Cyber based influence campaigns 29th June – 5th July 2026 Report
- CRC
- 11 hours ago
- 28 min read

[Introduction]
Cyber-based hostile influence campaigns are aimed at influencing target audiences by promoting information and/or disinformation over the internet, sometimes combined with cyber-attacks which enhance their effect (hence force Cyfluence, as opposed to cyber-attacks that aim to steal information, extort money, etc.) Such hostile influence campaigns and operations can be considered an epistemological branch of Information Operations (IO) or Information Warfare (IW).
Typically, and as customary during the last decade, the information is spread throughout various internet platforms, which are the different elements of the hostile influence campaign, and as such, connectivity and repetitiveness of content between several elements are the main core characteristics of influence campaigns.
Hostile influence campaigns, much like Cyber-attacks, have also become a tool for rival nations and corporations to damage reputation or achieve various business, political or ideological goals. Much like in the cyber security arena, PR professionals and government agencies are responding to negative publicity and disinformation shared over the news and social media.
We use the term cyber based hostile influence campaigns, as we include in this definition also cyber-attacks aimed at influencing (such as hack and leak during election time), while we exclude of this term other types of more traditional kinds of influence such as diplomatic, economic, military etc.
During the 29th June - 5th July of June 2026, we observed, collected and analyzed endpoints of information related to cyber based hostile influence campaigns (including Cyfluence attacks). The following report is a summary of what we regard as the main events. Some of the mentioned campaigns have to do with social media and news outlets solemnly, while others leverage cyber-attack capabilities.
[Contents]
Russia
RIA Novosti Falsely Claims Lithuanian History Textbook Glorifies Hitler's Collaborators
Russia Uses Mockery and Parody to Amplify Disinformation Across Europe
Russia's Information War Against Ukraine's EU Future Threatens All of Europe
Russian IMS Exploits Mastodon and Bluesky Architecture to Launder Sanctioned Media
Ukraine
China
[ Report Highlights]
StopFake documents Russia's 'Hahaganda' strategy deploying fabricated mockery, AI deepfakes, and nine fake Charlie Hebdo covers distributed across 13 languages to undermine Ukrainian institutional credibility without direct factual contestation.
A joint EEAS-CCD report cited by StopFake documents 244,000 publications on Ukraine's EU accession generating 1.39 billion views, with over 2,600 sources displaying inauthentic coordination deploying four country-adapted narratives portraying membership as costly and conflicting.
Revelum documents at least 10,000 deepfake scam ads impersonating six football players over 12 months, with volumes surging 413% for Luis Diaz and 1,700% for Neymar during the 2026 World Cup, using identical templates pointing to centralised operations.
DFRLab found a Philippine domestic state-aligned network and China's Spamouflage simultaneously targeting the same Filipino activist Facebook pages with opposing objectives, showing unrelated state actors can exploit identical platform gaps with a compounding effect.
Google GTIG, the FBI, Lumen, and Shadowserver disrupted NetNut/Popa, a residential proxy botnet controlling 2 million compromised devices that served 316 distinct threat clusters in a single week across cybercriminal and espionage operations.
Euronews confirmed AI-generated synthetic media campaigns across six platforms in three languages during the 2026 World Cup, with one fabricated image reaching 3 million views before debunking, illustrating the amplification gap cognitive warfare operations are designed to exploit.
EUvsDisinfo documents Russia's use of FPV drones as dual-use instruments delivering both explosives and propaganda leaflets into frontline communities simultaneously, integrating kinetic and cognitive warfare in a single technological vector with Kherson as the primary documented case study.
[ Report Summary]
StopFake finds RIA Novosti's claim that a Lithuanian history textbook glorifies Hitler's collaborators is false; the textbook describes LAF activities without glorification and includes a dedicated Holocaust section that RIA Novosti systematically omitted.
StopFake documents Russia's 'Hahaganda' strategy deploying fabricated mockery, AI-generated deepfakes, and nine fake Charlie Hebdo covers across 13 languages to delegitimise Ukrainian leadership without direct factual contestation.
StopFake cites a joint EEAS-CCD report documenting 244,000 publications on Ukraine's EU accession generating 1.39 billion views, with over 2,600 sources displaying inauthentic coordination deploying four country-adapted narratives portraying membership as costly, conflicting, and elite-driven.
CheckFirst documents 'Roska Bridge,' a Russian IMS using Brid.gy to automatically synchronise EU-sanctioned media content across Mastodon and Bluesky in monthly burst operations across 10 instances, with CIB indicators linking it structurally to the Pravda Network.
NewsGuard documents RT's @RT_on_X account accumulating 6 million views within five days of its 25 June 2026 debut in apparent evasion of EU sanctions, with the European Commission confirming sanctions cover all transmission and distribution channels including platforms and apps.
EUvsDisinfo documents Russia's use of FPV drones as dual-use instruments delivering both explosives and propaganda leaflets into frontline communities simultaneously, integrating kinetic and cognitive warfare in a single technological vector with Kherson as the primary documented case study.
StopFake documents Russia's use of FIMI to conceal military setbacks through false territorial claims, logistical denial despite documented supply chain degradation, and a propaganda fracture in which Kremlin-aligned correspondents contradicted official civilian-targeting narratives.
StopFake identifies Russian channels extracting Lula's 'everyone is tired' remark from its G7 context, which also referenced Putin's supporters and called for UN diplomacy, to fabricate a false claim that Western backers specifically are seeking to end support for Ukraine.
AEI/ISW documents the PRC's enactment of an ambiguous overseas ethnic unity law, PLA-Russia joint aerial exercises near South Korea and Japan on 27th June 2026, and Japan's discovery of PRC counterfeit USB drives containing state-linked malware that compromised defence systems between March 2024 and February 2025.
