Ahead of Moldova’s 2025 elections, Russia-linked influence operations seek to undermine EU integration, discredit President Sandu, and destabilize democratic processes through coordinated disinformation campaigns and hybrid tactics.

Executive Summary

Ahead of Moldova’s September 28, 2025, parliamentary elections, Insikt Group is observing multiple active Russia-linked influence operations (IOs) seeking to destabilize the elections and derail Moldova's European Union (EU) accession. As of this writing, the IOs analyzed in this report are unlikely to have achieved any substantial successes in shaping public opinion or guiding discourse around the upcoming elections.

The Russian IOs and corresponding networks analyzed in this report — Operation Overload, Operation Undercut, Foundation to Battle Injustice, Portal Kombat, and other Russian influence assets — are consistently projecting an unfavorable view of Moldovan President Maia Sandu and the ruling Party of Action and Solidarity (PAS) to almost certainly manipulate international and domestic public perceptions by framing Moldova’s sitting leadership as corrupt and counter to Moldova’s interests. Additionally, these operations are portraying Moldova’s further integration with the EU as disastrous for its economic future and sovereignty, and Moldova as a whole as at odds with European standards and values. Further, the content being amplified by these IOs suggests that Moldova is politically and economically more closely aligned with Russia than with the EU, and that a closer relationship with the Kremlin is a more favorable alternative.

Since at least April 2025, Operation Overload (Matryoshka, Storm-1679) has almost certainly engaged in a vilification campaign against President Sandu, while also projecting Moldova as incompatible with the rest of Europe. Likewise, the Foundation to Battle Injustice has also published multiple inauthentic investigations with the key goal of damaging the credibility of President Sandu and PAS. During this timeframe, a Russia-linked IO we track as Operation Undercut has actively dedicated much of its resources to an anti-Sandu, anti-PAS, anti-European integration effort targeting Moldovan social media users, including activity we attribute to Operation Undercut on TikTok for the first time. This report also highlights recently reported covert Facebook pages associated with Moldovan oligarch Ilan Shor’s “Evrazia” organization, as well as the Shor-linked television network actively attempting to grow influence in the country, Moldova24. Finally, our research examines ongoing activities from Pravda Moldova, a pro-Russian media aggregator hyper-focused on Moldovan political affairs and part of the Portal Kombat ecosystem that was recently identified as engaging in poisoning the output of artificial intelligence chatbots.

As the September 2025 parliamentary elections approach, Insikt Group assesses that Russia-linked IOs, including both the well-documented networks discussed in this report and any newly emerging ones, will very likely scale up in volume. Despite limited evidence that these operations have meaningfully influenced voter behavior, they still pose broader risks to media integrity and public trust. Narratives undermining election security or integrity could reduce voter turnout, while media engagement with inauthentic content — rather than exposing the tactics behind it — may amplify malign messaging. To mitigate these risks, we recommend monitoring the sources identified in this report using the Recorded Future Intelligence Operations Platform to inform public messaging, bolstering election-related cyber defenses, and continuing to proactively expose malign IOs to reduce their potential impact.

Key Findings

• Multiple Russia-linked IOs are actively attempting to destabilize Moldova’s September 2025 parliamentary elections and degrade public confidence in the current pro-Western Moldovan leadership.


• Operation Overload and the Russia-based non-governmental organization (NGO) Foundation to Battle Injustice are almost certainly engaging in separate campaigns to negatively shape international opinion toward Moldova’s European integration aspirations and to decrease public support of Moldovan President Maia Sandu.


• Operation Undercut is very likely attempting to condition Moldovan audiences to expect rigged elections in favor of PAS, exploit pre-existing fears of a conventional war with Russia, and amplify economic concerns for voters.


• IOs associated with Ilan Shor’s Evrazia organization and Moldova24, a very likely Shor-sponsored Russia-state-backed television network, are disseminating anti-Sandu messages targeting Moldovan audiences through social media advertising on Meta.


