The Unique Media Brand SUBJECT DOMAINS

108. As noted above, in addition to impersonating legitimate news outlets, Doppelganger, led by ANO Dialog and TABAK, under the direction and control of KIRIYENKO, a sanctioned person, also created original media brands (which are included among the SUBJECT DOMAINS). These brands purport to be independent journalists or news media organizations but are actually under the direction and control of the Russian government. The investigation has revealed that as ANO Dialog created the domains for its purportedly unique media brands, it also registered email addresses that correspond to those domains.
109. RRN, War on Fakes, and the RovGeneral Persona
110. As discussed above, GAMBASHIDZE’s notes from Presidential Administration meetings with KIRIYENKO document the use of Reliable Recent News (*RRN”) by TABAK and ANO Dialog to further the malign influence campaign, noting *They were assigned Russian Reliable News – changed it into Recent, it s going to work. (was sent by Tabak). ” RRN was hosted at rn[.]world and published in numerous languages. As the Meta coordinated inauthentic behavior reports[i] note, RRN “maintain[ed] accounts on Twitter and Telegram, which were amplified by the operation’s Facebook Pages. The Facebook Pages of the Russian diplomatic missions in Malaysia, Sweden, Hungary, Slovakia and Bangladesh shared links to the site.” According to Meta, Doppelganger articles would often appear on RRN after they were posted on the cybersquatted domains: “For example, the same article about Bucha was published on the same day in English on the spoofed Guardian site, in Italian on the spoofed ANSA site, and in German on the spoofed Spiegel site. It also appeared in English, French, German, Italian, Spanish and Chinese on rn[.]world.”[ii]

110. Information received from NameSilo, a U.S. company, pursuant to legal process revealed that the domain rrn[.]world was registered on June 6, 2022, by an identified individual, using a Moscow address, with email address reliablerecentnews[@]gmail.com. The individual applied for and received visas from the State Department to enter the United States from Russia in 2008, 2012, 2015, and 2019. Information received from Google pursuant to legal process revealed that reliablerecentnews[@]gmail.com was created on July 14, 2023, with the name Reliable Recent News, a recovery email of rrussianews[@]gmail.com and recovery telephone number that matched the number provided by the individual on her State Department applications.
111. I determined that rn[.]world continued to post Doppelganger content until approximately July 10, 2024, when it appears ANO Dialog lost control of the domain. At some point shortly thereafter, unknown actors took over the domain and renamed it Rotten Reliable News and used the domain to publish information regarding Doppelganger’s methods and activities, much of which I know to be accurate.
112. Records received pursuant to legal process from Namecheap, revealed that on July 26, 2023, a week after the VIGINUM report was published identifying rrn[.]world as part of Doppelganger, RoyGeneral[ @]proton.me was used to register an account with Namecheap and lease rrn|.]media and vip-news|.Jorg. In registering that Namecheap account, the RoyGeneral persona provided a Beaverton, Oregon address and what appeared to be an incomplete U.S. phone number. Law Enforcement and open-source records checks indicate the name and home address provided are not correlated. Additionally, as further discussed below, the RoyGeneral persona also created an account with NameSilo to lease three more Doppelganger domains and provided a New York City address and Canadian phone number.
113. On July 26, 2023, the RoyGeneral persona accessed Namecheap with an Estonian VPS IP address ending in 77.25 (the 77.25 Server”) and deposited $55.00 with BitPay.[iii] That same day, the RoyGeneral persona used $42.90 of the $55 deposited to lease rrn[.Jmedia. Like the 11.27 Server, given the frequent use of the 77.25 Server by Doppelganger actors, I assess that the 77.25 Server was leased by Doppelganger and only accessible to persons involved in Doppelganger.
114. As discussed further below, the RoyGeneral, Goodbye, Levinaigrenet, Holylandherald, and Artichocio personas used the 77.25 Server to access their Namecheap accounts between February 27, 2023 and July 12, 2024. On at least four occasions, more than one Doppelganger persona accessed their Namecheap accounts at approximately the same times using this same IP address. This was not the only shared IP address. Between May 11, 2024 and July 1, 2024, the RoyGeneral, Levinaigrenet, Holylandherald, and Artichocio personas each accessed their Namecheap accounts on at least two occasions from the same Dutch IP address resolving to the same Russian VPS ending in 76.173 (the “76.173 Server”). Based on my training and experience, I know that unlike VPNS, which tend to be used once and discarded, when cyber-criminals lease a VPS they will frequently make use of that particular server for a period of time until the lease ends. For example, records received pursuant to legal process revealed that Doppelganger leased servers from the Provider who provided the 11.27 Server in three-month intervals before switching to a new server from the same Provider.

