An Analysis of DNS Data from 32 Doppelganger Websites Seized by the U.S. Government

The U.S. Justice Department seized 32 websites tied to the so-called “Doppelganger” campaign, which investigators say was a Russian-sponsored effort to spread disinformation by impersonating or cybersquatting on legitimate news outlets. Follow-up WHOIS and DNS analysis linked those 32 domains to hundreds of related domains (384 registrant-connected, 123 email-connected), 64 unique IP addresses (54 flagged as malicious), and the registrant and email records behind them. #Doppelganger #WashingtonPost

Keypoints

  • 32 websites were seized by U.S. authorities as part of the Doppelganger campaign takedown.
  • The campaign is believed to be Russian-sponsored and focused on cyberpropaganda and disinformation.
  • Seized domains were used to publish fake news; roughly half were cybersquatting on legitimate news brands.
  • WHOIS and DNS expansion discovered 384 registrant-connected domains and 123 email-connected domains linked to the seized set.
  • Analysis found 64 unique IP addresses associated with the domains, 54 of which were flagged as malicious by threat intelligence.
  • Seized domains were registered between 2022 and 2024 across multiple registrars (Namecheap, GoDaddy, NameSilo) and countries (Iceland, U.S., France).

MITRE Techniques

  The mappings below come from the threat-intelligence labels attached to IPs connected to the seized domains (phishing, malware, command-and-control); the DNS investigation itself reports no C2 traffic, DGA use or credential theft by the seized sites, so treat the last two entries in particular as unevidenced by this report.

  • [T1071] Application Layer Protocol (Command and Control) – Connected IPs carried C2 labels in threat intelligence. (‘Utilizes multiple command and control domains to maintain communication with compromised systems.’)
  • [T1566] Phishing – Connected IPs carried phishing labels; the seized sites themselves impersonated news brands. (‘Engages in deceptive practices to trick individuals into revealing sensitive information.’)
  • [T1203] Exploitation for Client Execution – Connected IPs carried malware labels. (‘Deploys malicious software to exploit vulnerabilities in systems.’)
  • [T1483] Domain Generation Algorithms (revoked ID; now T1568.002, Dynamic Resolution: Domain Generation Algorithms) – Not evidenced in the report. (‘Uses algorithms to generate domain names for command and control purposes.’)
  • [T1003] OS Credential Dumping – Not evidenced in the report. (‘Extracts account login credentials from compromised systems.’)

Indicators of Compromise

  • [Domain names] seized by the DOJ – washingtonpost[.]pm, fox-news[.]in and 30 more; the full list includes look-alikes such as lemonde[.]ltd and spiegel[.]agency.
  • [IP addresses] hosts tied to the domains – 172[.]67[.]191[.]9, 104[.]21[.]53[.]189 and 52 more IPs flagged as malicious. Note that 172.67.0.0/16 and 104.21.0.0/16 are Cloudflare anycast ranges shared by many unrelated tenants, so blocking or alerting on those two addresses will produce false positives; match on the domain names instead.
  • [Registrant-connected domains] WHOIS expansion results – 384 domains sharing registrant details with the seized set (examples in the report sample).
  • [Email-connected domains] historical WHOIS email links – 123 domains sharing a registrant email with the seized set; 11 public email addresses were found in WHOIS history.

The Justice Department announced the seizure of 32 websites tied to the “Doppelganger” campaign, which investigators say was a covert Russian-backed effort to push disinformation. Many of the domains imitated well-known news outlets or were created specifically to publish fabricated stories; roughly half of the seized domains were judged to be cybersquatting on legitimate news brands.

Open-source follow-up work (including a listing from The Hacker News) and a DNS/WHOIS deep dive connected the 32 domains to a much larger footprint: 384 registrant-connected domains, 123 email-connected domains, and 64 unique IP addresses. Threat intelligence flagged 54 of those IPs as associated with malicious activity such as phishing, malware, and command-and-control operations.
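The registrant, email and IP pivots described above, as an added example that is not code from the CircleID report or its authors. The WHOIS and DNS records are a constructed snapshot (RFC 5737 documentation addresses plus the two Cloudflare addresses from the IOC list), not the report's dataset, and the two shared-hosting prefixes are an assumption standing in for a provider's published list. The example goes one step beyond the page's two pivots by also pivoting on shared IPs, and shows why addresses in CDN ranges must be excluded from that step.

```python
"""Expand a seed list of defanged domains through WHOIS and DNS data.

Added example; WHOIS and DNS_A are constructed stand-ins for real lookups.
"""
import ipaddress
from collections import defaultdict

# Constructed WHOIS snapshot: domain -> registrant organisation and email.
WHOIS = {
    "washingtonpost.pm": {"registrant": "Org-A", "email": "a@mail.test"},
    "fox-news.in":       {"registrant": "Org-A", "email": "b@mail.test"},
    "lemonde.ltd":       {"registrant": "Org-B", "email": "c@mail.test"},
    "spiegel.agency":    {"registrant": "Org-B", "email": "c@mail.test"},
    "news-mirror.test":  {"registrant": "Org-A", "email": "z@mail.test"},
    "other-site.test":   {"registrant": "Org-C", "email": "b@mail.test"},
    "colo.test":         {"registrant": "Org-D", "email": "d@mail.test"},
    "piggyback.test":    {"registrant": "Org-E", "email": "e@mail.test"},
    "unrelated.test":    {"registrant": "Org-X", "email": "x@mail.test"},
}

# Constructed A records. 172.67.x and 104.21.x sit in Cloudflare's anycast
# space; the remaining addresses are RFC 5737 documentation ranges.
DNS_A = {
    "washingtonpost.pm": ["172.67.191.9", "104.21.53.189"],
    "fox-news.in":       ["198.51.100.7"],
    "lemonde.ltd":       ["203.0.113.10"],
    "spiegel.agency":    ["203.0.113.10"],
    "news-mirror.test":  ["198.51.100.8"],
    "other-site.test":   ["192.0.2.44"],
    "colo.test":         ["198.51.100.7"],
    "piggyback.test":    ["172.67.191.9"],
    "unrelated.test":    ["192.0.2.99"],
}

# Assumption: two well-known Cloudflare prefixes. In practice load the
# provider's published list; any CDN or shared-hosting range belongs here.
SHARED_HOSTING = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]


def refang(ioc: str) -> str:
    """Turn 'example[.]com' back into 'example.com' for lookups."""
    return ioc.replace("[.]", ".")


def defang(ioc: str) -> str:
    """Render a domain or IP so it cannot be clicked or resolved by accident."""
    return ioc.replace(".", "[.]")


def is_shared_hosting(ip: str) -> bool:
    """True when the address lies in a CDN / shared-hosting range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_HOSTING)


def expand(seeds, whois=WHOIS, dns=DNS_A):
    """Pivot from seeds via registrant, registrant email, then dedicated IPs."""
    seeds = {refang(s) for s in seeds}
    registrants = {whois[d]["registrant"] for d in seeds if d in whois}
    emails = {whois[d]["email"] for d in seeds if d in whois}

    registrant_connected = {d for d, r in whois.items() if r["registrant"] in registrants} - seeds
    email_connected = {d for d, r in whois.items() if r["email"] in emails} - seeds
    whois_expanded = seeds | registrant_connected | email_connected

    # Index every domain by IP, then pivot only over IPs outside shared-hosting
    # ranges: a Cloudflare edge address fronts thousands of unrelated tenants
    # and would pull in noise (piggyback.test is deliberately such a case).
    by_ip = defaultdict(set)
    for d, addrs in dns.items():
        for ip in addrs:
            by_ip[ip].add(d)
    dedicated_ips = {ip for d in whois_expanded for ip in dns.get(d, [])
                     if not is_shared_hosting(ip)}
    ip_connected = set().union(*(by_ip[ip] for ip in dedicated_ips)) - whois_expanded

    all_domains = whois_expanded | ip_connected
    unique_ips = {ip for d in all_domains for ip in dns.get(d, [])}
    return {
        "seeds": seeds,
        "registrant_connected": registrant_connected,
        "email_connected": email_connected,
        "ip_connected": ip_connected,
        "all_domains": all_domains,
        "unique_ips": unique_ips,
        "shared_hosting_ips": {ip for ip in unique_ips if is_shared_hosting(ip)},
    }


if __name__ == "__main__":
    result = expand(["washingtonpost[.]pm", "fox-news[.]in", "lemonde[.]ltd"])
    for key in ("registrant_connected", "email_connected", "ip_connected"):
        print(f"{key}: {sorted(result[key])}")
    print("unique IPs:", sorted(defang(ip) for ip in result["unique_ips"]))
    print("shared-hosting IPs (weak pivots):",
          sorted(defang(ip) for ip in result["shared_hosting_ips"]))
```

On the sample data the registrant and email pivots each pull in two domains (spiegel.agency appears in both, as a domain sharing both registrant and email with lemonde.ltd), and the IP pivot adds colo.test via a dedicated address while ignoring piggyback.test, which only shares a Cloudflare edge IP. Real passive-DNS and historical-WHOIS feeds return the same shape of data, so the two dicts are the only part to swap out.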

The seized sites were registered between 2022 and 2024 across multiple registrars (Namecheap led with 14 domains) and in several countries, with Iceland, the U.S., and France among the top registrant locations. Iceland as a registrant country is what Namecheap's WHOIS privacy proxy (Withheld for Privacy ehf, Reykjavik) typically produces, so the country counts likely describe privacy services rather than where the operators sit. Researchers provide a sample of additional artifacts and a more detailed dataset for download, noting that some entities flagged as threats may change classification after further investigation.

Read more: https://circleid.com/posts/a-dns-investigation-of-the-32-doppelganger-websites-seized-by-the-u.s-government