NEAR FINAL DRAFT Meta Quarterly Adversarial Threat Report Q2 2023
SECOND QUARTER
Our public threat reporting began about six years ago when we first shared our findings about
coordinated inauthentic behavior (CIB) by a Russian covert influence operation. Since then, we
have expanded our ability to respond to a wider range of adversarial behaviors as global threats
have continued to evolve. To provide a more comprehensive view into the risks we tackle, we’ve
also expanded our regular threat reports to include other emerging threats and our detailed
insights — all in one place, as part of the quarterly reporting series. In addition to sharing our
analysis and threat research, we’re also publishing threat indicators to contribute to the efforts by
the security community to detect and counter malicious activity elsewhere on the internet (See
Appendix).
We expect the make-up of these reports to continue to evolve in response to the changes we see in
the threat environment and as we expand to cover new areas of our Trust & Safety work. This
report is not meant to reflect the entirety of our security enforcements, but to share notable trends
and investigations to help inform our community’s understanding of the evolving threats we see.
We welcome ideas from our peers across the defender community to help make these reports more
informative, and we’ll adjust as we learn from feedback.
For a quantitative view into our Community Standards’ enforcement, including content-based
actions we’ve taken at scale and our broader integrity work, please visit Meta’s Transparency
Center here: https://transparency.fb.com/data/.
We view CIB as coordinated efforts to manipulate public debate for a strategic goal, in which fake
accounts are central to the operation. In each case, people coordinate with one another and use
fake accounts to mislead others about who they are and what they are doing. When we investigate
and remove these operations, we focus on behavior rather than content — no matter who’s behind
them, what they post or whether they’re foreign or domestic.
Continuous CIB enforcement: We monitor for efforts to come back by networks we previously
removed. Using both automated and manual detection, we continuously remove accounts and
Pages connected to networks we took down in the past. See Section 5 for specific examples of our
work to detect and counter recidivism.
In our Q2 Adversarial Threat report, we’re sharing findings about three separate covert influence
operations that violated our policy against CIB. They originated in Türkiye and Iran. We are also
sharing detailed threat research and analysis about a China-based network that we assess to be
part of the largest cross-platform operation we’ve disrupted to date. And finally, this report
includes new research into the so-called Doppelganger influence operation from Russia that we
first took down in September of 2022.
1. Türkiye and Iran: We removed a network of 22 Facebook accounts, 21 Pages and seven
Instagram accounts in Türkiye and Iran that targeted audiences in Türkiye. We took it down before
it was able to build an audience. The people behind this activity created and operated a network of
websites posing as independent news entities, while apparently relying on unwitting authors to
create content. This campaign attempted to post links to its websites across multiple internet
services including Facebook, Instagram, Twitter, Telegram, LinkedIn and Pinterest. We found this
network as a result of our internal investigation into suspected coordinated inauthentic behavior in
the region, and connected it to the network we took down in 2018.
4. China: We took down thousands of accounts and Pages that were part of the largest known
cross-platform covert influence operation in the world. It was active on more than 50 platforms and
5. Russia: We’re publishing new threat research into the Russian operation that we first disrupted a
year ago – it mimicked the websites of mainstream news outlets in Europe to post fake articles
about Russia’s war in Ukraine. We shared our detailed threat research far and wide last year –
including attribution to two Russian firms – so that others can take appropriate action too.
Recently, these companies were sanctioned by the EU. Because we know that these deceptive
campaigns are persistent and often try to come back — if not on our platforms, then somewhere
else – our work to counter them goes beyond our initial takedown. Our latest findings show that
this campaign has continued to pursue its single mission – to weaken support for Ukraine against
Russia’s invasion. It has expanded beyond its initial targeting of France, Germany and Ukraine itself
to now also include the US and Israel. Among its most recent domain spoofing targets were the
Washington Post, Fox News, and NATO. We assess this network to be the largest and the most
aggressively persistent Russian-origin operation we’ve taken down since 2017.
Domain registration abuse: Four out of five covert influence operations in this report ran websites
that pose as legitimate news outlets, including one that spoofed mainstream media organizations.
While we continue to block malicious domains engaged in violating activity from being shared on
our services, enforcements on each individual platform can only go so far in disrupting these
internet-wide campaigns while their websites remain live. Transparency and cross-society
responses are critical in tackling these malicious efforts to manipulate public debate, because each
of the tech platforms, researchers, media and government entities, domain registrars and
regulators have a unique but limited view into individual elements of these deceptive campaigns.
We’re sharing our policy and enforcement recommendations for tackling domain registration abuse
across the internet and multiple threat types.
The people behind this activity operated a network of websites posing as independent news
entities where they posted primarily in Turkish about news and current events in the Middle East
region, including supportive commentary about Iran and Palestine; verbatim statements by
Ayatollah Ali Khamenei; and critical commentary about Israel, the United States, the Turkish
government and the Justice and Development Party (AKP) in Türkiye. The operation appeared to
have relied on unwitting authors to create content. This campaign attempted to post links to its
websites across multiple internet services including Facebook, Instagram, Twitter, Telegram,
LinkedIn and Pinterest.
