Disinformation & Influence Ops

Researchers and Armenian authorities say a large Russia-linked influence operation targeted Armenia’s parliamentary election with fake stories, manipulated videos, bot amplification, and false bomb threats at polling stations. Antibot4Navalny and the Institute for Strategic Dialogue linked the activity to the Matryoshka campaign, described as part of Russia’s broader Doppelganger operation, which impersonates trusted media and government sources to spread propaganda and election-related falsehoods over an eight-month period. — This is the kind of coordinated deception campaign that can mislead voters, intimidate the public, and erode trust in elections even without hacking voting machines. Platforms, journalists, election officials, and civil society groups should watch for cloned media sites, impersonation, bot-driven amplification, and hybrid tactics such as hoax threats around major votes.

Security researchers say more than 5,000 election-themed internet domains were registered in recent weeks ahead of the 2026 U.S. midterms, raising the risk of fake voting sites, donation scams, and impersonation of election officials. Check Point said the registrations increased sharply between April and May and coincided with roughly 17,000 exposed credentials tied to ActBlue, WinRed, GOP, Democrats.org, and USA.gov accounts, creating infrastructure and account access that could support phishing, fraud, or influence operations. — This matters because voters, donors, campaigns, and election workers could be tricked by lookalike sites or targeted through reused or stolen passwords. People should verify election and donation websites carefully, avoid links in unsolicited messages, and reset passwords if they may have been exposed.

Dutch authorities say they seized 800 servers and arrested two men linked to a hosting operation that allegedly helped cyberattacks, disruption campaigns, and online disinformation. Investigators said the action targeted infrastructure connected to Stark Industries, an EU-sanctioned hosting provider, and two Dutch companies allegedly used to keep its services running after sanctions; reporting links the network to pro-Russian DDoS, or distributed denial-of-service, activity by NoName057(16). — This matters because the seizure hits infrastructure allegedly used to support both cyberattacks and influence operations in Europe. Defenders, hosting providers, and abuse teams should watch for fallout such as service migration, replacement infrastructure, and renewed DDoS activity from the same actors.

Russia has appointed a former cybersecurity executive reportedly tied to a military intelligence hacking unit to a senior Security Council role. The Record reports that Andrei Kozlov, formerly of Rostec's RT-Information Security and a Russian cybersecurity industry association, was named an aide to Security Council Secretary Sergei Shoigu; leaked data cited by The Insider allegedly links him to GRU Military Unit 26165, widely tracked as Fancy Bear or APT28, a group long accused of espionage, credential theft and influence operations. — This matters because it may show direct overlap between Russia's state security leadership and a unit publicly tied to past hacking and disinformation campaigns. Defenders and policymakers should treat it as contextual evidence when tracking future APT28 operations, influence activity and Russian state cyber posture.