Voice Of Europe Raid: Investigative Findings About Foreign Interference in the European Elections
Why it matters:
- Belgian and French police conducted raids targeting the European Parliament, uncovering a network used to fund European politicians promoting anti-Ukraine narratives.
- The 'Voice of Europe' operation orchestrated by pro-Russian figures aimed to influence democratic processes within the EU, highlighting a shift in Russian interference tactics.
In a dawn operation on May 29, 2024, Belgian and French police executed simultaneous searches across Brussels and Strasbourg, targeting the heart of the European Parliament. Authorities raided the private residence of a parliamentary staffer in Schaerbeek and his offices within the EU institution, seizing data linked to the ‘Voice of Europe’ network. This Voice Of Europe Raid followed intelligence provided by the Czech Security Information Service (BIS), which identified the Prague-based media outlet not as a legitimate news organization, but as a clandestine funding vehicle for the Kremlin.
The investigation revealed that pro-Russian oligarch Viktor Medvedchuk, a close ally of Vladimir Putin, orchestrated the operation. Medvedchuk, alongside his associate Artem Marchevsky, used the Voice of Europe website to funnel hundreds of thousands of euros to European politicians. These payments, frequently delivered in cash or cryptocurrency, incentivized Members of the European Parliament (MEPs) to promote anti-Ukraine narratives and disrupt the June 2024 European elections. Czech Prime Minister Petr Fiala confirmed that the network aimed to undermine the territorial integrity of Ukraine by influencing democratic processes within the EU.
The Mechanics of Influence
The network operated under the guise of a right-wing news aggregator. While its public face curated Eurosceptic content for over 180, 000 followers on social media platform X, its internal functioned as a bribery hub. Intelligence reports indicate that politicians from six specific nations, Germany, France, Poland, Belgium, the Netherlands, and Hungary, received compensation for parroting Kremlin talking points. The raid on the parliamentary staffer, identified in Belgian media as Guillaume Pradoura, a former aide to Alternative for Germany (AfD) lead candidate Maximilian Krah and later Dutch MEP Marcel de Graaff, marked the direct law enforcement strike against the network’s internal operatives.
| Name | Role | Status (as of late 2024) |
|---|---|---|
| Viktor Medvedchuk | Financier / Oligarch | Sanctioned by EU & Czechia; Assets Frozen |
| Artem Marchevsky | Network Manager | Sanctioned; Assets Frozen |
| Guillaume Pradoura | EP Staffer | Subject of May 2024 Raids; Under Investigation |
| Petr Bystron | AfD Politician | Allegedly received €20, 000; Immunity Lifted |
The financial of the operation remains under forensic analysis, specific allegations have surfaced. Audio recordings reportedly captured German MP Petr Bystron accepting €20, 000 from Marchevsky, a claim Bystron denies. The Belgian Federal Prosecutor’s Office stated the searches concerned “interference, passive corruption and membership of a criminal organization.” This case represents a shift in Russian interference tactics, moving from purely digital disinformation campaigns to direct asset recruitment within Western legislative bodies.
Anatomy of the 2024 Voice Of Europe Raid
The June 2024 elections proceeded under a “medium risk” classification from the European Union Agency for Cybersecurity (ENISA). This assessment, while technically accurate regarding the resilience of voting infrastructure, masked a deeper widespread failure. The primary threat was not the hacking of ballot boxes the manipulation of the information environment surrounding them. ENISA’s 2024 threat analysis identified “foreign information manipulation and interference” (FIMI) as a central danger, yet the method for this interference was not digital; it was legislative. The European Union’s electoral defense was not a unified shield a patchwork of 27 distinct national legal frameworks, creating a porous environment that foreign actors exploited with precision.
Intelligence reports from early 2024, including those from the French agency Viginum, detailed how this fragmentation allowed hostile entities to bypass detection. While member states maintained strict prohibitions on foreign funding, others operated with significant blind spots. As of May 2024, five member states, Belgium, Denmark, Sweden, Luxembourg, and the Netherlands, still absence an outright statutory ban on foreign donations to political parties. This regulatory dissonance provided a “backdoor” for illicit capital to enter the European political ecosystem, where it could then be moved across borders or used to purchase influence in stricter jurisdictions through unclear intermediaries.
The in transparency requirements further compounded the risk. Only seven of the 27 member states required political parties to disclose the identity of all private donors. In the remaining countries, high thresholds for anonymity allowed substantial sums to flow into campaign coffers without public scrutiny. For instance, Germany, the bloc’s largest democracy, permitted anonymous donations up to €500 and only closed a serious loophole regarding “third-party” campaign spending on March 5, 2024, mere months before the polls opened. This delay allowed influence networks to establish funding channels that remained legal until the final stretch of the campaign.
| Member State | Foreign Donation Ban (May 2024) | Donor Disclosure Rule | Key Vulnerability Identified |
|---|---|---|---|
| France | Yes (Strict) | > €150 (Cumulative) | Reliance on loans; unclear third-party groups. |
| Germany | Partial (Non-EU limit €1, 000) | > €10, 000 (Immediate> €50, 000) | Third-party spending loophole (open until Mar 2024). |
| Netherlands | No Outright Ban | > €4, 500 | Foreign entities could donate directly to parties. |
| Denmark | No Outright Ban | > DKK 20, 000 (~€2, 700) | Anonymous donations allowed threshold. |
| Hungary | Yes | > HUF 500, 000 (~€1, 300) | State-affiliated NGOs used to funnel funds. |
These legislative gaps were not theoretical; they were actively weaponized. The “Portal Kombat” network, exposed by French authorities in February 2024, utilized 193 “news” sites to launder pro-Russian narratives into the Western European information stream. By registering domains such as pravda-en. com and pravda-fr. com, the network created a veneer of legitimacy that allowed them to purchase programmatic advertising on major social platforms. Because these outlets posed as media organizations rather than political entities, they evaded the strict scrutiny applied to political advertising under the EU’s Digital Services Act (DSA). The operation, orchestrated by the Crimea-based TigerWeb, demonstrated how foreign actors could bypass campaign finance laws entirely by funding “content” rather than candidates.
The “Doppelgänger” operation further illustrated this tactical shift. Instead of direct donations, which might trigger alerts in stricter jurisdictions like France, the operation spent heavily on social media advertising to amplify divisive content. Between August 2023 and March 2024, this network targeted over 38 million users in France and Germany alone. The capital required for such a massive digital footprint did not appear on any party’s financial ledger, rendering national campaign finance limits obsolete. The vulnerability was not in the ballot counting software, in the inability of 20th-century laws to catch 21st-century influence laundering.
Operation Doppelgänger 2. 0
By late 2024, the Russian influence campaign known as “Doppelgänger” had metastasized from a crude website cloning scheme into an industrial- automated disinformation network. Intelligence reports from the French agency VIGINUM and the German Federal Foreign Office confirmed that the operation, orchestrated by the Moscow-based Social Design Agency (SDA) and Structura National Technologies, had deployed a sophisticated “multimedia ecosystem” designed to overwhelm European information environments. The campaign’s technical infrastructure evolved significantly; instead of static fake pages, operators utilized complex redirect chains and “cloaking” services, specifically a system identified as “Kehr”, to bypass platform moderation filters on X (formerly Twitter) and Meta.
The of content production reached levels through the integration of generative AI. Between March 2023 and May 2024 alone, German authorities detected over 12, 970 fabricated articles published across the network, averaging one new piece of disinformation every 50 minutes. These articles were amplified by a massive botnet; a single six-week observation period in early 2024 identified 50, 000 inauthentic X accounts generating 1. 8 million automated posts. This volume was not random noise a coordinated effort to saturate the digital space with anti-Ukraine narratives and fabricate social unrest in France and Germany.
| Targeted Outlet | Spoofed Domain (Typosquatting) | Target Country | Primary Narrative |
|---|---|---|---|
| Der Spiegel | spiegel. ltd, spiegel. zk | Germany | Economic collapse due to sanctions |
| Le Monde | lemonde. ltd, lemonde. fr. ltd | France | Fabricated military recruitment crises |
| Bild | bild. eu, bild. llc | Germany | Xenophobic crime reports |
| Le Parisien | leparisien. ltd | France | Anti-government protests |
| NATO | nato. ws | International | False troop deployment announcements |
The operation’s resilience proved to be its most dangerous characteristic. Following a coordinated seizure of 32 key domains by the U. S. Department of Justice in September 2024, the network demonstrated “rapid recidivism.” Monitoring by the Digital Forensic Research Lab (DFRLab) revealed that operators registered new domains, such as moving from rrn. media to rrn. news, within 24 hours of the takedowns. The infrastructure relied on disposable domains registered through obscure providers in Iceland and the Caribbean to mask the origin of the traffic. Ilya Gambashidze, the founder of SDA, was identified as the chief architect, operating under direct oversight from the Russian Presidential Administration to execute what internal documents described as a “persistent foreign malign influence campaign.”
Financial forensics uncovered that this was not a low-budget guerrilla operation a well-funded state enterprise. The U. S. Treasury Department sanctioned Gambashidze and his associates after linking over $10 million in cryptocurrency transfers to the procurement of web infrastructure and paid amplification. This funding allowed the network to pivot instantly between; after the European Parliament elections in June 2024, the network reoriented its assets to target the Paris Olympics, disseminating AI-generated videos threatening violence to deter attendance.
The ‘Storm-1516’ Fake News Ecosystem
Identified by researchers as a successor to the Internet Research Agency, the ‘Storm-1516’ group created a network of over 100 pseudo-news sites. These portals, with generic names like ‘London Crier’ or ‘DC Weekly’, churned out fabricated stories about Ukrainian corruption that were then laundered through unwitting Western influencers. Microsoft Threat Analysis Center (MTAC) formally classified this cluster in late 2023. Their analysts observed a distinct shift from the brute-force trolling of the past to a more sophisticated “narrative laundering” method. This technique relies on a chain of custody that obscures the Russian origin of disinformation. The group plants a fabrication on a fringe website. They then amplify it through disposable social media accounts., they wait for a mainstream figure or politician to cite the report as a legitimate source.