NewsGuard identifies 294 coordinated Threads accounts using AI-generated profiles of attractive women targeting Taiwanese men, exhibiting CIB indicators including identical posting schedules and inaccurate Taiwan details, assessed as primed to deploy political content ahead of Taiwan's November 2026 local elections.
Euronews documented AI-generated synthetic media campaigns across six platforms in three languages during World Cup 2026, including fake images of Starmer and Netanyahu at matches, with one fabricated image accumulating 3 million views before debunking, illustrating the amplification velocity gap cognitive warfare operations exploit.
Revelum documents at least 10,000 deepfake scam ads impersonating six football players over 12 months, with volumes surging 413% for Luis Diaz and 1,700% for Neymar during the 2026 World Cup, using identical narrative templates and urgency language pointing to centralised operations with scalable infrastructure.
EDMO documents widespread unlabelled AI-generated hypersexualised content targeting World Cup fandoms across seven countries, monetised through platform revenue programmes, with investigations revealing the same infrastructure used in dual operation for far-right political propaganda distribution.
DFRLab identified a Philippine domestic state-aligned network and China's Spamouflage simultaneously targeting the same Filipino activist Facebook pages with opposing objectives, demonstrating that unrelated state actors can exploit identical platform vulnerabilities simultaneously with compounding effect.
The Disinformation Observer documents a false viral claim fabricating that 'President Sipila' approved nuclear weapons storage in Finland, and an Australian CIB operation run by Vietnamese operators impersonating established news brands on Facebook to drive advertising revenue.
Google GTIG, the FBI, Lumen, and Shadowserver disrupted NetNut/Popa, a residential proxy botnet controlling approximately 2 million compromised devices that served 316 distinct threat clusters in one week spanning cybercriminal and espionage operations, with the FBI seizing the netnut.com domain.
Memesita reports the 2026 World Cup has attracted coordinated operations using AI deepfakes, bot amplification, and sockpuppet networks blending fabricated political content with sports commentary, while noting the secondary Liar's Dividend risk of deepfake proliferation enabling dismissal of genuine evidence as AI-generated.
HAARP conspiracy mentions surged from 16,200 to 134,000 in one week as Venezuelan earthquakes killed at least 1,450 and a European heatwave killed hundreds, with viral posts falsely attributing both to US ionospheric weaponization, a claim directly refuted by HAARP's director and incompatible with seismic data.
Providers and deployers of generative AI systems subject to EU AI Act Article 50 have until 22 July 2026 at 18:00 CEST to sign the Code of Practice on Transparency, with signatories receiving presumption of conformity before enforcement begins on 2 August 2026.
Biometric Update reports three new deepfake detection product launches in June 2026, Scam.ai/Qualcomm's Halo, Bitdefender's RealCheck for 14 countries, and South Korea's KISA funding 11 new research projects, driven by Deloitte projections of USD 40 billion in US generative AI fraud losses by 2027.
[State Actors]
Russia
RIA Novosti Falsely Claims Lithuanian History Textbook Glorifies Hitler's Collaborators
A fact-check published by StopFake states that RIA Novosti alleged a Lithuanian 10th-grade history textbook glorifies Hitler's collaborators and ignores Nazi ties and antisemitism, a claim StopFake's analysis finds to be materially false through textual evidence and historical context. The textbook describes Lithuanian Activists' Front (LAF) activities in approximately two paragraphs without portraying any figures as heroes, acknowledges both independence aspirations and the movement's Nazi connections, and does not characterise Kazys Skirpa -- the principal figure referenced by RIA Novosti, as heroic, presenting him solely in the context of anti-Soviet resistance during a period when Lithuania had already been occupied under the Molotov-Ribbentrop Pact framework.
A fact-check published by StopFake states that the textbook also contains a dedicated section titled 'The Holocaust in Nazi-Occupied Europe,' complete with death camp maps, statistical data by country, and explicit documentation of Lithuanian Jewish victims, as well as a direct statement that various European nationals 'participated in one way or another in arrests, deportations, and executions', content RIA Novosti did not reference in its coverage. StopFake's analysis identifies this pattern of selective omission as the operational core of the false claim, finding that the textbook does not glorify collaborators but rather documents a contested historical period with contextual material that RIA Novosti systematically suppressed, situating the fabrication within a broader pattern of Russian state media weaponising European historical sensitivities to generate political pressure and undermine Baltic credibility in EU and NATO contexts.
Source: StopFake. RIA Novosti Fake News: Lithuanian History Textbook Glorifies Hitler’s Collaborators. [online] Published 24 June 2026. Available at: https://www.stopfake.org/en/ria-novosti-fake-news-lithuanian-history-textbook-glorifies-hitler-x27-s-collaborators/
Russia Uses Mockery and Parody to Amplify Disinformation Across Europe
An analysis published by StopFake states that Russia has developed a coordinated disinformation strategy termed 'Hahaganda', deploying mockery, satire, and parody as tactical instruments to delegitimise targets without requiring direct persuasion, to undermine institutional trust through systematic ridicule rather than factual contestation. The analysis documents three primary operational channels: AI-generated image manipulation and deepfake video production, institutional impersonation through fabricated content attributed to credible outlets such as Charlie Hebdo, and the deployment of synthetic videos depicting Ukrainian military personnel as desperate or coerced, all distributed through a standard pattern in which Telegram channels seed content that propagates across Facebook, TikTok, and X.