• The very likely sole function of Pravda Moldova’s website is to serve as a high-volume amplifier and launderer of pro-Kremlin media content to Moldova’s Romanian-speaking population as part of Portal Kombat’s ecosystem.

Background

Moldova’s September 2025 parliamentary elections are expected to decisively influence the country’s long-term future, especially the continued trajectory toward EU integration by its 2030 target date. This strategic direction was affirmed in late 2024, when Moldovan voters narrowly approved a constitutional referendum endorsing EU membership. This referendum coincided with the reelection of incumbent President Sandu, who secured approximately 55% of the vote. However, the 2024 election was subject to substantial attempted Russian interference, including systematic vote-buying, covert financial support for pro-Russian candidates, malign IOs, hybrid disruptions targeting electoral infrastructure, and physical interference via bomb threats aimed at diaspora polling stations. With the 2025 parliamentary elections effectively a “last-chance” to slow or entirely derail Moldova’s EU membership, Russian IOs and potential destabilization activities are likely to escalate.

Covert IOs Seek to Bring Moldova Back into “Russian World”

Insikt Group is actively tracking multiple Russia-linked IOs that target Russian- and Romanian-speaking audiences within Moldova, as well as broader international communities. These operations are almost certainly designed to delegitimize Moldova’s electoral integrity by promoting narratives alleging electoral fraud, inflaming tensions regarding diaspora voting, and discrediting the PAS. Additionally, the operations seek to weaken public support for Moldova's EU integration, exacerbate economic anxieties among Moldovan citizens, and exploit pre-existing ethnic and linguistic divisions.

Collectively, these influence activities very likely align with the Kremlin’s strategic objectives toward Moldova, specifically advancing its post-Soviet reunification doctrine of Russkiy Mir (“Russian World”) and seeking to transform Moldova into a "second Belarus." While initially an effort to promote Russian culture and language abroad, Russkiy Mir has since evolved into an expansionist vision of uniting Russian-speaking populations in former Soviet states regardless of internationally recognized territorial boundaries. As a former Soviet state and as a result of its significant Russian-speaking minority, Moldova remains susceptible to targeted IOs. In recent years, Russian IOs targeting Moldova have included efforts to provoke separatist sentiments in the autonomous region of Transnistria and coordinated attempts ranging from social media influence to bribery tactics to influence the outcome of Moldova’s 2024 presidential elections. Meanwhile, Russia’s attempts at economic coercion, namely through the disruption of gas supplies, sought to pressure Moldova into favorable political concessions, including likely attempts to slow its path toward European integration.

Operation Overload and Foundation to Battle Injustice Vilify Maia Sandu

Russia-linked IO Operation Overload (Matryoshka, Storm-1679) and the Russia-based “Foundation to Battle Injustice” (R-FBI, FBR) are almost certainly engaging in separate campaigns to shape negative opinion among international audiences toward Moldova’s European integration aspirations and to smear the reputation of Moldovan President Maia Sandu. Currently, Insikt Group assesses that both Operation Overload and R-FBI are operating in parallel ahead of the September 2025 parliamentary elections; however, we do not have evidence to suggest that Operation Overload or R-FBI are coordinating their efforts. Further, we have not observed attempts from either network to cross-amplify content.

Operation Overload

Operation Overload is a Russia-linked IO consisting of inauthentic news and fake fact-checking content that impersonates legitimate news sources. First documented by Check First in June 2024, Operation Overload’s primary objective is to overwhelm journalists, researchers, and fact-checking organizations with non-credible leads distributed through persistent, spam-like story verification requests. As evidenced in Bellingcat founder Eliot Higgins’s recent post of Operation Overload-administered email accounts sharing falsified “egregious news” from Moldova to his inbox (Figure 1), journalists, researchers, and fact-checking organizations almost certainly remain a priority target audience for the operation. Insikt Group coverage of the operation ahead of the 2024 United States (US) election assessed that Operation Overload also sought to directly influence the general public, both through the inadvertent laundering of its claims through trusted media organizations that fact-check the operation’s content, and by directly injecting inauthentic media into the mainstream using Telegram and social media.