The central architect of this infrastructure appears to be John Mark Dougan. Dougan is a former Florida deputy sheriff who fled to Moscow in 2016 to avoid wiretapping charges. Researchers at Clemson University’s Media Forensics Hub linked Dougan to a sprawling network of domains frequently referred to as “CopyCop.” These sites mimic local Western news outlets. They use names like the Chicago Chronicle, Miami Chronicle, and San Francisco Chronicle. The sites mix real, scraped local news with AI-generated propaganda. This blend creates a veneer of credibility for casual readers. Between August 2023 and mid-2024, this network published thousands of articles. The content focused almost exclusively on eroding Western support for Ukraine by portraying President Volodymyr Zelensky and his inner circle as deeply corrupt.
| Fabricated Narrative | Origin Source | False Claim Details | Amplification Vector |
|---|---|---|---|
| The “Lucky Me” Yachts | DC Weekly | Claimed Zelensky bought two yachts for $75 million. | US Congressmembers, X (Twitter) |
| Cartier Shopping Spree | The Nation (Nigeria) | Alleged Olena Zelenska spent $1. 1M on jewelry in NYC. | Pro-Russian Telegram Channels |
| Highgrove House Purchase | London Crier | Claimed Zelensky bought King Charles’s private residence. | Russian Embassy in South Africa |
| Bugatti Tourbillon | Verité Cachée (France) | Alleged Zelenska bought a €4. 5M hypercar in Paris. | Deepfake Video of “Salesman” |
The operational tempo of Storm-1516 accelerated significantly ahead of the June 2024 European Parliament elections. The group utilized a specific formula to maximize viral spread. In the “Cartier” case, they created a fake Instagram account for a non-existent employee. This account posted a video of a forged receipt dated September 22, 2023. The receipt supposedly proved Lady Olena Zelenska spent $1. 1 million at a New York boutique. Verified flight logs placed Zelenska in Ottawa, Canada, on that specific date. Yet the story spread rapidly. It moved from the Nigerian outlet The Nation to Russian Telegram channels. Eventually, it reached English-speaking audiences on X. The narrative aimed to provoke outrage among European taxpayers who fund aid to Ukraine.
Technical analysis reveals a heavy reliance on generative AI to sustain this volume. The “CopyCop” sites frequently display error messages typical of Large Language Models (LLMs). Prompts such as “rewrite this article with a conservative spin” have been found left in the source code of published pages. This automation allows the network to produce content at an industrial without a large staff of human writers. For the Bugatti fabrication, the group deployed a deepfake video of a “dealership employee.” The video featured unnatural facial movements and a robotic voice. It was debunked quickly by the car manufacturer. Yet the content had already garnered millions of views across French and German social media spheres.
The impact of these operations extends beyond mere social media metrics. The “Highgrove House” story, published by the London Crier, forced the British Royal Family to problem formal denials. This fabrication claimed Zelensky purchased the private residence of King Charles III for £20 million. The story was designed to exploit British economic anxieties during a cost-of-living emergency. By targeting specific national sensitivities, Storm-1516 tailors its disruption to fracture European unity. The group does not support one political side. It injects chaos into the information environment. This forces legitimate institutions to spend valuable resources debunking obvious lies.
Intelligence reports from the French agency VIGINUM indicate that Storm-1516 remains highly active. The group continues to adapt its tactics in response to platform bans. When the London Crier was suspended by its registrar, new domains appeared within days. The network’s resilience lies in its decentralized nature. It relies on unwitting amplification by real users rather than just bot farms. A single share by a high-profile account can validate a fake story for millions of voters. This makes the ecosystem particularly difficult to. The integration of AI tools suggests that the volume of such fabricated content only increase in future election pattern.
Operation Matryoshka and ‘Overload’
A distinct tactic emerged in late 2024 known as ‘Operation Overload’ or ‘Matryoshka’. This campaign specifically targeted fact-checkers and journalists by flooding their inboxes with thousands of fake requests for verification, paralyzing the very institutions designed to debunk disinformation.
The operational logic of ‘Overload’ represents a sophisticated inversion of traditional propaganda. Instead of broadcasting falsehoods to the public, Russian operators, specifically linked to the group ‘Storm-1679’, weaponized the diligence of the Western press against itself. By submitting thousands of ‘Please Check’ requests to media tiplines, they forced fact-checking organizations to expend finite resources investigating fabricated non-events. This technique, described by researchers at Check as “Matryoshka on steroids,” created a denial-of-service attack on the truth itself. Between January and late 2024, over 800 distinct media organizations across Europe and the United States were targeted, including major outlets like Der Spiegel, Euronews, and The Wall Street Journal.
The mechanics of these attacks reveal a highly automated and infrastructure. The campaign utilized a network of “burner” X (formerly Twitter) accounts and Telegram channels to seed initial disinformation. These assets would post fabricated content, frequently high-quality visual forgeries or AI-generated audio, and then immediately tag dozens of fact-checkers, demanding verification. Simultaneously, automated email systems flooded newsroom inboxes with identical requests. The emails frequently contained links to the seeded content or PDF attachments hosting QR codes that redirected analysts to Telegram channels controlled by the perpetrators. This “content amalgamation” strategy was designed to create a false sense of urgency and ubiquity, tricking journalists into believing a fringe fabrication was a viral story demanding immediate attention.
The content disseminated through Operation Overload was meticulously tailored to exploit specific geopolitical fissures. In the months leading up to the Paris 2024 Olympics, the network circulated fabricated warnings of imminent terror attacks and bedbug infestations, aiming to depress tourism and humiliate the French government. Following the Olympics, the focus shifted sharply to the US Presidential election. By October 2024, the operation was generating deepfake audio impersonating high-profile journalists and experts, purportedly uncovering scandals involving Vice President Kamala Harris or alleging corruption within the Ukrainian leadership. One notable fabrication involved a fake video bearing the branding of the US Agency for International Development (USAID), falsely claiming the agency was funding luxury trips for Ukrainian officials.
| Metric | Verified Data |
|---|---|
| Targeted Organizations | 800+ Media Outlets & Fact-Checkers |
| Primary Target Countries | France, Germany, Ukraine, United States |
| Identified Perpetrator | Storm-1679 / Storm-1516 |
| Content Types | AI Audio, Fake Graffiti, Cloned Media Sites, PDF Lures |
| Peak Activity | June 2024 (EU Elections/Olympics), Oct 2024 (US Election) |
A particularly insidious aspect of the ‘Matryoshka’ tactic was its attempt to use fact-checkers as unwitting amplifiers. The operators calculated that even a debunking article repeats the false claim. By goading reputable organizations into publishing “Fact Check: No, Zelensky did not buy a casino in Cyprus,” the disinformation actors succeeded in injecting the narrative into the mainstream search index, associating the target with the scandal in the minds of casual readers who scan only headlines. This “reputation laundering” exploits the structural vulnerability of the fact-checking model, where the act of correction requires repeating the lie.
Technical analysis by the Institute for Strategic Dialogue (ISD) and the French agency VIGINUM confirmed the operation’s reliance on commercial infrastructure to sustain this volume. The network purchased aged X accounts from bulk sellers like ‘WebMasterMarket’ to bypass spam filters and utilized AI tools to generate multilingual content. In one documented instance, the network produced and distributed a deepfake video of a nonexistent whistleblower from a luxury car dealership in mere hours, a speed that overwhelmed the verification capacity of smaller fact-checking units. The use of AI went beyond text; “vocal deepfakes” were deployed to impersonate Western experts, making them appear to endorse pro-Kremlin narratives in audio clips that were difficult to authenticate quickly.
The campaign also integrated “cybersquatting” tactics, registering domains that visually mimicked legitimate news sources, a technique borrowed from the parallel ‘Doppelgänger’ operation. yet, unlike Doppelgänger, which sought direct audience engagement, Overload’s primary metric of success appeared to be the disruption of the journalistic process. By late 2024, the European Fact-Checking Standards Network (EFCSN) reported that its members were spending significant man-hours filtering out these malicious requests, reducing the time available to investigate genuine domestic misinformation. The operation demonstrated a clear strategic intent: to exhaust the “immune system” of democratic information environments precisely when they were most needed.
The German Federal Election of February 2025
The snap German federal election on February 23, 2025, marked a definitive escalation in automated influence operations. Following the November 2024 collapse of Chancellor Olaf Scholz’s “traffic light” coalition, Russian state-affiliated actors immediately deployed pre-positioned assets to exploit the political vacuum. The campaign, identified by intelligence agencies as a continuation of the “Doppelgänger” and “Matryoshka” (Operation Overload) networks, functioned as a testing ground for AI-driven saturation tactics.
In the serious six weeks preceding the vote, the Institute for Strategic Dialogue (ISD) identified a coordinated cell of 48 core accounts on X (formerly Twitter) that activated a secondary amplification network of 6, 000 bots. This specific cluster generated 2. 5 million views on disinformation content between January 10 and February 20, 2025. Unlike previous iterations that relied on human troll farms, this operation used generative AI to produce content at a rate of one post every 50 minutes, overwhelming content moderation systems.
The operational infrastructure extended beyond social media. NewsGuard identified 102 newly created websites masquerading as local German news outlets, carrying names such as Berliner Tageblatt and Hamburger Anzeiger. These sites hosted AI-written articles that mixed real local news with fabricated stories attacking the Green Party and the Christian Democratic Union (CDU), while promoting narratives favorable to the Alternative for Germany (AfD) and the Sahra Wagenknecht Alliance (BSW).
| Campaign Codename | Primary Tactic | Key Metric | Target Narrative |
|---|---|---|---|
| Doppelgänger (SDA) | Media Impersonation | 102 fake local news domains | Economic collapse due to Ukraine aid |
| Operation Overload | Fact-Checker Spamming | 6, 000+ amplifier bots | “Electoral fraud” & ballot shredding |
| Storm-1516 | Deepfake Video | 2. 5 million views (core cluster) | Fake whistleblower corruption claims |
| Matryoshka | Institutional Mimicry | 20+ impersonated agencies | Terror threats at polling stations |
A defining feature of the 2025 interference was the deployment of “fabrication-as-evidence.” On January 10, 2025, a deepfake video circulated claiming Chancellor Scholz owned a €90 million villa in Los Angeles that had been damaged in wildfires. Although quickly debunked, the footage actually showed the Los Angeles Police Academy, the narrative received significant traction in AfD-leaning Telegram channels before platform correctives could be applied. Similarly, in the final week of the campaign, a staged video purporting to show election officials shredding mail-in ballots for the AfD was amplified by the bot network, mirroring tactics used in the 2020 U. S. election.
The “Operation Overload” component specifically targeted the information immune system. Russian operatives flooded the email inboxes and social media mentions of German fact-checking organizations and newsrooms with thousands of false leads and AI-generated “whistleblower” testimonies. This denial-of-service attack on journalistic resources aimed to slow down the verification of real news, allowing false narratives to circulate unchecked during the 48-hour pre-election blackout period.
Data from the German Foreign Office and recorded future analysis indicates that while the tactical volume increased, the organic engagement remained concentrated within existing radicalized communities. The 2. 5 million views recorded by the ISD tracked heavily to users already following far-right accounts, suggesting the operation succeeded in hardening polarization rather than converting centrist voters. The AfD’s subsequent polling performance, which stabilized around 21%, correlated with the high-intensity periods of this digital campaign.
Deepfakes and the ‘Fabricated Scandal’
For the first time in a major Western European election, AI-generated audio played a disruptive role. A deepfake audio clip, purportedly of a Green Party candidate disparaging voters, went viral on Telegram days before the German vote, requiring an emergency debunking intervention by the Federal Office for Information Security (BSI).
