacy of President\r\nVolodymyr Zelensky’s administration, thereby aiming to reshape public sentiment in favor of leadership change in\r\nKyiv.\r\nCopyCop also continues to align its activities closely with broader Kremlin influence objectives, including\r\ndiscrediting Western and pro‑Western leaders, legitimizing Russia’s maximalist demands in Ukraine, undermining\r\ndemocratic institutions, and sowing distrust among NATO and EU members. 
It projects these narratives by\r\nrecycling content from Russian state and pro‑Kremlin media outlets, amplifying divisive messaging, and injecting\r\nfabricated claims into Western information streams through its network of inauthentic news websites, other pro-Kremlin media sources, and sympathetic social media influencers.\r\nUS-Centric Websites Used to Sow Anti-Ukraine Narratives\r\nCopyCop’s latest US-themed websites almost certainly attempt to appear as localized news portals; however, the\r\npurported media outlets tend to base their coverage on US national and international news with a distinct focus on\r\nRussia-Ukraine. The websites also have subsections dedicated to non-political themes such as entertainment,\r\nlifestyle, and technology news. The articles almost certainly originate from various international news sources,\r\nmedia outlets, and tabloids, and have been rewritten using an LLM.\r\nOf the 35 US-focused domains, only six have been used to launder original CopyCop-created content or have\r\nbeen mentioned on social media so far: allstatesnews[.]us, capitalcitydaily[.]com, fldaily[.]news,\r\nsilvercity[.]news, usatimes[.]news, and wval[.]news. The remaining 29 websites, as of this writing, are\r\nrepublishing news content derived from US and international sources, but have not been used as sources for\r\noriginal inauthentic CopyCop content.\r\nContent presented as “investigations” and “exclusive stories” embedded within AI-reproduced versions of\r\nauthentic media almost certainly seek to damage Ukraine’s public support among US audiences. 
In March 2025,\r\nthe CopyCop-attributed source clearstory[.]news published content suggesting that President Volodymyr Zelensky\r\nwas “misappropriating US taxpayer funds” by paying journalists to negatively depict US President Donald Trump,\r\nciting a document on Ukrainian presidential letterhead that was almost certainly forged. The article, later shared to\r\nnew CopyCop sources USA Times News and All States News, further suggested that Washington Post\r\ncorrespondent Catherine Belton was playing “a key role” in the effort, stating it was “logical” Zelensky would\r\nchoose Belton, citing her so-called “anti-Trump articles and tweets.”\r\nIn a separate instance, CopyCop-attributed sources attempted to undermine the Ukrainian government in the eyes\r\nof American audiences by accusing it of covertly sponsoring military aid to Mexican cartel groups, which were\r\ndesignated as foreign terrorist organizations (FTOs) in the US in February 2025. In April 2025, the newly\r\nlaunched CopyCop website Capital City Daily uploaded a clip from the alternative video sharing platform Rumble\r\nthat was originally posted by a user named “Red Pill News”. The video, titled “Whistleblower Claims Ukraine\r\nSelling US Weapons To Cartel on Red Pill News Live,” claimed to include an interview with an anonymous\r\nMexican cartel member. 
In addition to its non-credible claims of covert weapons transfer, the video also almost\r\ncertainly attempted to exploit polarizing topics in US domestic politics related to US immigration and asylum\r\npolicies.\r\nFigure 5: CopyCop video shared to Rumble featuring Red Pill News Live, April 14, 2025\r\n(Source: Rumble via archive)\r\nIn June 2025, CopyCop websites Silver City News and WVAL News published “exclusive” findings of an\r\n“unprecedented large scale attack on Ukraine,” following Ukraine’s June 1, 2025, “Operation Spiderweb” drone\r\nattack on Russian airbases. The story likely was an attempt to project Russia as operating from a position of\r\nstrength after the successful Ukrainian drone operation, as well as to continue to stoke war fatigue in the West.\r\nThe story claimed Western media, citing alleged leaked NATO intelligence reports, found that Russia was\r\nplanning severe retaliatory strikes against critical military and civilian infrastructures in major Ukrainian cities,\r\nincluding Kyiv, Lviv, Khmelnytskyi, Dnipro, and Kharkiv. The report described Western analysts as alarmed by\r\nthe scale of the planned attack and of further escalation of the war in Ukraine. After publication, Insikt Group\r\nfound secondary amplification of the story through tracked influence network InfoDefense Slovenia, with tertiary\r\namplification through Portal Kombat’s Pravda Balkan website. 