Narratives

Automated social media accounts engaging in coordinated inauthentic behavior (CIB) are almost certainly promoting Operation Overload content with a substantial emphasis on degrading the public reputation of President Sandu and public perceptions of Moldova with regard to European compatibility and EU integration. Since at least April 2025, inauthentic news and other media content we attribute to Operation Overload have almost certainly sought to damage President Sandu’s reputation. The operation regularly attempts to portray President Sandu as corrupt, featuring videos containing fabricated headlines and falsified investigative research that makes claims such as, “$79 million has been found on the cryptocurrency wallets of Maia Sandu’s aides,” and “Maia Sandu’s alleged mistress has $24 million in assets … that were corruptly obtained by Sandu [per fake Bellingcat research].” A video impersonating German broadcaster Deutsche Welle that Insikt Group documented in April 2025 falsely claimed that Veronica Dragalin, former head of Moldova’s Anti-Corruption Prosecutor’s Office, was preparing to distribute material implicating Sandu to “300 European media outlets.” Other inauthentic media pieces we attribute to Operation Overload sought to drive a wedge between or create the appearance of a growing political rivalry between President Sandu and EU High Representative Kaja Kallas, suggesting that President Sandu was seeking to take Kallas’s position.

Starting July 8, 2025, Insikt Group observed a series of Operation Overload-produced deepfakes impersonating Moldovan government spokesperson Daniel Vodă, which are designed to appear as official government rebuttals of earlier “investigations” that the same network had fabricated. These deepfakes are almost certainly intended to create a closed-loop narrative undermining the Moldovan government while also attempting to lend false credibility to Operation Overload’s initial inauthentic media pieces. These videos, which repurpose authentic press material, add AI-generated audio, and weave in fabricated narratives, are very likely also intended to erode public trust in the Moldovan government ahead of the September 2025 parliamentary elections.

Beyond videos, Operation Overload’s static influence content includes deceptively edited screenshots of social media posts, manipulated headlines of print media, and fabricated graphical imagery, such as photojournalist-documented political graffiti in public spaces. For example:

• One post impersonating the statistics portal Statistica presented a falsified graph depicting President Sandu’s “plummeting approval rating” linked to increased TV appearances between January and April 2025.


• A separate post featured an edited Vogue magazine cover, falsely claiming that President Sandu had the sixth-most expensive presidential wardrobe.


• Another series of images, designed to appear as photojournalist posts for French media, depicted superimposed graffiti in public spaces showing President Sandu beneath a guillotine, in an electric chair, and with her head in a noose, with the date of June 1, 2025, beside each image. While the date appeared arbitrary, it was very likely intended to manufacture public fear by implying the possibility of unrest, a coup, or an assassination attempt against President Sandu.

Beyond character attacks on President Sandu, Operation Overload also attempts to portray Moldova as a central hub of European crime and diametrically opposed to Western values, very likely in an attempt to diminish its appeal to European audiences. For example, Operation Overload’s impersonations of Euronews and Agence France-Presse (AFP), shown in Figures 10–12, suggest that Moldova is “the largest hub for cybercriminals,” is “one of the largest logistics hubs for drug trafficking,” and is “the most homophobic country in Europe.” Similar non-credible storylines impersonating Western media remain ongoing and will very likely persist throughout Moldova’s election period.

Infrastructure

We continue to observe Operation Overload-attributed media often appearing first in Russian Telegram channels, followed by CIB amplification exclusively on one social media platform, and attempted seeding on Bluesky. Mainstream social media promotion included automated resharing, liking, and amplification through “quoted replies” toward target groups (journalists, researchers, and fact-checkers), consistent with Operation Overload’s dissemination techniques throughout 2025. Beginning in late May 2025, we observed the network posting content to TikTok. The network’s social media accounts are often suspended; however, replacements soon take their place, necessitating constant efforts to detect and report new accounts.