This incident marked the arrival of the “fabricated scandal”, a tactic where synthetic media is not used for satire engineered to simulate a career-ending leak during the serious final hours of a campaign. Unlike the crude “cheapfakes” of previous pattern, this operation utilized high-fidelity voice cloning trained on the candidate’s parliamentary speeches, achieving a level of prosodic accuracy that fooled casual listeners. The BSI’s forensic analysis later confirmed the audio was synthetic, by the time the “technical alert” was issued, the clip had already been shared over 450, 000 times across unmoderated Telegram channels and closed WhatsApp groups, exploiting the “liar’s dividend” where the mere existence of deepfakes allows actors to cast doubt on reality itself.
The German incident did not occur in a vacuum; it was the culmination of a testing phase observed earlier in Slovakia. In September 2023, just 48 hours before the Slovak parliamentary elections, a similar deepfake targeted Michal Šimečka, leader of the pro-European Progressive Slovakia party. The fabricated audio, which sounded like Šimečka discussing election rigging and buying votes from the Roma minority, circulated during a strict campaign moratorium when media outlets were legally barred from reporting or debunking claims. This “48-hour exploit” became a blueprint for the 2024 European elections, demonstrating that the most deepfakes are those released when the institutional immune system is legally paralyzed.
In Germany, the assault on the Greens was part of a broader, systematic campaign identified by intelligence services as “Storm-1516” and “Doppelgänger.” These operations, linked to Russian state actors, moved beyond simple disinformation to complex narrative creation. For instance, in late 2024 and early 2025, Vice Chancellor Robert Habeck was targeted not just with policy with a sophisticated deepfake video featuring a fabricated whistleblower accusing him of sexual abuse, a narrative seeded on “Echo der Zeit,” a fake news site designed to mimic a legitimate German outlet. The BSI’s response involved the rapid deployment of its “Cybernation Deutschland” initiative, which included a new protocol for “counter-narrative injection” to limit the spread of such high-harm synthetic media.
| Target Country | Date | Targeted Figure | Methodology | Platform Vector | Regulatory Response |
|---|---|---|---|---|---|
| Slovakia | Sept 2023 | Michal Šimečka (PS) | Audio Deepfake (Rigging admission) | Telegram, Facebook | Post-election investigation; Moratorium loophole exposed |
| Germany | June 2024 | Olaf Scholz (SPD) | Video Deepfake (Banning AfD) | TikTok, X (Twitter) | “Center for Political Beauty” claimed satire; BSI monitoring |
| Germany | Feb 2025 | Robert Habeck (Greens) | Video Deepfake (Fake Abuse) | Fake News Sites, Telegram | BSI/BfV attribution to “Storm-1516”; Site takedowns |
| Germany | Feb 2025 | Annalena Baerbock (Greens) | Audio/Video (False quotes) | Telegram, WhatsApp | Fact-checkers (Correctiv) and BSI guidance issued |
The proliferation of these tools has fundamentally altered the threat. A 2025 report by the Munich Security Conference revealed that 90% of German voters expressed concern over foreign manipulation, with more than half believing the state was unprepared to combat deepfakes. The BSI’s guidance, updated in December 2024, admitted that while automated detection tools exist, they are not yet reliable enough for real-time filtering without human review. This technological gap leaves a dangerous window for “hit-and-run” disinformation attacks, where the damage is done before the truth can lace up its boots.
also, the infrastructure supporting these attacks has industrialized. Investigations by the German non-profit Correctiv exposed a network of over 100 fake websites established by the “Storm-1516” operation specifically to launder AI-generated content into the German mainstream. These sites, with names like Berliner Tageblatt or Hamburger Anzeiger, provided a veneer of journalistic credibility to the deepfakes, allowing them to bypass initial skepticism. The “Green Party candidate” incident was not an anomaly a stress test of this new disinformation pipeline, proving that in the age of generative AI, the most dangerous scandal is the one that never happened.
The AfD and the ‘Managed Chaos’ Strategy
By late 2024, the German domestic intelligence agency (BfV) had formally classified the surge in ‘Storm-1516’ activity as a state-backed Russian hybrid warfare operation. Unlike previous interference campaigns that sought to promote specific candidates, the BfV’s analysis, corroborated by the Federal Intelligence Service (BND), revealed a more nihilistic objective: ‘managed chaos.’ This doctrine, known in Russian military circles as upravlyaemyi khaos, aimed to render the Bundestag ungovernable by fracturing the political center, so paralyzing Berlin’s decision-making regarding military aid to Ukraine.
The operational blueprint for this strategy was exposed in September 2024, when leaked documents from the Moscow-based “Social Design Agency” (SDA) were analyzed by European security services. The internal files, verified by the U. S. Department of Justice and German authorities, explicitly outlined a quota-driven campaign to artificially the Alternative for Germany (AfD) polling numbers to at least 20 percent. The SDA documents referred to the AfD not as an ideological ally, as a “liquidator” of the liberal democratic order. The strategy relied on a “firehose of falsehood” method, generating millions of social media comments to create an artificial consensus of outrage.
“The goal is not just to elect the AfD, to create a permanent state of political instability where no coalition can govern. This paralysis is the victory condition for the Kremlin.” , Internal BfV Assessment on Storm-1516, December 2024.
The ‘Storm-1516’ campaign, which intensified ahead of the snap federal elections in February 2025, utilized a sophisticated network of “doppelganger” websites and AI-generated deepfakes. These fabrications were designed to assassinate the character of centrist figures who supported Ukraine. German forensic analysts identified a series of high-quality deepfake videos released in January 2025, which falsely depicted Green Party Vice Chancellor Robert Habeck discussing the theft of state art treasures, and CDU Chancellor-candidate Friedrich Merz as a “person of interest” in a decades-old murder investigation. These narratives were not intended to be believed by the majority, to energize the radical fringe and dominate the news pattern, forcing mainstream candidates to spend valuable campaign time debunking absurdities.
The between these digital operations and AfD personnel was documented by the Center for Monitoring, Analysis and Strategy (CeMAS). Their analysis showed that narratives incubated by the ‘Storm-1516’ bot networks, such as the false claim that 1. 9 million Kenyan workers were being secretly imported to replace German voters, were frequently amplified by AfD politicians within hours of their initial dissemination. This feedback loop suggested a level of coordination, or at least highly attuned reflexivity, between the Russian psychological operations teams and the party’s digital surrogates.
| Metric | Count / Value | Source |
|---|---|---|
| Total Fabricated Comments Generated | 33. 9 Million | Social Design Agency (SDA) Leaks |
| Fake “Doppelganger” News Sites Registered | 102+ | BfV / Microsoft Threat Intelligence |
| Views on X (Twitter) for Disinfo Content | 2. 5 Million (Feb 2025 spike) | Incident Database / CeMAS |
| Targeted Polling Goal for AfD | 20% | SDA Internal Strategy Documents |
| Deepfake Videos Released (Jan-Feb 2025) | 10+ (High Production Value) | Correctiv / German Foreign Office |
The “managed chaos” strategy also exploited the “Voice of Europe” scandal to portray the AfD as a victim of the “deep state.” When AfD lead candidate Maximilian Krah and MP Petr Bystron were implicated in the Russian funding investigation, the Storm-1516 network pivoted instantly. Instead of denying the connections, the bot networks flooded German social media with narratives framing the investigations as a NATO-orchestrated coup against “peace advocates.” This narrative inversion, turning evidence of treason into proof of martyrdom, successfully consolidated the AfD’s base. even with the scandals, the party maintained significant polling strength in the eastern states, fulfilling the SDA’s objective of cementing a pro-Russian bloc within the German parliament capable of obstructing legislative procedure.
BfV President Sinan Selen stated in December 2025 that the campaign had “crossed the threshold from influence to sabotage.” The intelligence indicated that the aim was to replicate the legislative gridlock seen in the U. S. Congress, specifically regarding Ukraine funding packages. By ensuring a large, disruptive AfD presence in the Bundestag, Moscow purchased a veto player within the German legislative, achieving through information warfare what it could not achieve through diplomacy.
The Polish Spy Ring and Cash Seizures
Parallel to the intelligence operations in Brussels, Poland’s Internal Security Agency (ABW) executed a decisive strike against a Russian espionage network entrenched in Warsaw and Tychy. On March 27 and 28, 2024, ABW officers raided multiple properties linked to the “Voice of Europe” influence operation, a cell that served as a logistical and financial hub for Kremlin intelligence. During the searches, agents seized €48, 500 and $36, 000 in cash, funds which investigators identified as operational capital destined for bribing local politicians and financing kinetic sabotage against serious transport infrastructure.
The raids were the culmination of a joint investigation with the Czech Security Information Service (BIS), which had tracked the flow of money from pro-Russian oligarch Viktor Medvedchuk to operatives in Central Europe. Jacek Dobrzyński, spokesperson for Poland’s Minister Coordinator of Special Services, confirmed that the network’s objectives extended beyond mere propaganda. The seized currency was part of a broader financing stream intended to cripple the logistics of Western military aid. The investigation revealed that the cell had been tasked with identifying vulnerabilities in the rail networks leading to the Rzeszów-Jasionka Airport, the primary transshipment hub for weapons deliveries to Ukraine.
The operation in Tychy, a city in the Silesian Voivodeship, exposed the network’s deep penetration into local infrastructure. Intelligence officials discovered that the espionage ring had been recruiting “disposable agents”, frequently foreign nationals from across the eastern border, to conduct surveillance and plant tracking devices on aid convoys. The cash seizures in March provided the forensic link between the high-level political influence operations centered in Brussels and the gritty, on-the-ground sabotage attempts targeting Polish railways. This financial trail connected the “Voice of Europe” directly to the cells responsible for installing hidden cameras on the Warsaw-Rzeszów rail line, a plot that had been partially disrupted in earlier raids continued to receive funding through 2024.
| Date | Operation / Event | Key Outcome |
|---|---|---|
| March 2023 | Operation “Rail Watch” | of a 16-person spy ring placing cameras on aid routes. |
| Jan 19, 2024 | Parliamentary Indictment | Indictment of a Polish citizen in EU/Polish parliament circles for espionage. |
| March 27, 2024 | Warsaw & Tychy Raids | Seizure of €48, 500 and $36, 000; links to “Voice of Europe” confirmed. |
| May 20, 2024 | Sabotage Crackdown | Arrest of 9 suspects charged with arson and beatings commissioned by Russian services. |
| Nov 18, 2025 | Rail Security Incident | Identification of two operatives attempting to derail trains on the Warsaw-Lublin line. |
The indictment of a Polish citizen in January 2024, a man within Polish and European parliamentary circles, provided the initial intelligence that led to the March raids. This individual, whose identity remains protected under strict privacy laws, acted as a handler for the network, facilitating payments to politicians who agreed to propagate anti-Ukraine narratives. The ABW’s findings indicated that the €84, 500 total seized was a fraction of the monthly operating budget, which was replenished via cryptocurrency transfers and cash couriers moving through the Czech Republic. The dual nature of this funding, paying for both “soft” political subversion and “hard” sabotage, demonstrated the hybrid warfare strategy deployed by Moscow, treating information warfare and physical destruction as complementary arms of the same campaign.
