Case 2:24-mj-01395 Document 4 Filed 09/04/24 Filed Under Seal
IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF PENNSYLVANIA
UNITED STATES OF AMERICA
V
CERTAIN DOMAINS
AFFIDAVIT IN SUPPORT OF SEIZURE WARRANT
I, (REDACTED) being duly sworn, hereby declare as follows:
The RoyGeneral Persona Leased the 50statesoflie[.]media, uschina[.]online, and HoneyMoney[.]press Linked to the Demon Account
- As referenced above, the Doppelganger campaign created email addresses with a naming convention that corresponds to 50statesoflie[.]media,[i] honeymoney[.]press,[ii] and uschina[.]online.[iii] The registrar for all three of those domains was NameSilo, and the domains were leased from QHoster, a Uruguayan domain reseller,[iv] using RoyGeneral[@]proton.me. Records received pursuant to legal process from NameSilo revealed that the RoyGeneral persona created a QHoster account using a New York, New York address and a Canadian phone number and leased 50statesoflie[.]media, uschina[.]online, and honeymoney[.]press. Law enforcement and open-source records checks indicate the name and home address provided are not correlated. As referenced above in paragraph 112, the RoyGeneral persona also leased rrn[.]media and vip-news[.]org but provided an Oregon address and an incomplete U.S. telephone number. At least one article published on honeymoney[.]press focused on the current U.S. Presidential administration’s stance on Ukraine. Although the RoyGeneral persona provided NameSilo with a U.S. address, based on RoyGeneral’s use of VPSs with Namecheap, links to other Doppelganger actors, and leasing of rrn[.]media and waronfakes[.]com, I assess that the individual accessing and paying for the RoyGeneral account is actually located overseas.
- Mandiant, an American cybersecurity firm and a subsidiary of Google, tracks the “Doppelganger Information Operations Campaign” and publishes a monthly report with updates on the state of the campaign in a document Mandiant calls a “Narrative Tracker.” In their April 2024 report, Mandiant noted that, in addition to the continued use of cybersquatted websites, the Doppelganger campaign had begun using the following domains to target American audiences: Election Watch (electionwatch[.]live), Spicy Conspiracy (spicyconspiracy[.]info), 50 States of Lie (50statesoflie[.]com), and Dragonfly Times (uschina[.]press). Of note, records received from Hostinger pursuant to legal process showed that the Goodbye persona leased electionwatch[.]live, 50statesoflie[.]com, and uschina[.]press on February 23, 2023, using cryptocurrency transferred using CoinGate, a Lithuanian cryptocurrency payment processor.
- As noted above, the Demon Account created email addresses that correspond directly to spicyconspiracy[.]io[v] and electionwatch[.]io.[vi] At present, electionwatch[.]live, spicyconspiracy[.]info, 50statesoflie[.]com, and uschina[.]press are no longer active. However, I have reviewed the active domains 50statesoflie[.]media, uschina[.]online, spicyconspiracy[.]io, and electionwatch[.]io and have confirmed that they use the same branding and formatting as electionwatch[.]live, spicyconspiracy[.]info, 50statesoflie[.]com, and uschina[.]press, which leads me to conclude that the same person(s) are behind these domains.
The Artichocio Persona Leased truthgate[.]us, shadowwatch[.]us,[vii] and artichoc[.]io[viii]
- Records received from Namecheap revealed that an individual using the email address artichocio[@]proton.me leased truthgate[.]us, shadowwatch[.]us, and artichoc[.]io, and provided the name Jason Kant with a French mailing address and a U.S. phone number. The domains were purchased using Bitcoin transferred through BitPay.
- On June 29, 2023, the Artichocio persona used the 77.25 Server to access Namecheap and deposit $120.00 using BitPay. As discussed above, given the frequent use of the 77.25 Server by Doppelganger actors, I assess that the 77.25 Server was leased by Doppelganger and only accessible to persons involved in Doppelganger. The same day, the Artichocio persona used $52.86 to lease artichoc[.]io and purchase a monthly subscription of EasyWP. On April 16, 2024, the artichocio account accessed Namecheap via a German IP address that Spur has linked to a cybercriminal network and, using BitPay, deposited $92.00. On May 30, 2024, Namecheap charged the artichocio account $48.98 to renew the lease for artichoc[.]io.
