CopyCop Deepens Its Playbook with New Websites and Targets

Since early 2025, the CopyCop (Storm-1516) covert Russian influence network has expanded to operate over 300 inauthentic websites—impersonating local media, political parties, and fact-checkers—to publish AI-generated, pro‑Russian and anti‑Ukrainian narratives targeting the US, France, Germany, Canada, Moldova, Armenia, and new language audiences including Turkish, Ukrainian, and Swahili. Attribution links the network to John Mark Dougan with support from the Moscow-based Center for Geopolitical Expertise (CGE) and the GRU, which likely funded self-hosted uncensored Llama‑3 models used to generate content and deepfakes. #CopyCop #JohnMarkDougan #CenterForGeopoliticalExpertise #GRU #Llama3

Keypoints

  • Insikt Group identified at least 200 new CopyCop websites in 2025 (over 300 total this year including 94 previously reported targeting Germany), expanding targets and languages to include Turkish, Ukrainian, and Swahili.
  • Operators almost certainly include John Mark Dougan, supported by the Moscow-based CGE and GRU; the GRU likely financed self-hosted LLM infrastructure used for content generation.
  • CopyCop’s primary objective remains undermining support for Ukraine and fracturing political cohesion in Western countries, with secondary aims targeting Moldova, Armenia, and other regional audiences.
  • TTPs include impersonating local and legitimate media outlets, publishing deepfakes and fake whistleblower interviews, amplifying content via pro‑Russian influencer ecosystems, and using AI-generated articles and journalist profiles.
  • New evolutions observed: deployment of self-hosted uncensored Llama‑3 models (e.g., dolphin-2.9-llama3-8b or Llama-3-8B-Lexi-Uncensored), use of subdomains as mirrors for resilience, and higher-quality broadcast-style video assets.
  • Key clusters include US-themed domains hosted on IP 72[.]14[.]185[.]187, the Truefact cluster (truefact[.]news and regional subdomains), and extensive French-targeting domain clusters with associated throwaway email registrants.
  • Recommended mitigations include monitoring and takedown coordination, tracking amplification on social platforms, brand protection for news organizations, and LLM providers monitoring misuse of models to prevent poisoning of datasets.

MITRE Techniques

  • [T1584] Compromise Infrastructure – CopyCop registers and batches domains and hosts them (e.g., “Domains for hosting CopyCop websites are typically registered in batches on linked infrastructure…”) to deploy inauthentic websites and mirrors.
  • [T1609] Data Manipulation – AI-generated and forged documents/images are used to produce fabricated evidence and narratives (e.g., “…citing a document on Ukrainian presidential letterhead that was almost certainly forged”).
  • [T1195] Drive-by Compromise (mirroring resilience as an analogous technique) – Use of subdomains as mirrors to increase resilience and exposure (e.g., “using subdomains as mirrors… likely to increase the network’s presence and resilience”).
  • [T1204] User Execution (Malicious Content Delivery) – Distribution of fabricated videos and fake interviews (deepfakes) to social platforms to induce user engagement and belief (e.g., “produced a deepfake video… falsely accusing Armenian Prime Minister Nikol Pashinyan”).
  • [T1606] Obfuscated Files or Information – Use of AI artifacts and model “uncensoring” techniques that produce inconsistent outputs and artifacts in published content (e.g., “LLM artifacts… ‘Please note that this rewrite aims to provide a clear and concise summary…’”).
  • [T1588] Obtain Capabilities – Use and fine-tuning of self-hosted LLMs (Meta Llama‑3 variants) and access to state media content for training (e.g., “Dougan admitted asking Russian state media outlet TASS for access to articles to fine-tune LLMs”).
  • [T1583] Acquire Infrastructure – Use of third-party hosting and CDNs (Akamai/Linode) and Russian-hosted IPs for site hosting and related projects (e.g., “hosted on 72[.]14[.]185[.]187… 89[.]31[.]82[.]185”).

Indicators of Compromise

  • [Domain] CopyCop infrastructure and impersonation domains – allstatesnews[.]us, truefact[.]news (and subdomains like fr[.]truefact[.]news)
  • [IP Address] Hosting/linked infrastructure – 72[.]14[.]185[.]187 (Akamai/Linode hosting many US-themed sites), 89[.]31[.]82[.]185 (Russia-hosted IP tied to Dougan projects)
  • [Domain] French-targeting domain cluster examples – franceavanttout[.]fr, lequotidienfrancais[.]fr (and many mirrored subdomains listed in Appendix C)
  • [Domain] Canadian and other targeted sites – albertaseparatist[.]com, torontojournal[.]ca
  • [Email] Throwaway registrant emails used for domain registrations – jeanmoreau90[@]proton[.]me, applefreshtaste[@]proton[.]me (and numerous Gmail/Proton/Zoho throwaway addresses)
  • [Domain] Other infrastructure and projects linked to Dougan – darkpulsar[.]ai, darkquasar[.]tech, skryty[.]ru (and related chat/video subdomains like chat[.]darkpulsar[.]ai)
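As an added defender-side example (not code from the Recorded Future report or the CopyCop research), the following Python script turns the defanged indicators listed above into a watchlist and scans log lines for them. It matches IPs and registrant emails exactly, and matches domains so that the subdomain mirrors the report describes (e.g. anything under truefact[.]news) are caught while look-alike names that merely end in the same characters are not. The log lines, the internal client IPs and the non-listed domains in them are constructed for this example.

```python
import ipaddress
import re

# Defanged indicators as listed in the summary above (report-sourced values).
DEFANGED_IOCS = [
    "allstatesnews[.]us", "truefact[.]news", "fr[.]truefact[.]news",
    "72[.]14[.]185[.]187", "89[.]31[.]82[.]185",
    "franceavanttout[.]fr", "lequotidienfrancais[.]fr",
    "albertaseparatist[.]com", "torontojournal[.]ca",
    "jeanmoreau90[@]proton[.]me", "applefreshtaste[@]proton[.]me",
    "darkpulsar[.]ai", "darkquasar[.]tech", "skryty[.]ru", "chat[.]darkpulsar[.]ai",
]


def refang(value):
    """Turn a defanged indicator ([.] / [@] / hxxp) back into its live form."""
    return value.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http").lower()


def classify(ioc):
    """Bucket a refanged indicator as email, ip or domain."""
    if "@" in ioc:
        return "email"
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain"


def build_watchlist(defanged):
    """Refang and bucket every indicator into a set per type."""
    watchlist = {"domain": set(), "ip": set(), "email": set()}
    for raw in defanged:
        live = refang(raw)
        watchlist[classify(live)].add(live)
    return watchlist


def domain_matches(hostname, domains):
    """Return the most specific watched domain that hostname equals or is a
    subdomain of (so mirrors like de.truefact.news match truefact.news), or
    None. The leading dot in the suffix check prevents look-alike names such as
    notreallytruefact.news from matching."""
    host = hostname.lower().rstrip(".")
    for domain in sorted(domains, key=len, reverse=True):
        if host == domain or host.endswith("." + domain):
            return domain
    return None


# Constructed sample log lines (DNS, proxy and WHOIS-style records); not from the report.
SAMPLE_LOGS = [
    "2025-09-01T10:00:00Z dns query 10.0.0.5 -> de.truefact.news A",
    "2025-09-01T10:00:01Z dns query 10.0.0.6 -> www.example.org A",
    "2025-09-01T10:00:02Z proxy 10.0.0.7 GET https://allstatesnews.us/story/123 dst=72.14.185.187",
    "2025-09-01T10:00:03Z proxy 10.0.0.8 GET https://news.example.com/ dst=203.0.113.10",
    "2025-09-01T10:00:04Z whois registrant=jeanmoreau90@proton.me domain=nouveau-quotidien-example.fr",
    "2025-09-01T10:00:05Z proxy 10.0.0.9 GET https://notreallytruefact.news/ dst=198.51.100.4",
]

# Field extractors for the constructed log formats above.
HOST_RE = re.compile(r"(?:->\s*|https?://|domain=)([a-z0-9.-]+\.[a-z]{2,})", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}", re.I)


def scan_line(line, watchlist):
    """Return (type, observed_value, matched_indicator) tuples for one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        matched = domain_matches(host, watchlist["domain"])
        if matched:
            hits.append(("domain", host.lower(), matched))
    for ip in IP_RE.findall(line):
        if ip in watchlist["ip"]:
            hits.append(("ip", ip, ip))
    for email in EMAIL_RE.findall(line):
        if email.lower() in watchlist["email"]:
            hits.append(("email", email.lower(), email.lower()))
    return hits


def scan_logs(lines, watchlist):
    """Scan every line; return (line_index, hit) pairs in log order."""
    return [(i, hit) for i, line in enumerate(lines) for hit in scan_line(line, watchlist)]


if __name__ == "__main__":
    wl = build_watchlist(DEFANGED_IOCS)
    for index, (kind, seen, indicator) in scan_logs(SAMPLE_LOGS, wl):
        print(f"line {index}: {kind} {seen} matched watchlist entry {indicator}")
```

Run as-is, the script reports four hits: the truefact[.]news mirror in the DNS log, the US-themed site and its hosting IP in the proxy log, and the throwaway registrant email in the WHOIS record; the look-alike `notreallytruefact.news` line is correctly ignored. For production use, feed the refanged sets into your SIEM's lookup tables rather than scanning with regexes line by line, and keep the subdomain-aware match so newly created mirrors under a known apex domain are caught without a watchlist update.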

Read more: https://www.recordedfuture.com/research/copycop-deepens-its-playbook-with-new-websites-and-targets