By late 2025, the threat had evolved from surveillance to direct action. Prime Minister Donald Tusk later revealed that the networks financed by these channels were responsible for attempted derailments and arson attacks across the country. The March 2024 seizure proved serious in disrupting a specific tranche of payments meant to operationalize a new wave of attacks on the rail lines near Dęblin and Lublin. While the “Voice of Europe” scandal dominated headlines for its political, the ABW’s work in Tychy underscored the lethal physical reality of the threat: the same hands paying for interviews in the European Parliament were financing explosives on the tracks to Kyiv.
Cyber Warfare: The NoName057 Campaign
The pro-Russian hacktivist group NoName057(16) executed a synchronized cyber offensive against European election infrastructure in June 2024, targeting the Netherlands, Poland, and Italy with intensity. While the distributed denial-of-service (DDoS) attacks failed to penetrate vote-counting air gaps, they successfully paralyzed public-facing result reporting portals for serious hours, manufacturing a emergency of confidence that mirrored Kremlin disinformation narratives. The campaign, orchestrated through the group’s proprietary “DDoSia” project, marked a shift from nuisance vandalism to strategic election interference, leveraging a volunteer botnet to flood with over 115 million requests per hour.
NoName057(16), active since March 2022, distinguishes itself from other state-aligned actors by gamifying cyber warfare. The group operates the DDoSia project, a crowdsourced attack platform where volunteers download a specialized toolkit to lend their to coordinated assaults. Participants are ranked on leaderboards and remunerated in cryptocurrency based on the volume of traffic they generate. This decentralized model allows the group to attacks rapidly without maintaining a massive, centralized server farm that Western intelligence could easily decapitate. By June 2024, the DDoSia network had swelled to thousands of active nodes, directing a torrent of junk traffic at European democratic institutions during the pivotal parliamentary elections.
The Netherlands faced the initial brunt of the offensive on June 5 and 6, 2024, coinciding with the opening of polls. Dutch cybersecurity firm Hunt & Hackett recorded waves of traffic targeting the websites of major political parties, including the Party for Freedom (PVV), the Christian Democratic Appeal (CDA), and the Forum for Democracy (FvD). The attacks were not indiscriminate; they specifically aimed to sever the digital connection between candidates and voters. Cloudflare data confirmed that the initial assault on Dutch political infrastructure peaked at 115 million HTTP requests per hour, overwhelming servers and rendering sites inaccessible. The municipality of Groningen and the province of Noord-Holland also suffered outages, disrupting local government communications. While the Dutch National Cyber Security Centre (NCSC) confirmed that the core election systems remained secure, the visible downtime of political websites provided fodder for social media narratives claiming the election was “broken” or “rigged.”
As voting progressed across the continent, the group pivoted its crosshairs to Italy and Poland. On June 8, Italy became the primary target. NoName057(16) directed its botnet against the Italian Ministry of Foreign Affairs, the Ministry of Infrastructure, and several transport sector entities. The attacks were explicitly framed by the group on Telegram as retaliation for Italian military aid to Ukraine. The disruption of transport websites on an election weekend created logistical friction for voters traveling to polling stations, a subtle form of voter suppression. By Sunday, June 9, the focus shifted to Poland, which sustained the highest volume of attacks on the final day of voting. Polish government administration servers and financial institutions faced a bombardment of requests designed to choke off public access to information. The Polish government, having previously recognized Russia as a state sponsor of terrorism, was a priority target; the attacks aimed to embarrass the administration of Prime Minister Donald Tusk by projecting an image of digital incompetence.
The operational tempo of NoName057(16) during the election week demonstrated a high degree of coordination with Russian geopolitical objectives. Unlike chaotic hacktivist shared, NoName057(16) adhered to a strict schedule, with attack waves consistently launching between 05: 00 and 07: 00 UTC to maximize visibility during European business hours. The group’s Telegram channel served as a command-and-control center, issuing real-time target lists and celebrating successful downtimes with screenshots of “Check-Host” reports. This propaganda loop was essential to their strategy: the technical impact of the DDoS attacks was secondary to the psychological impact. By proving they could touch election infrastructure, they sowed doubt about the integrity of the unseen vote-counting process.
The impunity of NoName057(16) came to an abrupt end in July 2025. In a joint action “Operation Eastwood,” law enforcement agencies from the United States, Germany, Spain, and the Netherlands dismantled the group’s core infrastructure. Europol coordinated the seizure of servers hosting the DDoSia command and executed arrest warrants for key administrators in Spain and Germany. The investigation revealed that while the “volunteers” were geographically dispersed, the command structure was tightly integrated with Russian state interests. The takedown exposed the group’s reliance on Western server infrastructure to relay attacks, a vulnerability that investigators exploited to map the entire network.
| Target Country | Attack Dates | Primary | Peak Traffic Volume | Operational Outcome |
|---|---|---|---|---|
| Netherlands | June 5-6, 2024 | PVV, CDA, FvD Party Sites, Groningen Municipality | 115 Million Req/Hour | 4-hour outage of political portals; reported by Cloudflare. |
| Italy | June 8-9, 2024 | Ministry of Foreign Affairs, Transport Infrastructure | Undisclosed High Volume | Intermittent access problem; claimed as retaliation for Ukraine aid. |
| Poland | June 9, 2024 | Gov. Administration, Financial Sector | Highest Daily Claim Count | Disruption of public info services on election day. |
The legacy of the NoName057(16) campaign lies not in the votes it changed, there is zero evidence any tally was altered, in the blueprint it established for hybrid warfare. The group demonstrated that low-cost, crowdsourced cyber vandalism could be synchronized with major political events to amplify distrust. The temporary paralysis of result-reporting websites in the Netherlands and Poland served as a force multiplier for disinformation, allowing bad actors to point to a “dark” screen as evidence of a “dark” election. This strategy of attacking the perception of integrity proved far more cost- than attempting to breach the hardened encryption of actual voting machines.
Qatargate Re-ignited: The 2025 Charges
The ‘Qatargate’ investigation, which in Brussels hoped had been confined to the initial arrests of 2022, erupted with renewed intensity on January 18, 2025. Belgian federal prosecutors formally charged Member of the European Parliament (MEP) Marie Arena with participation in a criminal organization. The indictment marked a significant escalation in the probe, directly implicating the former Chair of the Subcommittee on Human Rights (DROI) who had previously succeeded the scandal’s alleged ringleader, Pier Antonio Panzeri.
Unlike earlier defendants such as Eva Kaili or Marc Tarabella, Arena was not charged with corruption or money laundering. Instead, the prosecution focused on her role within the broader network, alleging she facilitated the operations of Panzeri’s influence machine. Investigators evidence of over 400 telephone calls between Arena and Panzeri in a ten-month period, suggesting a level of coordination that belied her claims of ignorance. Arena vehemently denied the charges, describing the indictment as a “pseudo-crime” designed to justify a judicial “lynching” after two years of investigation failed to produce evidence of bribery.
The 2025 charges also formally expanded the investigation’s scope beyond Qatar to include illicit influence campaigns by Mauritania and Morocco. Prosecutors alleged that the criminal organization used the DROI subcommittee to sanitize the human rights records of these nations in exchange for financial benefits funneled through Panzeri’s NGO, Fight Impunity. Specific focus was placed on a June 2022 conference in Mauritania, organized with Panzeri’s help, where the country’s slavery record was reportedly downplayed in exchange for EU fishing contracts and funding.
The Mauritania-Morocco Connection
The indictment detailed how the “criminal organization” operated as a service-for-hire entity for multiple foreign states. Evidence presented to the Brussels Chamber of Indictment indicated that the network’s activities were not limited to cash-for-votes included sophisticated reputation laundering. In the case of Morocco, investigators pointed to a January 2022 trip where Arena and Panzeri allegedly worked to expunge serious
The Morocco Connection: Beyond Doha
While the bags of cash from Qatar captured the public imagination, investigators found the Moroccan operation to be far more dangerous: a structural, long-term infiltration by a foreign intelligence service. Unlike the transactional nature of the Qatari bribes, the Moroccan network, orchestrated by the external intelligence agency DGED (Direction Générale des Études et de la Documentation), had been embedding itself within the European Parliament’s since at least 2014.
The investigation identified the central handler as Abderrahim Atmoun, Morocco’s Ambassador to Poland and former co-chair of the EU-Morocco Joint Parliamentary Committee. Intelligence files reveal that Atmoun did not lobby; he ran a covert payroll system. In a 2019 “pact” sealed in Rabat, former MEP Antonio Panzeri and his assistant Francesco Giorgi allegedly agreed to receive €50, 000 annually in exchange for steering EU policy. This arrangement continued even after Panzeri left office, using his NGO, Fight Impunity, as a front to maintain influence.
The Spy Known as M118
The operation’s sophistication was underscored by the involvement of Mohamed Belhrech, a DGED agent operating under the code name “M118.” Known to European intelligence services for a 2016 corruption scandal at Paris-Orly airport, Belhrech acted as the between the parliamentary network and Yassine Mansouri, the head of the DGED and a former classmate of King Mohammed VI. Leaked cables described Panzeri as a “heavyweight ally” capable of neutralizing “enemies” of the Kingdom, specifically regarding the disputed territory of Western Sahara.
The primary objective was the systematic “sanitization” of the European Parliament’s annual human rights reports. Panzeri, serving as Chair of the Subcommittee on Human Rights (DROI), utilized his position to excise
China’s ‘Spamoflauge’ Evolution
Unlike Russia’s blunt-force disruption, China’s ‘Spamouflage’ network (also known as Dragonbridge) prioritized a strategy of subtle, long-term. By 2025, this apparatus shifted its primary focus from defending Beijing’s foreign policy to weaponizing Europe’s internal socioeconomic fractures. Intelligence reports confirm that operators moved beyond narratives about Xinjiang or Hong Kong to amplify hyper-local grievances, specifically targeting the European housing emergency and post-inflationary economic stagnation.
Data from Graphika and Meta indicates a tactical pivot beginning in late 2023, which fully matured in 2025. The network began to itself in genuine community discussions regarding the cost of living. In January 2025, during the catastrophic floods in Valencia, Spain, Spamouflage actors impersonated the Madrid-based human rights group Safeguard Defenders. These fake accounts circulated fabricated calls for the overthrow of the Spanish government, marking the documented instance of the network explicitly inciting regime change in a Western democracy. This operation exploited real public anger over emergency response times to portray democratic governance as incompetent.
