joe bodnar
I track state-backed info ops at @isdglobal.bsky.social. Cited by the Economist, AP, CNN, Washington Post, and others. Opinions mine and open to change
- Operation Overload runs the same play over and over. It's lazy clockwork. Here's a claim from a few days ago next to a claim from last year. They look a lot alike.
- Finally, we have a definitive answer to the question of whether AI, bots, and laundering tactics will improve China’s information operations. The answer is no.
- Reposted by joe bodnarAmong the many reasons you don’t kidnap a foreign head of state at gunpoint even if you have the capability, is that it sparks consequences you can neither control nor anticipate.
- Reposted by joe bodnarThe US TikTok sale has been signed. The company will be controlled by a joint venture including Oracle, Silver Lake, Andreessen Horowitz, Abu Dhabi-based MGX. Adding a UAE company really makes it clear that this was never about national security concerns. www.axios.com/2025/12/18/t...
- Graphika recently reported on a pro-CCP network attacking Missouri AG Catherine Hanaway. Finding the network wasn't hard. It's using the hashtag FuckHanaway. Here's what else it's talking about. I should stress, though, that no one is listening. The engagement is tragically low.
- Big spike in articles published by the Pravda Network site focused on Australia. More than 400% increase from Dec 13 to Dec 14.
- I believe this is Iran's Storm-2035 making a push against the Trump administration's actions against Venezuela by using the hashtag ElMundoRepudiaATrump on X. Several of these accounts are confirmed 2035.
- Meta's Threat Report essentially declared the end of Iran's Endless Mayfly operation, at least on Meta platforms. That's not entirely the case. There's a few Insta stragglers tied to IUVM and at least a dozen Insta accounts posting identical hashtags and content to X accounts flagged by OpenAI.
- The Ministry of State Security is just like us! Reminds me of one hacktivist Telegram channel that periodically shares screenshots of their TryHackMe progress.
- The names of two partial owners of contractor firms linked to China's Salt Typhoon hacker group also appeared in records for Cisco's "Networking Academy" global training program—years before those hackers targeted Cisco's devices in their sweeping spy campaign. www.wired.com/story/2-men-...
- In my work, the biggest story of 2025 has been Russian IOs pivoting away from the US. I don't have comprehensive data on all covert ops. But if we use 1516 as an example, the US was its top target in 2024 and not even a top 5 target in 2025. Anecdotally, that roughly holds for all other ops, too.
- Great news but also, how were these entities not already sanctioned? apnews.com/article/uk-s...
- Reposted by joe bodnarWow -- Russia reportedly plotted last year to plant bombs on US-bound flights (gift link) giftarticle.ft.com/giftarticle/...
- Reposted by joe bodnarArticle d’un journaliste du Figaro dont l’identité a été usurpée dans le cadre de la dernière opération informationnelle de Storm-1516. www.lefigaro.fr/internationa...
- It strikes me that people make fun of American politicians or influencers who post AI nonsense. But when Russia, China or Iran does the same thing, people act like they're sophisticated threat actors capable of shaping global opinion at will.
- I’m off this week, but I hear the MAGA influencer accounts on X that have been amplifying Russian IOs aren’t based in the US. And I’m shocked.
- It's still so cool when outlets I read every day cover research I contributed to. You can read more about ISD's findings here: www.isdglobal.org/digital_disp...
- Reposted by joe bodnar[Not loaded yet]
- There's been a lot of talk about how the Pravda network impacts LLMs. But real people are finding, reading, and citing it. Our latest piece shows that Pravda network links have appeared in reporting from reputable outlets and in commentary from high-traffic sites. www.isdglobal.org/digital_disp...
- So, we're doing AI summaries and chatbots in the middle of articles about US war plans? Journalism alive and well?
- Pro-Kremlin crowd seems pretty upset with Trump today
- Storm-1516 and Operation Overload had things to say about Angelina Jolie's trip to Ukraine. Also, here's another example of a 1516 influencer copying and pasting a DM link into their post. Seem these influencers are getting instructions sent straight to their DMs.
- This high-end 1516 film took only 2 months to produce.
- Reposted by joe bodnar[Not loaded yet]
- Reposted by joe bodnar[Not loaded yet]
- Reposted by joe bodnar[Not loaded yet]
- This Google blog begs the question: How can an organization with all the world's data provide such an incomplete view of Russian IOs? cloud.google.com/blog/topics/...
- Think about all the personal data that Saudi Arabia could gobble up with this acquisition
- Reposted by joe bodnar[Not loaded yet]
- TikTok says it removed a network of more than a quarter million accounts targeting Moldovans with content meant to promote pro-Russia candidates. That's an absolutely insane number. It'd be great to get more than three sentences on this op. www.tiktok.com/transparency...