115. On July 1, 2024, the RoyGeneral persona accessed Namechcap via three IP addresses, including a British IP address resolving to a Russian VPS that Spur has linked to a cybercriminal network, a Moscow IP address that Spur has linked to a cybercriminal network, and from the 76.173 Server. That same day, the RoyGeneral persona deposited $300.00 with BitPay and used $42.90 to renew the lease for rrn|.]media and $7.66 to lease vip-news|.Jorg. I reviewed materials posted on rrn[.]media and discovered that it uses the same logo and branding as the original rrn[.]world and continues to post content consistent with the malign influence campaign previously posted on rn[.]world.

116. In addition, records received from OpenAI, a U.S.-based artificial intelligence research organization, revealed the purchase of multiple artificial intelligence program accounts, like ChatGPT, to generate and edit articles and comments specifically for rrn[.]media and other Doppelganger-linked domains. There were five email accounts used to register for OpenAI services linked to Doppelganger. Records received pursuant to legal process revealed one of those email accounts was connected by cookies to reliablerecentnews[(@]gmail.com. Based on my training and experience, I know that when two or more accounts are linked by cookies, this means that the accounts were accessed using the same device(s) and are likely accessed by the same user(s). One of the other email accounts used to register for OpenAI was connected by cookies to 37 other email accounts. Almost all of these connected email accounts used naming conventions that corresponded to domains used by Doppelganger as part of their unique media branding operation, including some of the SUBJECT DOMAINS, as discussed further below.

117. One of the SUBJECT DOMAINS, waronfakes|.]com, was discussed in length in the VIGINUM report:

The first articles published on RRN website were identical copies of articles previously published on the fake Russian fact-checking website War on Fakes, launched a few hours after Russia invaded Ukraine. Quickly identified for its role in legitimizing the Russian ‘special military operation’ and discrediting the Ukrainian State, War on Fakes has also been amplified by at least 65 official Facebook pages and official Twitter accounts of the Russian diplomatic network. Moreover, War on Fakes the administrator’s login page has been set up to redirect traffic to rrussianews.com, thereby establishing a technical link between the two websites. The domain name waronfakes|.]com was registered on 1 March 2022 and was updated a year later by Timofey VASILIEV a Russian citizen known for having worked for ANO Dialog. Dialog is an organization created in 2019 under the supervision of the Russian Presidential Administration and the Department of Information Technologies of Moscow city. n charge of a portion of the public relations and communication strategy of Moscow, ANO Dialog has been accused of conducting online propaganda activities on behalf of the Russian State.[iv]

118. As noted in the VIGINUM report, the administrator’s login page for waronfakes[.]com redirected traffic to rrussianews.com. The corresponding email address for rrussianews.com, rrussiannews[(@lgmail.com was the recovery email for the above-described Russian citizen’s reliablerecentnews[@]gmail.com account, which in turn was used to register the rrn[.]world domain. In addition, SDA records revealed that GAMBASHIDZE had the resume of an individual assessed to be working for Doppelganger, who described their experience from October 2022 to present as a writer for the Telegram channel war on fakes, with duties including writing posts for the channel war on fakes and war on fakes analytics, and working on translations and open-source research. Waronfakes|.]com is leased from an overseas registrar which leases the domain from the U.S. registry, VeriSign Global Registry Services (“VeriSign”). Accordingly, there is probable cause to believe that when ANO Dialog renews the lease on the domain, a portion of those funds are used by the overseas registrar to pay VeriSign in the United States for the benefit of sanctioned persons.