The network’s infrastructure is vast. In August 2023, Meta purged 7, 704 Facebook accounts and 954 pages linked to this operation, yet the network reconstituted itself on smaller platforms before resurfacing on major networks with more sophisticated AI-generated personas. By 2024, Citizen Lab identified 123 websites operating from China that masqueraded as local European news outlets. These sites did not praise China; they published hundreds of articles detailing rising homelessness in Berlin, rent spikes in Dublin, and pension protests in Paris. The content mixed factual economic data, such as the 53% rise in EU house prices between 2015 and 2024, with inflammatory commentary designed to induce voter apathy.
| Time Period | Primary Objective | Key Narratives | Tactical Method |
|---|---|---|---|
| 2019, 2021 | Defend Beijing Policy | Hong Kong protests, Xinjiang denials, Covid-19 origins | Mass spamming, hijacked accounts, clumsy English |
| 2022, 2023 | Attack Western Alliances | NATO, US-EU trade tensions, Nord Stream | AI-generated avatars, cross-platform coordination |
| 2024, 2025 | Democratic Faith | Housing costs, inflation, local government failure | Impersonating NGOs, fake local news sites, hyper-local targeting |
This shift to “localized decay” narratives represents a dangerous maturation. The operators no longer need to convince Europeans that China is superior. Instead, they aim to prove that European systems are failing. In the UK and Germany, Dragonbridge accounts amplified stories about “heat or eat” choices during winter months, using AI-generated images of impoverished pensioners to trigger emotional engagement. These posts frequently bypassed moderation filters because they discussed genuine economic pain points rather than obvious geopolitical falsehoods.
The volume of this activity is substantial. Security analysts at ThreatLabz observed a 40% increase in China-linked bot activity targeting European domestic policy forums in the quarter of 2025 alone. Unlike Russian campaigns that seek to polarize, the Chinese strategy appears designed to depress civic engagement entirely. By flooding channels with evidence of widespread failure, unaffordable rents, crumbling infrastructure, and unresponsive officials, the network encourages a withdrawal from democratic participation.
Technological facilitated this granularity. The use of generative AI allowed operators to produce flawless translations in French, German, and Spanish, shedding the linguistic errors that previously identified their content. In one identified campaign targeting the 2024 European Parliament elections, the network created thousands of unique comments on Facebook and X (formerly Twitter) that mimicked the specific slang and dialect of voters in rural France, complaining about agricultural subsidies and fuel taxes. This ability to blend into the digital noise of local discontent makes detection increasingly difficult for platform moderators and intelligence agencies alike.
The ‘Nederland met een plan’ Anomaly
In June 2024, just days before the European Parliament elections, a joint investigation by RTL Nieuws and Follow the Money exposed a sophisticated interference method operating within the Dutch political system. The report centered on “Nederland met een plan” (NL Plan), a fringe party led by Kok Kuen Chan, which served as a test case for how foreign influence operations can exploit diaspora communities to bypass campaign finance laws. Unlike the direct cash transfers seen in the Voice of Europe scandal, this operation utilized a network of domestic associations to funnel support.
The investigation revealed that NL Plan received approximately €42, 000 in donations from organizations directly linked to the Chinese Communist Party’s United Front Work Department (UFWD). The funding did not come from Beijing directly was routed through Netherlands-based entities, specifically the Dutch branch of the China Council for the Promotion of Peaceful National Reunification (CCPPNR) and the National Federation of Chinese Organizations in the Netherlands (LFCON). This structure allowed the party to technically comply with bans on foreign government funding while serving the interests of a foreign power.
The Dual-Messaging Strategy
Reporters uncovered a clear between the party’s domestic platform and its communications within Chinese-language media. While NL Plan campaigned to the general Dutch public on problem of social housing, poverty reduction, and participatory democracy, its messaging to the diaspora was aggressively pro-Beijing. In outlets such as the United Times, the party positioned itself as the only political entity to “resist the suppression of China by the EU and US.”
| Target Audience | Primary Media Channels | Key Narratives | Stated Goals |
|---|---|---|---|
| Dutch Public | National TV, Dutch Campaign Site | Social justice, affordable housing, anti-poverty | “A plan for everyone,” participatory democracy |
| Chinese Diaspora | United Times, WeChat Groups | Anti-Western hegemony, defense of Beijing’s policies | “Speak honest words for China,” oppose EU sanctions |
This dual-track method allowed the party to mobilize financial support from UFWD-affiliated groups without alerting Dutch voters or regulators to its geopolitical. Intelligence reports from the AIVD (General Intelligence and Security Service) had previously warned that the UFWD uses diaspora associations to monitor and influence overseas communities, NL Plan represented a rare attempt to translate this influence into direct parliamentary representation.
Regulatory Blind Spots and Legal Aftermath
The case exposed a serious regulatory blind spot regarding new political parties. Constitutional law experts noted that the Netherlands maintained a “rule-free zone” for start-up parties, which faced fewer transparency requirements than established political entities. By channeling funds through locally registered cultural and business associations, the operation laundered the political origin of the money. Although NL Plan failed to secure a seat, garnering only 8, 360 votes (0. 13%) in the 2024 EU elections, the attempt demonstrated the viability of the financing channel.
In October 2025, a Dutch court ruled on a defamation suit brought by the party against the investigative journalists. The judge dismissed the party’s claims, affirming that the reporting by Follow the Money was factually grounded and that the links to the United Front network were substantiated by the evidence. The ruling confirmed that the diaspora organizations involved operated within the “political chain of command” of the CCP, validating the classification of the donations as foreign interference by proxy.
“The danger is not the amount of money, the method. By utilizing domestic cultural associations as funding conduits, foreign actors can inject resources into the democratic process while maintaining a veneer of local grassroots support.”
, AIVD Annual Threat Assessment, 2024
The NL Plan anomaly forced a re-evaluation of how European democracies monitor political financing from diaspora groups. It proved that foreign interference does not always require covert intelligence operatives or cyberattacks; it can be achieved through the co-optation of community leaders and the weaponization of cultural heritage organizations.
The Tibet and Xinjiang Resolution Battles
China’s interference manifested procedurally within the European Parliament, transforming routine human rights debates into high- legislative attrition. During the May 8, 2025, plenary session in Strasbourg, the chamber debated a resolution condemning state interference in the Dalai Lama’s succession, a text timed to mark the 30th anniversary of the abduction of the 11th Panchen Lama, Gedhun Choekyi Nyima.
While the resolution passed with 478 votes in favor, a recalcitrant bloc of 30 MEPs voted against the measure, with another 41 abstaining. Data analysis of this “refusal bloc” revealed a consistent pattern: these non-aligned and fringe-party members held voting records that aligned 94% with Beijing’s stated foreign policy interests between 2024 and 2025. This group, primarily composed of members from the reconfigured “Sovereign Nations” and non-attached (NI) delegations, attempted to derail the text not through open debate, via a flood of last-minute amendments designed to dilute its legal weight.
The procedural guerrilla warfare focused on removing three specific clauses: the recognition of the Dalai Lama’s sole authority to appoint his successor, the demand for an independent investigation into the death of Tibetan activist Tulku Hungkar Dorje, and the terminology classifying the assimilation of Tibetan children in state-run boarding schools as “cultural erasure.” Sources within the Parliament’s Directorate-General for External Policies confirmed that the amendments mirrored language used in diplomatic notes verbale sent by the Chinese Mission to the EU just 48 hours prior to the vote.
| Parliamentary Grouping | Avg. with PRC Positions | Key Dissenting Votes | Primary Justification |
|---|---|---|---|
| Non-Attached (NI) | 94% | May 2025 Tibet Resolution | “Non-interference in sovereign affairs” |
| Patriots for Europe (PfE) | 68% | Oct 2024 Uyghur Resolution | “Avoidance of trade escalation” |
| The Left (Selected MEPs) | 72% | April 2024 Forced Labor Ban | “Anti-American imperialism” |
| Parliament Average | 12% | N/A | N/A |
The May 2025 battle was the culmination of tensions that had boiled over six months earlier. On October 10, 2024, the Parliament adopted an urgent resolution demanding the immediate release of Uyghur economist Ilham Tohti and retired doctor Gulshan Abbas. During this session, the same bloc of MEPs utilized filibustering tactics to delay the vote, arguing that the resolution relied on “unverified American intelligence.” This narrative directly contradicted the Parliament’s own findings, which were by the 2022 “Xinjiang Police Files” leak.
The operational hub for this interference was frequently traced back to individual offices rather than party structures. The arrest of Jian Guo, a parliamentary aide to German MEP Maximilian Krah, in April 2024, exposed the mechanics of this influence. Guo, who was charged with espionage, had utilized his position to access for Chinese state actors to the “Silk Road Think Tank Association,” a network that functioned as a lobbying front within the Parliament. Even after Krah’s expulsion from the Identity and Democracy (ID) group, he was re-elected in June 2024 and continued to anchor the pro-Beijing vote from the non-aligned benches throughout 2025.
The legislative impact of this interference extended beyond symbolic resolutions. The “Beijing Bloc” successfully delayed the implementation of the Forced Labor Regulation, which was approved in April 2024. By repeatedly requesting impact assessments on European supply chains, they pushed the enforcement timeline back by nearly eight months. This delay allowed several major solar and textile importers to liquidate stockpiles of Xinjiang-manufactured goods before customs authorities could legally seize them.
Intelligence shared by the Czech Security Information Service (BIS) indicated that the coordination of these votes was not organic. Encrypted communications intercepted between the Chinese Mission in Brussels and specific parliamentary staffers showed a “voting guidance” system, where preferred amendment texts were circulated hours before committee deadlines. This verified the existence of a “transmission belt” that turned Beijing’s diplomatic p
The Return of Interparliamentary Dialogue
On October 16, 2025, the European Parliament and China’s National People’s Congress (NPC) held their 42nd Inter-Parliamentary Meeting (IPM) in Brussels, ending a seven-year diplomatic freeze. This session, the official direct exchange between the legislatures since May 2018, marked a controversial attempt to stabilize relations even with unresolved structural conflicts. The meeting was chaired by German MEP Engin Eroglu, head of the Delegation for Relations with the People’s Republic of China (D-CN), and Fu Ziying, a member of the NPC Standing Committee.
The resumption of dialogue followed a calculated diplomatic thaw initiated by Beijing earlier in the year. In April 2025, Chinese authorities lifted sanctions imposed in March 2021 on five Members of the European Parliament (MEPs) and the Subcommittee on Human Rights. These sanctions, which had barred targeted lawmakers from entering mainland China, Hong Kong, and Macau, were the primary obstacle to official communication. The thaw was completed in July 2025 when Beijing removed restrictions on former delegation chair Reinhard Bütikofer, a vocal critic of the Chinese Communist Party (CCP), fulfilling a key precondition set by the Conference of Presidents for re-engagement.
even with the diplomatic reset, the October session exposed deep ideological rifts rather than. Minutes from the closed-door meeting reveal that the Chinese delegation, led by Fu Ziying, aggressively promoted Russian narratives regarding the war in Ukraine. According to attendees, NPC representatives questioned the legitimacy of NATO’s existence and attributed the conflict to “western expansionism,” a stance that shocked European lawmakers. MEP Miriam Lexmann, one of the officials previously sanctioned, described the Chinese position as indistinguishable from Kremlin propaganda. The European delegation countered by raising specific human rights cases, including the imprisonment of Uyghur scholar Ilham Tohti and Hong Kong publisher Jimmy Lai, though Chinese officials dismissed these inquiries as interference in internal affairs.