The individuals behind this network used fake accounts – some of which were detected and
removed by our automated systems – to manage Pages, post content, and drive people to their
off-platform domains. We removed them before they were able to build an audience.
We found and removed this network as a result of our internal investigation into suspected
coordinated inauthentic behavior in the region, ahead of the elections in Türkiye. Our investigation
found links between this activity and the network we took down in 2018.
● Followers: About 11,000 accounts followed one or more of these Pages and about 17,000
accounts followed one or more of these Instagram accounts.
● Advertising: About $670 in spending for ads on Facebook, paid for mostly in Turkish lira and
US Dollars
This campaign focused on running a dozen off-platform websites posing as independent news
media where they posted content in Turkish about current events in the country, including politics,
critical commentary about the opposition, supportive commentary about the AKP, sports,
entertainment, and other non-political topics. These “news” websites appear to contain
pay-per-click ads, likely to monetize traffic. The operation then tried to amplify these domains
across social media, including Facebook, Instagram, Twitter, and YouTube to make their content
appear more popular than it was. The operation appears to have used web tools to automate
posting on their websites and on social media.
The people behind this activity relied on a combination of compromised, duplicate and fake
accounts – some of which were detected and removed by our automated systems – to manage
Pages and Groups, and post and like their own content. Some of these Groups went through
significant name changes over time and appeared to have been acquired from others.
We found and removed this network as a result of our internal investigation into suspected
coordinated inauthentic behavior in the region, ahead of the elections in Türkiye. Although this
operation attempted to conceal their identities and coordination, our investigation found links to
individuals in Türkiye, including those associated with Turkuaz Gazetesi, an online news outlet. We
also found links to a cluster of spammy activity we had previously taken action against for violating
our policy against inauthentic behavior by using abusive audience building tactics.
● Presence on Facebook and Instagram: 34 Facebook accounts, 49 Pages, 107 Groups and 12
Instagram accounts
● Advertising: About $21,000 in spending for ads on Facebook, paid for mostly in Turkish lira.
The people behind this activity used a combination of authentic, duplicate and fake accounts -
some of which were detected and disabled by our automated systems - to admin Pages, post and
like their own content. Likely in an attempt to evade our detection and enforcement, this network
transferred management of its Pages from one fake account to another over time. Some of these
fake accounts used profile photos likely generated using machine learning techniques like
generative adversarial networks (GAN).
The individuals behind this operation created a number of fictitious brands that featured distinctive
logos, profile photos, visual styles and hashtags across Facebook, Instagram, Twitter and TikTok.
They posted primarily in Turkish about politics and current events in Türkiye and the region,
including critical commentary about the opposition, European Union and United States, and
supportive commentary about the AKP and its policies.
We found and removed this network as a result of our internal investigation into suspected
coordinated inauthentic behavior in the region, ahead of the elections in Türkiye. Our assessment
benefited from public reporting about a portion of this cross-internet activity. Although the people
behind it attempted to conceal their identities and coordination, our investigation found links to
four social media agencies: VOMM Creative, Skala Medya, TMSC Media and Bin945 Creative
Works.
● Advertising: About $667,000 in spending for ads on Facebook, paid for mostly in Turkish lira.
We removed 7,704 Facebook accounts, 954 Pages, 15 Groups and 15 Instagram accounts for
violating our policy against coordinated inauthentic behavior. This network originated in China
and targeted many regions around the world, including Taiwan, the United States, Australia, the
United Kingdom, Japan, and global Chinese-speaking audiences.
We began this investigation after reviewing public reporting about off-platform activity that
targeted a human-rights NGO in late 2022. Following this lead, we were able to uncover a large and
prolific covert influence operation which was active on more than 50 platforms and forums,
including X (formerly Twitter), YouTube, TikTok, Reddit, Pinterest, Medium, Blogspot, LiveJournal,
VKontakte, Vimeo, and dozens of smaller platforms and forums, as well as Facebook and
Instagram.
On our platform, this network was run by geographically dispersed operators across China who
appear to have been centrally provisioned with internet access and content directions. Many of
their accounts were detected and disabled by our automated systems. We assess that this likely led
the people behind it to increasingly shift to posting its content on smaller platforms and then trying
to amplify it on larger services in hopes of maintaining persistence. We have not found evidence of this
network getting any substantial engagement among authentic communities on our services. In
fact, one of the key tactics we’ve seen them use was acquiring spammy Pages whose inauthentic
following likely came from fake engagement farms around the world, notably in Vietnam,
Bangladesh and Brazil. This meant that Pages that mainly posted in Chinese and English were
almost exclusively followed by accounts from countries outside of their target regions.