1. Other Doppelganger Media Brands

119. Based on records received pursuant to legal process, open-source research, the content of articles published on the domains, and information obtained throughout this investigation, I assess that each of the SUBJECT DOMAINS listed below is part of Doppelganger.
120. The Demon Accounts
121. As noted above in paragraph 116, five email accounts were identified as using OpenAI services in furtherance of Doppelganger. Records received from Google pursuant to legal process revealed that one of those accounts (the “Demon Account”) was subscribed in the name of “White Seo.” When it was registered, the Demon Account selected Russian as its language, listed a Russian recovery email ending in .ru with the same naming convention, namely “Demon” followed by a string of numbers, and provided a Russian phone number. The Demon Account was linked by cookies to 37 other email accounts with naming conventions that correspond to domains connected to Doppelganger’s unique media branding operation, including some of the SUBJECT DOMAINS, such as:

Email Account Linked by Cookies to the Demon Account

Corresponding SUBJECT DOMAIN

holylandheraldcomn[@]gmail.com
holylandherald[.] com

mypride.press[@]gmail.com
mypride[.]press

liesofwallstreet.com[@]gmail.com
liesofwallstreet[.]io

50statesoflie.com[@]gmail.com
50statesoflie|.]media

ukrlm.info[@]gmail.com
ukrlm[.]info

meisteruiancom[@]gmail.com
meisterurian[.]io

Acrosstheline.press[@]gmail.com
acrosstheline[-]press

Electionwatch.live[@]gmail.com
electionwatch[.]io

Honeymoney.infonow[@]gmail.com
honeymoney.press

Uschina.press.now[@]gmail.com
uschina[.Jonline

Spicyconspiracy.info[@]gmail.com
spicyconspiracy[.]io

Levinaigre.net[@]gmail.com
levinaigre[.]net

2 The Goodbye Persona Leased the Acrossthelinelpress, ukrlmLJinfo. And myprideL]press Domains Linked to the Demon Account

121. Two Proton Mail email accounts, Aurevourmail[@]proton.me and Buenasnochesmail[@]proton.me, (collectively, the “Goodbye persona”), leased domains from Namecheap for use in the Doppelganger campaign, including acrosstheline[.]press,[v] ukrlm[.]info,[vi] and mypride|.]press.[vii] Given that these Proton Mail addresses included derivations of a phrase roughly translated into two languages: Au Revoir and Buenas Noches, I assess that the Namecheap accounts were created using operational email addresses by ANO Dialog employees or agents acting on their behalf and will refer to them collectively as the Goodbye persona.
122. Records received from Namecheap pursuant to legal process revealed that the Goodbye persona leased acrosstheline[-Jpress, ukrlm[.]info, and mypride|.Jpress using the 77.25 Server and paid for them using a U.S.-based payment provider, called BitPay, which allows users to make payments via Bitcoin. Records received pursuant to legal process from Namecheap and BitPay revealed the following:

77. On February 27, 2023, the Goodbye persona, using the 77.25 Serve, sent 0.002612 BTC, equivalent to $60.46, from a Bitcoin address ending in -MİP6T to Namecheap. The same day, Namecheap credited the Goodbye persona account with $60.00 and the account used $53.12 to lease acrosstheline[.-Jpress, ukrlm[.]info, and myprideļ.]press which included a $38.64 monthly subscription for Easy WP, a Namecheap product for managing websites.
78. On March 21, 2023, the Goodbye persona, using the 77.25 Server, sent 0.001486 BTC, equivalent to S40.84, from a Bitcoin address ending in -JPrHF to Namecheap. The same day, Namecheap credited the Goodbye persona account with $40.00, which prevented the previously mentioned subscription from overdrawing the account.

