Debunk.org is one of the numerous media and organisations targeted by the Operation "Overload". In this campaign, pro-Russian actors have been flooding mostly credible outlets and fact-checking organisations with e-mail or social media tags each demanding the same - to verify the dubious content they found online. The content indeed wasn't authentic, but what CheckFirst and partner organisation have found out is that the whole campaign - from producing, sharing, then massively demanding debunks- has been run from the same source.
Russian malevolent actors have increasingly been targeting organisations through disinformation campaigns. A recent report presents an in-depth analysis of 120 e-mails received by Debunk.org as part of a targeted campaign reminiscent of the tactics employed in "Operation Overload." Similar to the coordinated efforts observed in "Operation Overload," published by Check First and partner organisations this campaign against Debunk.org reveals a fluctuating pattern of e-mail activity, with significant peaks on specific dates such as June 19, 24, 25, and 28, 2024. These spikes suggest a concentrated effort to engage or challenge Debunk.org’s mission, potentially overwhelming its team and diverting resources from addressing actual disinformation events to debunking targeted false content.
The e-mails, predominantly linking to various Telegram channels, cover a range of themes, including disinformation, political allegations, and social issues. The subject lines further categorise the nature of these e-mails, from verification requests to clickbait designed to provoke curiosity or urgency.
Additionally, the analysis of e-mail service providers highlights a dominance of Gmail, while an examination of usernames points to instances of duplicates and patterns in their construction. The timing of e-mail reception aligns with major public holidays in Lithuania and Russia, indicating persistent communicative activity even during these periods.
Moreover, the links within the e-mails emphasise Telegram’s role as a key medium for information dissemination, alongside occasional references to other platforms and news sources. This report aims to uncover the systematic disinformation attempts and the strategic targeting of Debunk.org, providing insights into the methods and tools used by those aiming to disrupt its operations.
We collected and analysed 120 e-mails sent to Debunk’s business e-mail account as part of the campaign. From the dataset provided, it's evident that the organisation experienced varying levels of e-mail activity, ranging from periods of minimal to heightened engagement. While, as mentioned in the beginning, the Debunk.org team has been receiving e-mail inquiries starting from June 9, 2023, it has been observed that a significant uptick in e-mail volume has emerged. Specifically, on June 19th, 24th, 25th, and 28th, 2024, the organisation received exactly four e-mails each day.
Additionally, notable spikes occurred on several other dates where the organisation received exactly two e-mails, including April 10th and 15th, 2024, March 8th and 12th, 2024, February 5th, 2024, December 28th, 2023, and September 6th and 11th, 2023. Furthermore, the organisation received exactly three e-mails on June 20th, 26th, and 27th, 2024.
These dates marked a period of heightened communication directed towards Debunk.org, reflecting a focused effort to engage with or perhaps challenge the organisation's mission and activities.
There seems to be a correlation between significant EU-Ukraine events and spikes in e-mail activity at Debunk.org. The commencement of EU accession negotiations and major conferences and summits are particularly aligned with periods of heightened engagement in e-mails received by the Debunk.org team. This suggests that major geopolitical events and discussions around Ukraine's EU integration likely drive public and media interest, leading to more inquiries and communications directed at Debunk.org.
The objective of this tactic is to overwhelm Debunk.org and its research team, forcing the organisation’s experts to divert their attention from actual disinformation events to verifying and debunking false content specifically crafted and disseminated to target them.
This strategy has resulted in a notable increase in e-mail volume, as evidenced by the analysed data. Several key topics and events can be identified, along with a systematic attempt at disinformation. The e-mails predominantly contain links to Telegram channels spreading various news, rumours, and allegations. The focus areas in these e-mails include 5 distinct themes.
The findings presented by Debunk.org team align closely with those documented in the Operation Overload report by ChechFirst and Reset, indicating they are part of the same disinformation campaign. Similar themes are observed, such as allegations against the Ukrainian government and military, misinformation regarding international events like the Olympics, and political scandals involving Ukrainian and international figures.