An analysis published by StopFake states that Hahaganda operates by exploiting confirmation bias within target audiences already sceptical of Ukrainian governance, producing a false impression of widespread international condemnation and enabling coordinated narratives to circulate as apparent organic sentiment rather than as identifiable propaganda. Documented examples include at least nine fabricated Charlie Hebdo covers attacking President Zelenskyy, which prompted a Paris court complaint by the publication in May 2025, and a January 2026 deepfake video depicting a purported Ukrainian warehouse commander that spread across 13 or more languages, with the teleMarafon Facebook account alone publishing over 50 AI-generated videos since October 2023 formatted to resemble news broadcasts. StopFake assesses Hahaganda as a significant evolution in Russian information operations, enabling attribution-resistant narrative amplification that is structurally difficult for platform moderation systems to detect given the use of satirical framing to obscure coordinated political intent.
Source: StopFake. Hahaganda: How Russia Seeks to Reinforce Disinformation Narratives in Europe Through Mockery and Parody. [online] Published 30 June 2026. Available at: https://www.stopfake.org/en/hahaganda-how-russia-seeks-to-reinforce-disinformation-narratives-in-europe-through-mockery-and-parody/
Russia's Information War Against Ukraine's EU Future Threatens All of Europe
An article published by StopFake states that a joint analytical report by the European External Action Service and Ukraine's Centre for Countering Disinformation documented how Russian Foreign Information Manipulation and Interference (FIMI) operations are systematically targeting Ukraine's path towards European Union membership, with monitors observing approximately 244,000 publications on Ukraine's EU accession between January 2025 and May 2026 generating a combined 1.39 billion views, with over 2,600 sources displaying inauthentic behaviour patterns including synchronised dissemination and coordinated amplification responses. The article identifies four core destructive narratives deployed across EU member states and Ukrainian audiences: that EU accession prolongs conflict, that Ukraine is corrupt and incompatible with European values, that EU membership is costly and risky for both parties, and that European countries pursue hidden territorial or economic interests in Ukraine, with country-specific adaptations targeting Germany via economic anxieties, France via corruption narratives, and Poland through historical sensitivities and anti-refugee framing.
An article published by StopFake states that the report identifies a structural escalation in Russia's approach, finding that Moscow is no longer relying only on individual falsehoods but instead deploying generative AI, coordinated inauthentic behaviour networks, and cross-platform amplification to exhaust audiences and normalise distrust at scale, with narratives tested in the Ukrainian information space subsequently adapted for EU audiences before being reintroduced into Ukraine to create the false impression of European loss of confidence in Kyiv. StopFake situates this campaign as a direct threat not only to Ukraine's accession trajectory but to European institutional integrity itself, arguing that operations designed to degrade trust in Ukraine's compatibility with European values simultaneously corrode the foundations of democratic solidarity within EU member states, requiring not only Ukrainian countermeasures but a structural framework for shared analytical intelligence between Kyiv and European institutions as a condition of the enlargement process.
Source: StopFake. Russia’s Information War Against Ukraine’s European Future Is a Threat to Europe Itself. [online] Published 1 July 2026. Available at: https://www.stopfake.org/en/russia-s-information-war-against-ukraine-s-european-future-is-a-threat-to-europe-itself/
Russian IMS Exploits Mastodon and Bluesky Architecture to Launder Sanctioned Media
An investigation published by CheckFirst states that a Russian information manipulation set (IMS) dubbed 'Roska Bridge' has been exploiting architectural vulnerabilities in decentralised social platforms since at least September 2025, using the Brid.gy service as a technical gateway to automatically synchronise content from EU-sanctioned Russian media outlets, including Pravda Network, Russia Today, and Sputnik, across Mastodon and Bluesky simultaneously. The investigation documents operations across 10 Mastodon instances, including mastodon.social, which has over 870,000 users, with hundreds of coordinated accounts executing content in monthly burst cycles, posting intensively before disappearing and being replaced, a pattern CheckFirst identifies as a clear indicator of Coordinated Inauthentic Behaviour (CIB).
An investigation published by CheckFirst states that Roska Bridge's geographic and narrative targeting encompasses Ukraine, France, Germany, and the United States with anti-Western and anti-Ukrainian propaganda, while simultaneously promoting Max, a Russian state-backed messenger that requires Russian phone numbers, indicating that the operation runs parallel domestic and Western audience targeting tracks from shared infrastructure. CheckFirst identifies structural linkage between Roska Bridge and the Pravda Network through synchronised identical publications, suggesting these are not independent actors but components of a coordinated Russian influence infrastructure designed to route sanctioned state media content into platforms, Mastodon and Bluesky, that lack the sanctions-compliance infrastructure of major platforms, exploiting decentralisation's governance gap as a systematic distribution channel for content that cannot legally reach European audiences through conventional means.
Source: Check First. Roska Bridge: How a Pro-Russian IMS Exploits Vulnerabilities of Decentralised Platforms to Spread Propaganda. [online] Published 1 July 2026. Available at: https://checkfirst.network/roska-bridge-how-a-pro-russian-ims-exploits-vulnerabilities-of-decentralised-platforms-to-spread-propaganda/
RT Launches @RT_on_X Account
A report published by NewsGuard states that a new X account named @RT_on_X appears to be an attempt by Russian state outlet RT to bypass EU sanctions imposed following Russia's full-scale invasion of Ukraine, reaching European audiences who are legally barred from accessing RT content under EU regulations. The account debuted on 25 June 2026, accumulated 1,000 followers, and posted 631 times, with posts collectively garnering 6 million views within five days, an amplification rate consistent with coordinated boosting. NewsGuard identifies multiple indicators of RT affiliation: posts carry the official RT logo and the tagline 'Freedom over censorship, Truth over narrative,' content from the new account is routinely reposted on RT's official @RT_com account, which is itself blocked from European feeds, and the account is followed by RT's editor-in-chief, Margarita Simonyan.