77. On April 20, 2023, the Goodbye persona, using the 77.25 Server, sent 0.003881 BTC, equivalent to $110.62, from a Bitcoin address ending in -mhtcF to Namecheap. The same day, Namecheap credited the Goodbye persona account with $110.00, which prevented the previously mentioned subscription from overdrawing the account.
78. On July 23, 2023, the Goodbye persona, using a German IP address that Spur has linked to a cybercriminal network, sent O.00679 1 BTC, equivalent to $202.51, The same day, Namecheap credited the Goodbye persona account with $200.00, which prevented the previously mentioned subscription from overdrawing the account.
79. On December 15, 2023, the Goodbye persona, using a German IP address that Spur has linked to a cybercriminal network, sent 0.002 147 BTC, equivalent to $89.99, from a Bitcoin address ending in qpwW to Namecheap. The same day, Namecheap credited the Goodbye persona account with $70.00, which prevented the previously mentioned subscription from overdrawing the account.
80. On July 23, 2023, the Goodbye persona, using a German IP address that Spur has linked toa cybercriminal network, sent 0.004861 BTC, equivalent to $206.86, from a Bitcoin address ending in -Z2my to Namecheap. The same day, Namecheap credited the Goodbye persona account with $205.00 and the account used $89.48 to renew their lease of acrosstheline|.]press, ukrlm[.Jinfo, and mypride[-lpress.

123. Based on these BitPay transactions, the IP addresses, and my training and experience, there is probable cause to believe the funds used to lease these three SUBJECT DOMAINS originated from outside the United States.

3. The Levinaigrenet Persona Leased the Levinaigre[.]net, and Meisterurian[.]io Domains Linked to the Denon Account and Warfareinsider[.]us.
4. Records received from Namecheap pursuant to legal process revealed that a user with the email address levinaigrenet[@]proton.me leased levinaigreļ.]net,[viii] meisterurian[-]io,[ix] and warfareinsider[.]us.[x] The Levinaigrenet persona provided Namecheap with a name of Jay Rom and a Broken Bow, Nebraska mailing address. All payments were made using funds transferred from BitPay. Law enforcement records checks reveal no association between a Jay Rom and the physical mailing address in Nebraska provided to Namecheap. In addition, despite indicating a U.S. mailing address, on June 16, 2023, the Levinaigrenet persona accessed Namecheap via the 77.25 Server and, using BitPay, deposited $72.00. On June 19, 2023, the Levinaigrenet persona used the 77.25 Server to access Namecheap and used $25.04 to lease levinaigre[.]net and purchase a monthly subscription of EasyWP. Then, on July 5, 2023, the Levinaigrenet persona accessed Namecheap via a French IP address that Spur linked to a cybercriminal network and, using BitPay, deposited $120.00. The same day the Levinaigrenet persona used $70.22 to lease warfareinsider[.]us and meisterurian[.]io and purchase monthly subscriptions of EasyWP for both. On June 4, 2024, the Levinaigrenet persona accessed Namecheap via the 76.173 Server. and, using BitPay, deposited $200.00. The same day the account used $10.48 to renew the lease for warfareinsider[.]us and meisterurian|.]io.
5. As discussed below, on both June 16 and 19, 2023, another Doppelganger linked Namecheap account also used the 77.25 Server to access their Namecheap account. Accordingly, although the Levinaigrenet persona provided Namecheap with a U.S. address, I assess that the individual accessing and paying for the account is actually located overseas.

4. The Holylandherald Persona Leased the Holylandherald[Llcom Domain Linked to the Demon Account and Grenzezank[.]com, and Lexomnium[Jcon

126. Records received from Namecheap pursuant to legal process revealed that a user with the email address holylandheraldcom[(@]proton.me leased holylandherald[.]com,[xi] grenzezank[.]com,[xii] and lexomnium[.] com.[xiii] The Holylandherald persona provided Namecheap with a first name of holyland, a last nanme of herald, and a mailing address in Kansas City, Missouri that indicated the country of residence to be Germany. All payments for the domains were made using funds transferred from BitPay.