Notably, the end of the article in Silver City News\r\ncontained LLM artifacts, stating, “Please note that this rewrite aims to provide a clear and concise summary of the\r\noriginal text while maintaining key details,” and “the tone is objective and factual, focusing on the information\r\npresented in the intelligence report.”\r\nFigure 6: Article written on Silver City News reporting alleged Russian military retaliation plans against Ukraine\r\n(Source: Silver City News)\r\nFigure 7: The end of the Silver City News “exclusive” containing LLM artifacts\r\n(Source: Silver City News)\r\nClemson University researchers have previously detailed how CopyCop and the Storm-1516 ecosystem share a\r\nclose historical, technical, and organizational connection with the Russian organization “Foundation to Battle\r\nInjustice” (R-FBI). Insikt Group has continued to observe R-FBI content targeting the US that is designed to\r\nreshape US public opinion negatively against Ukraine. 
One of R-FBI’s fabricated investigative articles, for\r\nexample, alleged after the US 2024 presidential election that Ukrainian operatives were planning to conduct an\r\nassassination attempt of then-President-elect Donald Trump as part of an “Operation Sting.” Versions of the\r\ninvestigation were subsequently reshared on two websites that have previously amplified CopyCop content,\r\nincluding “The Intel Drop” and the “London Times.”\r\nFigure 8: R-FBI-fabricated investigation alleging Ukrainian plans of an assassination attempt against then-President-elect Trump in December 2024, reshared in the London Times (Source: London Times via archive)\r\nCopyCop Attempts to Divide Strategic Ties Between France and Armenia\r\nAmid strained relations between Russia and Armenia, France and Armenia have deepened their strategic ties in\r\nrecent years. France itself is a strong Western supporter of Armenia, in part due to its influential Armenian\r\ncommunity, and deepening bilateral relations of late are manifest through continued French support of Armenian\r\neconomic, military, and political development and advocacy for Armenia in the April 2025 Armenia-Azerbaijan\r\npeace process. More recently, this also includes the formalization of closer bilateral relations, including through\r\nthe signing of a “strategic partnership agreement” to outline France’s commitment to Armenian development for\r\n“years and decades ahead.”\r\nGiven these new strategic dynamics, CopyCop is likely seeking to introduce a strain on the two countries’ bilateral\r\nrelations. In April 2025, CopyCop likely produced a deepfake video of a 16-year-old individual named Narine,\r\nfalsely accusing Armenian Prime Minister Nikol Pashinyan of sexual abuse in October 2020. 
In July 2025,\r\nCopyCop-associated social media amplifiers disseminated a similarly structured video of a 25-year-old woman\r\nnamed Arpine, who accused Armenian National Security Service officers of sexual abuse because she “dared to\r\nprotest against Pashinyan.”\r\nFigures 9 and 10: (Left) CopyCop-attributed deepfakes accusing Prime Minister Pashinyan and National\r\nSecurity Service officers (Right) of sexual abuse (Source: Social media via archive)\r\nOn May 29, 2025, the CopyCop website infofrancaisedujour[.]fr was used to propagate a non-credible\r\ninvestigative article targeting the French and Armenian governments. The article claimed that Prime Minister\r\nPashinyan had used French foreign aid from the French Development Agency (AFD) to purchase a villa in\r\nMarseille, France. The article was further amplified on social media and Telegram by accounts known to amplify\r\nCopyCop content, such as the social media account @its_The_Dr.\r\nOn June 27, 2025, an article featured on the Armenian-themed website “Green Armenia” (greenarmenia[.]org),\r\nalmost certainly impersonating the Green Party of Armenia, targeted French nuclear energy company Orano by\r\naccusing it of colluding with the US government to bury nuclear waste in Armenia’s Dilijan National Park. The\r\narticle cited “French media reports” with a link to a June 25, 2025, article on another CopyCop website,\r\ncourrierfrance24[.]fr. The articles were then amplified on social media by known CopyCop amplifier accounts\r\nlike @KevorkAlmassian, @ROYALMRBADNEWS, and @worldgreendlp.\r\nIn addition to attempting to drive a wedge between France and Armenia, CopyCop has continued direct targeting\r\nof the French government, portraying the sitting leadership as corrupt and engaging in abuses of power. 