Subject Lines
Additionally, we have analysed the subject lines and arrived at several categorisations. For example, the subject lines in question can be categorised into various types, including verification and fact-checking (e.g., "verification," "check the post"), specific events and news topics (e.g., "U.S. Embassy in France," "Macron is resigning"), and those with an accusatory or suspicious tone (e.g., "Rfi released a fake news story," "The hockey game is fake").
On the other hand, some subject lines are repetitive or general (e.g., "check the news," "News"), while others are informative (e.g., "News from Greenpeace," "Bedbug news") or serve as a call to action (e.g., "Confirm or deny, please," "help me check for fake"). Additionally, clickbait or ambiguous subject lines (e.g., "Look at this," "a real story?") could also be observed during the analysis and appear to be designed to spark curiosity or a sense of urgency.
E-mail Service Providers and Usernames
An analysis of the e-mail dataset reveals significant insights into the usage of different e-mail service providers, specifically those that are free and allow for anonymous account creation. The dataset, comprising e-mails sent from various domains, shows a predominant use of Gmail, with 110 e-mails originating from this service. In contrast, Hotmail and Outlook, which are also free and offer similar anonymity, are much less frequently used, with only 8 and 1 e-mails, respectively. This distribution indicates a clear preference for Gmail among the e-mail senders in the dataset, highlighting its dominant position in the market compared to Hotmail and Outlook. The anonymity provided by these free services can be a double-edged sword, as it often facilitates deviant internet practices, raising concerns about their role in enabling unethical behavior online. Notably, the same e-mail providers were determined to be commonly used in the Operation Overload report by Check First and Reset, underscoring their association with suspicious activities.
The analysis of the e-mail addresses reveals a few instances of duplicate entries, notably for the usernames “isaocanaday”, “zambotommie69”, and “hillary_gracie_1996”, each appearing twice. Many usernames appear to be constructed from personal names, either as full names or as combinations of first names and last names.
Numbers are frequently appended to usernames, possibly to differentiate users with similar names or to meet unique username requirements. Examples include “duroalban539”, “catya0338”, and “briannadrake859”. A few usernames appear to include random strings of letters or initials, which may be an attempt at creating a unique identifier or could be randomly generated. Examples include “k65621255” and “zifunnywayvimer079”. Some usernames incorporate descriptive words or non-name elements that may reflect personal interests, nicknames, or other characteristics. Examples include “crayudelq”, “cokely45”, and “reglinvirginie”.
Date and Time of E-Mails
The analysis of e-mail reception data reveals significant patterns in relation to specific dates and times, particularly concerning public holidays celebrated in Lithuania and Russia. The data indicates a substantial influx of e-mails on the 24th of June 2024, which corresponds to St. John’s Day or Midsummer, a notable Lithuanian public holiday, with four e-mails received at various times throughout the day. Additionally, Labour Day on the 1st of May, which is celebrated in both Lithuania and Russia, shows a single e-mail receive. Similarly, International Women’s Day on the 8th of March, a widely recognised holiday in Russia, is marked by two e-mails received. Lastly, the Defender of the Fatherland Day on the 23rd of February in Russia also shows e-mail activity with one e-mail received. This pattern suggests a notable level of professional or communicative activity even during major public holidays, highlighting the pervasive nature of e-mail communications irrespective of public holidays.
Links and Domains
The analysis of singled out links reveals a substantial concentration originating from the domain "t.me," with a total of 362 links, underscoring Telegram's dominance as a primary medium for communication and content sharing among users. This frequency highlights the platform's pivotal role in information dissemination.