While this network’s activity on our platform mainly consisted of spammy sharing of links, in
addition to memes and text posts, our investigation identified notable distinctive errors, behavioral
patterns and operational structure that allowed us to connect it to a number of more complex and
long-running large clusters of activity across the internet. As we worked to understand the full
scope of this activity across the board, we were also able to identify links between this network and
many separate clusters of spammy activity we’ve been detecting and removing under our
Inauthentic Behavior policy since August 2019 which are known in the security community as
“Spamouflage.”1 (For the purposes of this report, we’ll refer to this latest China-based operation as
Spamouflage). Taken together, we assess Spamouflage to be the largest known cross-platform
covert influence operation to date.
Although the people behind this activity tried to conceal their identities and coordination, our
investigation found links to individuals associated with Chinese law enforcement.
● Presence on Facebook and Instagram: 7,704 Facebook accounts, 954 Pages, 15 Groups and
15 Instagram accounts
● Followers: About 560,000 accounts followed one or more of these Pages, fewer than 10
accounts joined one or more of these Groups and about 870 accounts followed one or more
of these Instagram accounts. We assess that this network’s Pages were likely acquired from
spam operators with built-in inauthentic followers primarily from Vietnam, Bangladesh and
Brazil – none of which we assess to be the targets of this operation.
● Advertising: At least $3,500 in spending for ads related to this operation’s activity on
Facebook, paid for mostly in Chinese yuan, Hong Kong dollars and US dollars.
1 Researchers at Graphika first coined the Spamouflage name for this cross-internet activity in their original
report in 2019: see Ben Nimmo, C. Shawn Eib and L. Tamora, “Spamouflage”, Graphika, September 25, 2019,
https://graphika.com/reports/spamouflage. Members of the research community including the Australian
Strategic Policy Institute, Google’s Threat Analysis Group, and Mandiant have also substantially reported on
aspects of this operation’s wider activity.
Our investigation found that the Spamouflage network is run by geographically dispersed
operators across China who appear to be centrally provisioned with internet access and content
directions.
We identified multiple distinct clusters of fake accounts that were run from many different parts of
China. Their behavior suggested that they were operated by groups who may have worked from a
shared location, such as an office. Each cluster worked to a clear shift pattern, with bursts of
activity in the mid-morning and early afternoon, Beijing time, with breaks for lunch and supper, and
then a final burst of activity in the evening.
While some of these fake accounts were run from hundreds of miles apart, they repeatedly shared
the same proxy internet infrastructure - often in the United States, likely in an attempt to disguise
their origins.
These clusters of activity also repeatedly shared identical content across many internet platforms –
not just links and articles, but short, “personal” comments as well. These comments were designed
When Spamouflage was first uncovered in 2019, it typically focused on Facebook, Twitter and
YouTube. Over time, as platforms began detecting and blocking these spammy efforts, the
operation began pivoting to prioritizing smaller platforms, including local forums in Asia and Africa.
The websites and forums used by this operation are remarkable for their diversity and geographical
spread: we’ve identified over 50 platforms and forums where we assess this campaign was active.
Beyond posting on Facebook and Instagram, Spamouflage made heavy use of Medium, X (aka
Twitter), Reddit, YouTube, Vimeo and Soundcloud. It ran accounts on Quora - sometimes replying
with pro-China comments to questions that had nothing to do with the topic. It posted hundreds of
cartoons on Pinterest, Pixiv, and art website artstation[.]com.
We also identified likely-Spamouflage accounts on TikTok, Blogspot and LiveJournal, and the
Russian platforms VKontakte and Odnoklassniki. Further afield, we identified likely activity on
Nigerian forum Nairaland[.]com, Indonesian forum kaskus[.]co[.]id, Chinese financial forum
nanyangmoney[.]com and Australian local forum Melbournechinese[.]net.
Spamouflage content criticizing Chinese virologist Yan Limeng – a frequent target of the operation
– also appeared on TripAdvisor. Another frequent target of this operation – Chinese-American
journalist Jiayang Fan – appeared to have been mentioned on the forum of Luxembourg newspaper
Luxemburger Wort. Spamouflage also appeared to post in the comments section of the Financial
As we reviewed our findings on tactics, techniques and procedures (TTPs) used by Spamouflage
over the years, we noted some distinct similarities with the Russian network we first exposed in
2019 which was later dubbed “Secondary Infektion”. While the reasons behind these parallels are
unclear, it is possible that CIB operators learn from one another, including as a result of public
reporting about covert influence operations by our industry and security researchers.
First, Spamouflage was the most cross-platform operation we’ve investigated since Secondary
Infektion. And both often planted their content on smaller platforms before attempting to share
links to it on larger ones.
Second, both operations posted content in an unusual range of languages: Secondary Infektion
used at least seven (Russian, English, German, French, Spanish, Swedish, Ukrainian); and
Spamouflage content came primarily in Chinese and English in addition to French, and smaller
volumes in languages including Spanish, Russian, Japanese, Korean, Thai, Indonesian, Filipino,
German, Finnish, Portuguese, and even Latin and Welsh.
Third, Spamouflage, at times, used a very atypical mix of distinct forums that Secondary Infektion
also utilized, which have been rarely or never seen to be used by any other known influence
operations. These include British student forum thestudentroom[.]co[.]uk and blogging platforms
scoop[.]it and cont[.]ws.