A report published by NewsGuard states that the European Commission, responding to NewsGuard's inquiry with a statement dated July 1st, 2026, confirmed that EU sanctions cover 'all means for transmission and distribution,' including 'platforms, websites and apps,' and that the Commission is in contact with national authorities regarding the @RT_on_X account's operations. NewsGuard assesses this case as consistent with RT's documented pattern of sanctions evasion through infrastructure substitution, with prior documented tactics including website cloning, third-party distribution agreements, and re-labelled content farms, and notes that X's current enforcement posture under Elon Musk's ownership has significantly reduced platform-level intervention against state-affiliated media accounts, creating a structural gap between EU regulatory requirements and platform compliance that Russian state media continue to exploit systematically.
Source: NewsGuard Reality Check. RT Evades Sanctions. [online] Published 1 July 2026. Available at: https://www.newsguardrealitycheck.com/p/rt-evades-sanctions
Russia Deploys FPV Drones
An analysis published by EUvsDisinfo states that Russia has operationalised FPV (First Person View) drones as dual-use instruments in the war in Ukraine, using the same unmanned aerial vehicles both to drop explosives on civilian and military targets and to deliver propaganda leaflets into frontline communities, integrating physical violence with psychological pressure in a single technological vector. The analysis describes this as an intentional doctrinal combination: physical pressure derives from artillery, drone attacks, and infrastructure strikes that generate constant danger and exhaustion among affected populations, while information disruption operates through telecommunications collapse or restriction that simultaneously empties the information vacuum and fills it with propaganda channels, depriving communities of accurate situational awareness at moments of maximum vulnerability.
An analysis published by EUvsDisinfo states that Kherson represents the most thoroughly documented case study, having experienced Russian occupation beginning March 2022, liberation nine months later, and continuous pressure from Russian forces positioned on the occupied eastern bank of the Dnipro River following their retreat, with residents subjected to documented torture, fabricated referendums on annexation, civilian disappearances, and child kidnappings during occupation, followed by ongoing drone and artillery attacks in the post-liberation period. EUvsDisinfo situates Russia's drone dual-use doctrine within the broader framework of cognitive warfare, assessing that the deliberate combination of kinetic and information instruments represents a tactical evolution designed to maximise psychological impact on civilian populations while minimising the resources required per target, and that the integration of AI-enabled drone production with systematic propaganda distribution points to an operational model that scales both the physical and cognitive warfare components simultaneously from shared infrastructure.
Source: EUvsDisinfo. Explosives and Propaganda: Russia’s Dual-Use Drones. [online] Published 29 June 2026. Available at: https://euvsdisinfo.eu/explosives-and-propaganda-russias-dual-use-drones/
Ukraine
Moscow Deploys FIMI to Conceal Battlefield
An analysis published by StopFake states that Russia is deploying coordinated Foreign Information Manipulation and Interference (FIMI) operations to conceal military setbacks through three primary mechanisms: false territorial claims asserting the capture of locations that remain under Ukrainian control, logistical denial narratives minimising documented supply chain degradation, and threat escalation framing that recharacterises Ukrainian strikes on military infrastructure as attacks on civilians. The analysis documents repeated false declarations of victory in Kupyansk, which President Zelenskyy personally visited in November 2025 to refute, and three separate claims of liberating Mala Tokmachka throughout 2025-2026 while Ukrainian forces-maintained control, with Russian General Gerasimov declaring westward advances near Kupyansk as recently as May 16th, 2026, despite Ukrainian defensive positions holding.
An analysis published by StopFake states that Russia's information operations to conceal battlefield conditions extended to economic and logistical matters, with official propaganda claiming supply conditions remained under control while simultaneous government decisions revealed operational stress: Belarus import increases, aviation kerosene export bans implemented on June 1st 2026, and diesel restrictions following Ukrainian drone strikes degrading the Crimea land corridor. The analysis documents a propaganda fracture in which Kremlin-aligned war correspondents acknowledged Ukrainian strikes targeted fuel tankers rather than civilians, directly contradicting official denial narratives, and identifies the Kremlin's development of image-of-victory messaging since February 2026, emphasising resistance to the West and business resilience under sanctions, as evidence that Russia's information operations are increasingly designed to manage domestic and international perception rather than to report conditions accurately.
Source: StopFake. How Moscow Tries to Cover Up Its Failures on the Ukrainian Battlefield. [online] Published 1 July 2026. Available at: https://www.stopfake.org/en/how-moscow-tries-to-cover-up-its-failures-on-the-ukrainian-battlefield/
Russian Channels Strip Context from Lula's G7 Statements
A fact-check published by StopFake states that Russian information channels extracted a selective quotation from Brazilian President Lula's remarks at a G7 summit meeting with Ukrainian President Zelensky on June 17th 2026, in which Lula stated 'everyone is tired' of the war, referencing supporters of Ukraine, supporters of Putin, and those financing both sides, and removed his explicit mention of Putin's supporters and his call for intensified diplomatic efforts through UN Security Council mechanisms, fabricating a false claim that Lula had specifically declared Western backers exhausted and seeking to withdraw support. StopFake's analysis identifies this as a textbook hostile influence operation employing selective quotation and context removal, designed to fracture the Western coalition by suggesting public fatigue justifies policy recalibration without requiring any actual change in Western government positions.
A fact-check published by StopFake states that the manipulation exploits three intersecting cognitive vulnerabilities: anchoring bias, in which the factually accurate premise that fatigue exists lends false credibility to the distorted conclusion; confirmation bias among audiences predisposed to doubt Western commitment; and cognitive load effects that reduce the likelihood of audiences consulting full source materials in social media environments. Verification against Lula's official statements in Brazilian media, the Zelensky presidential office readout, and the G7 joint statement, which reaffirmed unwavering support for Ukraine including expanded air defense deliveries, confirmed that all three sources contradict the manipulated narrative, situating the operation within Russia's sustained effort to generate diplomatic pressure on Kyiv by manufacturing the appearance of Western exhaustion rather than contesting the substance of Western policy positions.
