
Storm-1516 — Russian influence operation targeting Ukrainian leadership

Date investigated: October 27–30, 2025

Operation name: Storm-1516 (Microsoft "Storm" nomenclature)

Attribution: Kremlin-linked; active since at least late 2023

Persona × scenario tags:

  • CCO × reputational flare-up (geopolitical)

  • CCO × deepfake / synthetic media circulating

  • CISO × coordinated inauthentic behavior detected

  • CSO × named executive / political-figure targeting

What Storm-1516 is

Storm-1516 is a Russian influence operation that crafts and disseminates high-impact false narratives across the United States and Europe, often targeting elections and political figures. The group's signature tactics:

  • Forged "whistleblower" videos

  • Staged actors

  • Fake news websites

  • AI-generated media

  • Laundering through networks of social media accounts that get picked up by pseudo-media outlets to create the appearance of independent reporting

Storm-1516 has frequently targeted Ukrainian President Zelenskyy to seed corruption narratives and weaken Western support for Ukraine. The group has attempted to tie Zelenskyy to at least 13 prior multimillion-dollar real estate deals — all of which were proven false. The group has also broadened its focus to Western democratic politics, targeting figures including former U.S. Vice President Kamala Harris and Governor Tim Walz with corruption accusations and viral content alleging electoral fraud.

French agency Viginum and U.S.-based research labs assess that the group meets the criteria of foreign digital interference, given its scale, sophistication, and focus on undermining trust in institutions.

The Pathfinder Ranches narrative — what Artemis observed

On October 27, 2025, posts appeared on X with an embedded video claiming Zelenskyy had purchased the Pathfinder Ranches in Wyoming for $79 million through an offshore company named Davegra Ltd. The video mimicked actual real-estate marketing materials, pairing fabricated narrative with doctored visuals — a tactic frequently used to create a veneer of legitimacy.

Artemis confirmed the operation's signature by surfacing, in its Domains panel, a website (swanlandco[.]us) created to impersonate the legitimate realtor for the Pathfinder property. The fraudulent domain was first registered on October 21, 2025 — six days before the start of the influence campaign — signaling clear forethought and pre-planning consistent with prior Storm-1516 campaigns.

Platform-to-platform acceleration

Artemis collected 3,538 instances of content related to the narrative between October 27 and October 30, across:

  • 10 monitored social media platforms

  • 8 news sources

  • Outbound links to YouTube, Bitchute, TikTok, Facebook, and Instagram

Lifecycle observed:

  • 11:42 AM CT, October 27 — first instance of the video on X by account @Its_the_Dr, previously linked to Storm-1516 content

  • 1:20 PM CT, October 27 — second X post from @MrPotatoHeadUSA; 11 additional posts and reposts followed before the narrative jumped platforms

  • Same window — two large language models on X (@Grok and @AskPerplexity) were queried about the claims; both questioned validity with varying degrees of detail and hinted at similarities to previous malign influence operations

  • 3:03 PM CT, October 27 — content appeared on a second platform, three hours and 21 minutes after the original post

What this case demonstrates

For organizations seeking to maintain information integrity and public trust, the Storm-1516 case illustrates why visibility into the mechanics behind false narratives is operationally necessary. Artemis exposed:

  • The earliest signal — the spoofed domain registered six days before the first post

  • The propagation path — platform-to-platform spread within a three-hour window

  • The actor network — accounts previously linked to Storm-1516, identified at the moment of first post

  • The mitigation opportunity — visibility into pushback patterns that show how timely intervention can blunt a campaign's spread

Persona takeaways

For Chief Communications Officers and Heads of Corporate Communications: When a narrative naming the brand, an executive, or a leader of a partner organization begins circulating, the operationally relevant question is whether the activity shows the structural signatures of a known influence operation. Artemis surfaces those signatures — pre-registered impersonation domains, previously-attributed accounts, the platform-jump timing — alongside the surface content.

For Chief Information Security Officers: Coordinated inauthentic behavior leaves forensic traces in domain registration timing, account history, and cross-platform propagation. The Storm-1516 case shows the detection chain that pairs those traces with content-layer evidence.
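The three traces named above, checked against one narrative's timeline, as an added example (not Alethea's or Artemis's code). The record fields, the `platform_b` placeholder and both thresholds are assumptions; the sample data is constructed from the dates and times on this page.

```python
from datetime import date, datetime, timedelta

# Constructed input built from the timeline on this page (all times CT).
# "platform_b" is a placeholder: the page does not name the second platform.
POSTS = [
    {"ts": datetime(2025, 10, 27, 11, 42), "platform": "x", "account": "@Its_the_Dr"},
    {"ts": datetime(2025, 10, 27, 13, 20), "platform": "x", "account": "@MrPotatoHeadUSA"},
    {"ts": datetime(2025, 10, 27, 15, 3), "platform": "platform_b", "account": "unknown"},
]
DOMAINS = {"swanlandco[.]us": date(2025, 10, 21)}   # domain -> registration date
PREVIOUSLY_LINKED = {"@Its_the_Dr"}                  # accounts tied to earlier campaigns


def assess_narrative(posts, domains, linked_accounts,
                     max_lead=timedelta(days=30), max_jump=timedelta(hours=6)):
    """Check one narrative for the three traces; both thresholds are assumed."""
    result = {"domain_lead_days": {}, "seed_account_linked": False,
              "platform_jump": None, "signals": []}
    if not posts:
        return result
    ordered = sorted(posts, key=lambda p: p["ts"])
    first = ordered[0]

    # Trace 1: impersonation domain registered shortly BEFORE the first post.
    for name, registered in domains.items():
        lead = first["ts"].date() - registered
        if timedelta(0) <= lead <= max_lead:
            result["domain_lead_days"][name] = lead.days
    if result["domain_lead_days"]:
        result["signals"].append("pre_registered_domain")

    # Trace 2: the seeding account has a history with earlier campaigns.
    if first["account"] in linked_accounts:
        result["seed_account_linked"] = True
        result["signals"].append("previously_linked_seed_account")

    # Trace 3: time until the narrative first appears on a second platform.
    for post in ordered[1:]:
        if post["platform"] != first["platform"]:
            result["platform_jump"] = post["ts"] - first["ts"]
            break
    if result["platform_jump"] is not None and result["platform_jump"] <= max_jump:
        result["signals"].append("rapid_platform_jump")
    return result


if __name__ == "__main__":
    print(assess_narrative(POSTS, DOMAINS, PREVIOUSLY_LINKED))
```

A domain registered after the first post, or a narrative that never leaves its first platform, produces no signal for that trace.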

For Heads of Physical Security and Executive Protection: Online narratives targeting named executives often precede off-platform escalation. The Storm-1516 pattern — pre-planned impersonation, rapid cross-platform amplification, narrative repetition across geographically distinct accounts — is one of several indicators that warrant a protective-intelligence response.

Source links

  • Full Alethea analysis — alethea.com/insights/artemis-ai-risk-management-storm-1516

  • External technical report — SGDSN / VIGINUM Technical Report on Storm-1516

  • Related Alethea coverage — Stormkiller (a separate Russian IO with overlapping infrastructure)