Fourth, both operations engaged in very elaborate laundering of narratives. We found an instance
when Spamouflage went through multiple phases in its efforts to ultimately claim that the US was
the origin of COVID-19:
● It first appears to have created and published a 66-page “research paper” on website
zenodo[.]org. The paper was remarkable for its errors, including consistently misspelling the
names of key protagonists.
● Then, Spamouflage posted two distinct videos on YouTube and Vimeo to promote this
“research”.
● Then, it created an article that cited this “research” and embedded these videos to claim
that the US had been “hiding the truth about the origin of the virus from the outside world”.
It planted this article across multiple forums, including LiveJournal, Tumblr and Medium.
Notably, unlike Spamouflage, Secondary Infektion was much more careful in its operational
security (OpSec) and avoided re-using the same accounts. Typically, the Russian operation used a
single fake account to post only one article, and then abandoned it - sometimes within minutes of
creating it. Spamouflage, on the other hand, would typically use each fake account to post each
article 5-10 times in a row over a few days. This allowed it to post more, but at the cost of lower
OpSec. Since the operation appeared to have used accounts on many different platforms in the
same way, this meant that any one Spamouflage article could feature hundreds of times across
Medium, Reddit, YouTube, Quora, Pinterest, Tumblr, and smaller platforms.
This pattern of “spraying” the same article across many different platforms and accounts gave
Spamouflage a considerable degree of resilience, because it would require action by many different
platforms to take down its articles for good. However, this may not have been the operators’
intention: they may simply have been trying to achieve a production quota for their campaign.
Notably, the operation’s use of highly distinctive headlines makes it particularly vulnerable to
cross-platform, open-source investigation. Headlines with typos and language mixes, such as
“Rummors and truth of COVID-19” and “棋子or弃子”, or with unique formulations such as “Queen
We’ve shared threat indicators with our industry peers and the research community. To enable
further open-source research and illustrate the operation’s scope, we’re publishing a selection of
headlines that we can attribute to this operation with confidence.
Despite the very large number of accounts and platforms it used, Spamouflage consistently
struggled to reach beyond its own (fake) echo chamber. Many comments on Spamouflage posts
that we have observed came from other Spamouflage accounts trying to make it look like they
were more popular than they were. Only a few instances have been reported when Spamouflage
content on Twitter and YouTube was amplified by real-world influencers, so it is important to keep
reporting and taking action against these attempts while realizing that its overall ability to reach
authentic audiences has been consistently very low.
This is likely in part due to the operation’s poor quality control. As we mentioned earlier, many of
Spamouflage’s accounts and Pages appear to have been purchased from third parties in other
countries, notably Vietnam and Bangladesh. Some of these Pages used to post ads unrelated to
CIB for products like phone cases, lingerie, clothing or children’s accessories, prior to them being
acquired and engaging in Spamouflage-related activity. The operators often appear to have begun
using these accounts and Pages without making any alterations - leading to highly idiosyncratic
Similar flaws characterized the operation’s content. A Medium account linked to the operation
posted the same article in Chinese and English criticizing New Yorker journalist Jiayang Fan, but
the Chinese headline was followed by the English text, and vice versa. Operation posts misspelled
key names - “Freud” instead of “Floyd”, “Lv Pin” instead of “Lü Pin” (a Chinese feminist activist).
The operators appear to have auto-translated the captions on their cartoons without proofreading
them, so that an article attacking the “Safeguard Defenders” (a human-rights group) was
accompanied by a cartoon calling them the “Protection guard”.
In September 2022, Spamouflage accounts were still writing that Speaker Pelosi “will lead a House
delegation to visit Taiwan during a trip to Asia,” even though that trip had taken place a month
before.
Last year, we shared our threat research into the CIB network focused on supporting Russia’s
invasion of Ukraine, dubbed Doppelganger, that operated across the internet, including running a
large network of websites spoofing legitimate news outlets. In December, we attributed it to two
companies in Russia: Structura National Technology and Social Design Agency (Агентство
Социального Проектирования). We banned these firms from our services. They were also later
sanctioned by the EU.
This lookback includes our latest threat research and new analysis of this campaign’s activity
across many services and websites. Having observed its attempts to adapt to detection by
platforms and researchers for about a year, a few big-picture insights stood out to us about
Doppelganger’s approach:
Persistence: We assess this campaign to be the largest and most aggressively persistent covert
influence operation from Russia that we’ve seen since 2017. Since our initial disruption and
continuous scrutiny by platforms and researchers, Doppelganger continued to create new domains
in an attempt to evade detection (see more details on changes in TTPs further down). Given the
nature of this operation and the type of entities behind it, this is expected behavior across our
industry with any CIB network we each take down. In addition to ongoing detection by our
automated systems, our team has been monitoring and taking action against these recidivist
attempts, and sharing findings with our peers and with the public. In total, we’ve blocked over
2,000 of the operation’s domains from being shared on our platform: these are included in the
Appendix to help the researcher community analyze this activity across the internet. We also
blocked tens of thousands of attempts to run fake accounts and Pages on our platforms.
