Borrowed Legitimacy: Three Models of Credibility Abuse in Influence Operations

Several reports published recently have highlighted a noteworthy technique increasingly employed by hybrid threat actors in hostile influence campaigns (HICs).

As most Influence Defense practitioners and researchers know, the effectiveness of HICs often depends not only on the proliferated content itself, but also on the perceived credibility of the entity producing it. While clear propaganda can be easier to identify, entities that resemble research institutes, news outlets, or open-source investigation platforms may be viewed as more trustworthy by targeted audiences. As a result, the inherent legitimacy associated with these institutions is increasingly exploited and used to increase the reach and impact of malign narratives. In this context, it is worth defining credibility as the perceived reliability of information; While legitimacy refers to the perceived authority or institutional standing of the actor producing it.

This blog examines three different models of influence-driven entities that exploit borrowed legitimacy, highlights the similarities between them, and their operational importance to cognitive attack-chains.

OSINT Investigation Platforms

In April 2026, the FDD published a detailed report on a Qatar-linked influence operation called “Eekad”.[1] Active since 2020, Eekad presents itself as the Arab World’s first open-source intelligence (OSINT) platform. It operates across platforms including X/Twitter, YouTube, Facebook, and Instagram, producing content that mimics the conventions of OSINT work: satellite imagery analysis, social network visualizations, geolocation investigations, and debunking of viral content. Eekad's outputs are designed to appear credible and methodologically sound, regardless of the accuracy or integrity of the underlying analysis.

Figure 1 – An EekadFacts network graph showing “proof” of Israeli-linked accounts, allegedly amplifying anti-Hamas content online.

According to the FDD report, Eekad has repeatedly promoted misleading or false claims which were aligned with Qatari political interests: defending Qatar, targeting Saudi Arabia, the UAE, and Israel, and promoting the post-Assad Syrian government. Its Meta ads showed payments made in Qatari currency, with many ads removed for violating political advertising rules. The FDD analysis linked the operation to a professional PR firm and pointed to financial resources that appeared inconsistent with those of an independent investigative outlet of its stated size.

Eekad derives much of its perceived credibility from its presentation of investigative methodology. Rather than simply making claims, it presents them through investigative methods and formats that resemble established OSINT practices. For many audiences, this can create an impression of legitimacy. 

The FDD report goes into granular detail, mapping Eekad’s connections to Qatari state-media, its associated technical assets, inauthentic amplification of its output, and the ways in which it seems to be embedded within a broader influence infrastructure. 

‘Pink Slime’ and Impersonated News Outlets

A second model is that of news outlets which look and function like normal media organizations. However, their published content is systematically shaped by a political or state figure operating in the background.

The now-infamous Russian hostile influence campaign codenamed Operation Doppelgänger provides a clear example of this model.[2] Its core tactic was the coordinated creation of look-alike websites that visually mimicked legitimate European news outlets. These high-profile influence assets consistently published pro-Kremlin content that appeared to originate from trusted sources. Doppelgänger operators employed webpage cloning tactics, allowing them to impersonate dozens of reputable European news outlets, including prominent European outlets such as Der Spiegel and Bild, as well as major US publications including The Washington Post and Fox News. Doppelgänger relied on audiences, associating familiar journalistic brands with credibility and legitimacy.

Figure 2 - A fake Spiegel article, attributed to Russian influence campaign Doppelganger (Courtesy of CORRECTIV).[3]

A 2025 report by Logically Facts provides yet another example of trust abuse, in the form of an alleged “Pink Slime” network used to proliferate Russian propaganda through the Dubai-listed Big News Network FZ LLC (BNN) and its subsidiary entities (Midwest Radio Network and The Mainstream Media). This extensive network of “eNewspapers” is suspected of enabling sanction evasion for Russian state media outlets such as RT (formerly Russia Today).[4] A recent CRC investigation has mapped over 2,340 distinct domains linked to BNN’s infrastructure.

Figure 3 - Big News Network eNewspapers, suspected of spreading reporting by the EU-sanctioned Russia state media outlet RT.[5]  

What these inauthentic news entities share is their reliance on familiar journalistic features to appear credible. Bylines, publication dates, editorial sections, and professional layouts can all contribute to an impression of legitimacy before the content is even seen.