- On July 5, 2023, the artichocio account accessed Namecheap via a U.S. IP address resolving to a British VPS service and, using BitPay, deposited $120.00. The same day, the artichocio account used $34.72 to lease truthgate[.]us and shadowwatch[.]us and purchase monthly subscriptions of EasyWP for both. On June 18, 2024, the artichocio account accessed Namecheap from the 76.173 Server and, using BitPay, deposited $220.00. The same day, the account used $20.96 to renew the lease for truthgate[.]us and shadowwatch[.]us.
The Ukraine Domains
- As noted above, one of GAMBASHIDZE’s notes from a meeting with the Presidential Administration referenced a participant as “fully in charge of filling the content on the Ukraine Tribunal portal.” Two Doppelganger-linked domains, tribunalukraine[.]info[ix] and ukraine-inc[.]info,[x] were leased from Newfold Digital, a U.S. registrar. Records received from Newfold Digital revealed that ukraine-inc[.]info was registered on November 3, 2023. Those records also revealed that the email address trelelcalra1975[@]yahoo.com was used to lease ukraine-inc[.]info. The trelelcalra1975[@]yahoo.com account was only logged into five times, four times from German VPSs and once from a Russian IP address. The trelelcalra1975[@]yahoo.com user registered their Newfold Digital account in the name of Dennis Eggers with a German mailing address and German phone number. Subscriber records received from Yahoo Inc. revealed that the trelelcalra1975[@]yahoo.com account was registered using a Cyrillic first name and the last name Reddy and a Brazilian phone number, which does not match the information provided to Newfold Digital.
- Records received from Newfold Digital revealed that tribunalukraine[.]info was registered on June 10, 2022. Those records revealed that the email address glennwallace9672[@]outlook.com was used to lease tribunalukraine[.]info. The glennwallace9672[@]outlook.com user registered their Newfold Digital account in the name of Glen Wallace with a Vienna mailing address and an Austrian phone number. Records received from Microsoft revealed that glennwallace9672[@]outlook.com was registered by Glenn Wallace from Austria. Notably, that Outlook account was only logged into twice, on September 28, 2022, and October 5, 2022. According to records received from Newfold Digital, the Newfold Digital account for tribunalukraine[.]info was accessed from the 11.27 Server.
[i] 50 States of Lie describes itself as “Exposing the scandals that shape American politics and culture. We bring you the latest on corruption, cover-ups, and controversies in the land of the free.”
[ii] Honey Money Press is an English language website that focuses on U.S. consumer trends.
[iii] US China Online focuses on issues related to China’s national interest, including U.S.-China relations, Taiwan, and U.S. trade and foreign policies.
[iv] A reseller is a third-party company that offers domain name registration services through a registrar, in this case NameSilo, a U.S. company.
[v] Spicy Conspiracy describes itself as “Uncovering the truth behind the veil. Your source for in-depth coverage of conspiracies, secret agendas, and hidden realities.”
[vi] Election Watch focuses on U.S. elections, including the 2024 U.S. presidential election, political candidates, purported corruption, and polling results.
[vii] Truth Gate and Shadow Watch are English language websites that focused on disseminating corruption and conspiracy disinformation targeting the U.S.
[viii] Artichoc io is a French language website with a tagline that translates to “Art that Shocks.” It purports to focus on pop culture, art, and entertainment.
[ix] Tribunal Ukraine is a German language website with a focus on revealing the alleged truth about what is happening in Ukraine.
[x] Ukraine Inc is an English language website that features animated anti-Ukrainian videos. The videos contain anti-Semitic tropes that depict Ukrainian President Zelensky as an alcoholic and imply that the deaths of Ukrainians benefit him financially.