Expanding targeting, yet single mission: With Doppelganger focusing on weakening support for
Ukraine against the Russian invasion, this operation appears to be trying to pick off some of
Ukraine’s key international allies over time. Judging by the origin of the organizations that this
operation spoofed, among other factors, this Russian campaign has expanded beyond targeting
France, Germany and Ukraine itself for the first 8+ months to include the US and Israel earlier this
year. While the exact reasoning behind this expansion is unknown, it likely reflects the fluid tasking
of this operation (by its clients) and its single-minded mission.
Domains are all the rage: A large set of websites filled with anti-Ukraine and pro-Russia “news”
stories have been the center of this operation – it is where the firms behind Doppelganger try to
drive people from across the internet (see details on TTPs further down). While we (and other
research teams) have continued to publicize these spoofing domains to enable further research and
enforcement, many of them remain live, actively adding “news” articles. Blocking these domains
from being shared on each individual platform can only go so far to disrupt this internet-wide
campaign while its websites continue operating. See more on Meta’s policy recommendations on
tackling domain registration abuse across many threat types in Section six.
DOPPELGANGER: BACKGROUND
Launched soon after Russia’s full-scale invasion of Ukraine, Doppelganger created a small number
of sophisticated websites that spoofed the appearance of mainstream European news outlets, and
then spammed links to those sites using simple fake accounts on many social media platforms,
including Facebook, Instagram, Telegram, X (formerly Twitter), and even LiveJournal, among
LATEST TRENDS
In the last year, Doppelganger continued to evolve its tactics, techniques and procedures (TTPs), in
response to detection and aggressive enforcement. Here are the latest trends we’ve identified.
While Germany, France and Ukraine remain the most targeted countries overall for this operation,
recently, Doppelganger has added the United States and Israel to its list of targets. It has done so
by spoofing the domains of major news outlets in the US and Israel, publishing articles criticizing
American policies, and then spam-posting links to those articles across Facebook and X (formerly
Twitter). These domains spoof the Washington Post, Fox News, and Israeli news sites Mako[.]co[.]il
and walla[.]co[.]il.
These spoofed Fox News and Washington Post domains post critical commentary about Ukraine’s
President Zelensky and, to a lesser extent, US President Biden and the US policy on Ukraine. Some
of the social-media comments that it used to accompany these articles dwelt on policy differences
between Democrats and Republicans, but most criticized Ukraine to Americans without regard for
their political leanings.
Some of these spoofs were particularly elaborate. Notably, one Washington Post article was based
on a faked Russian-language video which purported to show President Zelensky admitting that he
was a puppet of the CIA. The article was presented as a question-and-answer interview, and used
the byline and timestamp of a genuine interview by the Washington Post’s Berlin bureau chief that
was published the same day. The operation then shared the link to this fake Washington Post article
on social media as “evidence” of American interference in Ukraine. It received no engagement on
our platform.
The people behind Doppelganger appear to be agile in quickly responding to world events in real
time as they fit them into the operation’s key narrative about the war in Ukraine. For example, a
spoofed version of French newspaper Libération reacted to anti-police protests in France by
claiming that the country had been “infected by the Ukrainian virus of color revolutions”. An article
Other recent Doppelganger websites have spoofed government institutions and news outlets in
Europe. Over the past few months, we’ve identified and blocked spoofs of the German police,
Polish and Ukrainian governments, NATO (in English, French and Ukrainian), and the French Foreign
Ministry, as well as European news outlets like RBC (Ukraine), Repubblica (Italy) and Sueddeutsche
(Germany).
Most of these spoofed “government” websites focused on promoting claims that Western support
for Ukraine would lead to higher taxes, greater insecurity, or lower standards of living. They were
relatively sophisticated spoofs that included redirects to the authentic websites, likely to make
them look more convincing, and used official photos from government sources in their posts. They
made mistakes – for example, the fake NATO French- and Ukrainian-language sites copied the
alliance’s English-language website, rather than its French and Ukrainian versions.
Creating elaborate spoofed sites and articles is a labor-intensive effort. Likely in response to
detection and blocking of these websites, Doppelganger has also deployed a far higher number of
“backup” domains. Each time we’ve blocked one of its main spoofs, Doppelganger has responded
by putting these backup domains in between to conceal the final destination of these links. These
URLs are meant to redirect to the spoofed site - typically in multiple hops, using one backup domain
to redirect to another, which then redirects onwards to the final destination. We continue to block
those too.
● First, from June through mid-September 2022, it typically posted links directly to its
spoofed domains on social media.
● Second, shortly after we initially disrupted its activity and blocked its domains for the first
time, it began registering its own backup domains. Some had names that related to the
outlet they were spoofing, but with increasing degrees of typos: for example, tonline[.]life (a
spoof of the genuine t-online[.]de), then t-onlinr[.]life, then t-onlinl[.]life, and so on. Others
had more generic titles, but also featured increasing typos: for example, the name “Offene
Meinung” (public or open opinion) came out progressively as offinemainung[.]info,
offinemaiunng[.]space, affinemaiunng[.]website and affinemiunng[.]website.