Beyond "t.me," other domains were identified, though with markedly lower frequencies. Notably, "twitter.com" and "x.com" were found 29 and 11 times, respectively, suggesting occasional sharing of tweets and related content. The presence of "pravda-fr.com" (4), "pravda-es.com" (2), "pravda-it.com" (1), "pravda-de.com" (1), and "pravda-en.com" (1) reflects the distribution of Pravda news articles across different language-specific domains, indicating a multilingual dissemination of news. The domain "youtu.be," appearing twice, highlights the sharing of YouTube videos, while "ok.ru," with one link, points to the use of the Russian social network Odnoklassniki. Additionally, the single occurrences of "russianfreepress.com" and "rmc.bfmtv.com" suggest the sharing of content from independent Russian news sources and French media outlets, respectively. The inclusion of "m-herson.tsargrad.tv" further indicates the use of Tsargrad TV, a Russian news channel, as a source.
ABCDE Framework
A – Actor:
The actors involved in this campaign appear to be individuals or groups using predominantly Gmail accounts to send e-mails. The use of duplicate usernames suggests organised efforts possibly involving multiple accounts operated by the same entities. Additionally, the links within the e-mails point to significant activity on Telegram channels, indicating coordinated efforts across specific platforms.
B – Behaviour:The activities exhibited include the systematic sending of e-mails to Debunk.org, particularly during significant dates, to overwhelm and distract the team. The e-mails contain links to disinformation and provocative content, suggesting a deliberate attempt to mislead and engage the organisation in verifying false claims.
C – Content:The content distributed through these e-mails includes themes such as disinformation about the Ukrainian military and government, political allegations, social issues, and security threats. The subject lines range from verification requests to clickbait, designed to provoke urgency or curiosity, thus increasing the likelihood of engagement from Debunk.org's team.
D - Degree:The impact is significant, affecting Debunk.org by diverting its resources from genuine disinformation events to debunking targeted false content. This strategy disrupts the organisation's operations and reduces its effectiveness in addressing actual disinformation. The heightened e-mail activity during major geopolitical events and public holidays further exacerbates the disruption.
E – Effect:The systematic targeting and overwhelming of Debunk.org through e-mail campaigns lead to decreased efficiency in Debunk’s primary mission. By forcing the team to respond to fabricated and misleading content, the campaign hampers organisation’s ability to combat real disinformation, ultimately affecting the broader public who rely on Debunk.org for accurate information.
Conclusion
This comprehensive analysis of the 120 e-mails received by Debunk.org as part of a targeted campaign reveals significant insights into the tactics and strategies employed by those aiming to disrupt the organisation's mission. The fluctuating patterns of e-mail activity, with notable spikes on specific dates, underscore a concerted effort to engage or challenge Debunk.org. This deliberate timing aligns with major public holidays and geopolitical events, suggesting a strategic approach to maximise disruption and divert resources from genuine disinformation challenges. Key findings:
Patterns of E-mail Activity: Significant peaks in e-mail activity were observed on dates such as June 19, 24, 25, and 28, 2024. These spikes indicate periods of concentrated effort to overwhelm Debunk.org, coinciding with major geopolitical events and public holidays in Lithuania and Russia.
Themes and Subject Lines: The e-mails predominantly linked to Telegram channels and covered various themes, including disinformation, political allegations, social issues, and international events. Subject lines ranged from verification requests to clickbait designed to provoke curiosity or urgency, reflecting a systematic attempt to engage Debunk.org's resources.
E-mail Service Providers and Usernames: The analysis revealed a dominance of Gmail among the e-mail senders, with a significant number of duplicate usernames and patterns in their construction.
Timing and Correlation with Events: The timing of e-mail reception aligns with major events related to EU-Ukraine relations, such as the commencement of EU accession negotiations and significant conferences. This correlation suggests that geopolitical developments drive public and media interest, leading to increased communication directed at Debunk.org.
Links and Domains: The prevalence of Telegram links emphasises the platform's role in information dissemination. Other domains, though less frequent, also contribute to the spread of news and content, reflecting a diverse range of sources used in the campaign.