Welcome to Memetic Warfare.
Before we begin with the main topic of this report, check out a comprehensive look at foreign interference in the US elections published at the FDD by yours truly, Max Lesser and Mason Krusch.
This long-form post is dedicated to what else but Romania.
I’m not one to usually comment on Romanian affairs, considering that my awareness of Romania as a polity exists mainly through the prism of Resident Evil Village. Reality had its way though, and here we are.
I held off on commenting or writing a post early on as the affair was unfolding (and it arguably still is) because it was unclear how the wind was going to blow. By now though, things have cleared up, and it’s time for some punditry.
For those who are unaware, in short: suspected Russian interference, initially reported on TikTok but later found on other platforms and other vectors, seems to have played a role in catapulting candidate Calin Georgescu from polling around anywhere 1 to a bit less than 10 percent to winning about a quarter of total vote.
Georgescu was a highly niche candidate to say the least, and can only be described as RFK-esque. Initial reporting, including from Romanian intelligence agencies, blamed covert networks on TikTok - coordinated at least partially on Telegram - for pumping Georgescu and leading to his meteoric jump in the polls at the cost of almost 1 million Euros.
TikTok got a TON of flak, and had to put out a pretty lame statement on IO activity in Romania, including 3 networks that it took down recently. The numbers, frankly, are unimpressive.
The interference, as shown by the Romanian government and other reports, led to the landmark decision by the Romanian supreme court to cancel the results of the election and hold a new first round in the coming months.
Since then, other research, including from CheckFirst, found previously unreported clusters of covert operations supporting Georgescu. CheckFirst found activity, funded by up to 224,083 Euros, on Meta platforms, TikTok, domains and Google Ads.
This network centralized around 24 Facebook pages, each with its own corresponding domain:
These pages have been around for a while, and have even been reported on in the past. Additionally, and this is a recurring trend, Moldova is also central to their activity:
The network does network-y things also, such as using the same style/ad copy in its ads:
The network’s domains are also easily clusterable based on a few characteristics, including the use of a shared Google AdSense ID as well as a shared SPF record - good catch from CheckFirst there.
Many of the domains also shared the same host:
CheckFirst attributed this to a digital media firm, read more about it in their report:
In terms of TikTok activity, there was more than just networks of inauthentic accounts. Politico reported that leading Romanian TikTok influencers received large sums of money from Russia-connected figures to promote Georgescu:
The numbers speak for themselves. Interestingly, some influencers chose to play dumb and admit to amplifying Georgescu, but saying they didn’t know whom they were promoting:
Many of these influencers answered an ad placed for Romanian influencers on an influencer marketing platform named “FameUp”, as per Le Monde. Another Polish digital marketing firm, which also according to Le Monde is a shell company, contacted other Romanian influencers directly via email, offering them 1,000 Euros to publish a specific video.
Due to the Romanian government inquiry, some of these influencers have fled Romania as they apparently may have committed some “light” financial malfeasance.
There’s other evidence of financial misconduct here, check out Thomas Rid’s Bluesky thread where he links to some of the more interesting developments, including:
7 million USD in crypto found in the ownership of Georgescu’s campaign finance guy
Criminal gangs campaigning for Georgescu
Translated copies of the Romanian government intelligence reports
So, let’s sum it up: a multifront, presumably (but not technically 100 percent attributed/confirmed yet) Russian operation was able to, probably, actually impact the results of the Romanian election for let’s say 1 million Euros +-.
What happened was a tactical Russian victory.
I lean more to the skeptic side when it comes to the overall impact of IO and its ability to truly drive real change, but it seems to have actually happened in this case - suspected Russian interference seems to have tangibly impacted the results of a Western election. This says some not great things about the broader state of affairs of Romania as well.
This is impactful and a victory for Russia in the short term, no matter what happens. The best case scenario for Russia would have been getting their guy as president, but the worst case scenario of undermining Romania so thoroughly by having them cancel their elections is also a solid runner up prize and worth a million Euros.
However, this could be a strategic victory for the democratic West if handled correctly. Romania, for better or for worse, is not the lynchpin of Europe and the democratic world. It’s also a comparatively small country, with less than 20 million residents.
It’s also important to state that precedent is being set here not just in the cancellation of elections due to foreign interference, but due to specific claims levied against Georgescu’s party and the influence actors themselves.
Georgescu reported having 0 lei of campaign ad spending, when in reality these networks spent hundreds of thousands of Euros on ads promoting Georgescu, and his finance manager seems to have been involved with payments to influencers as mentioned above. Election interference is tricky and hard to prove, but illicit financing has a lower threshold.
Additionally, having such an extreme response play out in a smaller country first as a testing ground for responses by the EU is easier for everyone than had it say happened in Germany or France, and that may make it easier for everyone involved to stomach the first case of a country cancelling elections due to interference.
If the EU rises to the challenge and stands by Romania’s decision while also engaging in appropriate countermeasures, it could still be a W for the West. The EU issued its first counter hybrid warfare sanctions this week against Russian actors, so perhaps they’ll finally get around to actually doing something significant when it comes to counter-IO activity.
That’s not where this week’s post end when it comes to Romanian-adjacent affairs, however!
The Moldovan government published its report on Russian election interference. The report was published in Romanian, so just throw the full PDF into Deepl.com and it’ll translate it for you.
For those of you who don’t follow Moldovan affairs closely, Moldova recently held a referendum on adding a section to the Moldovan constitution about a desire to begin the accession process to the EU. The vote passed with 50.46 percent of Moldovans saying yes to the dress.
In contrast to the Romanian report, which admittedly was prepared in a much shorter timeframe, the Moldovan report goes very much in-depth and is worth reading in its entirety. Having said that, let’s review the highlights.