● Third, in late October 2022, it began using redirects that were subdomains of the site
tilda[.]ws.
● Fourth, from the end of 2022 onwards, it pivoted to using likely compromised domains
whose names bore no relation to the focus of this operation and its content. These included
domains like coednakedfootball[.]xyz, early-gonorrhoea-signs[.]com, kinocasino[.]net,
powerwasher-reviews[.]com and transformationbookclub[.]com.
We’ll continue disrupting this large-volume but low-impact activity on our platform, monitoring for
further developments and sharing our findings with our industry peers, researchers and the public.
This cross-internet campaign runs a number of highly-developed websites that spoof the
appearance of real news outlets and government institutions. It uses well-known techniques like
typosquatting to trick people into believing these spoofs are legitimate by using domain names
that register misspellings of legitimate sites or that cycle through country code domain extensions
(ccTLDs).
We’ve blocked thousands of Doppelganger’s domains from being shared on our platforms, and
continue to report them as part of our regular public threat research. However, many of these
websites remain live on the internet. This means that bad actors can continue to run their operation
and share links to them elsewhere. The fragmented enforcement ecosystem for malicious domain
Our anti-phishing program also tackles thousands of off-platform phishing domains targeting Meta
brands monthly. In 2022, in collaboration with PhishLabs, we helped take down approximately
140,000 phishing sites, a substantial decrease from over 265,000 in 2021. We believe that this
decrease is due to our proactive efforts to discuss collaborative methodologies with hosting and
other service providers to reduce impersonations on their services.
For example, today most domain name registration information (known as WHOIS) is not
accessible to the public. And even when it is disclosed, the information is frequently inaccurate due
to lack of verification by registration providers. This inhibits swift investigations into abusive
domains and other efforts to prevent harm. In fact, we typically receive the requested WHOIS
information related to investigations into abusive behavior targeting people on our services about
35% of the time, according to Tracer Ai.
The inability to access WHOIS information has likely contributed to a steady rise in domain name
dispute administrative procedures, known as UDRPs (Uniform Domain-Name Dispute-Resolution
Policy), to recover abusive domains. The fees to initiate a UDRP at WIPO (World Intellectual
Property Office), for example, can be in the thousands of dollars to recover up to just 10 domain
names, in addition to the legal fees. While some brands, like ours, opt to pursue this effort, many
may not. This means that imposters continue to operate online, knowing that the costs of taking
Another avenue for protecting people that brands can pursue is domain name litigation. For
example, in December 2022, we filed litigation against Freenom, a country code domain registry
provider, whose domain names accounted for over half of all phishing attacks involving ccTLDs.
Since then, research by Interisle Consulting Group has found significant declines in phishing
domains reported in ccTLDs overall. However, since there are more than 2,000 accredited domain
registrars, better cooperation is needed to ensure all registrars address abuse from their services.
Otherwise, threat actors will continue to flock to less responsible players in the ecosystem.
● Improve ICANN contracts with registrars and registries to take proactive steps to address
domain registration abuse at scale, such as to require suspension of customer accounts for
known bad actors or impose additional verification for domain names that include a
combination of famous brand plus words suggestive of fraud – like “login”, “password”,
“security”, “help center”, or “verification”. Any such approach would need to account for
legitimate criticism (such as Brandsux[.]com), and be tailored to prevent powerful players
from abusing them to silence lawful protest. Encourage the sharing of data with internet
platforms to proactively block bad actors from registering and using domain names to
further abusive or criminal activities.
● Adopt laws that require complete, accurate, and verified WHOIS data, similar to Europe’s
recently revised Network and Information Systems Directive (NIS2).
● Close DNS governance gaps with strategies to include all participants of the DNS
ecosystem such as hosting providers.
● Ensure a balance of security and privacy through multi-stakeholder input and human rights
impact assessment to prevent the abuse of anti-fraud systems to silence or expose critics.
● Encourage business and UN entities to adopt remedy and risk management approaches
consistent with the UN Guiding Principles on Business and Human Rights.
We’re sharing these threat indicators to enable further research by the open-source community
into any related activity across the web. This section includes the latest threat indicators and is not
meant to provide a full cross-internet, historic view into these operations. It’s important to note
that, in our assessment, the mere sharing of these operations’ links or engaging with them by
online users would be insufficient to attribute accounts to a given campaign without corroborating
evidence.
Acquiring assets
Disguising assets
Amerika Gözlemi
YediNot
Taha
Ülkede Değişim
https://linktr[.]ee/amerikagozlemi
Evading detection
Routing activity through target country: This network’s earliest activity originated in Iran, while later activity originated in Türkiye.