Insikt Group considers the overwhelming majority of Operation Overload content promoted within the network to fall in the Brookings Breakout Scale’s Category 2, including nearly all of the content specific to Moldova. There are isolated instances, however, where Operation Overload media impersonations garnered Category 3 consideration, and some have even reached what we would assess as Category 5 (amplification through celebrities and other well-known public figures).

The success Operation Overload achieves in reaching its target audience very likely emanates from the campaign’s secondary exposure from sources that debunk its non-credible stories versus organic reach from the initial posts. The corrective reports inadvertently push the operation’s artefacts out of echo chambers and into mainstream media. Even though the coverage is “hostile” to Operation Overload, this coverage nonetheless constitutes a Category 4, or cross-medium breakout, when analyzed via the Breakout Scale.

Foundation to Battle Injustice (R-FBI)

R-FBI is an ongoing Russia-based IO ostensibly dedicated to exposing alleged human rights violations and injustices committed primarily by Western governments. R-FBI poses as an “independent non-profit organization” in support of addressing “human rights violations”; the organization, however, leverages non-credible, long-form investigative reporting to accuse prominent international opposition leaders, particularly during major election cycles, of serious criminal activities, including terrorism, electoral fraud, human trafficking, and sexual abuse of minors. These reports are then laundered through a network of pro-Russian influencers and websites previously identified as promoting Kremlin propaganda, such as Jamie McIntyre’s Australian National Review (ANR, australiannationalreview[.]com ​), the London Times (londontimes[.]live), and Veterans Today (VT, vtforeignpolicy[.]com).

R-FBI was founded and initially financed in 2021 by deceased Russian oligarch Yevgeny Prigozhin, although management of the organization has since been transferred to Oksana Vovk, known now as Mira Terada. Based on Insikt Group investigations, in addition to public reporting from researchers at Clemson University and VIGINUM, R-FBI is also closely involved with a separately tracked Russian IO we refer to as CopyCop (Storm-1516).

Narratives

Between late May and mid-June 2025, R-FBI published two investigative articles accusing President Sandu of engaging in illicit activities and political corruption schemes (Figures 13 and 14, below). On May 31, 2025, VT republished an R-FBI article claiming President Sandu and “affiliated organizations” were trafficking Ukrainian orphans, “under the pretext of medical treatment and adoption” into the “hands of pedophile networks and sexual slavery” across Europe. A separate article, republished by VT from R-FBI on June 19, 2025, claimed President Sandu and political allies earned “at least $4.5 billion” via large-scale illicit schemes involving “drug trafficking, Ukrainian weapons, and modern slavery.” Both articles were written by Brazilian R-FBI contributor Lucas Leiroz, also tracked as an amplifier of CopyCop content. Leiroz has previously authored numerous articles featured in Russia state-sponsored media outlets, as well as in outlets previously assessed as associated with Russian intelligence, such as InfoBrics (BRICS Portal) and the Strategic Culture Foundation.

On July 1, 2025, R-FBI published a third investigative article on Moldova, claiming President Sandu had signed a “secret decree” dated June 4, 2025, allowing law enforcement to “kill citizens without fear of punishment.” The decree, according to R-FBI, was a deliberate decision to “suppress the expected mass protests in the fall of 2025, caused by the economic crisis and expected accusations of election fraud.” R-FBI provided an alleged copy of the decree (classified as Nr. 224-S-X), which Insikt Group found no record of on the official website of the President of Moldova. R-FBI attempted to mitigate this discrepancy by stating in its article that the document was obtained from anonymous sources in the president’s office. Additional scrutiny of the document image, particularly its off-center header and incorrectly aligned Article 2, leads Insikt Group to assess the document as very likely a forgery intended to damage President Sandu’s credibility and undermine the president’s anti-corruption platform.