Source: StopFake. Manipulation: Lula Said Ukraine’s Western Backers Are “Tired” and Want to End the War. [online] Published 23 June 2026. Available at: https://www.stopfake.org/en/manipulation-lula-said-ukraine-s-western-backers-are-tired-and-want-to-end-the-war/
China
China Enacts Transnational Repression Law
An update published by AEI and ISW states that the People's Republic of China enacted a new ethnic unity law effective 1 July 2026 creating ambiguous prosecution standards for overseas activity, with Taiwan's UK envoy warning of transnational repression risks and citing PRC's new London diplomatic facility with reported underground detention infrastructure, a development that analysts assess as an expansion of Beijing's coercive reach into diaspora communities under legally ambiguous domestic authority. The update also documents PLA and Russian joint aerial exercises conducted near South Korea and Japan on June 27th 2026, as coordinated military signaling, alongside the Chinese Coast Guard conducting three intrusive patrols around Taiwan's Pratas Island in June while maintaining continuous presence in Taiwan's eastern Exclusive Economic Zone.
An update published by AEI and ISW states that Japan's Ground Self-Defence Force discovered PRC-manufactured counterfeit USB drives containing state-linked malware that had compromised secure Japanese defence systems between March 2024 and February 2025, representing a documented cyber-enabled intelligence operation against a key US treaty ally. The update identifies a strategic recalibration in PRC military signalling, with ADIZ incursions reduced to a pre-2024 baseline of 134 sorties in June versus over 300 previously, as evidence Beijing is shifting toward normalised coercion patterns designed to reduce threat desensitisation among Taiwanese and allied populations, a pattern ISW assesses as consistent with broader Chinese grey-zone strategy that maintains continuous military pressure while avoiding escalatory incidents that could consolidate Western political will against PRC regional objectives.
Source: American Enterprise Institute (AEI) and Institute for the Study of War (ISW). China & Taiwan Update, July 2, 2026. [online] Published 2 July 2026. Available at: https://www.aei.org/articles/china-taiwan-update-july-2-2026/
Chinese Network Deploys 294 Fake Dating Profiles on Meta
A report published by NewsGuard states that a network of 294 coordinated accounts on Meta's Threads platform, which launched in May 2026, features AI-generated profiles of attractive Asian women claiming to seek Taiwanese men as romantic partners, with the accounts exhibiting multiple indicators of coordinated inauthentic behaviour: identical posting schedules, systematically similar account handles, a consistent focus on targeting Taiwanese men, and inaccurate descriptions of Taiwan-specific cultural details that suggest non-Taiwanese operators. The operation bears the hallmarks of Chinese political influence campaigns, including a December 2025 operation that used fabricated attractive Japanese influencer accounts to promote pro-China territorial claims, with NewsGuard assessing the network as primed to inject political content at a strategically timed point ahead of Taiwan's November 2026 local elections.
A report published by NewsGuard states that as of the publication date, the phony dating accounts had not yet begun posting overtly political content, a pattern consistent with Chinese influence operations that establish audience trust and follower bases through benign content before activating political messaging during peak electoral periods, a technique documented in multiple prior PRC operations across Facebook, Instagram, and X. NewsGuard situates the Threads operation within a broader pattern of Chinese influence activity that exploits the trust architecture of social connectivity platforms, where romantic and personal interest framing substantially reduces user scepticism compared to overtly political accounts, and identifies Meta Threads as an emerging target for PRC influence infrastructure that presents new moderation challenges given the platform's early-stage content enforcement systems and its integration with Instagram's audience base, which provides rapid follower scaling from existing social graph connections.
Source: NewsGuard Reality Check. Fake Dating Profiles, Real Foreign Influence. [online] Published 2 July 2026. Available at: https://www.newsguardrealitycheck.com/p/fake-dating-profiles-real-foreign (newsguardrealitycheck.com).
[AI Related Articles]
AI-Generated Images Exploit World Cup Coverage to Spread Political Disinformation
A fact-check published by Euronews states that coordinated campaigns exploiting 2026 World Cup coverage deployed AI-generated synthetic media across X, Facebook, Instagram, Threads, Reddit, and Bluesky in English, Spanish, and Russian, targeting multiple political audiences simultaneously using fabricated imagery designed to circulate within the high-engagement environment of a major global sporting event. Documented examples include falsely attributed images depicting UK Prime Minister Keir Starmer in Croatian fan attire and Israeli Prime Minister Netanyahu attending tournament matches, with the Starmer imagery derived from repurposed 2024 UEFA Championship footage, as well as a fabricated image of an Iranian player holding a pink backpack as tribute to casualties from a February 2026 airstrike, in which the depicted individual was not a member of Iran's squad, wore incorrect kit, and appeared in a stadium that did not match the actual match venue.
A fact-check published by Euronews states that verification teams employed two primary methods: reverse image searching for source authenticity and OpenAI's SynthID watermark detection, a technical marker embedded in AI-generated or manipulated images confirming artificial origin. One fabricated image accumulated 3 million views before verification could achieve comparable reach, illustrating the fundamental asymmetry between disinformation amplification velocity and debunking capacity that cognitive warfare operations systematically exploit. Euronews assesses these campaigns as demonstrating a broader operational pattern in which major international sporting events serve as optimal disinformation vectors due to high ambient engagement, multilingual audience reach, reduced critical evaluation thresholds, and the availability of emotionally resonant imagery that can be easily manipulated to carry political narrative payloads alongside organic sports content.
