A large-scale Russian influence operation has leveraged hundreds of hijacked user accounts on the social platform Bluesky to spread pro-Kremlin propaganda aimed at eroding international support for Ukraine, cybersecurity and disinformation researchers have confirmed. What makes this campaign unusual is its departure from the standard playbook of using fraudulent fake accounts; instead, operatives weaponized the existing verified identities of real, often influential users to push anti-Ukraine messaging, marking a concerning new evolution in Kremlin-aligned disinformation tactics.
Researchers from Clemson University have tied the operation to Social Design Agency (SDA), a Moscow-based firm already sanctioned by Western governments for coordinated information warfare. The campaign specifically targeted high-profile users including working journalists, academics, and documentary filmmakers, with many of those affected being prominent figures based in the United States.
Multiple affected users have publicly confirmed the unauthorized activity on their accounts. Alex Ward, a reporter for *The Wall Street Journal*, reported on Bluesky that unknown actors had gained access to his profile and posted an unapproved story framing France and Ukraine in a negative light. Ward later confirmed he had reclaimed control of his account and the problematic post had been removed. Ward was not the only *Wall Street Journal* reporter affected: a database of compromised accounts compiled by an independent internet monitor tracking Russian influence operations, which was shared with AFP by a Clemson researcher, includes at least one other staff member from the outlet. Other confirmed targets include Jake Tucker, editorial director of the PC Gaming Show, who reported his account was compromised, temporarily banned, and eventually recovered; independent filmmaker Mary Beth McAndrews; and academic Ben Gilbert.
Darren Linvill, a disinformation researcher at Clemson University who tracks Kremlin-aligned operations, told AFP that while malicious actors have used stolen or hacked accounts for disinformation for years, this operation stands out for its level of targeting and unprecedented scale for Russian operatives. “I’ve personally never seen Russia use hacked accounts at this scale before,” Linvill said. While the exact total number of compromised accounts remains unclear, as Bluesky has already removed many propaganda posts and suspended affected accounts pending recovery by their owners, Linvill confirmed he has personally tracked at least a couple of hundred hacked accounts linked to the campaign, and noted the true figure is almost certainly higher.
Bluesky’s safety team has released official details about the operation, confirming that the platform’s core infrastructure was not breached. Instead, individual accounts were compromised using login credentials that had already been leaked in third-party data breaches from other services. The team noted that most of the affected accounts were older, inactive profiles, though a number of regularly active accounts were also caught up in the compromise. The platform added that it has already removed 4,907 accounts tied to state-backed influence operations so far in 2025, roughly twice the number removed in the whole of 2024. This campaign marks the first time state-backed influence operatives have attempted this tactic of compromising real accounts on Bluesky, the team confirmed.
Clemson researchers link SDA’s operation to a long-running Kremlin disinformation campaign codenamed Matryoshka, after the Russian nested doll, which is well-known among disinformation experts for its impersonation-based tactics. Joseph Bodnar, senior research manager at the Institute for Strategic Dialogue, explained that Matryoshka has a track record of stealing official branding from established media outlets, government agencies, and private companies, and using artificial intelligence to clone the voices of public figures including celebrities, law enforcement officials, academics, and journalists to spread false messaging. “Hacking into accounts to post content using someone else’s identity is a logical next step for an operation that appears to have a lot of resources and no ethical constraints,” Bodnar added.
The SDA is already a known target of Western sanctions: the United States, European Union, and United Kingdom have all imposed punitive measures on the firm for its repeated information warfare campaigns targeting democratic institutions. Earlier this month, the UK’s Foreign Office imposed new sanctions on 49 individuals employed by SDA, including writers, translators, and video producers responsible for creating and distributing deceptive pro-Kremlin propaganda. “The SDA has been tasked and funded by the Kremlin to deliver a series of interference operations designed to undermine democracy and weaken support for Ukraine,” the UK Foreign Office said in its official statement.
Despite the tactical sophistication of the operation, researchers and platform officials agree that its actual real-world impact has been extremely limited. Bluesky’s safety team confirmed that the average propaganda post from compromised accounts received only around 50 views before it was detected and removed. Bodnar noted that this limited reach aligns with the broader goals of Matryoshka, which prioritizes shaping public perception of conflict rather than actually persuading large online audiences. “Sophistication isn’t impact,” Bodnar said. “Matryoshka’s impact is driven more by public perception than by its ability to persuade audiences online. It’s a perception hack.”