- This is why Russian ops have created 700 million stories about Zelensky misusing US funding for Ukraine
- I know several people who had some evidence linking REST to Rybar, but the DFR Lab provides definitive proof here. Really amazing domain analysis. dfrlab.org/2025/09/23/s...
- The amount of Russian interference in Moldova is staggering.
- Reposted by joe bodnar[Not loaded yet]
- Great reporting from the BBC. They uncovered a pro-Russia op paying Moldovans to post disinfo. The DFR Lab apparently did some digging and found a TikTok network linked to the op that's gained 55M views. www.bbc.com/news/article...
- As someone from Georgia, it’s very cool to see my name in the AJC, even if they’re republishing an AP article. I’ll take it! www.ajc.com/news/2025/09...
- Oh, come on, what an awesome find: "Frames from Dougan’s interview with French media show a Python script calling Ollama (via a function named restart_ollama()), an LLM inference framework used to run local or self-hosted LLMs." www.recordedfuture.com/research/cop...
- Reposted by joe bodnar[Not loaded yet]
- The Utah governor's claim that Russian bots are exploiting Kirk's death seems true but overblown. I've seen limited activity from operations like Overload, Undercut, Doppelganger. Pravda published 100+ articles. A few dozen Copy Cop sites posing as local outlets published 90 articles. Nothing viral
- Pretty interesting to see a 1516 video break out so long after it was seeded. Just spotted a Newsmax correspondent amplifying it.
- Reposted by joe bodnar[Not loaded yet]
- There's a small, apparently coordinated network of X accounts attacking Rubio and defending Venezuela:
- So we’re doing this now, huh? www.reuters.com/world/europe...
- Reposted by joe bodnar[Not loaded yet]
- Been out for a couple days and see Operation Overload migrated to YouTube. The videos I've seen have less than 50 views. The op keeps expanding and keeps being ignored.
- Reposted by joe bodnarA United States Senate investigation has identified more than 500 credible reports of human rights abuses in US immigration detention since January, including alarming allegations of mistreatment of pregnant women and children.
- Corporate needs you to find the differences between Russia's Foreign Ministry and a Storm-1516 influencer
- Reposted by joe bodnar[Not loaded yet]
- Interesting to see leaked docs from a company that claims to be revolutionizing Chinese info ops with AI. Less interesting to see the NYT take those claims at face value. I've seen no evidence AI has meaningfully improved info ops. www.nytimes.com/2025/08/06/u...
- Odd that this story doesn't mention Galloway's work for Russian and Iranian propaganda outlets. It also doesn't mention how often Bridgen promotes pro-Kremlin lines. Those two former MPs weren't duped. They spread this type of content intentionally.
- Archiving sites have been giving me absolute hell. I wonder how much malicious content is going undocumented, at least in public repositories, because there's no easy, quick way to do so.
- Reposted by joe bodnar[Not loaded yet]
- Z-Alliance and NoName057(16) are now using an APT28 logo in videos purporting to show them hacking critical infrastructure. Very fancy.
- Big IO takedown numbers from Google. But why even release this bulletin? There's no way for anyone to make sense of who controlled the channels, what narratives they promoted, or how impactful they were from something like this. blog.google/threat-analy...
- Bragging about your Russia ties is a good way to unwind after a long day of fabricating quotes.
- Interesting detail in here about how Afrique Media, which has ties to the Wagner Group and collaborates with RT, bought and repurposed a YouTube channel with 1.2M subscribers. indicator.media/p/buy-sell-y...
- This lines up with Operation Overload's anti-LBGTQ+ content targeting Moldova. The lead up to their September election is going to be chaotic.
- "Not good! This is a pit!" might be my favorite Spamouflage quote
- Leaders of the African Initiative were also sanctioned here. That initiative is behind at least three sites targeting the UK: britishattitudes[.]com, britishtalks[.]com, and euronewstop[.]co[.]uk
- I've seen hundreds of Overload posts over the past year, and I can count on one finger the number of times it went viral. Here's our report on Overload's Q2 activities. Takeaways: platforms stepped up, and unless something changes, we should be strategically silent www.isdglobal.org/digital_disp...
- Reposted by joe bodnarNew from me: Chinese government-backed hackers have become even more aggressive in breaking into U.S. government networks and companies, powered by a private industry liberated to choose targets themselves. Free link with email etc. wapo.st/4kFltKM
- Interesting find. There appear to be nine TrueFact subdomains so far. In a very Pravda-like move, the subdomains are named after specific countries or regions. They share TSL certificates with known Dougan sites like the Boston Times and Miami Chron, according to crt[.]sh.
- The Iranian site that claims to have crowdfunded $40M for a bounty to assassinate Trump has only had 1,300 visitors. Weirdly, all that traffic is from Canada. 75% of bounced. So, we're looking at roughly 300 Canadians who love Iran enough to donate a collective $40M. Seems plausible.
- Same energy
