Case 2:24-mj-01395 Document 4 Filed 09/04/24 Filed Under Seal
IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF PENNSYLVANIA
UNITED STATES OF AMERICA
V
CERTAIN DOMAINS
AFFIDAVIT IN SUPPORT OF SEIZURE WARRANT
I, (REDACTED) being duly sworn, hereby declare as follows:
TABLE OF CONTENTS
INTRODUCTION
A. The Kamcopec Persona
- Information received from GoDaddy, a U.S. company, pursuant to legal process indicated that the Kamcopec persona leased the following 30 cybersquatted domains used in the Doppelganger campaign: washingtonpost[.]ltd, lemonde[.]ltd,[i] leparisien[.]ltd,[ii] spiegel[.]pro, bild[.]lle, bild[.]ws, welt[.]ltd,[iii] welt[.]ws, welt[.]media, spiegel[.]work, nd-aktuell[.]net,[iv] nd-aktuell[.]pro, nd-aktuell[.]co, bild[.]work, obozrevatel[.]ltd,[v] rbk[.]media,[vi] milliyet[.]com.co,[vii] albayan[.]me,[viii] gulfnews[.]ltd,[ix] pravda-ua[.]com,[x] faz[.]ltd,[xi] faz[.]agency, faz[.]life, spiegel[.]agency, sueddeutsche[.]ltd, sueddeutsche[.]me, sueddeutsche[.]cc, sueddeutsche[.]co, tagesspiegel[.]ltd,[xii] and tagesspiegel[.]co. The Kamcopec persona also leased three non-cybersquatted domains: fraiesvolk[.]com, fraiepozition[.]store, and fraiepozition[.]site.[xiii]
- The Kamcopec GoDaddy account was registered using the name Iakov Shultz, a GMX email account, and a Polish address and phone number. Records received pursuant to legal process show these domains were generally leased for one year, and the majority are inactive. The inactive domains were either taken down by the registries or registrars, or not renewed. Of the aforementioned domains, nine SUBJECT DOMAINS identified in the preceding paragraph remain active; however, one of those domains appears to have been taken over by one of the cybersquatting victim companies, Süddeutsche Zeitung. The Kamcopec GoDaddy account used at least five VPS services, all of which are non-U.S. companies, one of which Spur linked to cybercriminal activity, and an Argentinian internet service provider to lease the eleven SUBJECT DOMAINS.
- Each of the SUBJECT DOMAINS leased from GoDaddy by the Kamcopec persona was paid for using credit cards issued by U.S. financial institutions. Each of the SUBJECT DOMAINS was leased from GoDaddy between the hours of 4:22 A.M. and 6:08 P.M., Moscow time. Specifically, the Kamcopec persona paid for the following SUBJECT DOMAINS using a credit card issued by a U.S. financial institution: sueddeutsche[.]co, tagesspiegel[.]co, faz[.]life, bild[.]work, and rbk[.]media. The Kamcopec persona paid for the following SUBJECT DOMAINS using a credit card issued by a different U.S. financial institution: faz[.]ltd, lemonde[.]ltd, leparisien[.]ltd, spiegel[.]agency, and Pravda-ua[.]com.
- Records received pursuant to legal process revealed that the credit cards used to lease the aforementioned SUBJECT DOMAINS from GoDaddy were issued by U.S. banks to a U.S. company that has significant ties to, and employees based in, Russia. Consistent with other identified Doppelganger actors, the Kamcopec persona generally used IP addresses that resolved to VPS companies for their transactions. Based on my training and experience, I know that criminal cyber actors frequently use VPS companies to obfuscate their location; however, analyzing their time stamps can reveal relevant information as to the cyber actor’s potential location. For example, here, the VPS IP logins revealed that the actor behind the Kamcopec persona is most likely located in Russia. I assess that the Kamcopec persona either transferred money from Russia to the U.S.-based company, which acquired credit cards from U.S. institutions in order to obfuscate the source of the funds, or paid off the credit cards used to lease the domains with funds from Russia.
- Of the nine remaining domains initially leased from GoDaddy, five domains have been transferred by the Kamcopec persona to other registrars.[xiv] Specifically, on March 14, 2024, spiegel[.]agency was transferred to NewFold Digital, which is a U.S. registrar, but the registry remained Identity Digital Limited. On May 1, 2024, pravda-ua[.]com was transferred to Long Drive Domains, also a U.S. registrar; however, the registry remained Verisign Global Registry Services.
- For the remaining three domains, while the registrar was transferred to a foreign registrar, the registry for all three remained U.S. companies. Accordingly, there is probable cause to believe that when the domains were transferred, thus renewing the lease on the domain, a portion of those funds is used by the overseas registrar to pay the U.S.-based registries. On February 21, 2024, bild[.]work was transferred to GMO Internet, which is a Japanese registrar doing business as Onamae.com, but the registry remained GoDaddy Registry Services, LLC. On December 28, 2022, lemonde[.]ltd was transferred to Nameshield SAS, a French registrar, but the registry remained Identity Digital Limited. On February 2, 2022, leparisien[.]ltd was also transferred to Nameshield SAS, but the registry remained Identity Digital Limited.
- Records received pursuant to legal process revealed that the Kamcopec persona also leased the cybersquatted domains foxnews[.]ex, bild[.]bz, and lefigaro[.]me[xv] from Namecheap. However, in registering with Namecheap, the person using the Kamcopec GMX email account used a different name, address, and phone number than what was provided to GoDaddy. Additionally, the Namecheap account was accessed by a secondary Proton Mail account and used cryptocurrency to lease its domains, none of which are still active. I believe that the Kamcopec persona’s provision of different names, addresses, and phone numbers to GoDaddy and Namecheap is indicative of an effort to obfuscate the true identity and location of the person(s) behind the Kamcopec persona, whom I assess to be located in Russia.
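The affiant's reasoning in this section is that a VPS address hides where an actor sits, but the local time of day at which account activity clusters still points to a working time zone (the leases above all fall between 4:22 A.M. and 6:08 P.M., Moscow time). The Python below is an added example and is not part of the affidavit or of any FBI tooling: the event timestamps, the candidate zones and the 08:00 to 20:00 working window are constructed assumptions, and fixed UTC offsets are used without daylight-saving handling. It converts each UTC event into every candidate zone, scores the zones by the share of events that fall inside the working window, and reports the local span of activity in the zone being examined.

```python
from datetime import datetime, timedelta, timezone

# Constructed registrar-side event timestamps in UTC (illustrative; not affidavit data).
SAMPLE_EVENTS_UTC = [
    "2022-02-02T05:12:00Z", "2022-02-21T06:45:00Z", "2022-03-14T08:03:00Z",
    "2022-05-01T09:30:00Z", "2022-06-09T11:15:00Z", "2022-07-12T13:40:00Z",
    "2022-10-02T14:20:00Z", "2022-12-28T16:55:00Z",
]

# Candidate fixed offsets to score. Labels are illustrative; DST is ignored.
CANDIDATE_ZONES = {
    "UTC-5 (US Eastern)": -5,
    "UTC+0 (London)": 0,
    "UTC+1 (Berlin/Warsaw)": 1,
    "UTC+3 (Moscow)": 3,
    "UTC+8 (Beijing)": 8,
}

# Local hours treated as a plausible working window (assumption, not a published value).
WORK_START, WORK_END = 8, 20


def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def to_local(events_utc, offset_hours):
    """Shift every event into a fixed-offset zone."""
    tz = timezone(timedelta(hours=offset_hours))
    return [parse_utc(e).astimezone(tz) for e in events_utc]


def local_hours(events_utc, offset_hours):
    """Hour-of-day of each event in the given zone."""
    return [t.hour for t in to_local(events_utc, offset_hours)]


def working_fraction(events_utc, offset_hours):
    """Share of events whose local hour falls inside the working window."""
    hours = local_hours(events_utc, offset_hours)
    inside = sum(1 for h in hours if WORK_START <= h < WORK_END)
    return inside / len(hours)


def local_span(events_utc, offset_hours):
    """Earliest and latest local time of day (HH:MM) observed in the given zone."""
    clock = [t.strftime("%H:%M") for t in to_local(events_utc, offset_hours)]
    return (min(clock), max(clock))


def rank_zones(events_utc, zones=CANDIDATE_ZONES):
    """Candidate zones ordered from most to least consistent with working hours."""
    scored = [(name, working_fraction(events_utc, off)) for name, off in zones.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_zones(SAMPLE_EVENTS_UTC):
        print(f"{name:24s} working-hours share = {score:.3f}")
    start, end = local_span(SAMPLE_EVENTS_UTC, 3)
    print(f"activity span in UTC+3: {start} to {end}")
```

Neighbouring zones tie easily on a small sample (Berlin and London score the same here), so the ranking corroborates other records rather than standing alone; the affidavit likewise combines it with payment and registration data.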
B. The Kethorn Persona
- Information received pursuant to legal process from NameSilo and Namecheap identified accounts created using a Proton Mail email address used by the Kethorn persona. Between June 26, 2022, and October 2, 2022, the Kethorn persona leased six domains from NameSilo and 24 from Namecheap. The domains include cybersquatted domains affiliated with the Doppelganger campaign that impersonated legitimate news sources and organizations including Reuters, Der Spiegel, T-Online, Bild, Delfi, la Repubblica,[xvi] and ManaBalss.[xvii]
- Specifically, the Kethorn persona leased the following domains: 70-putin-freunde[.]de, freikorps[.]press,[xviii] friekorps[.]press, jfreicorp[.]press, jfriecorp[.]press, sieben-fragen-putin[.]de, tonline[.]life, tonline[.]today, t-onlinr[.]life, t-onlinr[.]live, t-onlinr[.]today, delfi[.]today, spiegel[.]fun, spiegel[.]quest, spiegel[.]today, spiegel[.]today, winter-is-comming[.]de, landwirtinnen[.]de, help-to-migrant[.]de, reuters[.]cfd, reuters[.]cyou, bild[.]vip, bild[.]asia, delfi[.]today, delfi[.]top, Repubblica[.]icu, repubblica[.]world, socialharmony[.]de, manabalss[.]li, and musubalss[.]org.
- Of the aforementioned domains, only delfi[.]top appears to still be active and under SDA control. The Kethorn persona provided Namecheap with a German address and German phone number to lease domains and used German IP addresses resolving to a German VPS service to lease all the aforementioned domains. On July 12, 2022, the Kethorn persona sent cryptocurrency to Namecheap to lease delfi[.]top. While the delfi[.]top domain was initially leased from Namecheap, on February 15, 2024, the Kethorn persona transferred delfi[.]top to Tucows, a Canadian registrar. As noted above, this transaction, along with the initial lease of all the aforementioned domains leased by this persona, originated from a cluster of wallets that were funded by Konstantin P.
C. The Kaspartill Persona
- Information received pursuant to legal process from NameSilo and Namecheap identified accounts created using a Proton Mail email address, hereafter referred to as the Kaspartill persona, which leased three domains from NameSilo and 14 from Namecheap. Specifically, the Kaspartill persona leased the following domains: spiegel[.]ink, sueddeutsche[.]online, t-online[.]life, bild[.]pics, dailymail[.]cam,[xix] dailymail[.]cfd, delfi[.]life, repubblica[.]life, spiegeli[.]life, spiegeli[.]live, spiegeli[.]today, reuters[.]sbs, dailymail[.]top, blld[.]live, itcb[.]life, dekommnt[.]live, and ukcommunity[.]vip.
- Of the aforementioned domains, only dailymail[.]top appears to still be active and under SDA control; however, on or about October 18, 2023, the Kaspartill persona transferred registrars for the domain from Namecheap to Alibaba Cloud Computing. The Kaspartill persona provided Namecheap with a German address, German phone number, and used a German IP address resolving to a German VPS service to lease all the aforementioned domains. On June 9, 2022, the Kaspartill persona sent cryptocurrency to Namecheap to lease dailymail[.]top. The transaction took place at approximately 7:30 AM Moscow time and was effectuated using BTCPay. As noted above, this transaction, along with the initial lease of all the aforementioned domains by this persona, originated from a cluster of wallets that were funded by Konstantin
D. The Anguillet Persona
- Information received pursuant to legal process from Namecheap identified an account registered using a Proton Mail account, hereafter referred to as the Anguillet persona, as having leased the following nine domains, all of which are no longer active: Spiegelr[.]live, spiegelr[.]today, t-onlinl[.]life, t-onlinl[.]live, t-onlinl[.]today, sueddeutsche[.]life, sueddeutsche[.]site, sueddeutsche[.]today, and spiegelr[.]life. Anguillet also used cryptocurrency to lease its domains and provided a German address, German phone number, and German IP addresses resolving to a German VPS service to lease the aforementioned domains.
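The domain lists in sections A through D show two recurring patterns: a brand's own label registered under a different TLD (lemonde[.]ltd against lemonde.fr, milliyet[.]com.co against milliyet.com.tr) and a label that is one or two characters off (t-onlinr, spiegeli, blld). The Python below is an added example, not the affidavit's or the FBI's tooling. It refangs the "[.]" notation used on this page and triages each domain against the legitimate domains the footnotes name. The brand entries marked "assumed" (spiegel.de, t-online.de, bild.de, sueddeutsche.de, reuters.com, delfi.lv) are not stated on this page, the "rbk" alias reflects the footnote that RBK runs rbc.ru, and the similarity threshold is hand-picked for this sample rather than a published constant.

```python
import re
from difflib import SequenceMatcher

# (brand name, legitimate domain, labels the brand is known by).
# Legitimate domains come from the affidavit's footnotes unless marked "assumed".
BRANDS = [
    ("Le Monde", "lemonde.fr", ["lemonde"]),
    ("Le Parisien", "leparisien.fr", ["leparisien"]),
    ("Die Welt", "welt.de", ["welt"]),
    ("Neues Deutschland", "nd-aktuell.de", ["nd-aktuell"]),
    ("RBK", "rbc.ru", ["rbc", "rbk"]),
    ("Milliyet", "milliyet.com.tr", ["milliyet"]),
    ("Ukrainska Pravda", "pravda.com.ua", ["pravda"]),
    ("Frankfurter Allgemeine Zeitung", "faz.net", ["faz"]),
    ("Der Tagesspiegel", "tagesspiegel.de", ["tagesspiegel"]),
    ("Le Figaro", "lefigaro.fr", ["lefigaro"]),
    ("La Repubblica", "repubblica.it", ["repubblica"]),
    ("Daily Mail", "dailymail.co.uk", ["dailymail"]),
    ("ManaBalss", "manabalss.lv", ["manabalss"]),
    ("Der Spiegel", "spiegel.de", ["spiegel"]),                      # assumed
    ("T-Online", "t-online.de", ["t-online"]),                       # assumed
    ("Bild", "bild.de", ["bild"]),                                   # assumed
    ("Sueddeutsche Zeitung", "sueddeutsche.de", ["sueddeutsche"]),   # assumed
    ("Reuters", "reuters.com", ["reuters"]),                         # assumed
    ("Delfi", "delfi.lv", ["delfi"]),                                # assumed
]

# Hand-picked for this sample: catches 'blld' vs 'bild' (0.75) without
# pulling in unrelated short labels.
SIMILARITY_THRESHOLD = 0.7

# Domains taken from the lists in sections A through D above.
SAMPLE_DOMAINS = [
    "lemonde[.]ltd", "t-onlinr[.]life", "pravda-ua[.]com", "blld[.]live",
    "rbk[.]media", "spiegeli[.]today", "fraiesvolk[.]com", "milliyet[.]com.co",
]


def refang(domain):
    """Convert defanged notation such as 'lemonde[.]ltd' (or 'welt[. ]ws') to a plain name."""
    return re.sub(r"\[\s*\.\s*\]", ".", domain.strip()).lower()


def first_label(domain):
    """Leftmost DNS label, which is where the brand name sits in these domains."""
    return domain.split(".")[0]


def classify(candidate):
    """Return (verdict, brand, legitimate_domain) for one defanged or plain domain."""
    cand = refang(candidate)
    cand_label = first_label(cand)
    best = None  # (score, brand, legit) for the closest near-miss seen so far
    for brand, legit, labels in BRANDS:
        if cand == legit:
            return ("legitimate", brand, legit)
        if cand_label in labels:
            # Exact brand label under another TLD: the cybersquat pattern in section A.
            return ("brand-label-other-tld", brand, legit)
        stripped = cand_label.replace("-", "")
        for label in labels:
            ref = label.replace("-", "")
            score = SequenceMatcher(None, stripped, ref).ratio()
            # Either the brand label is embedded (spiegeli, pravda-ua) or it is a near miss.
            if ref in stripped or score >= SIMILARITY_THRESHOLD:
                if best is None or score > best[0]:
                    best = (score, brand, legit)
    if best:
        return ("lookalike", best[1], best[2])
    return ("no-brand-match", None, None)


def triage(domains):
    """Classify every domain; returns (refanged_domain, verdict, brand) per input."""
    return [(refang(d),) + classify(d)[:2] for d in domains]


if __name__ == "__main__":
    for name, verdict, brand in triage(SAMPLE_DOMAINS):
        print(f"{name:20s} {verdict:24s} {brand or '-'}")
```

Only the leftmost label is compared, which is enough for the lists above but would miss a brand placed in a deeper label; extending the check to every label is a small change if the registrations being reviewed use that layout.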
[i] Le Monde is a French daily afternoon newspaper that uses the domain lemonde.fr.
[ii] Le Parisien is a French daily newspaper that uses leparisien.fr.
[iii] Die Welt (“The World”) is a German national daily newspaper that uses the domain welt.de.
[iv] Neues Deutschland is a German daily newspaper that uses the domain nd-aktuell.de.
[v] Obozrevatel is a Ukrainian news outlet that uses the domains OBOZ.ua and Obozrevatel.com.
[vi] RBK is a Russian media group that runs a newspaper, TV station, and the website, rbc.ru.
[vii] Milliyet is a Turkish newspaper based in Istanbul that uses the domain milliyet.com.tr.
[viii] Al-Bayan is an Arabic-language newspaper in the United Arab Emirates (UAE), owned by the Government of Dubai, that uses the domain albayan.ae.
[ix] Gulf News is a daily English-language newspaper published from Dubai, UAE, currently distributed throughout the UAE and also in other Persian Gulf countries, that uses GulfNew.com.
[x] Ukrainska Pravda is a Ukrainian online newspaper using the domain pravda.com.ua.
[xi] Frankfurter Allgemeine Zeitung is a German newspaper that uses the domain faz.net.
[xii] Der Tagesspiegel is a German daily newspaper, though it has a regional correspondent office in Washington, D.C. and uses the domain tagesspiegel.de.
[xiii] Based on my training and experience and information gathered through this investigation, I believe that the fraiesvolk domain was intended to mimic a German daily newspaper published in the 1950s that was highly critical of the Allied Powers.
[xiv] Domain transfer is a process of changing domain name registrars which is a common and simple process. When a domain is transferred it automatically renews the domain.
[xv] Le Figaro is a French daily morning newspaper founded in 1826 using the domain lefigaro.fr.
[xvi] La Repubblica is an Italian newspaper and website using the following domains repubblica.it, quotidiano.repubblica.it, and video.repubblica.it.
[xvii] ManaBalss.lv is a civic organization based in Latvia that launched in June 2011 to provide a possibility for the citizens of Latvia to promote their initiatives and gain support for these initiatives for further submission to the national parliament of Latvia.
[xviii] Another one of the purportedly independent media brands that has been identified as having been established by the Doppelganger campaign is Journalisten Freikorps. This brand appears to be a reference to the German Freikorps, which was a paramilitary unit that existed in Germany for decades. During World War II, many former Freikorps members rose to power in the Nazi party. I know that the Russian government has made claims about the presence of purported Nazis or Neo-Nazis in Ukraine as justification for Russia’s invasion of Ukraine. I accessed both freikorps[.]press and jfriecorp[.]press using the Wayback Machine and ascertained that both webpages ostensibly posted news stories in German consistent with other Doppelganger content using the same Freikorps logo and banner. Through the investigation, the FBI identified an associated email address that incorporated “J.Freikorps” that was created on August 24, 2022, two days after a Telegram channel associated with Journalisten Freikorps started posting on Telegram inviting journalists to share their pieces. Records received pursuant to legal process revealed the subscriber’s name for the “J.Freikorps” email address was Journalisten Freikorps and that an SDA employee’s email address was connected to that account by cookies. Based on my training and experience, I know that when two or more accounts are linked by cookies, this means that the accounts were accessed using the same device(s) and are likely accessed by the same user(s). Thus, there is probable cause to believe that SDA is directing and controlling the Journalisten Freikorps campaign.
[xix] The Daily Mail is a British daily tabloid newspaper published in London that also uses the domain dailymail.co.uk.