Source: Euronews. Fact Check: Were You Fooled by These AI-Generated Images of the World Cup? [online] Published 26 June 2026. Available at: https://www.euronews.com/my-europe/2026/06/26/fact-check-were-you-fooled-by-these-ai-generated-images-of-the-world-cup
Coordinated Deepfake Ad Campaigns Impersonate Football Stars
An investigation published by Revelum states that at least 10,000 deepfake scam advertisements impersonating professional football players were identified over 12 months, with 2,736 confirmed ads across six players and campaign intensity rising sharply during the 2026 World Cup, Luis Diaz experiencing a 413% surge in daily ad volume, Neymar a 1,700% increase from his baseline, and Cristiano Ronaldo reaching 8.1 ads per day during the tournament. The operations follow a standardised template that repeats across different players and countries: a fabricated local character, a delivery worker, teacher, or single mother, claims improbable financial returns through the targeted player's supposed investment app or platform, with player names, local currency, and media branding swapped while the narrative structure, psychological pressure elements, and urgency language remain identical.
An investigation published by Revelum states that three consistent tactical elements appear across nearly all documented campaigns: fabricated authority narratives using local characters designed to interrupt user scrolling before critical evaluation occurs; borrowed credibility through fake news broadcasts mimicking legitimate national media aesthetics such as Colombia's Noticias Caracol or institutional bank notifications from entities including Banco Pichincha in Ecuador; and deliberate urgency manufacturing using the phrase 'This offer is only available for the next 72 hours' appearing verbatim across multiple campaigns. Revelum's analysis identifies the reuse of identical app names, Joker Jewels appearing in both James Rodriguez and Luis Diaz campaigns, shared narrative structures, and synchronised urgency tactics as evidence of centralised operations with significant advertising infrastructure budgets, and assesses the underlying deepfake tooling and social media network architecture as reusable across sectors and public figures well beyond football, representing a scalable threat to institutional trust and individual financial security.
Source: Revelum. World Cup, World Scam: The Deepfake Ads Impersonating Football Stars During the 2026 FIFA World Cup. [online] Published 2 July 2026. Available at: https://revelum.ai/insights/world-cup-deepfake-scam-ads-2026/
AI-Generated Hypersexualised Content Targets World Cup Fandoms Across Seven Countries
An analysis published by EDMO states that social media platforms experienced widespread distribution of unlabelled AI-generated images depicting hypersexualised female football supporters across multiple national team fandoms, with fact-checking organisations across Belgium, Germany, Argentina, Switzerland, Mexico, Spain, and Brazil identifying fabrications, indicating coordinated cross-platform distribution rather than isolated incidents. The primary monetisation mechanism identified by EDMO is platform revenue optimisation: content creators generate income through viral engagement on platform monetisation programmes before redirecting audiences to secondary platforms, including paid subscription services, with the synthetic content designed to attract engagement through sexual appeal while functioning as audience-capture infrastructure.
An analysis published by EDMO states that investigations have documented a dual-use pattern in which AI-generated hypersexualised content serves both commercial monetisation objectives and political distribution ends, with prior documented cases showing the same infrastructure used to attract and lure users into networks that disseminate far-right nationalist political propaganda and xenophobia mixed with soft-core pornography. EDMO identifies measurable psychological and social harms from this content type, including unrealistic expectations among young male audiences and documented links to anxiety and depression among female audiences who do not conform to AI-generated beauty standards, and documents a platform enforcement asymmetry in which sexualised AI content is tolerated at scale while other forms of World Cup disinformation are removed, suggesting that inconsistent moderation policy creates structural opportunities for actors using synthetic sexual content as an influence operation delivery mechanism.
Source: European Digital Media Observatory (EDMO). The World Cup of Hypersexualized Fakes? [online] Published 26 June 2026. Available at: https://edmo.eu/publications/the-world-cup-of-hypersexualized-fakes/
[General Reports]
Domestic and Chinese Influence Networks Simultaneously Target Philippine Facebook Pages
An investigation published by DFRLab states that two distinct coordinated inauthentic behaviour (CIB) networks simultaneously targeted the same Filipino activist Facebook pages in 2026 with opposing strategic objectives: a domestic state-aligned operation conducting red-tagging to publicly associate leftist organisations including the League of Filipino Students and Kilusang Mayo Uno with the Communist Party of the Philippines, while Chinese Spamouflage profiles used the identical activist pages as comment sections to distribute anti-Marcos government narratives and amplify political opposition messaging. The domestic operation was assessed with moderate confidence to be linked to the 2nd Civil-Military Operations Battalion of the Armed Forces of the Philippines, based on circumstantial evidence including military account engagement patterns and profiles displaying Civil-Military Operations insignia, with six interconnected Facebook pages created between February and April 2026 serving as content hubs.
An investigation published by DFRLab states that the Chinese Spamouflage component, 50 profiles identified across the activist pages, part of a broader multi-platform operation attributed to Chinese law enforcement, employed AI-generated imagery and formulaic comments addressing government corruption, unverified claims about President Marcos's health, and political rivalries, with some accounts posting material calling for more Molotov cocktails during protest activity. DFRLab identifies the convergence as revealing a critical platform enforcement vulnerability: a single post by Kilusang Mayo Uno received simultaneous comments from both networks pursuing contradictory objectives, demonstrating that identical infrastructure and activist Facebook pages can be weaponised by uncoordinated state and foreign actors pursuing unrelated strategic goals, multiplicatively degrading information ecosystem integrity while the platform enforcement gap that allowed Meta's 2020-era takedown targets to reconstitute remains unaddressed.