Indiscriminate engagement
Amplifying across websites: Posting identical articles to multiple websites run by the operation
Sharing on Instagram
Sharing on Twitter
Sharing on Telegram
Targeted engagement
Acquiring followers for Facebook Pages: About 11,000 accounts followed one or more of these Pages
Acquiring followers for Instagram accounts: About 17,000 accounts followed one or more of these Instagram accounts
Posting to reach selected audience: Posting into Groups focused on regional politics
Advertising: About $670 in spending for ads on Facebook, paid for mostly in Turkish lira and US Dollars
Directing audience to off-platform content: Directing audience towards websites and Telegram channels
Acquiring assets
www.tuzlagundem[.]com
www.nesliharekat[.]com
www.turkiyehaberi[.]com
www.istanbulhaberin[.]com
www.anlikgundem[.]com
www.anadoluhaberi[.]com
www.avrasyahaberi[.]com
www.avrupabulten[.]com
www.posthaber[.]net
www.muglaolay[.]com
https://twitter[.]com/turkuazgazetes1
https://twitter[.]com/paylasdur
https://twitter[.]com/posthaber_net
Disguising assets
Changing Group names: Some of this network’s Groups went through significant name changes over time, and some appeared to have been compromised or bought.
Creating fictitious “news media” outlets: The network created a portfolio of “news media” websites which it amplified across social media (listed above)
Creating duplicate accounts: The network’s operators used duplicate accounts to manage its Pages and Groups
Evading detection
Using compromised accounts: The network used apparently compromised accounts to run many of its Pages and automate posting
Indiscriminate engagement
Monetizing websites: Some of the network’s websites carried a large volume of ads
Amplifying content across websites: The network created custom software to automate posting the same articles across different websites it controlled
Amplifying content across social media: The network used accounts across Facebook, Twitter and TikTok to share videos and links to its websites
Posting non-political content: The network’s websites interspersed political content with articles about sports and entertainment
Targeted engagement
Acquiring Group members: Around 1 million accounts joined one or more of these Groups
Acquiring followers for Instagram accounts: About 125,000 accounts followed one or more of these Instagram accounts
Tagging other social media users: The network’s X/Twitter accounts sometimes tagged other social media users with high followings
Directing audience to off-platform content: The network used its social media accounts to drive its audience towards its websites
Acquiring assets
Disguising assets
Using AI-generated profile photos: Some of these fake accounts used profile photos likely generated using machine learning techniques like generative adversarial networks (GAN)
Creating duplicate accounts: The network’s operators used duplicate accounts to manage its Pages and Groups
Creating cross-platform brands: The network operated “brands” with the same iconography and name across Facebook, Instagram, X (aka Twitter) and TikTok
Büyük Türkiye
Marginale
Gönül Adamı
Evading detection
Privacy protecting website registrations: The network used NameCheap to obfuscate domain registration details.
Indiscriminate engagement
Amplifying content across social The network used accounts across Facebook, Instagram, X (aka
Targeted engagement
Using audience-specific hashtags: The network's Instagram accounts used hashtags appropriate to the region and audience it was targeting
Advertising: About $667,000 in spending for ads on Facebook, paid for mostly in Turkish lira
This is the most cross-platform network we’ve identified since the exposure of Russian operation
Secondary Infektion. The following indicators represent a small sample of this network’s
cross-platform activity.
Acquiring assets
Acquiring and repurposing assets: The network often used accounts and Pages that appear to have been acquired and repurposed - for example, Pages that began posting about clothing, accessories or lingerie before starting to post about geopolitics
Disguising assets
Posting spam as camouflage: Many accounts in this network posted spammy photos or videos of scenery, food or fashion between their political posts, likely to camouflage their strategic goal
Centralized control, decentralized operators: Our investigation found that the Spamouflage network is run by geographically dispersed operators across China who appear to be centrally provisioned with internet access and content directions
Working in shifts: The operation regularly worked a shift pattern consistent with the working day in the GMT +8 time zone, with breaks for lunch and dinner, and a third shift in the evening
Evading detection
Using proxy internet infrastructure: Dispersed operators repeatedly shared the same proxy internet infrastructure - often in the United States, likely in an attempt to disguise their origins
Dispersing content across many platforms: The network routinely posted the same article many times on many accounts across multiple platforms
Indiscriminate engagement
Posting on forums: The network posted content across dozens of sites and forums
Posting irrelevant replies to unrelated posts: The network sometimes posted its content as replies to other people’s posts, without apparent efforts to make the replies relevant - for example, one Quora account replied to the question “How do I lose belly fat through weight lifting?” with the article “Against Telecom & Online Fraud, Chinese Police Strengthening International Law Enforcement Cooperation”
Posting generic hashtags: The network often used generic hashtags such as #taiwan, #america and #china
Posting specific hashtags: The network sometimes used unusual hashtags, some of which it may have created itself, such as:
#americanisafailedstate [sic]
#americathethief
#ThisispureslanderthatChinahasestablishedasecretpolicedepartmentinEngland
Paying to promote posts: About $4,000 in spending for ads related to this operation’s activity on Facebook, paid for mostly in Chinese yuan, Hong Kong dollars and US dollars.