Infrastructure

Likely due to the result of social media platforms’ shadowbanning direct links to R-FBI’s website, fondfbr[.]ru, R-FBI is almost certainly using secondary sources through a network of intermediaries and influencers to launder its investigations, namely via VT, but also via websites associated with ANR. Insikt Group also located limited secondary and tertiary amplification through the pro-Kremlin media publication EurAsia Daily (EADaily) and a fringe Swedish publication that sporadically re-publishes R-FBI investigative pieces called “Bakom Kulisserna” (“Behind the Scenes”).

Pro-Kremlin social media personalities who have previously amplified CopyCop content are almost certainly also the leading amplifiers of R-FBI’s anti-Sandu articles, resulting in each claim receiving hundreds of thousands of social media views. In addition to Leiroz, these individuals included Chay Bowes, Raphael Machado, and social media personalities “Johnny Midnight”, “Peacemaker”, and “Sprinter Observer”. The extent of R-FBI article amplification against President Sandu is a Category 3 on the Brookings Breakout Scale, consisting of multiple platforms with multiple breakouts. Similar to Operation Overload, R-FBI has achieved isolated instances of Category 4 amplification, given the numerous prior press coverage of R-FBI and its fabricated investigative pieces.

Operation Undercut Targets Moldovan TikTok Users

In early June 2025, Insikt Group identified a series of TikTok accounts promoting anti-PAS, anti-Sandu content in Romanian, which we currently attribute to Operation Undercut. Over the course of this investigation, we identified an additional network of approximately 70 active social media accounts (as of late June 2025) posting this content in parallel to accounts on TikTok (Appendix A). We note that many of these accounts have since been suspended; however, we continue to identify replacement accounts on a rolling basis.

Operation Undercut is an IO almost certainly conducted by the Russian company Social Design Agency (Агентсво Социального Проектирования, or “SDA”) since at least December 2023. Historically, Operation Undercut has generated very little online engagement and very likely has achieved minimal impact on its target audiences. Previously, Insikt Group observed Operation Undercut primarily using inauthentic social media and 9gag accounts likely operated by humans or simulating human activity, which includes posting during typical Moscow workday hours and halting activity during major Russian holidays.

Narratives

Operation Undercut is very likely attempting to condition domestic Moldovan audiences to expect rigged elections in favor of PAS, stoke fears of a potential conventional war with Russia, and provoke economic concerns by magnifying priority economic issues for voters, such as inflation, agricultural collapse, and child-welfare costs. This network of Operation Undercut accounts consistently publishes content that is generally negative toward the PAS and President Sandu. Themes include framing Moldova’s EU aspirations as economically ruinous, amplifying likely non-credible claims of alleged Moldovan political corruption, and predicting a future socio-political collapse should Moldova continue its current trajectory.

Infrastructure

Insikt Group identified at least four Operation Undercut TikTok accounts attempting to impersonate Moldovan citizens or Romanian-speaking individuals in Eastern Europe. One account, “Bella Popescu”, claimed to be a photographer and film editor. The second account, “dorinrobu5”, dedicated its account to “news,” “reviews,” and “relevant, fresh information.” The third account, “Gergely Dezir”, described itself as an account dedicated to “peace and politics.” A fourth account we assess as likely part of the network, “moldova457u”, began posting similar Operation Undercut-style AI-generated videos in late June 2025. Each of the TikTok videos we observed stated in their descriptions that the videos were constructed using CapCut, a video editing software popular with video creators and social media influencers. This network is also very likely using VEED’s “Gen-AI studio” avatars, “Aisha”, “Elena”, and “Marcus”, to periodically narrate and lend credibility to Operation Undercut content.

Each of the clips posted to TikTok contains hashtags very likely chosen to garner potential viewers interested in Moldova and Moldovan politics (#stirimoldova, #moldovaștiri, #UE), as well as generalized hashtags used to reach a broader audience, such as #TikTokNews, #Trump2020, and #gaza. The posts’ associated captions, however, reflect an anti-EU perspective and are consistent with pro-Russian messaging targeting domestic audiences that seeks to erode trust in Western institutions and sow disillusionment with European alignment.