Source: Digital Forensic Research Lab (DFRLab). Two Coordinated Networks, One Domestic, One Foreign, Target the Same Philippine Facebook Pages. [online] Published 30 June 2026. Available at: https://dfrlab.org/2026/06/30/two-coordinated-networks-one-domestic-one-foreign-target-the-same-philippine-facebook-pages/
Finland Nuclear Weapons Disinformation and Australian Fake News Network Documented
A digest published by The Disinformation Observer states that a false claim posted by an X account named Megatron_ron on June 27th 2026 asserted that 'President Sipila' approved importing and storing nuclear weapons in Finland, fabricating both the signatory's identity and the law's scope, as it was President Alexander Stubb who signed the amendment on June 26th 2026, and the law explicitly forbids manufacture and detonation of nuclear weapons, with the government stating no peacetime deployment is planned. The digest assesses the operation as exploiting a real parliamentary vote of 125 to 61 on June 17th to anchor false claims, using mushroom-cloud imagery and BREAKING framing for engagement amplification, in a context where only 18% of Finns support nuclear deployment domestically, representing a structurally exploitable public vulnerability that information operations can activate without requiring a credible underlying claim.
A digest published by The Disinformation Observer states that the same reporting period documented an Australian coordinated inauthentic behaviour operation in which three Facebook pages impersonating The Australian, Australia Times, and The Australian Bulletin fabricated political stories from March 2026, with one post falsely claiming that politician Pauline Hanson collapsed in parliament and prompting genuine constituents to contact her office. Attribution identified 12 operators based in Vietnam and one in Indonesia managing the pages through Vietnamese page-management services FbTarget and Bee Up, with the pages having inherited audiences from prior life as soap-opera fan pages to lend false legitimacy, a case the digest classifies as financially motivated coordinated inauthentic behaviour with operators directing traffic for advertising revenue, illustrating how automation and AI-generated content have reduced production costs to a level that enables commercial actors to conduct sustained brand impersonation operations without ideological motivation.
Source: The Disinformation Observer. This Week in Disinformation: 28 June 2026. [online] Published 28 June 2026. Available at: https://thedisinformationobserver.substack.com/p/this-week-in-disinformation-28-june (thedisinformationobserver.substack.com).
Google GTIG and FBI Disrupt NetNut Proxy Botnet Controlling Two Million Devices
A report published by BleepingComputer states that a coordinated operation involving Google's Threat Intelligence Group (GTIG), the FBI, Lumen Technologies, and The Shadowserver Foundation disrupted NetNut, also known as Popa, a residential proxy botnet controlling approximately 2 million compromised devices globally, including Android phones, smart TVs, and streaming boxes hijacked through trojanised applications and the Badbox 2.0 botnet. Google's analysis identified 316 distinct threat clusters using suspected NetNut exit nodes within a single week, encompassing both cybercriminal and espionage operations, with the service's robust reseller programme enabling whitelabelling that made it one of the largest proxy networks serving hundreds of threat actors seeking to route malicious traffic through residential IP addresses to obscure operational attribution.
A report published by BleepingComputer states that enforcement actions included Google disabling command-and-control accounts on its infrastructure, using Google Play Protect to automatically warn users and disable infected applications, and the FBI seizing the netnut.com domain, while technical infrastructure details were distributed to law enforcement and cybersecurity researchers to enable ongoing monitoring. BleepingComputer notes that the disruption represents part of a broader systemic challenge: the proxy industry operates through interconnected reseller networks where operators purchase and redistribute botnet capacity, meaning disruption of a major provider typically forces threat actors to migrate to competing services rather than cease operations entirely, a structural limitation of infrastructure-level takedowns that leaves the underlying demand and operational incentives for residential proxy abuse unchanged.
Source: BleepingComputer. NetNut Proxy Network Disrupted, 2 Million Infected Devices Cut Off. [online] Published 3 July 2026. Available at: https://www.bleepingcomputer.com/news/security/netnut-proxy-network-disrupted-2-million-infected-devices-cut-off/
AI Deepfakes, Bots, and Sockpuppet Networks
An analysis published by Memesita states that the 2026 FIFA World Cup has attracted coordinated disinformation operations using three primary AI-enabled tactics: synthetic media fabrications of players and officials designed to carry geopolitical narrative payloads, automated bot amplification systems disseminating false content across social platforms faster than fact-checking infrastructure can respond, and sockpuppet networks blending fabricated political grievances with legitimate sports commentary to evade detection. The analysis identifies the global audience scale of the tournament, spanning multiple geopolitical fault lines across North America, Europe, and the Middle East, as structurally optimal for influence operations seeking simultaneous multilingual reach and reduced critical evaluation thresholds among entertainment-focused audiences.
An analysis published by Memesita states that the tournament environment creates a secondary vulnerability through what the article terms the Liar's Dividend: as deepfake synthetic media involving football players and officials becomes more widely circulated, actors gain increasing capacity to dismiss genuine documentation or evidence as AI-generated, creating conditions for epistemic collapse that undermine accountability mechanisms in both sports and political contexts. Memesita acknowledges significant uncertainty regarding conversion rates, noting that it is currently unclear how much of this disinformation successfully alters the perception of the tournament among casual viewers, a limitation that reflects the broader measurement challenge in assessing influence operation effectiveness, in which the volume and velocity of disinformation output can be quantified while the cognitive impact on target audiences remains difficult to isolate from ambient political conditions.
Source: Memesita. 2026 World Cup Faces Surge in AI Disinformation and State Propaganda. [online] Published 3 July 2026. Available at: https://www.memesita.com/2026-world-cup-faces-surge-in-ai-disinformation-and-state-propaganda/ (memesita.com).
HAARP Conspiracy Surges to 134,000 Mentions
A report published by NewsGuard states that as devastating twin earthquakes struck Venezuela and extreme heat scorched Europe in late June 2026, mentions of HAARP, the High-frequency Active Auroral Research Program, a US ionospheric research facility in Alaska, surged from 16,200 to 134,000 per week, a roughly eightfold increase driven by viral social media posts attributing both natural disasters to deliberate US government weaponisation of weather and seismic conditions. A 25th June post on X from a Mexico-based account asserted that 'The United States used its HAARP system against Venezuela to destroy its infrastructure. To more easily plunder its oil,' accumulating 60,000 views and 1,000 likes, while a 28th June French-language TikTok video claimed HAARP was 'a project aimed at controlling natural phenomena such as tsunamis, heat, wind, rain, earthquakes, etc.' across multiple countries.