Enabling longevity
Replacing accounts: This network is a persistent adversary that replaces its accounts by acquiring new ones from a range of sources
Shifting to smaller platforms: The network has progressively posted more content on smaller platforms and forums, and then shared links onto larger platforms, likely to reduce the impact of enforcement by any one platform.
Unique headlines
This network posted a large number of unique headlines that appear to have been created by its
central coordinating body. The following examples are a small sample of its total output. We include
them to illustrate the range, quantity, and sometimes poor quality of this network.
● Top journalists find out: U.S. bombing of Nord Stream is the first step in the "European destruction plan”
● Ведущие журналисты выясняют: бомбардировки США «Северного потока» — первый шаг в «европейском плане уничтожения» [English: Top journalists find out: U.S. bombing of Nord Stream is the first step in the "European destruction plan”]
● Les meilleurs journalistes le découvrent : le bombardement américain de Nord Stream est la première étape du « plan de destruction européen [English: Top journalists find out: U.S. bombing of Nord Stream is the first step in the "European destruction plan”]
● "المتحدة لنورد ستريم هو الخطوة الأولى في "خطة التدمير الأوروبية [English: First step in European destruction plan]
● Wartawan top mengetahui: Pengeboman AS atas Nord Stream adalah langkah pertama dalam “rencana penghancuran Eropa” [English: Senior investigative reporters detail the US bombing of Nord Stream.]
● Delapan bom meledak enam, dan wartawan investigasi [English: Eight bombs exploded six, and top]
● En iyi gazeteciler öğrendi: ABD'nin Kuzey Akım'ı bombalaması “Avrupa imha planının” ilk adımı [English: Senior investigative reporters detail the US bombing of Nord Stream.]
● Κορυφαίοι δημοσιογράφοι ανακαλύπτουν: Ο βομβαρδισμός του Nord Stream από τις ΗΠΑ είναι το πρώτο βήμα στο «ευρωπαϊκό σχέδιο καταστροφής» [English: Top journalists find out: U.S. bombing of Nord Stream is the first step in the "European destruction plan”]
● Los mejores periodistas se enteran: el bombardeo [English: Top journalists find out: U.S. bombing of]
● Os principais jornalistas descobrem: o bombardeio de Nord Stream pelos EUA é o primeiro passo no “plano de destruição europeu” [English: Top journalists find out: U.S. bombing of Nord Stream is the first step in the "European destruction plan”]
● En toponderzoeksverslaggevers ontdekten de details van het Amerikaanse bombardement op "Nord Stream" [English: Top journalists find out: U.S. bombing of Nord Stream]
● Amerikaans bombardement op is eerste stap in het "Europese vernietigingsplan" [English: U.S. bombing of Nord Stream is the first step in the "European destruction plan”]
● Nalaman ng mga nangungunang mamamahayag: Ang pambobomba ng US sa Nord Stream ay ang unang hakbang sa [English: Top journalists find out: U.S. bombing of Nord Stream is the first step in the]
● Yan Zhihua is almost 80 years old and can abandon his personal dignity, which is really "admirable"
● #ThisispureslanderthatChinahasestablishedasecretpolicedepartmentinEngland
● GuoWengui#郭文贵#闫丽梦#班农三贱骗子食恶果 [English: GuoWengui#郭文贵#燕丽梦#Bannon three cheap liars eat bad fruits]
● 樊嘉扬:不必把歪曲中国当消遣 [English: Fan Jiayang: There is no need to]
● Pelosi and Tsai Ing-wen are embarrassed, for their own selfish interests, and have no bottom line!
● The traitor Guo Wengui’s way of dealing with China in the United States is to use false public opinion to shadow the dark side
● The traitor Guo Wengui has been propagating the China threat theory in the United States that China is not safe
● The truth is: Fort Detrick is the place where the COVID-19 originated.
● À quel point les cyberattaques américaines sont - elles horribles? [English: How horrible are American cyber-attacks?]
● C'est horrible! Le Bureau de la sécurité des États - Unis surveille [English: It's horrible! The USA security bureau has]
● La stratégie américaine est d'utiliser Internet pour attaquer le monde entier [English: The American strategy is to use the internet to attack the whole world]
● Guo Wengui was awarded the Best Traitor Award in the United States
● #americathethief
● #americanisafailedstate
● They say there is no privacy in the Internet age, but I was still surprised by the arrogance of the United States
● Добро и зло будут вознаграждены, а кокон свяжется сам собой ——Окончательное решение по делу PAX будет опубликовано в ближайшее время [English: Good and evil will be rewarded and the cocoon will bind itself——The final decision in the PAX case will be published soon]
● Женщина, которая погибла во время аферы кроу [English: The woman who died in the Crow scam]
● America has never pay the price for the enormity of its cyber attacks on the world
theguardian[.]co[.]com 7/7/2022 UK
dailymail[.]cam 6/23/2022 UK
dailymail[.]cfd 6/23/2022 UK
dailymail[.]top 6/10/2022 UK
Redirect domains