Compared to the curated TikTok accounts, the secondary network of social media accounts we identified on mainstream social media contained usernames incorporating Indian, Bangladeshi, and Sanskrit names and posted content in Romanian. Several of these accounts also held verified badges, indicating that their administrators had paid for premium features on the social media platform. After these accounts were suspended by the platform, replacement accounts with Western names, still posting in Romanian, took their place in late June 2025. Based on rolling platform suspensions and the emergence of new accounts, Insikt Group assesses that the administrators of Operation Undercut will likely continue attempting to establish a persistent presence on social media.

Although these accounts did not have a notable following, we observed the network persistently attempting to engage in hashtag hijacking to increase the visibility of its posts to wider audiences. To do so, Operation Undercut almost certainly continues to engage in localized hashtag use to identify and hijack trending hashtags among Romanian-speaking audiences in Moldova, very likely using commercial off-the-shelf social media monitoring tools. While the accounts do regularly achieve more than 100 views per post, we have not observed any meaningful engagement with broader audiences. However, viewership statistics of Operation Undercut activity on TikTok specifically indicate that the posts regularly receive thousands of views each; one post from Bella Popescu calling on President Sandu to resign garnered more than 113,000 views.

Although the operation continues to fail in its attempts to significantly impact public opinion, it likely has improved its online engagement since our prior investigation through its expanded social media use on TikTok. Operation Undercut activities are currently a Category 2 on the Brookings Breakout Scale, consisting of a multiplatform operation with no recorded breakout beyond the network.

Facebook Pages Linked to Ilan Shor and “Evrazia”

In May 2025, Moldova-based think tank WatchDog.MD published a report highlighting 146

anonymous Facebook Pages it determined to be affiliated with fugitive Moldovan oligarch Ilan Shor, and used to promote pro-Shor political advertisements, in addition to another 315 “stand-by” pages. In all, WatchDog.MD identified this network as part of a larger network consisting of 2,167 auto-generated Facebook pages created to “influence political processes in the Republic of Moldova and other European states.” Many of these pages have randomly generated names, incorporating photos later found to have been stolen from Eastern European dating websites. WatchDog.MD attributed this activity to Russia-based actors.

Narratives

WatchDog.MD’s preliminary investigation determined that networks of anonymously operated Facebook pages running commercial advertisements and likely connected to Shor presented themselves as media or news pages with patriotic names similar to other Moldova-related pages Meta disclosed in October 2024, such as “Authentic Moldova”, “Today’s Chișinău”, “Гагаузия вперед” (“Gagauzia Forward”), “Moldova вперед” (“Moldova Forward”), “My Dream Moldova”, “Orhei Today”, and others. Posts and paid ads praise Ilan Shor and Shor-managed organizations, such as “A New Life”, the “National Salvation Committee”, and the “Movement for the People”, while labelling PAS as corrupt or incompetent. WatchDog.MD indicated that between October 2022 and November 2024, Shor spent nearly 470,000 euros across over 1,400 Facebook advertisements, cautioning that the “actual amount may be even higher.”

Infrastructure

Automated infrastructure very likely powers the entirety of the miscellaneous pro-Shor Facebook Pages. WatchDog.MD traced 2,167 Facebook pages built from randomly concatenated keyword strings (“Gourmet Gurus Crafty Creations Motivational Moments”, “Travel Junkies Business Builders Neighborhood News”, or “WealthWave Innovations”), with dozens of clones sharing the exact same title. Profile photos are likely misappropriated from Eastern European dating and “cam sites,” and the same images frequently resurface across multiple page aliases. Early iterations of the network were openly administered from the Philippines, Vietnam, Timor-Leste, and the United Arab Emirates (UAE), with ads paid in USD or Polish zloty, indicators which WatchDog.MD used to attribute the network as operating outside Moldovan jurisdiction.