Human rights organizations and exiled dissident groups sharply criticized the Parliament’s decision to proceed with the IPM. Activists argued that resuming high-level contact without concrete improvements in Xinjiang or Tibet granted Beijing unearned legitimacy. The “normalization” of ties occurred even as the Parliament’s own resolutions in 2024 and 2025 continued to condemn Beijing’s assimilationist policies in Tibet and military provocations in the Taiwan Strait. Critics pointed to the disconnect between the Parliament’s legislative stance, which labeled the treatment of Uyghurs as a serious breach of international law, and the diplomatic optics of hosting NPC officials in Brussels.
| Date | Event | Status |
|---|---|---|
| May 2018 | 41st Inter-Parliamentary Meeting held in Beijing. | Active |
| March 2021 | China sanctions 5 MEPs and the Human Rights Subcommittee. | Frozen |
| May 2021 | European Parliament freezes CAI ratification in response. | Frozen |
| April 2025 | China lifts sanctions on sitting MEPs. | Thawing |
| July 2025 | China lifts sanctions on former chair Reinhard Bütikofer. | Thawing |
| October 16, 2025 | 42nd Inter-Parliamentary Meeting resumes in Brussels. | Active |
The meeting concluded with a tentative agreement to hold the 43rd IPM in Beijing in May 2026, establishing a biannual rhythm. yet, the substance of the dialogue signaled a shift from “partnership” to “widespread rivalry,” a classification the EU formally adopted in 2019. While the channels of communication were restored, the political trust that characterized the pre-2018 era remained absent. The European delegation’s post-meeting statement emphasized that future exchanges would remain conditional on China’s stance regarding global security and human rights, specifically its material support for Russia’s defense industrial base.
The Hacktivist Alliance
A disturbing trend observed in late 2024 was the cross-pollination of threat actors. Russian groups like ‘Cyber Army of Russia’ began coordinating with non-state actors and criminal ransomware gangs, creating a hybrid threat environment where political disruption and financial extortion became indistinguishable. This “shadow alliance,” as characterized by Europol in its October 2025 threat assessment, allowed state-sponsored entities to use the infrastructure of profit-driven cybercriminals, granting the Kremlin plausible deniability while amplifying the destructive impact of their operations against European democracies.
The operational shift became undeniable in the third quarter of 2024, when the ‘Cyber Army of Russia Reborn’ (CARR) formalized a tactical partnership with the criminal group ‘Z-Pentest’. Intelligence reports from Mandiant and Microsoft confirmed that CARR, a front for the Russian GRU’s Unit 74455, utilized Z-Pentest’s initial access brokers to infiltrate serious infrastructure in Poland and France. Unlike traditional espionage, these intrusions were not designed for data theft for kinetic effect; in one verified incident in November 2024, the alliance manipulated industrial control systems (ICS) at a French wastewater treatment facility, causing an overflow that local authorities initially attributed to mechanical failure. The attack coincided with a broader disinformation campaign amplifying local grievances about public service management.
Simultaneously, the prolific hacktivist shared NoName057(16) evolved from a nuisance-level DDoS actor into a central node for this hybrid warfare. In September 2024, NoName057(16) announced a strategic pact with CARR and Z-Pentest, pooling their botnet resources. This coalition directed its fire at the Netherlands during the run-up to the European Parliament elections. On June 6, 2024, a Russian proxy group operating under the banner ‘HackNeT’ executed a precision DDoS attack that paralyzed the websites of three major Dutch political parties, the Christian Democratic Appeal (CDA), the Party for Freedom (PVV), and the Forum for Democracy (FvD), precisely as polls opened. The attack traffic was traced back to compromised servers previously used by the ‘Qilin’ ransomware gang, marking a definitive overlap between ideologically motivated disruption and criminal infrastructure.
The blurring of lines extended to the deployment of military-grade wipers disguised as ransomware. In early 2025, the Sandworm group (APT44) was observed collaborating with the cybercriminal cluster UAC-0099 to target the European energy sector. ESET researchers documented a campaign where UAC-0099 gained initial access to energy firms in Eastern Europe via phishing, only to hand over control to Sandworm operators. Instead of deploying ransomware for profit, Sandworm executed ‘ZEROLOT’ and ‘Sting’ wipers, permanently destroying data to destabilize the region’s power grid during peak winter demand. This method allowed the state actor to bypass traditional military defenses by riding the rails of common cybercrime.
| State Actor (Affiliation) | Criminal Partner/Proxy | Target Sector | Operational Objective | Date of Incident |
|---|---|---|---|---|
| Cyber Army of Russia (GRU) | Z-Pentest | Water/Wastewater (France, Poland) | Kinetic manipulation of ICS; public panic | Nov 2024 |
| Sandworm (APT44) | UAC-0099 | Energy Grid (Eastern Europe) | Data destruction via ‘ZEROLOT’ wiper | Jan-Feb 2025 |
| NoName057(16) | Qilin Infrastructure | Political Parties (Netherlands) | Election interference; DDoS disruption | June 2024 |
| Storm-2372 | Ransomware Affiliates | Govt/NGOs (EU-wide) | MFA Bypass via “Device Code Phishing” | Aug 2024, Apr 2025 |
The severity of this threat vector necessitated a coordinated international response. On May 23, 2025, a global law enforcement coalition led by German and U. S. authorities executed “Operation Endgame,” the largest ever action against the botnets facilitating these hybrid attacks. The operation dismantled the infrastructure of the ‘IcedID’ and ‘Smokeloader’ malware families, which had been serving as primary delivery method for both Russian intelligence and ransomware syndicates. Investigators seized over 100 servers and identified that the ‘SystemBC’ proxy malware was being used to mask the origins of traffic for both the Qilin ransomware group and the Sandworm state actors, proving the shared logistical backbone of this shadow alliance.
also, the European Union imposed sanctions in June 2024 against six Russian nationals linked to this nexus, including members of the ‘Wizard Spider’ crime group who were found to be moonlighting for Russian intelligence services. The sanctions targeted individuals like Mikhail Tsarev and Maksim Galochkin, who were instrumental in adapting the Conti ransomware code for use in state-directed sabotage operations. This legal action formally recognized that the distinction between “cybercriminal” and “state hacker” had collapsed, requiring a defense strategy that treats ransomware gangs not just as thieves, as chance geopolitical combatants.
The DSA Stress Test
The European Commission conducted a voluntary “stress test” with major platforms in April 2024 to prepare for the June elections. This exercise accompanied formal infringement proceedings opened against X in December 2023 and Meta in April 2024, which targeted their failure to mitigate illegal content and Russian disinformation. These legal method, designed to enforce the Digital Services Act (DSA), faced an immediate trial by fire against the Kremlin-linked ‘Doppelgänger’ influence operation.
Enforcement timelines failed to match the speed of the attack. The European External Action Service (EEAS) reported that Russian Foreign Information Manipulation and Interference (FIMI) activity reached its peak intensity during the serious 72-hour window before polls closed on June 9. While regulators awaited compliance reports, the Doppelgänger network successfully cloned legitimate media outlets to inject anti-Ukraine narratives directly into the voter information stream.
Data from the final weeks of the campaign shows the operation’s acceleration. In the fortnight preceding the vote, the network published 65 election-related articles across its ecosystem of inauthentic sites. During the final week alone, this volume surged to 103 articles. The content targeted voters in France, Germany, and Poland with fabricated stories designed to trust in democratic institutions right as citizens headed to the ballot box.
The DSA’s structural reliance on slow-moving procedural investigations proved ineffective against this rapid tactical surge. Although the Commission identified the threat, the ‘Doppelgänger’ infrastructure remained active and unblocked during the election’s decisive phase. The disconnect between the months-long legal proceedings and the 72-hour disinformation blitz exposed a serious gap in the EU’s ability to secure its information environment in real-time.
Platform Negligence and Bot Farms
Data from the February 2025 German federal election confirmed that even with the Digital Services Act (DSA) mandates, X (formerly Twitter) remained a ‘permissive environment’ for hostile automated networks. Researchers documented that 30% of the engagement on top political hashtags in February 2025 was driven by inauthentic accounts created in the preceding three months. This surge in artificial amplification was not a nuisance a coordinated military-grade operation designed to distort public sentiment during the serious final weeks of the campaign.
The Institute for Strategic Dialogue (ISD) identified a primary network of 48 core accounts that began seeding disinformation in November 2024, which was then amplified by a secondary tier of over 6, 000 automated bots. These accounts, of which utilized AI-generated profile images and bio descriptions, were responsible for “nearly all shares” of specific anti-government video content, drowning out organic discourse. Unlike previous iterations of bot farms that relied on crude repetition, this network, linked to the Russian-aligned “Operation Overload,” employed sophisticated tactics to evade detection, including the mass-tagging of fact-checkers and journalists to overwhelm their verification capacity.
A defining feature of the 2025 interference campaign was the weaponization of X’s paid verification system. The “Blue Check” status, once a marker of authenticity, was sold without meaningful identity verification, allowing bad actors to purchase legitimacy for their bot networks. European Commission investigators found that this design choice directly facilitated the spread of the “Doppelgänger” campaign, which impersonated legitimate German media outlets to disseminate fabricated stories. In one documented instance, a fake Der Spiegel article claiming the German government planned to mobilize 500, 000 citizens for war in Ukraine was amplified by thousands of “verified” bot accounts within hours of the polls opening.
| Operation Name | Primary Tactic | of Network | Key |
|---|---|---|---|
| Doppelgänger | Media Impersonation (Typosquatting) | 100+ Fake Websites, 2, 000+ Amplifier Bots | Undermining support for Ukraine; SPD leadership |
| Storm-1516 (CopyCop) | AI Deepfakes & Fabricated Whistleblowers | High-frequency posting (50+ posts/hour per bot) | Annalena Baerbock, Robert Habeck (Greens) |
| Operation Overload | Harassment of Fact-Checkers | 6, 000+ accounts tagging media outlets | Paralyzing verification workflows |
The negligence extended beyond passive enablement. In December 2025, the European Commission imposed a historic €120 million fine on X, the financial penalty under the DSA, citing “deceptive design patterns” and a failure to provide transparency regarding advertising data. The Commission’s findings revealed that X’s ad repository was functionally useless for researchers attempting to track who was funding the political messaging flooding the platform. This opacity allowed the “Storm-1516” network to run targeted smear campaigns against Green Party candidates using AI-generated deepfakes without immediate attribution or removal.
Technical analysis by Visibrain corroborated the of the intrusion, recording over 2. 5 million interactions on disinformation content in the week leading up to the February 23 vote. The volume of bot activity tripled in the final days, with networks pivoting from general anti-establishment narratives to specific, falsified terror threats designed to suppress voter turnout. even with repeated warnings from the German Federal Office for the Protection of the Constitution (BfV) in late 2024, the platform failed to deploy sufficient moderation resources to counter the automated swarm, ceding the information space to foreign actors.
The failure of the DSA to preemptively halt this activity highlighted a serious enforcement gap. While the legislation provided the legal framework for the post-election fine, it did not offer a method swift enough to the bot infrastructure in real-time. The “permissive environment” on X allowed Russian operatives to test and refine hybrid warfare tactics, such as the “Matryoshka” technique of nesting fake accounts within legitimate threads, which were subsequently deployed against other European democracies later in the year.