In April\r\n2025, researchers from Gnida Project disclosed that lequotidienfrancais[.]fr (The French Daily) disseminated\r\ninfluence content produced by CopyCop that denigrated the current French judiciary. An archive of the claim, in\r\naddition to the article in The French Daily, states that the French government — including key judiciary members\r\nGérald Darmanin, Bruno Retailleau, and Simon Brunnquell — was planning to issue arrest warrants against\r\nFrench right-wing opposition leadership figures Marine Le Pen, Marion Maréchal, Sarah Knafo, and Florian\r\nPhilippot. As “evidence” to support its claim, the source published an excerpt of an almost certainly inauthentic\r\nWhatsApp chat titled “Chat du Tribunal de Paris,” discussing a series of arrest warrants against the right-wing\r\nfigures. The French Daily claimed the arrest warrants included the following charges: undermining the due\r\nprocess of law, misappropriation of public funds, incitement to hatred or discrimination, and disturbing the peace.\r\nFigure 11: Inauthentic WhatsApp group chat titled “Chat du Tribunal de Paris” discussing fabricated arrest\r\nwarrants for prominent French right-wing political leaders (Source: Le Quotidien Français / The French Daily\r\nvia archive)\r\nCopyCop Eyes Moldova’s Parliamentary Elections\r\nSources attributed to CopyCop, as well as to R-FBI, have almost certainly attempted to damage the credibility and\r\npublic image of Moldovan President Maia Sandu ahead of the September 2025 parliamentary elections. 
This\r\nactivity is likely part of a broader campaign by Russian influence networks targeting Moldova as detailed in our\r\nSeptember 2025 report.\r\nIn mid-July 2025, R-FBI published the latest in a series of inauthentic investigative pieces attempting to damage\r\nPresident Sandu’s reputation, claiming Sandu and the ruling Party of Action and Solidarity (PAS) are “preparing\r\nlarge-scale interference” in Moldova’s 2025 parliamentary elections. R-FBI claimed to have found evidence\r\n“indicat[ing] systematic suppression of the opposition, manipulation of legislation, and preparations for electoral\r\nfraud, including bribing Moldovan diasporas abroad, using ‘dead souls,’ banning parties from the opposition\r\n‘Victory’ bloc, and restricting the rights of residents of Transnistria.” After the publication of this investigative\r\npiece to its core website, fondfbr[.]ru, R-FBI contributing “journalist” Lucas Leiroz republished the investigation\r\nto Veterans Today (VT), a previously documented laundering technique used in order to further amplify the story\r\nin social media, particularly in circumstances where social media sources have restricted visibility\r\n(shadowbanning) links from fondfbr[.]ru. Leiroz also provided a French translation version of the story, linking\r\nthe article hosted to the previously mentioned Truefact subdomain france.truefact[.]news. 
Insikt Group then\r\nobserved several previously identified CopyCop influencers resharing versions of the story republished to the\r\naforementioned London Times outlet, some of which included the hashtags #MoldovaPolitics and\r\n#MoldovaElections, likely to gain greater visibility.\r\nFigures 12 and 13: CopyCop influencers “Sprinter Observer” and “Leandro Romão” share R-FBI articles\r\nrepublished to the London Times using the same word-for-word script within 20 minutes of each other (Source:\r\nSocial media via archive)\r\nIn May 2025, Russian investigative outlet The Insider, citing the Gnida Project, reported that the previously\r\nmentioned inauthentic website insider[.]eu[.]com had published an article impersonating legitimate Romanian\r\njournalist Radu Dumitrescu. The article purportedly written by Dumitrescu claimed that the mayor of Chișinău,\r\nIon Ceban, had accused President Sandu of embezzling funds associated with a legitimate September 2024\r\nUSAID assistance package for energy infrastructure. 
Citing a fake quote attributed to Ceban, the article claimed\r\nthat the money was “illegally diverted through presidential advisory networks and shadow NGOs” at President\r\nSandu’s direction.\r\nTTPs Evolve to Enable Content Generation and Network Survivability\r\nCopyCop is broadly using the same TTPs previously documented by Insikt Group and other organizations,\r\nnamely:\r\nRegistering websites impersonating fictional local outlets\r\nPublishing deepfakes and other pieces of inauthentic influence content targeting Western and Ukrainian\r\npolitical leaders\r\nAmplifying influence content via pro-Russian social media influencers\r\nPublishing AI-generated content and profiles on websites hosting the influence content to build a layer of\r\ncredibility for the fictional media outlets\r\nInsikt Group has observed several additional details and minor evolutions in TTPs for generating content,\r\nextending the network’s presence, and helping establish credibility for its inauthentic websites. Most notably,\r\nadditional evidence corroborates the Washington Post’s findings that CopyCop operators are likely using self-hosted servers running an uncensored version of Meta’s Llama 3 models (likely dolphin-2.9-llama3-8b or\r\nllama-3-8B-Lexi-Uncensored) to generate biased content. According to the Washington Post and the US Department of the\r\nTreasury, Dougan’s LLM servers are financially sponsored by the GRU. Insikt Group also observes CopyCop\r\noperators using subdomains on fictional media websites used to mirror other websites in the network, likely to\r\nincrease the network’s presence and resilience. Finally, Insikt Group also observed a shift in the type of targeted\r\ncontent promoted by CopyCop websites to imitate the production style of legitimate media outlets.\r\nSelf-Hosted LLMs for Content Generation\r\nCopyCop operators are almost certainly continuing to use LLMs to rewrite articles from legitimate news outlets to\r\npost on inauthentic websites. 