The introduction gets right to the point: Russia has been interfering in Moldovan internal affairs since 2022, including via an organized criminal group and Ilan Shor:
Russian activity was multivector:
Here’s where it gets specific. The report states that in early 2024, Russia set up a command center, coordinated by Ilan Shor, including a well-funded, hierarchal team based in Moscow and Chisinau.
The operation was large, with 119 territorial “cells”, reaching a core of 33,000 activists and 84,000 supporters. This outfit, called the “Victory Bloc”, also set up call centers to maintain ties and lines of communications with activists. A Telegram bot was critical here for registration and coordination:
The next step, in April of 2024, was the setup of the “Eurasia” NGO in Russia. Ilan Shor was a member of Eurasia’s council, or I guess what would be a board in other countries.
Eurasia carried out a ton of “soft power” activity targeting Moldovans, including serving as a vehicle for illicit political funding. This included paying for the visits of Moldovans affiliated with the Victory Bloc to Moscow, training for them, and even camps in Russia for Moldovan youth.
Eurasia also tried to coopt church officials:
It gets even more interesting. Eurasia also trained 115 young Moldovans in Moscow on how to organize protest actions effectively. Some of these youth later carried out “destabilizing measures” in Moldova.
Some of these participants later received more “advanced” training in Bosnia and Herzegovina for violent, kinetic action. This included drone operation, preparing what I assume is a mistranslated word for incendiary devices, blinding police officers and more:
Moldova names the Russian coordinating Eurasia as Konstantin Goloskokov, an apparently well-known Russian apparatchik.
One of the things that stuck out to me as well was the overlap of some of the training camp participants in apparently other protests and “provocations”, such as the spraying of antisemitic graffiti in France and the Ukrainian flag stunt in Germany:
Other front organizations, including the classic archetype of the Cultural center, were active in electoral fraud and apparently the funny propaganda stunt of giving out forms to apply for the much-vaunted status of “Citizen of the Republic of Moldova in the Russian Federation”.
These brochures offered not insubstantial sums for Moldovans to promote “CIS projects”:
The report also looks at illicit funding in-depth, including apparently the quote-unquote suitcases of cash transmitted by couriers and money mules, as well as payment transfer systems and even grants and employment contracts via Eurasia.
Traditional money laundering methods, including P2P laundering and the use of family members is also big. Transnistria unsurprisingly played a role here as well:
Transnistrian youth are often appealed to for P2P transactions:
Crypto, mainly USDT, also played a role:
The goal of the operation on the whole, including its financial component, was to create a large “critical mass” of Moldovans to attempt to “hijack” the results:
Cyber and other operations were employed as well. Election-related pages were DDoSed, to minor impact.
More importantly, multiple bomb threats were called in to polling stations, including to polling stations abroad in Romania, Germany and the UK. Russia pulled something similar in the US elections.
Perhaps most interestingly re cyber, Russian actors set up a series of domains imitating Moldovan official resources, which were used to then mass-email out disinformation targeting the elections. Readers of the blog may recall that at least some of these domains appeared in a recent Checkpoint report.
Unsurprisingly, the domains were registered anonymously via ProtonVPN, but more interestingly to me, the campaign utilized exposed creds of Russian residents (FR here is a translation issue, it refers to Russian Federation).
Online IO was also big of course, with activity being identified on Telegram, TikTok, Facebook and Vkontakte:
Part of this Facebook activity had been previously reported on by the DFRLab.
Ad spend on Facebook reached over 138,000 Euros as per the report.
Overall, I’m impressed by the Moldovan report and hope that we see similar serious, in-depth and data-rich reporting from government agencies in Europe and beyond in the future.
Let’s conclude with some thoughts. The above cases help drive some key points home regarding successful influence operations:
Multiplatform and multivector (i.e. online/physical/financial) is key, with each serving as a catalyst for the others if done right
Influencers and the cooption of actual people and outlets is already central to the present of the IO space.
Personally, I think that “real” voices will only be more important as generative AI creates more and more content for campaigns that people, I’m willing to bet, won’t like.
Influencers and other methods can be exploited with comparatively little money. A million dollars to significantly impact an election is nothing, making IO/interference a highly practical, asymmetrical method with a low bar for technical acumen in contrast to cyber.
Enforcement is still a problem, and it seems that like with other forms of crime, enforcing violations of financial law and regulations may be easier than actual counter-IO work targeting content.
Infrastructure used for cyber operations can and will be used for influence operations.
Secretive government agencies aren’t necessarily the best-suited to counter IO, as the layers of bureaucracy and secrecy often make it harder for them to act quickly and dynamically identify threats (looking at Romania here in particular re TikTok).
As IO and interference from Russia and other states becomes increasingly bold, the West will have to develop some form of consensus for when and where elections or other key democratic actions become invalid due to interference. There can and should be a very high bar for this, but that bar should exist. Getting something like this out ready at the federal or EU level will make counter-operations much more appealing.
Reactive countermeasures such as factchecking are doomed to be functionally irrelevant when it comes to mitigating medium to large-scale operations.
I have more to say on this even, but it’s getting a bit long in the tooth here.
These are interesting times to live in. Feel free to disagree with me in the comments below.
Thanks for reading, have a happy holiday of your choosing, and be sure to check out Telemetryapp.io.
Excellent write-up! As someone who follows Russian state intelligence operations, I rarely encounter unfamiliar aspects of their activities. Given my Slavic ancestry, I've primarily focused on Russian operations in Eastern Europe, particularly in Ukraine, Poland, and the Baltic states, where Putin demonstrates increased contempt and hostility. Your analysis has shown me the importance of broadening my perspective to examine Russian influence across all of Europe. Thank you for this insight!