{
	"id": "b6284898-fb07-4a39-9314-014713fd6e3c",
	"created_at": "2026-04-06T00:19:32.557959Z",
	"updated_at": "2026-04-10T13:12:47.180674Z",
	"deleted_at": null,
	"sha1_hash": "31529dac59252d599c1084f01cc5afc676b526d6",
	"title": "Russian disinformation network’s infrastructure is spread across Europe, report says",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80425,
	"plain_text": "Russian disinformation network’s infrastructure is spread across\r\nEurope, report says\r\nBy Daryna Antoniuk\r\nPublished: 2024-07-11 · Archived: 2026-04-05 13:14:39 UTC\r\nResearchers have uncovered infrastructure located or registered in Europe that is used by a prolific Russian-language disinformation network dubbed Doppelgänger, as well as by cybercriminals.\r\nResearchers at digital rights nonprofits Qurium and EU DisinfoLab — who first exposed Doppelgänger in 2022\r\n— say the group is doing business in at least 10 countries across Europe, including Germany, the U.K., and the\r\nCzech Republic.\r\nThis means that European companies, whether knowingly or not, make their services available to a disinformation\r\noperation affecting their own nations, researchers said.\r\nDoppelgänger has been operating in Europe since at least May 2022. It is known for spreading fake articles on\r\nwebsites that resemble the design of real media outlets such as Germany’s Der Spiegel and Britain’s The\r\nGuardian.\r\nThe network’s goal is to advance the interests of the Kremlin and sow discord among its enemies, including the\r\nU.S. and Western Europe.\r\nThe researchers spent several months tracking Doppelgänger’s activity, by tracing the path an internet browser\r\ntakes when a targeted user clicks on one of the fake news sites.\r\nAccording to German nonprofit journalism group Correctiv, which was involved in the investigation, an early\r\nversion of the Qurium report has been circulating since spring this year among government agencies in at least\r\ntwo European countries, including Germany.\r\n“However, the information has apparently not been used to put a stop to the campaign,” Correctiv said. 
This\r\n“raises the question of how seriously European authorities are fighting disinformation,” they added.\r\nForeign infrastructure\r\nDoppelgänger registered dozens of legal entities in the U.K., often in the names of young Russian citizens, in\r\norder to build the propaganda campaigns and obscure its alleged Russian origins, researchers said.\r\nOne such company, TNSecurity, with a virtual office in London, is home to hundreds of malicious web domains,\r\nthe report said. It also provides services to cybercriminals who buy stolen credit cards or bank accounts.\r\nAccording to an earlier report by security company Hyas, TNSecurity “may have been compromised or willingly\r\ncollaborating with cybercriminals.”\r\nhttps://therecord.media/doppelganger-disinformation-infrastructure-european-companies\r\nPage 1 of 3\n\nAt the core of Doppelgänger’s operation in Europe and Russia is a company called Aeza — a Saint Petersburg-based hosting service provider. Aeza allows suspected criminals to operate on its own servers and usually finds its\r\nclients on the darknet, researchers said. For example, the company likely provides its services to the operators of\r\nthe malware infrastructures known as Lumma and Meduza.\r\nSome of the European hosting companies identified in the report are direct or hidden branches of Aeza.\r\nFor example, the Frankfurt-based IT company Aurologic partly runs data traffic for TNSecurity and other\r\ncompanies associated with Aeza, according to the research. 
The owner of Aurologic told Correctiv that he knows\r\nnothing about Doppelgänger and that the German authorities have not made any complaints against him.\r\nThe technical infrastructure of Doppelgänger is “extensive,” researchers say, comprising more than 300 network\r\nprefixes and 100,000 IP addresses with a market value of €5 million or a leasing cost of approximately €50,000 a\r\nmonth.\r\n“This massive infrastructure investment can only be sustained by serious financial support from external actors,”\r\nthe report said.\r\nRecorded Future News reached out to several hosting providers mentioned in the report but had not received a\r\nresponse as of the time of publication.\n\nDaryna Antoniuk\r\nis a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in\r\nEastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for\r\nForbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/doppelganger-disinformation-infrastructure-european-companies",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/doppelganger-disinformation-infrastructure-european-companies"
	],
	"report_names": [
		"doppelganger-disinformation-infrastructure-european-companies"
	],
	"threat_actors": [],
	"ts_created_at": 1775434772,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/31529dac59252d599c1084f01cc5afc676b526d6.pdf",
		"text": "https://archive.orkl.eu/31529dac59252d599c1084f01cc5afc676b526d6.txt",
		"img": "https://archive.orkl.eu/31529dac59252d599c1084f01cc5afc676b526d6.jpg"
	}
}