Insikt Group observed a continued presence of AI-generated text artifacts in articles\r\npublished by CopyCop websites impersonating US media outlets, such as the following passage from a February\r\n19, 2025, article on bayoucity[.]news stating the model’s knowledge cutoff date as January 2023:\r\nIt appears that you would like me to rewrite the provided text while maintaining all the details and presenting\r\nthem in a comprehensive manner, formatting the response as JSON. However, please note that I cannot directly\r\ninteract with external websites or sources. Therefore, I will provide a rewritten version based on the information\r\navailable within my knowledge cutoff of January 2023.\r\nDougan expressed his frustration with using Western LLMs to generate pro-Russian content in a January 2025\r\nroundtable in Moscow, stating that “right now there are no very good models for AI to amplify Russian news [...]\r\nwe need to start starting training AI models without this [Western] bias; we need to train it from the Russian\r\nperspective.” This framing, in addition to infrastructure linked to LLM use identified in this report (such as an\r\nOpen WebUI login page hosted on infrastructure with ties to Dougan), reinforces the assessment that CopyCop\r\noperators are very likely using self-hosted, uncensored LLMs for content generation rather than relying on\r\ncommercial LLM APIs, which Dougan also claimed in an interview (now unavailable) with French media in June\r\n2025. 
Frames from Dougan’s interview with French media show a Python script calling Ollama (via a function\r\nnamed restart_ollama() ), an LLM inference framework used to run local or self-hosted LLMs.\r\nFigure 14: Python script using Ollama shown by Dougan in a TV interview with French media\r\n(Source: YouTube)\r\nDuring the 2025 roundtable, Dougan admitted asking Russian state media outlet TASS for access to articles to\r\nfine-tune LLMs “originally trained in the West” on Russian government-aligned narratives, mentioning an\r\n“uncensored” version of Meta’s Llama models. The closest candidate to Dougan’s description and the\r\naforementioned January 2023 knowledge cutoff date (which can be inexact when asking models directly) is likely\r\nan uncensored model based on Meta’s Llama-3.1-8b, which has a knowledge cutoff date of March 2023. The two\r\nmost popular uncensored versions of Llama-3.1-8b on open-source platform HuggingFace and on Ollama’s model\r\nregistry are dolphin-2.9-llama3-8b and Llama-3-8B-Lexi-Uncensored, suggesting that one of these models is\r\npotentially being used by CopyCop to generate pro-Russian influence content at scale.\r\nHowever, using local, uncensored models is likely a constraint that hampers the network’s ability to consistently\r\ngenerate content without including operational security mistakes. Model “abliteration” and other methods to\r\n“uncensor” existing open-source models can impact LLMs’ performance, including their ability to consistently\r\nfollow users' instructions. Other artifacts identified on CopyCop websites point to operators struggling to obtain\r\nstructured JSON outputs:\r\nSubdomains as Mirrors\r\nStarting in March 2025, CopyCop operators also began hosting website mirrors for websites impersonating French\r\nmedia outlets by combining different CopyCop website domains as subdomains (Figure 15). 
This measure is\r\nalmost certainly designed to improve the network’s resilience to takedowns and maximize audience exposure to\r\nthe same content.\r\nFigure 15: Illustration of subdomains used by CopyCop to mirror other websites (Source: Recorded Future)\r\nSource: https://www.recordedfuture.com/research/copycop-deepens-its-playbook-with-new-websites-and-targets",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.recordedfuture.com/research/copycop-deepens-its-playbook-with-new-websites-and-targets"
	],
	"report_names": [
		"copycop-deepens-its-playbook-with-new-websites-and-targets"
	],
	"threat_actors": [
		{
			"id": "8d4b4b62-c221-412d-bf8e-243cddc728cd",
			"created_at": "2026-02-04T02:00:03.7163Z",
			"updated_at": "2026-04-10T02:00:03.956172Z",
			"deleted_at": null,
			"main_name": "Storm-1516",
			"aliases": [
				"CopyCop"
			],
			"source_name": "MISPGALAXY:Storm-1516",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434192,
	"ts_updated_at": 1775792183,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/187818d2354a6fd588cf8370ccc4e93f0976ddc4.pdf",
		"text": "https://archive.orkl.eu/187818d2354a6fd588cf8370ccc4e93f0976ddc4.txt",
		"img": "https://archive.orkl.eu/187818d2354a6fd588cf8370ccc4e93f0976ddc4.jpg"
	}
}