Date investigated: September 4, 2024 onward
Operation: Subset of broader Russian influence operations associated with Doppelgänger / Matryoshka / Operation Overload
Attribution: Moderate confidence — Social Design Agency (named in DOJ September 4, 2024 affidavit) and Microsoft-tracked Storm 1679
Persona × scenario tags:
- CCO × reputational flare-up (geopolitical)
- CISO × coordinated inauthentic behavior detected
- CISO × adversarial AI-output manipulation
Executive summary
Alethea identified a network of X accounts assessed as a subset of Russia's broader influence operation infrastructure, including activity aimed at the 2024 U.S. presidential election. While investigating the network, Alethea observed a behavioral shift in some accounts that began on or shortly after September 4, 2024 — the date of a DOJ affidavit implicating Social Design Agency (a Russian firm suspected of operating at the behest of the Russian government) in operating the Doppelgänger influence campaign.
The shift included faked claims attributed to prominent disinformation experts — including Eliot Higgins (founder of Bellingcat) and Christo Grozev (former lead Russia investigator at Bellingcat) — in which the experts purportedly attributed Doppelgänger-related operations to Ukraine. This deflection tactic — attempting to shift blame from Russia to Ukraine — is the behavior Alethea named Stormkiller: based on the Microsoft "Storm" nomenclature used for tracking Doppelgänger-related groups, and the network's apparent shift to posting content with the goal of "killing" the DOJ's allegations.
The network at a glance
- 77 accounts on X posting 113 original, often multimedia, posts
- At least 60 of these accounts both posted and amplified network content, collectively sharing 9,000 quote posts of other assets' content
- At least 420 additional accounts recently engaged solely to amplify content through reposts (suspected botnet of batch-created accounts)
- 70 of the 77 original accounts remain active at time of writing; 7 suspended
Alethea assesses that most, if not all, of the accounts are inauthentic, and suspects as many as 56 of the 77 accounts were originally created by legitimate users but later "hijacked" or stolen for use in the influence operation.
Account characteristics
One subset of accounts shared:
- A years-long gap in activity — usually starting in 2013 or 2014 and continuing until 2024, when the account resumed activity and began sharing Matryoshka content
- A change in operating language during the gap (e.g., from Turkish, Portuguese, or Spanish to English)
- Mismatched biographical information — conflicting gender markers, multiple listed names, references to cryptocurrency, or improbable locations
A second set of 10 accounts:
- Created between May 5 and June 11, 2024 (four on May 5; three on May 22)
- Generally lacking biographical detail (no profile bio, URL, or location)
At least seven of the accounts used an AI-generated profile picture; the majority used stolen or repurposed images.
The 420-account botnet
Alethea identified a suspected botnet of at least 420 batch-created accounts that:
- All had Turkish names
- Used a first-and-last-name as the screen name, with the user handle being a combination of letters from the two names followed by five to eight digits
- 71% (289 of 420) had exactly 15 characters in their X handle
- Engaged in coordinated reposting — often at the same minute — of network assets' content
The Stormkiller behavior
Following the September 4, 2024 DOJ affidavit, Alethea observed two distinct trends in network content:
- Production and amplification of content claiming Ukraine — rather than Russia — is responsible for conducting Doppelgänger and associated influence activities. Content alleged that experts including Christo Grozev and Eliot Higgins had retracted their original assessments and now believed Ukraine was responsible.
- Automated reposting by a botnet of at least 420 batch-created X accounts. Earlier campaign stages relied on established network assets amplifying content; the post-September-4 amplification leaned on synchronous botnet reposting — most of which has since been suspended.
Worked example — the September 10 Higgins video
Now-suspended network asset @salman1212120 posted a video with Microsoft branding claiming Eliot Higgins of Bellingcat had stated the "Matryoshka disinformation operation is a complex and dangerous project of Ukraine." Higgins later quote-posted the video on his own X account, condemning it as fake.
Less than half an hour after the video's publication, it was retweeted at least 76 times in under 60 seconds by the botnet. A similar pattern was observed on other dates with other expert names attached.
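The two structural signals described above, the botnet's handle shape and the sub-60-second repost burst, can be checked together over a repost timeline. The following is an added example, not code from the Alethea report; the event tuple layout, the 50-repost threshold, and every sample handle are constructed assumptions.

```python
import re

# Handle shape from the report: letters from the two names, then five to eight digits.
HANDLE_RE = re.compile(r"^[A-Za-z]+\d{5,8}$")

def handle_matches(handle):
    return bool(HANDLE_RE.match(handle.lstrip("@")))

def burst_window(events, window_s=60, min_reposts=50):
    """Densest window of reposts as (start_ts, count), or None below the threshold.

    events: iterable of (seconds_since_post, handle). min_reposts is an assumed
    tuning value, not a figure from the report.
    """
    ts = sorted(t for t, _ in events)
    best, lo = (None, 0), 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] >= window_s:  # shrink until the span is < window_s
            lo += 1
        if hi - lo + 1 > best[1]:
            best = (ts[lo], hi - lo + 1)
    return best if best[1] >= min_reposts else None

def score_burst(events, window_s=60, min_reposts=50):
    """Summarise who took part in the burst and how many fit the handle pattern."""
    burst = burst_window(events, window_s, min_reposts)
    if burst is None:
        return None
    start, count = burst
    accounts = {h for t, h in events if start <= t < start + window_s}
    patterned = {h for h in accounts if handle_matches(h)}
    return {
        "start": start,
        "reposts": count,
        "accounts": len(accounts),
        "patterned": len(patterned),
        "len15": sum(1 for h in patterned if len(h.lstrip("@")) == 15),
    }

# Constructed sample timeline (not real accounts): 76 patterned reposters inside one
# minute, 25 minutes after the post, plus three organic-looking reposts.
SAMPLE_EVENTS = [
    (1500 + (i * 47) % 55,
     f"ayskaya{10000000 + i}" if i % 4 else f"emrdem{10000 + i}")
    for i in range(76)
] + [(120, "news_reader"), (900, "jane_doe_1987"), (4000, "bob42")]

if __name__ == "__main__":
    print(score_burst(SAMPLE_EVENTS))
```

Neither signal is conclusive alone: a handle with trailing digits is common among ordinary users, so the pattern share is only meaningful among accounts that also fall inside the burst window.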
What this case demonstrates
Stormkiller documents a previously undocumented deflection tactic: an influence operation pivoting in real time to attempt to discredit the analysis of its own activity. Russian efforts to mischaracterize expert work on its malign activity — particularly using the names researchers had given to the operations — are a defensive maneuver Alethea had not seen documented in related analyses prior to this investigation.
For organizations whose own analysis or expert commentary is at risk of being co-opted, faked, or repurposed, the Stormkiller pattern is operationally relevant: it shows how synthetic content attributed to named experts can be amplified within minutes via botnet infrastructure, and what the surrounding signal layer looks like.
Persona takeaways
For CCOs and corporate communications leaders: When the brand, an executive, or a named expert spokesperson is quoted falsely in viral content, the Stormkiller pattern shows the surrounding infrastructure — botnet amplification within minutes, coordinated quote-posting at legitimate news outlets, multi-platform seeding. Distinguishing this from a single bad-actor post determines whether the response is a correction, a platform escalation, or a full coordinated-campaign disclosure.
For CISOs: The forensic signatures here — batch account creation dates, character-count patterns in handles, synchronized reposting at the same minute — are the kind of structural indicators that distinguish coordinated inauthentic behavior from organic discussion. The Stormkiller report documents those indicators concretely.
For CSOs and protective intelligence teams: Operations that target named individuals with synthetic content can escalate quickly when the named individual responds. The Higgins video example — 76 retweets in 60 seconds after publication — shows the velocity. Protective intelligence workflows benefit from visibility into these patterns before the named individual is the one to identify the spread.
Source links
- Full Alethea report (PDF) — alethea.com/hubfs/Alethea%20-%20Stormkiller%20Report.pdf
- Insight summary — alethea.com/insights/stormkiller-a-russian-io-coverup
- CCO-focused companion piece — alethea.com/insights/stormkiller-a-wakeup-call-for-the-modern-cco