The news has been all abuzz these past few days because the Justice Department has indicted two Russian individuals for Foreign Agents Registration Act violations and money laundering and seized 32 internet domains connected with Russian malign influence efforts. OFAC also has designated 10 individuals and two entities at RT—Russia’s state-funded news media outlet—that allegedly were involved in covertly recruiting unwitting American influencers in support of their influence campaigns. Included in the designations is RT editor-in-chief Margarita Simonyan, who allowed a front company to operate under the cover of RT in order to disguise the involvement of the Russian government and RT in content meant to influence US audiences.
So a bunch of Russians working for RT have been caught with their pants down, using all sorts of tricks to spread disinformation, advance Russian messaging, and sow discord in the United States (and Europe).
Their influence efforts, according to the Justice Department, involved influencers, AI-generated content, paid social media ads, and social media accounts to drive traffic to cybersquatted and other domains.
What is cybersquatting?
It’s when a malign (usually) actor registers a domain intended to mimic another person or company’s website. For example, the campaign, referred to as “Doppelgänger,” which means “lookalike,” created numerous domains that mimicked legitimate media outlets, including the Washington Post, Fox News, Reuters, German Der Spiegel and Bild, French Le Monde, and others.
These domains were created to appear virtually identical to their legitimate media counterparts, including similar layout and design, as well as the same trademarks, logos, and slogans. The fake sites also attributed the false articles they published to real journalists that work for the legitimate outlet, including the journalists’ names, photographs, and bylines. So, the Washington Post (washingtonpost[.]com) was mimicked by washingtonpost[.]pm, which is very similar to the paper’s real website. Likewise, reuters[.]cfd and reuters[.]cyou can be confused with reuters[.]com – the media company’s real website address.
The exhibits provided by the DOJ are pretty damning.
The Post doppelganger is looking pretty authentic, which is why I will scroll over the web address of any link before clicking on it to ensure that I’m being taken to the real website, as opposed to a cheap copy.
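The hover check described above can be automated for a list of links. The Python below is an added example, not part of the original post or the DOJ exhibits; the allowlist, the function names and the rule of flagging any host that contains an outlet's name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Real sites named in the article; a deployment would maintain its own list.
LEGIT_DOMAINS = ("washingtonpost.com", "reuters.com")


def hostname_of(link: str) -> str:
    """Return the lower-cased hostname of a link, accepting defanged '[.]' dots."""
    link = link.strip().replace("[.]", ".")
    if "://" not in link:
        link = "//" + link  # let urlsplit treat a bare host as a network location
    return (urlsplit(link).hostname or "").rstrip(".").lower()


def classify(link: str, legit=LEGIT_DOMAINS):
    """Return (verdict, legit_domain): 'legitimate', 'lookalike' or 'unrelated'."""
    host = hostname_of(link)
    labels = host.split(".")
    # Pass 1: the exact domain or a true subdomain of an allowlisted site.
    for domain in legit:
        if host == domain or host.endswith("." + domain):
            return "legitimate", domain
    # Pass 2: the outlet's name appears in the host but the site is not theirs,
    # e.g. the same name under another TLD, or the name used as a subdomain label.
    for domain in legit:
        brand = domain.split(".")[0]
        if any(brand in label for label in labels):
            return "lookalike", domain
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sample links; the lookalike hosts are the ones the article cites.
    for link in ("https://www.washingtonpost.com/world/", "washingtonpost[.]pm",
                 "reuters[.]cfd", "reuters[.]cyou", "https://example.org/news"):
        print(f"{link:45} {classify(link)}")
```

Because the legitimate check is a suffix match against an allowlist, a host such as `washingtonpost.com.example.net` is flagged as a lookalike instead of being trusted for starting with the real name.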
Why create these twins?
According to an internal Kremlin planning document, one of the goals of the campaign is to “secure Russia’s preferred outcome in the election.” They also aim to reduce international support for Ukraine as it fights Russian aggression and influence voters in the United States and other countries.
Exhibit 8A is the “Good Old USA” project, which aims to secure victory of a [redacted] political party in the November elections, influence Americans to demand an end to the war in Ukraine ASAP, even at the cost of territorial concessions, erode support for Ukraine, and bring confidence of [redacted] Candidate B down.
How would they do it? Social media.
Don’t believe the translated screen grabs from Exhibit 8A? Here’s the original Exhibit 8B in Russian. Translate it.
Exhibit 9A (and 9B in the original Russian) acknowledges that in the United States there are insufficient numbers of mainstream politicians who are pro-Russia or pro-Putin. Influencers and their supporters are relatively small in strength too, so “there is no point in justifying Russia and no one to justify it to.”
So instead of focusing on support to Russia, the document says that campaign topics should include issues of interest to those who lean away from the current US president and his party. Determining which redacted party and politician is which is fairly easy in this document.
This brings me to Exhibits 10A and 10B, its original Russian counterpart. This document discusses the strategy of using social media platforms to create false personas, especially on Twitter (now X), which the creators of the document claim is the only mass platform that could currently be “utilized in the US.” To promote Russian messaging, the document proposes to create a network of 200 accounts, four in each of the 50 states - two active and two sleeper accounts. I previously discussed these dormant accounts here, explaining that they’re similar to the TV show “The Americans” in which Russian agents infiltrate US society using fake identities of dead people and work to advance Russia’s interests from within, while pretending to be regular people going about their lives.
A website I highlighted at the time, DC Weekly, was created to emulate a source that has been in existence for more than 20 years.
…the domain was inactive in late 2018 and did not reappear until April 2021, when the current website began operating (with a different WordPress skin but with the same stories). At its relaunch in 2021, the dcweekly.org domain pointed to an IP address that was shared with many other unusual domains, all of which are affiliated with John Mark Dougan, a former police officer and conspiracy theorist who fled to Russia in 2016 and has since reinvented himself as an independent pro-Russian journalist in Donbass covering the Russian invasion of Ukraine. These included his own personal website (badvolf.com), its Russian version (badvolf.ru), a gossip website related to Dougan’s time in the Palm Beach Sheriff’s Office (PBSOTalk.org), the website for the “Syndicate of Independent International Journalists,” two websites marketing Dougan’s books (Leaveukrainewar.com and botbook.us), two “news” sites (Worldnewsdesk.press and Newsdesk.press), and a security firm (Falcon Eye Tech) that offers “off-shore security monitoring services.” Some of these websites are now defunct, while others have moved to Cloudflare (as has DC Weekly). An early “Whois” record also listed “Mark Dugan” as the owner of the dcweekly.org domain. There are two other connections between DC Weekly and Falcon Eye Tech. First, they share an SSL certificate for https encryption. Second, they are both built on a WordPress blog technology stack, with a first author named “Devlin.”
The Doppelganger domains took care to cover up the Russian footprint, and the document specifically proposed a strategy of multi-level protection of the infrastructure. “It will contain VPN services, physical servers located in the United States.”
So what about these unwitting tools at TENET media?
The Russians exploited influencers, in accordance with their published strategy, to disseminate the Kremlin’s messaging. The Justice Department this week indicted RT employees Kostya Kalashnikov and Lena Afanasyeva on charges of conspiracy to violate the Foreign Agents Registration Act (FARA) and conspiracy to commit money laundering. The two allegedly spent $10 million in a scheme to create and distribute content to US audiences with hidden (and in some cases, not so hidden - here’s looking at you, screeching ski cap guy) Russian government messaging.
Over at least the past year, RT and its employees, including Kalashnikov and Afanasyeva, deployed nearly $10 million to covertly finance and direct a Tennessee-based online content creation company (U.S. Company-1). In turn, U.S. Company-1 published English-language videos on multiple social media channels, including TikTok, Instagram, X, and YouTube. Since publicly launching in or about November 2023, U.S. Company-1 has posted nearly 2,000 videos that have garnered more than 16 million views on YouTube alone. Many of the videos posted by U.S. Company-1 contain commentary on events and issues in the U.S., such as immigration, inflation, and other topics related to domestic and foreign policy. While the views expressed in the videos are not uniform, most are directed to the publicly stated goals of the Government of Russia and RT — to amplify domestic divisions in the United States.
The US persons and US company involved are redacted, but it didn’t take Internet sleuths long to determine that there’s only one Tennessee-based online creation company that employs online personalities who repeatedly promote Kremlin propaganda: TENET media, which counts among its personalities the aforementioned screeching ski cap guy Tim Pool, YouTuber Benny Johnson, commentator Dave Rubin, and Lauren Southern, who took a picture looking all cute with Putin’s “brain,” Aleksandr Dugin, a few years ago.
The indictment describes the US company as a corporation established under the laws of Tennessee. Founder-1 has described US Company-1 as the US subsidiary of Founder-1’s Canadian company, Canadian Company-1. On its website, the company describes itself as a "network of heterodox commentators that focus on Western political and cultural issues" and identifies six commentators, including Commentator-1 and Commentator-2, as “talent.”
Care to guess how TENET describes itself on its website? Yep! “A network of heterodox commentators that focus on Western political and cultural issues.” And they’ve now been dropped by YouTube.
The aforementioned creators now claim they were victims of the Russians.
Pool, a popular podcaster with more than 2 million followers on X, said “should these allegations prove true, I as well as the other personalities and commentators were deceived and are victims.”
TENET never disclosed to its viewers that it was receiving funds and direction from RT, or even any Russian entity, according to the indictment. Nor did the company or its founders register as foreign agents, as required by US law. Did they know that the millions of dollars in payments they were receiving came from the Kremlin? They should have at the very least known that something was sketchy.
Between in or about October 2023 and in or about August 2024, RT sent wire transfers to U.S. Company-1 totaling approximately $9.7 million, which represented nearly 90% of U.S. Company-1’s bank deposits from all sources combined. The wires were sent from shell companies in Turkey, the United Arab Emirates, and Mauritius, and were often accompanied by wire notes ascribing the payments to the purchase of electronics. For example, the wire note for a $318,800 wire payment from a shell entity in Turkey to U.S. Company-1 on March 1, read: “BUYING GOODS-INV.013-IPHONE 15 PRO MAX 512GB.”
Hundreds of thousands of dollars coming from known high-risk jurisdictions for Russian sanctions evasion and other illicit financial activities, claiming to be electronics? If they didn’t know, their mental capacity should be questioned by anyone with half a brain cell.
The founders of TENET are both US residents. They also both used to work directly for RT. Hard to believe they didn’t know their former employer’s tactics. In addition, in private correspondence, while working directly for RT pursuant to Founder-1’s written contract, Founder-1 and Founder-2 regularly referred to their sponsor (i.e., RT) as the “Russians.”
The indictment also indicates that the founders of TENET and their RT handlers obscured the source of funding (RT) that paid its already ideologically aligned content creators by portraying the source of funds as a private investor “Eduard Grigoriann.” When one of the creators asked for details about “Eduard Grigoriann,” a fictional persona purporting to be Grigoriann’s representative sent along a one-page profile describing the alleged “investor” as an “accomplished finance professional” who had held various positions in Brussels and France at a multinational bank, including “Director of Private Banking [D]ivision and Wealth Management.” That appeased the content creator, and they proceeded to make 130 videos without further due diligence.
They performed a Google search, couldn’t find anything, and left it at that.
And let’s not pretend that “Grigoriann’s” credentials were in any way credible. The profile that was sent over was anything but.
The financial institution listed on his “profile” never heard of him. A simple call would have confirmed that something wasn’t right. Lack of an online presence is another red flag I tell all my students to take seriously. In this day and age, when a simple Google search turns up nothing about the individual with whom you’re dealing, it’s time to be concerned.
There were other red flags as well.
The “Grigoriann” persona communicated with these people during what was obviously Moscow time.
And once again, the amounts. These people were to be paid $400,000 per month, plus a $100,000 signing bonus to create videos that reflected the Kremlin’s talking points I outlined above. When a client offers to pay you amounts of money that are much higher than the usual pay for comparable content, it’s time to take a closer look. Unusually large transactions, especially ones with links to high-risk jurisdictions (and in this case, the Kremlin messaging and the references to “the Russians” were just that), are a red flag for money laundering and other financial crimes.
The client for TENET’s services was listed as a Hungarian shell company - another red flag, especially given Hungary’s propensity to cuddle close to Putin these days. Another shell company in Czechia transferred $8,000 in February 2023 to a Canadian company (Lauren Chen, one of the founders of TENET, is Canadian) and requested an invoice for “consultation services” - a common methodology Russians use to move funds. In addition, the communications that followed misspelled “Eduard Grigoriann’s” name as “Grigorian.” Either way, the Armenian last name should have given these people some pause, but no. After some haggling, the agreed-upon price for Russian messaging content was $100,000 or so per episode.
I don’t know many content creators who get $100,000 for one episode, do you?
And the push for Russian messaging should have been another red flag. Tucker Carlson’s trip to a Russian supermarket that felt like “overt shilling” and the demand that the attack on Crocus City Hall that was claimed by ISIS be blamed on Ukraine and the United States should have been and was a red flag for the content creators and the TENET founders.
So what happened? The Russians were authorized to post content directly to the platform, circumventing the creators.
A cursory look at the wire transfers that were coming to TENET should have raised alarms because the funds were coming from various shell entities in high-risk jurisdictions and none came from the UK shell company that was the contracted counterparty.
Bottom line: I cannot for sure assess that Johnson, ski-cap guy, and the others knew they were dealing with the Kremlin and were being paid to promote Russian propaganda. I always tell anyone I train that unless you have direct evidence, whether written or recorded, that demonstrates the subject acknowledged the problem or directly referenced it, assessing motive is difficult.
That said, they should have known. They should have been suspicious. The reporting about the Kremlin’s Doppelganger project and its goals is vast. A simple Google search would have turned up a significant body of reporting from credible sources, grey literature, etc. The similarities between the content TENET was asked to create and the Russians’ strategy are undeniable, and not knowing or recognizing them indicates either willful ignorance or outright stupidity.
One doesn’t have to be a financial crimes expert to spot suspicious behavior.
The TENET founders and “creators” were either too lazy or too greedy to perform the due diligence.
And … surprise, surprise. Looks like Founder 1? Founder 2? was a contributor to RT.
https://www.rt.com/op-ed/authors/lauren-chen/
The domain typosquatting stuff was, IMHO, a lot of work for limited results. You can't get a fake story to go viral from such a source because people will notice, and when they do, that ends up discrediting the whole site.