Our security teams continue to focus on finding and removing deceptive campaigns around the world — whether they are foreign or domestic.
Over the past five years, we’ve shared our findings about coordinated inauthentic behavior (CIB) and other threats we detect and remove from our platforms. Today, as part of our regular adversarial threat reports, we’re publishing information about three networks we took down during the last quarter to make it easier for people to see the progress we’re making in one place. We have shared information about our findings with industry partners, researchers and policymakers.
Here are the key insights in today’s Adversarial Threat Report:
1. United States: We removed 39 Facebook accounts, 16 Pages, two Groups and 26 accounts on Instagram for violating our policy against coordinated inauthentic behavior. This network originated in the United States and focused on a number of countries including Afghanistan, Algeria, Iran, Iraq, Kazakhstan, Kyrgyzstan, Russia, Somalia, Syria, Tajikistan, Uzbekistan and Yemen. The operation ran across many internet services, including Twitter, YouTube, Telegram, VKontakte and Odnoklassniki. It included several clusters of fake accounts on our platforms, some of which were detected and disabled by our automated systems prior to our investigation. The majority of this operation’s posts had little to no engagement from authentic communities.
We found this activity as part of our internal investigation into suspected coordinated inauthentic behavior in the region. We’ve shared information about this network with independent researchers at Graphika and the Stanford Internet Observatory, who published their findings about this network’s activity across the internet on August 24, 2022. Although the people behind this operation attempted to conceal their identities and coordination, our investigation found links to individuals associated with the US military.
2. China (originally reported on September 27, 2022): We took down 81 Facebook accounts, eight Pages, one Group and two accounts on Instagram for violating our policy against CIB. This network originated in China and targeted the United States, the Czech Republic and, to a lesser extent, Chinese- and French-speaking audiences around the world. It operated across many internet services, including Facebook, Instagram, Twitter and two Czech petition platforms.
Each cluster of accounts posted content during working hours in China rather than when their target audiences would typically be awake. Only a few people engaged with it and some of those who did called it out as fake. Our automated systems took down a number of accounts and Pages for various community standards violations, including impersonation and inauthenticity. We found this activity as part of our internal investigation into suspected coordinated inauthentic behavior in the region.
3. Russia (originally reported on September 27, 2022): We took down 1,633 accounts, 703 Pages, one Group and 29 accounts on Instagram for violating our policy against CIB. This network originated in Russia and targeted primarily Germany, and also France, Italy, Ukraine and the United Kingdom. The operation centered around a large network of websites carefully impersonating legitimate news organizations in Europe. There, they would post original articles that criticized Ukraine, praised Russia and argued that Western sanctions on Russia would backfire. They would then promote these articles, memes and YouTube videos on Facebook, Instagram, Telegram, Twitter, the petition websites Change[.]org and Avaaz, and LiveJournal.
We began our investigation after reviewing public reporting into a portion of this activity by investigative journalists in Germany. The researchers at the Digital Forensic Research Lab also provided insights into a part of this network, and we’ve shared our findings with them to enable further research into the broader operation. Throughout our investigation and after our initial reporting, as we blocked this operation’s domains, they set up hundreds of new websites, suggesting persistence and continuous investment in this activity. We’ve continued to update our original takedown report with these domains to help inform open source security research.
We know that influence operations will keep evolving in response to our enforcement, and new deceptive behaviors will emerge. We will continue to refine our enforcement and share our findings publicly. We are making progress rooting out this abuse, but as we’ve said before — it’s an ongoing effort and we’re committed to continually improving to stay ahead.
See the full Adversarial Threat Report for more information.