A report published by NewsGuard states that HAARP director Jessica Matthews directly refuted the claims, stating the facility cannot generate or amplify weather events or earthquakes, with a University of Colorado-Boulder research scientist adding that HAARP's radio waves penetrate less than 1 centimetre into the ground while earthquakes typically originate miles below the surface, a physical incompatibility that directly contradicts the conspiracy's mechanism. The Venezuela earthquakes originated 6 and 13 miles below the surface, triggered by the shifting of the Caribbean and South American tectonic plates. NewsGuard situates the surge within a documented pattern in which catastrophic natural events reliably activate deep-state conspiracy frameworks, with HAARP serving as a persistent attribution target since its construction in the 1990s, a pattern that represents a structurally exploitable vulnerability in crisis information environments, where attribution pressure, grief, and political grievance combine to reduce critical evaluation thresholds precisely when accurate situational information is most consequential.
Source: NewsGuard Reality Check. Blaming the Deep State for Earthquakes and Heatwaves. [online] Published 30 June 2026. Available at: https://www.newsguardrealitycheck.com/p/blaming-the-deep-state-for-earthquakes
[Appendix - Frameworks to Counter Disinformation]
EU AI Act Code of Practice Signatories Ahead of August Enforcement
An article published by ActReady states that providers and deployers of generative AI systems subject to Article 50(2) or 50(4) of the EU AI Act have until 22 July 2026 at 18:00 CEST to sign the Code of Practice on Transparency of AI-Generated Content, with initial signatories receiving the presumption of conformity, a legal benefit that shifts the compliance burden by allowing organisations to reference the Code rather than independently constructing arguments demonstrating that their approach satisfies transparency requirements. The deadline is structurally significant because Article 50 transparency obligations become directly enforceable from August 2nd 2026, meaning organisations that sign after 22 July may not have the presumption established before enforcement begins and will not appear on the initial published signatory list.
An article published by ActReady states that eligible parties include providers of generative AI systems capable of producing synthetic audio, image, video, or text, as well as deployers who use such systems to publish content on matters of public interest, including deepfakes and AI-generated text, and that practical implementation steps involve confirming organisational status as provider, deployer, or both, reviewing the Code's measures for operational feasibility, and integrating compliance work into August 2 readiness planning. ActReady situates the deadline within the broader context of the EU AI Act's phased enforcement schedule, noting that the Code of Practice represents a voluntary mechanism carrying a significant legal incentive, and that organisations already planning to sign have no regulatory or strategic reason to delay submission, a framing that positions the July 22nd deadline as a de facto obligation for any generative AI operator seeking to establish a favourable compliance baseline before the transparency regime becomes fully active.
Source: ACT Ready. Want the Presumption of Conformity? You Have Until July 22: EU AI Act Code of Practice Signatory Deadline. [online] Published 22 June 2026. Available at: https://getactready.com/blog/eu-ai-act-code-of-practice-signatory-deadline-july-22
Consumer Deepfake Detection Market Expands
An article published by Biometric Update states that three new deepfake detection products launched in June 2026 reflect an expanding market in which detection capability is shifting from enterprise-specific tools toward consumer-accessible platforms, driven by Deloitte projections of generative AI fraud losses reaching USD 40 billion in the United States by 2027. Scam.ai and Qualcomm released Halo, an on-device deepfake detection model for video conferencing on desktop that operates locally without cloud infrastructure and was specifically optimised for Qualcomm-powered devices, with Scam.ai co-founder Dennis Ng stating that on-device processing curbs attacks from the source by eliminating the latency and privacy exposure of cloud-based detection. At the same time, Bitdefender launched RealCheck for Android and iOS, a tool that analyses submitted videos to distinguish malicious deepfakes from satirical content and provides reports on the likelihood of manipulation and deceptive intent, available in 14 countries.
An article published by Biometric Update states that South Korea's Korea Internet and Security Agency simultaneously announced 11 new research projects focused on deepfake detection and fraud suppression as part of broader efforts to enable safe personal data use in AI applications, situating the product launches within a government-industry co-investment pattern in which regulatory concern and commercial incentive are converging around detection infrastructure development. Biometric Update assesses these launches as evidence that deepfake detection is transitioning from a specialised enterprise security function toward a consumer necessity, a structural shift driven by the growing accessibility of voice-cloning and facial synthesis tools that have enabled large-scale fraud operations, including the coordinated investment scam deepfake campaigns documented targeting World Cup audiences during the same period, and that the absence of standardised detection benchmarks across national jurisdictions remains a significant gap in the emerging detection ecosystem.
Source: Biometric Update. New deepfake detection product launches reflect expanding market. [online] Published 30 June 2026. Available at: https://www.biometricupdate.com/202606/new-deepfake-detection-product-launches-reflect-expanding-market
[CRC Glossary]
The nature and sophistication of the modern Information Environment is projected to continue to escalate in complexity. However, across academic publications, legal frameworks, policy debates, and public communications, the same concepts are often described in different ways, making collaboration, cooperation, and effective action more difficult.
To ensure clarity and establish a consistent frame of reference, the CRC is maintaining a standard glossary to reduce ambiguity and promote terminological interoperability. Its scope encompasses foundational concepts, as well as emerging terms relating to Hostile Influence and Cyfluence.
As a collaborative project maintained with input from the community of experts, the CRC Glossary is intended to reflect professional consensus. We encourage you to engage with this initiative and welcome contributions via the CRC website.
_edited.png)
.png)