Věra Jourová’s ‘Democracy Tour’ Findings
Between February and June 2024, Vice-President Věra Jourová conducted a “Democracy Tour” across half of the European Union’s member states. Her mission was to assess the resilience of the bloc’s electoral systems against external manipulation. The tour concluded with a formal assessment released on October 15, 2024. This report confirmed that while no foreign power successfully hacked the actual vote count, the “cognitive infrastructure” of the European electorate faced an level of aggression. Jourová explicitly stated that the battleground had shifted from physical ballot boxes to the information space itself.
The most worrying finding from the tour was the “blurring line” between foreign interference and domestic political campaigning. The October assessment noted that domestic actors were increasingly adopting the tactics, narratives, and even the funding structures of Russian and Chinese influence operations. Jourová described this phenomenon as foreign interference “happening through proxies.” In Germany and France, investigators found that local political entities amplified the Kremlin’s “We want peace” narrative. This slogan was designed to public support for Ukraine under the guise of pacifism. These domestic proxies allowed foreign narratives to bypass traditional filters. They gave hostile propaganda a veneer of local legitimacy.
| Threat Category | Primary Tactic | Observed Impact |
|---|---|---|
| Domestic Proxies | Laundering foreign narratives through local parties | Bypassed foreign agent laws; increased voter trust in false claims. |
| AI-Driven Disinformation | “Disinformation on steroids” (Deepfakes/Clones) | Rapid creation of fake news sites; low cost of entry for attackers. |
| Doppelgänger Campaigns | Cloning reputable media websites (e. g., Spiegel, Le Monde) | Confused voters by mimicking trusted sources; high volume of fake articles. |
| Cyber-Enabled Influence | Hack-and-leak operations | Targeted specific candidates to disrupt campaigns rather than alter vote tallies. |
The report also highlighted the role of the “Portal Kombat” network. This campaign involved a sprawling web of 193 websites that were created to disseminate pro-Russian content across Europe. French agency Viginum exposed this network in February 2024. Jourová used this example to illustrate how automation and AI allow bad actors to flood the zone with low-quality content. She termed this “disinformation on steroids.” The sheer volume of content made it difficult for fact-checkers to keep pace. In the weeks leading up to the June election, these networks produced thousands of articles per month. They targeted specific demographics in Poland, Germany, and France with tailored messages about economic collapse and migration crises.
Jourová’s findings emphasized that the “cognitive infrastructure” is a serious security domain. The European Commission’s data showed that while the Digital Services Act (DSA) provided tools for enforcement, the speed of the attacks frequently outpaced regulatory responses. The tour revealed that member states absence the specialized units required to detect these hybrid threats in real-time. The final report called for a unified “European Democracy Shield” to better coordinate responses between national intelligence agencies and digital regulators. It concluded that defending democracy requires protecting the mental autonomy of citizens as vigorously as the physical security of voting machines.
The National vs. EU Enforcement Gap
Post-2024 forensic analysis exposes a fundamental structural failure in the European Union’s defense against foreign interference: a jurisdictional mismatch between platform regulation and criminal prosecution. While the European Commission successfully deployed the Digital Services Act (DSA) to ban the Voice of Europe outlet in May 2024, it absence the legal authority to prosecute the individual politicians who accepted Russian funds.
This enforcement void allowed the Prague-based influence operation, funded by pro-Kremlin oligarch Viktor Medvedchuk, to exploit the seams between member state legal systems. Intelligence reports from Czech authorities confirmed that payments to politicians from the AfD (Germany), Vlaams Belang (Belgium), and FvD (Netherlands) were executed via cash handovers in Prague or untraceable cryptocurrency transfers. Because these financial transactions occurred outside the politicians’ home jurisdictions, they fell into a “gray zone” that complicated national prosecution.
Belgian Prime Minister Alexander De Croo publicly admitted the paralysis caused by this territorial limitation, stating in April 2024 that while the political interference occurred on Belgian soil (at EU institutions), the cash payments did not, restricting the reach of Belgian federal prosecutors. Consequently, while the EU could the propaganda infrastructure, the beneficiaries of the scheme faced a fragmented patchwork of national investigations rather than a unified federal indictment.
Telegram: The Unmoderated Frontier
As the Digital Services Act (DSA) forced mainstream platforms like Meta and X to implement stricter transparency measures in late 2023, Russian influence operations executed a strategic migration to Telegram. By early 2024, the messaging app had evolved from a passive communication tool into the primary “launchpad” for foreign interference, exploiting a regulatory loophole that exempted it from the DSA’s most “Very Large Online Platform” (VLOP) obligations. Intelligence reports confirm that operatives used Telegram’s unmoderated channels to incubate fabricated content, including the ‘Storm-1516’ deepfakes, before laundering it onto regulated networks to target the European electorate.
The “Seed and Amplify” method
The operational model adopted by groups such as Storm-1516 and Doppelgänger relies on a “seed and amplify” architecture. Disinformation is uploaded to niche Telegram channels, where it acquires a veneer of authenticity through artificial engagement from bot networks. Once the content generates sufficient initial traction, it is cross-posted to X (formerly Twitter) and Facebook by “burner” accounts, frequently citing the Telegram post as a “leaked source” or “insider report.”
This method bypasses automated detection systems on mainstream platforms, which frequently struggle to flag content originating from encrypted messaging apps until it has already gone viral. A 2025 analysis by the Centre for Democracy and Rule of Law revealed that even with Telegram blocking sanctioned Russian state media channels in the EU, 80% of identified propaganda networks remained accessible via mirror channels and alternative links.
| Network Name | Primary Tactic | Targeted Event | Est. Monthly Content Volume |
|---|---|---|---|
| Storm-1516 | Deepfakes & Staged Videos | Paris Olympics, EU Elections | 50+ High-Production Videos |
| Doppelgänger | Cloned Media Sites (RRN) | German/French National Politics | 12, 900+ Articles (German alone) |
| Portal Kombat | “Pravda” Website Network | Destabilizing Support for Ukraine | Automated Daily Feeds (193 Portals) |
Case Study: The Storm-1516 Deepfakes
The danger of this unmoderated pipeline was illustrated during the lead-up to the 2024 Paris Olympics. In July 2024, Storm-1516 operatives seeded a fabricated video on Telegram featuring a man posing as a Hamas fighter threatening “rivers of blood” in Paris. Microsoft Threat Analysis Center (MTAC) forensics confirmed the video originated from the Russian group, not Hamas. By the time the video was debunked, it had already migrated to X, where it was amplified by thousands of bot accounts to stoke fear and anti-immigrant sentiment across France.
Similarly, in May 2025, a deepfake video purporting to show French President Emmanuel Macron using cocaine on a train to Kyiv was distributed via Telegram. The clip was legitimized when Russian Foreign Ministry spokesperson Maria Zakharova reposted it to her official Telegram channel, which serves as a central node for Kremlin narratives. From there, the fabrication jumped to X, forcing the Élysée Palace to problem formal denials. The incident demonstrated how Telegram serves as a gray-zone, allowing state officials to amplify disinformation without direct accountability.
The Regulatory Blind Spot
Telegram’s utility to these networks is underpinned by its regulatory status. Throughout 2024, the platform maintained that it had fewer than 45 million monthly active users in the EU, the threshold for VLOP designation under the DSA. This claim allowed it to avoid the mandatory risk assessments and third-party audits required of platforms like TikTok and Facebook. yet, independent estimates suggested the actual user base exceeded 50 million, prompting an EU technical investigation in late 2024.
The “Portal Kombat” network, identified by French agency VIGINUM, exploited this absence of oversight to manage 193 “information portals” that disseminated pro-Russian narratives. These sites, frequently named “Pravda” followed by a country code (e. g., pravda-fr. com), used Telegram automation to scrape and repost content from Russian state media, circumventing EU bans on outlets like RT and Sputnik. Between March 2023 and May 2024, the Doppelgänger network alone published over 12, 970 German-language articles, driving traffic through obfuscated Telegram links that evaded standard domain blocklists.
Crypto-Funding and the ‘Grey Zone’
Financial investigators found that traditional bank transfers were largely replaced by USDT (Tether) transactions. The ‘Voice of Europe’ investigation revealed that couriers were used to transport physical cash only for the final mile, with the bulk of funds moving through untraceable decentralized exchanges. This hybrid model, digital transit followed by analog delivery, created a forensic “Grey Zone” that baffled standard audit used by the European Parliament.
Intelligence provided by the Czech Security Information Service (BIS) indicated that the operation funneled up to €1 million per month into the European political ecosystem. Unlike previous interference campaigns that relied on easily subpoenaed SWIFT transfers or direct wire payments, the Medvedchuk-Marchevsky network used the ERC-20 stablecoin standard to move value instantaneously and pseudonymously. Funds were routed through high-risk exchanges in Central Asia or non-compliant platforms like Garantex before being converted into physical euros in Prague.
Once the digital assets were liquidated, the “final mile” distribution relied on a network of human couriers. These individuals, frequently carrying amounts just the €10, 000 customs declaration threshold, traveled to Brussels and Strasbourg to hand-deliver cash envelopes to politicians. This method severed the digital chain of custody, leaving no direct blockchain evidence linking the recipient’s wallet to the sanctioned Russian source. Belgian Prime Minister Alexander De Croo confirmed the difficulty of prosecuting these acts, noting that while the political interference occurred in Belgium, the financial transactions frequently took place in other jurisdictions.
The Mechanics of Evasion
The operational security of this funding network represents a significant evolution in foreign interference tradecraft. By avoiding the banking sector entirely until the point of cash withdrawal, the operators bypassed the EU’s entire Anti-Money Laundering (AML) tripwire system.
| Metric | Traditional Interference (2014-2019) | ‘Voice of Europe’ Hybrid Model (2023-2024) |
|---|---|---|
| Primary Vehicle | SWIFT / Offshore Bank Wires | USDT (Tether) on TRON/Ethereum |
| Detection Point | Bank Compliance (KYC/AML) | Physical Cash Handover (Human Intel) |
| Transfer Speed | 1-3 Business Days | Seconds (Digital) / Hours (Physical) |
| Traceability | High (Paper Trail Exists) | Near Zero (Chain Hopping + Cash Gap) |
The use of USDT was particularly strategic. As a dollar-pegged stablecoin, it protected the operation’s capital from the volatility of Bitcoin or the ruble, ensuring that the promised bribe amounts remained stable upon delivery. Investigators found that payments were frequently structured as “speaking fees” or “consultancy retainers” for appearances on the Voice of Europe platform, providing a thin veneer of legitimacy to the transactions. This “Grey Zone” allowed recipients to claim they were being paid for legitimate media work, even as the sums far exceeded standard industry rates.
The of this crypto-laundering operation forced the EU to accelerate the implementation of its Markets in Crypto-Assets (MiCA) regulation. yet, during the serious pre-election period of early 2024, the network exploited the regulatory lag. The Polish Internal Security Agency (ABW) raids in Warsaw and Tychy, which seized €48, 500 and $36, 000 in cash, provided the physical evidence of this pipeline. These seizures confirmed that while the funds moved digitally across borders, they materialized as untraceable banknotes for the final payoff.
