Russia's Evolving Cognitive Warfare
Can these methodologies help illicit actors hide and move assets?

Whenever I speak to audiences or train my own teams on the topic of financial integrity, I highlight evolving methodologies illicit actors use to hide and move dirty money, how they converge, and how strategies must adapt.
Sanctions evasion has grown into a billion-dollar industry, with facilitators selling circumvention, especially after Russia’s full-scale invasion of Ukraine in 2022. As designations from the UK, the EU, and the United States increased in size and scope, professional enablers got rich by helping sanctioned individuals avoid scrutiny. Moscow’s Higher School of Economics last year even launched a new program teaching master’s students about sanctions and how to circumvent them.
The secret to stopping these illicit actors, I’ve always said, is enforcement—both against the enablers, and against those who employ them. However, in addition to political will and resources to enforce sanctions and other restrictions, knowledge is key.
How have methodologies to move illicit assets evolved?
What’s the best way to track them?
How do the strategies to move misappropriated assets, drug proceeds, and terrorist funds converge with efforts to evade sanctions and strategic trade controls and other financial crimes?
Illicit actors, increasingly aided by AI, are creating ever-more complex ownership and control structures to hide beneficial owners behind the assets and make them almost impossible to trace.
So how do firms and financial institutions protect themselves and their clients?
AI is only the start. As I highlighted in a podcast with Thomson Reuters’ Rabihah Butler a few months ago, AI is a tool, not a substitute for human expertise. The use of AI can make compliance more efficient, leaving simple screening and other rote tasks to the machine while using expert human resources for deeper analysis. You can watch the entire thing here.
Experts need to understand how close a particular entity or individual or potential business partner is to a sanctioned individual.
Are there business links? Are there family links? Are these links being used as proxies, which is a common sanctions evasion technique?
The more we discover, the more illicit actors evolve.
Evolving Russian cognitive warfare
A recent Bloomberg article showed that Russia’s disinformation warfare is increasing, with more sophisticated deep fakes, fabricated claims, and viral spread. The Storm-1516 influence operation that aims to exploit wedge issues and undermine western support for Ukraine is relatively easy to spot, according to the report.
Its videos showcase forged documents, staged testimonies and AI-enhanced audio or visual manipulations. Though the targets vary, the themes are consistent: allegations of election fraud, sexual abuse by officials, Zelenskiy living a life of luxury. Storm-1516 seeds its stories through websites purporting to be news media and a network of influencers, some of whom retweet posts by bots. Social media algorithms widen the audience.
The details about Russia’s Storm-1516 were exposed a few months ago, and since then, more information has emerged.
Say “hello” to Project 2026 - an operation by Russia’s Social Design Agency (SDA), a PR outfit designated by the United States and other western allies a couple of years ago as part of Russia’s malign influence efforts. At the time, the US Treasury noted that Ilya Gambashidze, the founder of the Moscow-based SDA, and Nikolai Tupikin, the CEO and owner of Russian Group Structura LLC, were involved in a “persistent foreign malign influence campaign at the direction of the Russian Presidential Administration.”
SDA and Structura have been identified as key actors of the campaign, responsible for providing GoR with a variety of services, including the creation of websites designed to impersonate government organizations and legitimate media outlets in Europe [emphasis mine].
Apparently these malign influencers are still operating. Project 2026 is their latest operation, and according to Bloomberg journalists, their cognitive warfare methodologies have evolved beyond spreading fake information to building an entire “alternative ecosystem” to thwart research efforts and spread Russia’s malign influence.
Leaked documents from a private Russian agency reviewed by Bloomberg News reveal plans to build a sprawling network of Wikipedia-style reference sites, media outlets and phony think tanks to shape how people and AI chatbots understand political issues.
The usual disinformation strategies are detailed, including false claims about foreign public figures who oppose Russia. An Armenian research outlet last month detailed the Russian-language website “Yerevan1” which existed mainly to foment negative messaging against Armenian Prime Minister Nikol Pashinyan among the Armenian community of Russia. The website belongs to SDA as evidenced by the screencap below.
Those familiar with Russia’s disinformation campaign Operation Doppelgänger recognize many of the strategies above, including efforts to mimic legitimate news sites, think tanks, and government agencies. The aforementioned Structura and SDA were exposed by Meta as being behind Doppelgänger in 2023.
“Some of these spoofs were particularly elaborate,” noted Meta, with one Washington Post article based on “a faked Russian-language video which purported to show President Zelensky admitting that he was a puppet of the CIA.”
If you thought those efforts were elaborate, how about the current work to train AI to falsify information?
Bloomberg reported that internal planning documents detailed Russian efforts to build websites controlled by the Kremlin. The endeavor, according to Bloomberg, is designed to capture search traffic and influence AI chatbots with false information about politicians and current events.
One proposal outlined plans to build a reference site “cloned” from Wikipedia for Armenia that operators would optimize for search engines and insert Russia-friendly narratives into the most-read pages. The proposal was dated April 14, according to its metadata, just two months before the country’s June 7 election.
Despite Russian efforts that included three Wikipedia-style sites for Armenia created in January, Pashinyan won the election and the sites were booted by their web-hosting provider.
That’s the good news.
The bad news is that hundreds of thousands of web pages were created by the operation to target Germany (and probably other western allies), where the Russia-friendly Alternative für Deutschland (AfD or Alternative for Germany) has been gaining attention and popularity as the largest opposition party in the Bundestag.
The leaks revealed plans to edit 100 articles per month targeting search engines and “train” six AI platforms monthly using these edited articles.
“Their approach is to try to break search engines by flooding the zone with content that cross-references their content or their narratives,” said Katerina Sedova, a nonresident senior fellow at the Atlantic Council’s Eurasia Center and a former US State Department official who specializes in technology and national security. “This will be their indirect way of breaking into popular chatbots and search engines.”
How can Russian tactics be used in illicit finance?
Let’s say you’re a compliance analyst working at a large financial institution. In your enhanced due diligence (EDD) review you find that a bank client is transacting with a counterparty that has very little to no online presence, that has registration documents on record in Türkiye, and that the client owns a company that creates restricted technologies that are Tier 1 on the Bureau of Industry and Security’s (BIS) Common High Priority Items List (CHPL). This tier lists items of the highest concern due to their critical role in the production of advanced Russian precision-guided weapons systems, and includes electronic integrated circuit processors and controllers, whether or not combined with memories, convertors, logic circuits, amplifiers, clock and timing circuits, or other circuits.
This is a high-risk sector, and Türkiye is a known and critical part of Russia’s sanctions evasion infrastructure - definitely a cause to dig deeper.
You start examining the company with which your client is transacting. You discover that the entity may be based in Türkiye, but it’s connected to a vast web of shell companies located all over the globe, including in Panama, Hong Kong, the Cayman Islands, Switzerland, the British Virgin Islands, and the United States. It’s a complex network, and it will likely take you days to discover who is behind this network, the beneficial owner, whether they’re linked to any illicit actors, and whether those who ostensibly run those entities are actual people or fake online personas.
Now, imagine you’re doing counterparty research on one of the owners of one of these business entities and you click on a link that you think takes you to the person’s LinkedIn account, or their personal web page, or a well-known open-source site, such as a think tank or a government registry, and you discover that the owner is squeaky clean and an expert in their field.
You’re good to go, right?
Not so fast. What if the site that provided information about this individual was a mimic, with a couple of letters changed in the domain to make you believe it’s real, such as “rnicrosoft.com” or the “Carnegie Endowment for lnternational Peace”?
If you’re quickly scrolling, would you notice that the “m” in “microsoft.com” was changed to “r” and “n”? Would you notice that the capital “I” in “International” was changed to a lower case “l”?
That source you may be citing as a credible report may be a spoofed site that an illicit actor has trained an AI agent to pull up to mislead researchers and help a company or individual look legitimate and low-risk. Homoglyph domains can bypass basic filters and lead you to a fake site - they’re not just used by phishers anymore.
These tweaks can be used to mislead compliance officers, researchers, and analysts and lead them to sophisticated websites created by entities such as SDA and Structura meant to disguise illicit-actor involvement in transactions.
This is a more sophisticated effort than Internet Research Agency troll farms, which were focused on driving engagement.
Training AI and creating realistic deep fakes can help create “legitimate” business owners, and they’re becoming more difficult to detect.
Maybe the young girl in this video did not fool you. Maybe the eyes and her blinking struck you as a bit “off.” Was her face too smooth? Were there other signs that set off your Spidey senses?
But after scrolling through several dozen of these videos, would you be able to discern their veracity as easily?
Corroboration is key
The best piece of advice I can give is to find corroboration. Use the tools at your disposal. Do you have an AI agent created by your company that can help you identify flaws in documents or videos? Has a particular report already been debunked by Internet sleuths? Copy the domain name and paste it into Notepad. You can see spoofs more clearly there.
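The manual domain check above can also be automated. The following is an added example, not part of the original article: it flags a source name that differs from a trusted entry only by look-alike characters, including ones hidden behind punycode. The trusted list and the small confusables table are constructed for illustration and cover far less than the full Unicode confusables data.

```python
import unicodedata

# Constructed allow-list: sources the analyst already trusts (assumption).
TRUSTED = ["microsoft.com", "Carnegie Endowment for International Peace"]

# Small illustrative confusables table, not the full Unicode TR39 data.
CONFUSABLES = {
    "rn": "m", "vv": "w", "I": "l", "1": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c",                  # Cyrillic er, es
}

def skeleton(text):
    """Collapse look-alike characters so visually similar strings compare equal."""
    text = unicodedata.normalize("NFKC", text)  # folds full-width and ligature forms
    for fake, real in CONFUSABLES.items():
        text = text.replace(fake, real)
    return text.lower()

def classify(candidate, trusted=TRUSTED):
    """Return ("exact" | "lookalike" | "unknown", matched trusted entry or None)."""
    cand = candidate.strip()
    if " " not in cand:                      # hostname: DNS ignores case
        cand = cand.lower().rstrip(".")
        if "xn--" in cand:                   # punycode hides non-ASCII letters
            try:
                cand = cand.encode("ascii").decode("idna")
            except UnicodeError:
                pass                         # keep the raw form if it will not decode
    if cand in trusted:
        return ("exact", cand)
    by_skeleton = {skeleton(t): t for t in trusted}
    match = by_skeleton.get(skeleton(cand))
    return ("lookalike", match) if match else ("unknown", None)

if __name__ == "__main__":
    # Constructed samples: the two spoofs quoted in the article plus controls.
    for sample in ["microsoft.com", "rnicrosoft.com", "example.org",
                   "Carnegie Endowment for lnternational Peace"]:
        print(f"{sample!r:50} -> {classify(sample)}")
```

A "lookalike" verdict means the source should be treated as unverified until it is corroborated elsewhere; "unknown" only means it resembles nothing on the list, not that it is safe.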
Look for the latest developments in cognitive warfare. These reports pop up nearly daily, and they detail various methodologies that can be used to fool you. These strategies may not be directly aimed at money laundering, sanctions evasion, or violation of trade controls, but they certainly can be adapted to those activities, so you’ll need to think outside the box and use your imagination.
If you were a bad actor, how would you adapt new technologies to help you move funds, hide assets, or transfer restricted goods and services?
Don’t take anything you find on the web for granted. Illicit actors are evolving and so should your methods for detecting their activity.





Regarding fake domains... You know people who stop others from going there...
In fact we have an entire infrastructure devoted to identifying such sites.
We should probably talk about that and some other related things
"But... but... Hunter Biden!"