Thank you for visiting our special presentation about the Doppelganger Campaign
Case 2:24-mj-01395 Document 4 Filed 09/04/24 Filed Under Seal
IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF PENNSYLVANIA
UNITED STATES OF AMERICA
V
CERTAIN DOMAINS
AFFIDAVIT IN SUPPORT OF SEIZURE WARRANT
I, (REDACTED) being duly sworn, hereby declare as follows:
THE U.S. TRADEMARK INFRINGING SUBJECT DOMAINS
- Four of the SUBJECT DOMAINS infringe on the trademarks of U.S. media outlets. Specifically, washingtonpost[.]pm, washingtonpost[.]ltd, fox-news[.]in, fox-news[.]top, and forward[.]pw, are domains operated by Doppelganger that are likely to confuse, mislead, or deceive viewers into believing they are visiting the legitimate Washington Post, Forward, and Fox News websites.[i] See Exhibit 1. These SUBJECT DOMAINS not only feature infringing content but also are themselves infringing through their use of registered trademarks as part of the domain name.
- The Washington Post is an American daily national newspaper published in Washington, D.C. According to its website, The Washington Post’s mission statement includes seven principles, including “to tell the truth as nearly as the truth may be ascertained.” The legitimate domain for The Washington Post is washingtonpost.com. The following marks have been registered on the Principal Register maintained by the USPTO by WP Company LLC on behalf of The Washington Post:
The wordmark:[ii] The Washington Post
The stylized wordmark:[iii]
The wordmark:[iv] Democracy Dies in Darkness
- I have reviewed content published on washingtonpost[.]pm and washingtonpost[.]ltd. Those domains feature articles purportedly written by a Washington Post reporter and feature their pictures and bylines. A review of the legitimate Washington Post website reveals no such articles written by that journalist. The washingtonpost[.]pm and washingtonpost[.]ltd domains use the registered marks of The Washington Post.
- Fox News is an American national media outlet based in New York City. According to its website, “FOX News Media offers its audiences in-depth news reporting, along with opinion and analysis encompassing the principles of free people, free markets and diversity of thought, as an alternative to the left-of-center offerings of the news marketplace.” The legitimate domain for Fox News is foxnews.com. The following marks have been registered on the Principal Register maintained by the USPTO by Fox Media LLC on behalf of Fox News:
The wordmark:[v] Fox News
The Stylized wordmark:[vi] FOX NEWS
The Stylized wordmark:[vii]
The Stylized wordmark:[viii]
- I have reviewed content published on fox-news[.]in and fox-news[.]top. Those domains feature articles purportedly written by a Fox News reporter and feature their pictures and bylines. A review of the legitimate Fox News website reveals no such articles written by that journalist. Both fox-news[.]in and fox-news[.]top use the registered marks of Fox News.
- Forward is an American news media organization. According to its website, “Forward delivers incisive coverage of the issues, ideas and institutions that matter to American Jews.” The legitimate domain for Forward is forward.com. The following mark has been registered on the Principal Register maintained by the USPTO by The Forward Fund, Inc., on behalf of Forward:
The Stylized wordmark:[ix] Forward
- I have reviewed content published on forward[.]pw and have been unable to find the same or similar articles on forward.com. The forward[.]pw domain uses the registered mark of The Forward Fund, Inc.
- Records received from Cloudflare Inc. pursuant to legal process, revealed that two Proton Mail email accounts purchased Cloudflare services for washingtonpost[.]pm, fox-news[.]in, and fox-new[.]top. The Cloudflare accounts associated with these two Proton Mail email accounts were each accessed from the same Netherlands IP address which resolves to a British VPS server leased by Doppelganger with an address ending in 11.27 (the “11.27 Server”). On January 2, 2024, a search warrant was authorized for the 11.27 Server. The 11.27 Server had been identified as having been created by the same user who created two other VPS servers from the same provider that were used by the Kamcopec persona to register foxnews[.]cx from Namecheap, Spiegel[.]ltd, fax[.]ltd, and welt[.]ltd from GoDaddy, and to access a Cloudflare account associated with Sueddeutsche[.]ltd.
- The true IP address[x] for forward[.]pw resolves to a Hostinger VPS IP address. Records received from Hostinger pursuant to legal process, reveal that the Hostinger VPS was leased by adampalmer1973[@]proton.me on May 18, 2023 using cryptocurrency. The account accessed the Hostinger VPS using all three of the Doppelganger Servers leased from the British provider, including the 11.27 Server.[xi] Based on my training and experience, I know that when a person leases a VPS server, like the 11.27 Server, only that person or individuals they grant access to, can use that VPS server. Accordingly, I assess that any account or domain accessed from the 11.27 VPS server is a member of the Doppelganger conspiracy.
- As described further above, the SUBJECT DOMAINS were used by Doppelganger as part of a foreign malign influence campaign carried out at the behest of the Russian government. SDA and STRUCTURA are Russian companies that list various Russian government entities as clients and that perform work for the Russian government.
[i] The registry for fox-news[.]in is National Internet Exchange of India and the registrar is Tucows, Inc. The registry for fox-news[.]top is .TOP Registry and the registrar is Tucows, Inc. The registry for forward[.]pw is Micronesia Investment and Development Corporation and the registrar is Sarek Oy. The registry for washingtonpost[.]pm is Association Francaise Pour Le Nommage Internet en Cooperation and the registrar is Sarek Oy.
[ii] Registration number 1665832.
[iii] Registration number 1665831.
[iv] Registration number 6590892.
[v] Registration number 2708769.
[vi] Registration number 6548048.
[vii] Registration number 88980501.
[viii] Registration number 518099.
[ix] Registration number 5243694.
[x] A true IP address for a domain is the server where the actual information that comprises the website or webpage resides. Accordingly, a True IP address for a domain is leased or purchased by the individual in control of the domain.
[xi] As noted above, records received pursuant to legal process revealed that Doppelganger leased three servers from the Provider who provided the 11.27 Server in three-month intervals before switching to a new server from the same Provider.