Research Institutes and Intellectuals

A third model of credibility abuse consists of pseudo think tanks and research institutes that spread state-dictated narratives under the guise of analytical observations. Audiences exposed to the content generated by these seemingly independent entities might be unaware of the underlying agendas.

The approach taken by the People’s Republic of China (PRC) regarding the South China Sea public discourse serves as a clear example of this technique in action. A recent CRC report mapped an emerging influence infrastructure comprised of multiple PRC-linked entities that present themselves as research organizations. However, these organizations consistently promote narratives that support Beijing’s territorial claims in the region. The discovered influence campaign was observed employing networks of amplification assets on X/Twitter to proliferate the PRC-aligned narratives accusing Western powers and other regional actors as the primary aggressors in the contested region, while diverting attention from repeated Chinese violations of international maritime law.[6]

Figure 4 – X accounts linked to PRC-aligned research institutions forming an emerging influence infrastructure.

Crucially, ongoing PRC influence operations continue to demonstrate a centrally coordinated approach, integrating both authentic and inauthentic behavior, together with civilian, academic, and state actors, within a multi-layered influence architecture. Inspired by Soviet and Russian political warfare doctrines, recently-identified PRC information manipulation and interference efforts highlight the growing operational complexity of modern cognitive threats.

Figure 5 – A structural mapping of the emerging PRC-attributed influence infrastructure, consisting of three inter-connected activity clusters (content generators, amplifiers, and research institutions)

The Operational Role of Exploited Credibility

The above-mentioned models all exhibit the same operational logic. They maximize their efficacy by abusing pre-existing trust, the veneer of credible information outlets, and the perceived legitimacy assigned to inauthentic operational assets posing as trustworthy entities.

“Independent” OSINT research teams, viewed as credible data verification platforms, are leveraged to spread misleading or biased narratives. Meanwhile, impersonation of legitimate and reputable news sources helps threat actors spread information disorder and sow distrust in media coverage. The employment of state-aligned research institutes and individual intellectuals provides a solid base of validity to multi-layered influence architectures.

To counter these highly effective adversarial TTPs, counter-influence efforts must dissect documented cases of credibility abuse and apply scrutiny to all kinds of information sources, media outlets and research entities. Defensive measures, including cognitive resilience capacity building, must be scaled and adapted to better inform targeted audiences of novel cognitive threats as they emerge. Reinforcing societal resiliency means providing vulnerable information to consumers with basic awareness and sufficient tools to critically evaluate claims, fighting the common instinct to trust an outdated notion of legitimacy.

[References:]

1. Foundation for Defense of Democracies. Qatar Influence Operations: Unmasking a Suspected Network. [online] Published 27 April 2026. Available at: https://www.fdd.org/analysis/2026/04/27/qatar-influence-operations-unmasking-a-suspected-network/ (fdd.org)

   
   

2. Cyfluence Research. Visibility as Victory: The Strategic Logic of Doppelgänger. [online] Published 12 May 2025. Available at: https://www.cyfluence-research.org/post/visibility-as-victory-the-strategic-logic-of-doppelg%C3%A4nger
   

3. CORRECTIV. Inside Doppelganger: How Russia Uses EU Companies for Its Propaganda. [online] Published 22 July 2024. Available at: https://correctiv.org/en/fact-checking-en/2024/07/22/inside-doppelganger-how-russia-uses-eu-companies-for-its-propaganda/ (correctiv.org)
   

4. Logically Facts. Behind the Network of Pink Slime Sites Sharing Sanctioned Content to EU Readers. [online] Published 28 May 2025. Available at: https://web.archive.org/web/20250528135617/https://www.logicallyfacts.com/en/analysis/behind-the-network-of-pink-slime-sites-sharing-sanctioned-content-to-eu-readers
   

5. Big News Network. Big News Network – Global News Service, Web Directory. [online] Available at: https://www.bignewsnetwork.net/
   

6. Cyfluence Research Center (CRC). From Pseudo-Research to Narrative Superiority: Mapping an Emerging PRC Influence Campaign in the South China Sea. [online] Published 11 May 2026. Updated 12 May 2026. Available at: https://www.cyfluence-research.org/post/from-pseudo-research-to-narrativesuperiority-mapping-an-emerging-prc-influencecampaign-in-the-south