127. Specifically, on June 16, 2023, the Holylandherald persona accessed Namecheap via the 77.25 Server and, using BitPay, deposited $65.00. On June 19, 2023, the Holylandherald persona accessed their Namecheap account using the 77.25 Server and used $22.64 to lease holylandherald[.]com and purchase a monthly subscription of EasyWP. As referenced above, records received from Namecheap revealed that the account used to lease Levinaigre|.]net, meisterurian[.]io, and warfareinsider[.]us accessed Namecheap from the same server at approximately the same time. On April l6, 2024, the Holylandherald persona accessed Namecheap via a U.S. IP address that Spur has linked to a cybercriminal network and, using BitPay, deposited $104.00. On May 20, 2024, Namecheap charged the account $16.06 to renew the lease for holylandherald[.]com.

128. On July 5, 2023, the Holylandherald account accessed Namecheap via a German IP address that Spur has linked to a cybercriminal network and, using BitPay, deposited $120.00. The same day the account used $45.28 to lease grenzezank[.]com and lexomnium[.]com and purchase monthly subscriptions of EasyWP for both. On May 31, 2024, the account accessed Namecheap via the 76.173 Server. and, using BitPay, deposited $100.00. The same day the account used $32.12 to renew the lease for grenzezank[.]com and lexomnium[.]com.

[i] Starting on September 27, 2022, Meta released a series of reports regarding Doppelganger. These reports are available to the public on Meta’s website.

[ii] During the Russian occupation of Bucha, Ukraine, numerous reports of Russian war crimes were alleged. After the Russian military retreated from the town, independent journalists confirmed significant atrocities largely against the civilian population. See https://www.hrw.org/news/2022/04/21/ukraine-russian-forces-trail-death-bucha. The Russian Defense Ministry denied allegations that its forces killed civilians in Bucha, stating ina Telegram post on April 3, [2022] that ‘not a single local resident has suffered from any violent action’ while Bucha was “under the control of the Russian armed forces,’ and claiming instead that the evidence of crimes was a ‘hoax, a staged production and provocation” by authorities in Kyiv.” On July 7, 2022, RRN published an article titled “Video: False Staging in Bucha Revealed!” which falsely alleged the atrocities were staged by Ukraine.

[iii] As noted below, the persona responsible for leasing levinaigre[.]net, warfareinsider(.Jus, and meisterurian|.Jio also accessed Namecheap from the 77.25 Server. Likewise, the individual responsible for leasing holylandherald|.] com, grenzezankļ.Jcom, and lexomnium[.Jcom also accessed Namecheap from the 77.25 Server.

[iv] Available at https://www.sgdsn.gouv.fr/files/files/20230719_ NP_ VIGINUM RAPPORT- CAMPAGNE-RRN EN1.pdf

[v] Across the Line presents itself as a website focused on migration and forced displacement issues, often presenting only an adverse perspective as it relates to the U.S. Its website footer notes, “Join us in tackling the problems of refugees across the globe and at the US border. Let’s cross the line to support those who didn’t ask to leave their homes and face uncertainty.”

[vi] UKRLM is an English language website that describes itselfas “Bringing you the latest updates, analysis, and insights from war-torn Ukraine. Stay informed on the ongoing Russia-Ukraine conflict with us.”

[vii] My Pride Press is an English language website that focuses on the LGBTQ community, with topics including trans youth, athletes, health, woke wars, LGBT.

[viii] Levinaigre is a French language website that focuses on French scandals.

[ix] Meisterurian is a German language website that purports to publish German news stories.

[x] Warfareinsider is an English language website that describes itself as reporting on Latest military news. Stay sharp to look at it from the different perspective.”

[xi] Holyland Herald poses as an Israeli based English language news website focused on Isracl-US relations, the war in Gaza, and other Middle East issues, however it also posted articles related to Ukraine, such as an article titled “Ukraine Interferes in Russian Presidential Elections.”

[xii] Grenzezank is a German language website that focuses on international news, including U.S. politics.

[xiii] Lex omnium, which translates to The Law of AIl in Latin, is a French language website that appears to focus on French news with a legal perspective.