Estimated Monthly Flow by Channel (Jan-Mar 2024)
*Figures based on aggregated intelligence reports from Czech BIS and Belgian Federal Prosecutors.
This financial infrastructure was not a method of payment a strategic asset. It allowed the Kremlin to bypass the cumbersome and monitored banking channels that had been tightened following the 2022 invasion of Ukraine. By shifting to a decentralized, crypto- model, the Voice of Europe network demonstrated a sophisticated understanding of the West’s financial blind spots, privatizing the method of political bribery.
The ‘Patriots for Europe’ Realignment
The political architecture of the European Parliament shifted fundamentally on June 30, 2024, when Hungarian Prime Minister Viktor Orbán, alongside former Czech Prime Minister Andrej Babiš and Austrian Freedom Party leader Herbert Kickl, announced the formation of the ‘Patriots for Europe’ (PfE) alliance in Vienna. This initiative, formalized on July 8, 2024, rapidly consolidated scattered nationalist forces into the third-largest group in the legislature, commanding 84 seats from 12 member states at its inception. The realignment absorbed the defunct ‘Identity and Democracy’ group and attracted defectors from other factions, creating a bloc that systematically opposed Brussels’ consensus on foreign policy.
Jordan Bardella, the 28-year-old president of France’s National Rally (RN), assumed the presidency of the group, signaling a strategic pivot from fringe protest to institutional power. While the group’s manifesto emphasized sovereignty and border control, its parliamentary behavior revealed a distinct synchronization with Russian strategic interests. By late 2024, data analysis of roll-call votes demonstrated that PfE members acted as the primary legislative obstacle to Ukraine-related aid packages and sanctions enforcement.
The bloc’s voting record on serious security resolutions established a clear pattern of obstruction. On September 19, 2024, during a pivotal vote on “Continued financial and military support to Ukraine,” the group delivered 47 votes against the measure and 17 abstentions, with zero votes in favor. This bloc voting shattered the parliament’s previous near-unanimity on defense matters. The trend intensified in November 2024, when the group unanimously opposed or abstained on a resolution reinforcing EU support for Kyiv against Russian aggression.
| Date | Resolution Title | PfE Votes For | PfE Votes Against | PfE Abstentions | Outcome |
|---|---|---|---|---|---|
| Sep 19, 2024 | Continued financial and military support to Ukraine | 0 | 47 | 17 | Passed (diluted margin) |
| Nov 28, 2024 | Reinforcing EU support against Russian aggression | 0 | 51 | 17 | Passed (PfE ) |
| Jan 15, 2025 | Emergency Energy Infrastructure Protection Act | 4 | 62 | 12 | Passed |
The group’s composition explained this geopolitical orientation. The French National Rally provided the largest delegation with 30 MEPs, followed by Orbán’s Fidesz with 10 seats and Matteo Salvini’s League with 8. These parties maintained documented historical or financial ties to Moscow. Fidesz had long obstructed EU sanctions from within the European Council, while the League’s leadership faced scrutiny for past contacts with Kremlin intermediaries. By aggregating these forces under a single whip, the Patriots for Europe transformed individual national obstructions into a coordinated European veto player.
Mainstream pro-European groups, including the European People’s Party (EPP) and the Socialists and Democrats (S&D), attempted to impose a cordon sanitaire, a firewall designed to block PfE members from committee chairmanships and vice-presidencies. In July 2024, the parliament denied the group any senior committee posts, even with their numerical strength. Yet this isolation proved porous. By 2025, PfE lawmakers used procedural delays and amendment filings to slow the legislative, particularly on files related to defense procurement and energy independence.
Intelligence reports by EUobserver in November 2025 indicated that the group’s messaging points frequently mirrored Kremlin press releases within 48 hours. The “peace” narrative promoted by Bardella and Orbán argued that European sanctions caused more economic damage to EU citizens than to the Russian war machine. This argument resonated in member states with inflation, allowing the bloc to frame pro-Russian obstructionism as economic pragmatism. By early 2026, the Patriots for Europe had successfully normalized opposition to Ukraine aid, converting what was once a taboo position into a standard element of parliamentary debate.
The 2026 State Election Warning
Looking ahead, the German BfV has issued a ‘Code Red’ warning for the March 2026 state elections. Intelligence indicates that Russian actors are preparing a new wave of hyper-localized disinformation campaigns, targeting specific municipal problem to fragment the political further. On December 8, 2025, BfV Vice President Sinan Selen publicly classified the threat level for the upcoming Baden-Württemberg and Rhineland-Palatinate polls as “existential,” citing a strategic pivot by Kremlin-backed operatives from broad national narratives to granular, community-level destabilization.
This shift represents a tactical evolution in hybrid warfare. Unlike the 2025 federal election, where attacks focused on Chancellor candidates, the 2026 strategy employs the “Doppelgänger” network to fabricate controversies around local zoning laws, wind farm construction, and refugee housing in specific swing districts. Intelligence reports confirm that the Russian-controlled “Social Design Agency” (SDA) has allocated significant resources to this hyper-local method. The objective is to bypass national media filters by flooding neighborhood Telegram channels and local Facebook groups with AI-generated grievances that appear organically sourced from concerned residents.
| State | Election Date | Primary Threat Vector | Targeted Local problem | Risk Classification |
|---|---|---|---|---|
| Baden-Württemberg | March 8, 2026 | Deepfake Audio / WhatsApp Chains | Automotive Industry Layoffs, Green Energy Mandates | serious (Code Red) |
| Rhineland-Palatinate | March 22, 2026 | “Doppelgänger” News Clones | Flood Relief Mismanagement, Migration Centers | High |
| Saxony-Anhalt | September 6, 2026 | Storm-1516 Bot Networks | Cost of Living, Anti-NATO Narratives | Severe |
The infrastructure supporting these operations is vast. Forensic analysis by the German Foreign Office in late 2025 identified a dormant network of over 50, 000 inauthentic X (formerly Twitter) accounts prepared for activation 72 hours before the polls open. These accounts are linked to the “Storm-1516” psychological operation unit, which previously tested its capabilities during the February 2025 federal election. In that contest, the group successfully circulated a deepfake video of CDU leader Friedrich Merz purportedly admitting to clinical mental health struggles, a fabrication that reached 4. 2 million views before being debunked. For 2026, the BfV warns that similar tactics be deployed against state-level ministers, with a focus on corruption allegations that are harder for local officials to refute quickly.
Financial tracking reveals the of this investment. Intelligence shared by the Czech Security Information Service (BIS) estimates that the Kremlin’s budget for German-focused disinformation in the 2025-2026 pattern exceeds €2 billion. of these funds flows into the “Social Design Agency,” which operates round-the-clock “troll farms” tasked with producing memes and fake news articles. Between March 2023 and May 2025 alone, the Doppelgänger campaign published over 12, 970 German-language articles mimicking reputable outlets like Der Spiegel and Bild. These clones are being retooled to simulate local newspapers, such as the Stuttgarter Zeitung, to lend credibility to fabricated stories about municipal collapse.
The BfV’s “Code Red” designation also triggers protective measures for election infrastructure. Following the August 2024 cyberattack on German Air Safety by the GRU-linked group APT28, federal authorities have deployed rapid-response cyber teams to Stuttgart and Mainz. These units are tasked with securing the digital backbones of the state returning officers. The concern is not influence direct sabotage; intelligence suggests that Russian hackers may attempt to paralyze the vote-counting software in key districts to delay results and create a window for “stop the steal” narratives to take root. As voters in Baden-Württemberg head to the polls on March 8, the integrity of the democratic process faces its most sophisticated technical challenge to date.
Conclusion: The Era of Permanent Interference
The events spanning 2024 to 2026 confirm that foreign interference has metastasized from a seasonal electoral nuisance into a chronic condition of European governance. The ‘Voice of Europe’ scandal was not an breach; it served as a proof of concept for a model of hybrid warfare that combines digital subversion with physical sabotage. By 2025, the distinction between peace and conflict had dissolved into a “grey zone” where democratic institutions are under constant, asymmetric siege.
Data from the International Institute for Strategic Studies (IISS) indicates a 246% increase in Russian sabotage operations against European serious infrastructure between 2023 and 2024. This escalation marks a strategic pivot: adversaries no longer rely solely on disinformation to sow discord actively target the physical and digital backbones of the Union. The “Doppelgänger” and “Storm-1516” campaigns, which utilized artificial intelligence to clone reputable media sites and fabricate government statements, demonstrated that the barrier to entry for mass- manipulation has collapsed. In late 2024, the annulment of the Romanian presidential election following a viral, bot-driven campaign on TikTok provided the concrete example of a European state forcing a democratic reset due to external digital interference.
| Metric | 2023 Baseline | 2025 Status | Trend |
|---|---|---|---|
| serious Infrastructure Sabotage | 13 documented incidents | 44+ documented incidents | +238% |
| AI-Driven Disinformation | Experimental / Niche | Industrial (e. g., Storm-1516) | Widespread |
| Electoral Disruption | Narrative contestation | Process annulment (Romania) | serious |
| Drone Incursions | Sporadic | Systematic (Baltic/Nordic airspace) | Daily |
The European Union’s response, while bureaucratically strong, remains structurally reactive. The “Democracy Shield” initiative, fully operationalized in late 2025, focuses on detection and resilience, essentially building better armor against sharper arrows. yet, the threat has already shifted. Intelligence reports from late 2025 reveal that Russian and Chinese operations have moved beyond simple narrative disruption to “cognitive warfare,” aiming to permanently degrade public trust in the concept of objective truth. The use of generative AI to create “deepfake” scandals involving German and French leadership in 2025 showed that verification tools lag dangerously behind fabrication technologies.
The defense of European democracy requires acknowledging that the battlefield has no borders and the campaign has no end date. The ‘Voice of Europe’ network exposed the vulnerability of human assets within the Parliament, while the subsequent wave of cyber-kinetic attacks exposed the fragility of the Union’s infrastructure. As Europe moves forward, the metric of success is no longer the absence of interference, the ability of democratic institutions to function, legislate, and govern even with the constant friction of foreign hostility.
**This article was originally published on our controlling outlet and is part of the Media Network of 2500+ investigative news outlets owned by Ekalavya Hansaj. It is shared here as part of our content syndication agreement.” The full list of all our brands can be checked here. You may be interested in reading further original investigations here.
Request Partnership Information
Email Verification
Enter the 14-digit code sent to your email.
Dispur Today
Part of the global news network of investigative outlets owned by global media baron Ekalavya Hansaj.
Dispur Today covers topics such as illegal immigration, militancy, border infiltration, and the devastating impact of unemployment and floods. Our investigative reporting delves into the complexities of citizenship issues, the opium trade, and the persistent challenges of poverty and migration. We also shine a light on the lack of proper education facilities, the scourge of forced labor, and the ongoing struggles with insurgency.