The Russian propaganda network known as Doppelgänger is struggling to maintain its operations amid a crackdown on its infrastructure, according to a recent report.

Following the recent disclosure that European hosting companies, knowingly or not, provided services to the Kremlin-linked disinformation campaign, Doppelgänger operators rushed to back up their systems and secure their data, according to findings by the Bavarian State Office for the Protection of the Constitution (BayLfV).

“The actor behind the Doppelgänger campaign would have had to anticipate that this disclosure could result in a termination or shutdown by the provider,” BayLfV said in a report published this week.

The agency, part of the Bavarian state government in Germany, spent several weeks quietly monitoring how Doppelgänger was operating and learned about the work methods and even the working hours of those running the network.

The Russian-language disinformation network has been operating in Europe since at least May 2022. According to BayLfV, it has created hundreds of thousands of fake profiles or identities on social media, dozens of fake websites of leading media outlets, and its own fake news portals to spread disinformation, primarily in Germany, France, the U.S., Ukraine, and Israel.

During the analysis, BayLfV found more evidence confirming Doppelgänger’s link to Russia, including the use of Russian IP addresses and the Cyrillic alphabet in commands and in the naming of campaigns. Additionally, the network’s activities were conducted during office hours in the Moscow and St. Petersburg time zones, while the threat actors took breaks on Russian holidays.

The report by German authorities followed an investigation by digital rights nonprofits Qurium and EU DisinfoLab, which uncovered infrastructure located or registered in at least ten European countries that is used by Doppelgänger.

German nonprofit journalism group Correctiv, which was also involved in the investigation, noted that German authorities were aware of the European infrastructure abuse by Doppelgänger but did not appear to be taking any action at that time.

In the latest report, BayLfV noted that Doppelgänger's recent operational overhaul was likely triggered by Qurium’s report, adding that the threat actor seemed to be acting under “significant time pressure.”