Insikt Group’s independent review found that in mid-May 2025, the majority of these Facebook Pages remained dormant, with little information from which to discern plans of potential future activity or planned purposes. We did find, however, that several of the previously mentioned WealthWave Innovations-named pages were advertising a “Discover Russia 2025” program, facilitated by the Shor-backed Russian NGO “Evrazia.” In October 2024, the Organized Crime and Corruption Reporting Project (OCCRP) concluded that Evrazia was bribing Moldovan citizens to vote against the EU referendum. In all, OCCRP stated that $15 million USD in illegally transferred funds from Evrazia was used to attempt to bribe 130,000 voters to vote against the referendum, organized through Telegram. Shor reportedly argued he was engaging in legal activity, stating he was paying Moldovans “salaries” in return for their work in “explaining to people the advantages of the Eurasian economic space.”

Russian State Media Provides Infrastructure Support to Pro-Kremlin Moldova24

Since February 2025, Insikt Group has tracked the growth of Moldova24 (MD24), a Russia-based and likely Kremlin-backed television network geared toward Russian-speaking individuals living in Moldova. MD24’s Russian connections and attempts to reshape opinion in Moldova were first detailed during the October 2024 election cycle when the Security and Intelligence Service of Moldova (SIS) ordered national internet service providers (ISPs) to block two of MD24’s primary news domains, moldova24[.]online and pwa[.]moldova24[.]online. Moldovan authorities later also blocked Telegram accounts belonging to Russian oligarch Shor, which included Telegram accounts associated with MD24.

Narratives

MD24 launched in September 2024 with the almost certain aim of influencing Moldovan public opinion among Russian speakers favorably toward pro-Russian policies and a closer diplomatic relationship with Moscow. MD24 news articles and its 24/7 broadcast platform, which are hosted on its core website, moldova-24[.]online, frequently criticize Western policies, highlight Moldova’s economic difficulties, and question the West's motives in deepening its ties with Moldova. MD24 news coverage often includes biased reporting, emotional language, and selective coverage, and very likely seeks to promote skepticism toward Western institutions, particularly the EU and the US.

An emerging theme emanating from MD24, consistent with shared narratives from pro-Kremlin sources, is to undermine public confidence in Moldova's electoral process and the credibility of PAS specifically. MD24 has published multiple articles promoting skepticism, distrust, and suspicion regarding Moldova’s voting procedures with the diaspora vote, which accounted for one-fifth of the total vote during the October 2024 election and leans heavily toward Sandu. MD24 has amplified allegations of intended or planned electoral fraud among diaspora voters, asserting a deliberate PAS strategy to artificially inflate votes from abroad. Simultaneously, MD24 claimed PAS was intentionally discriminating against or otherwise suppressing pro-Russia Moldovan voters, specifically those residing in Russia and Transnistria. Domestically, MD24 published articles suggesting PAS was intimidating opposition figures and, with help from the EU, sought to bribe the electorate in order to win votes.

Infrastructure and State-Sponsored Support

Insikt Group assesses that Russia's state-sponsored media outlet RT has very likely supported the development of MD24 through covert means. This includes actively hosting its website and website mirrors through IP space that is not currently directly associated with RT or its parent organization, RIA Novosti, but is the same IP space that hosted RT content dating back more than five years, in addition to content created by RT personnel. Furthermore, it is likely that RT personnel supported the launch of MD24 and its ongoing operations through physical means, such as providing suitable studio space in Moscow, equipment, and possibly guidance on broadcast operations. MD24 is also likely under RT’s editorial influence, using minimal direct citations between the organizations to maintain a veneer of independence despite clear ties to shared infrastructure.

In February 2025, Insikt Group provided Recorded Future customers with a Threat Actor Profile of MD24 and its connections to Russian state media infrastructure, several months ahead of findings published by other research groups. Independent public reporting from the Atlantic Council’s DFRLab in June 2025 corroborates our initial findings of MD24 as largely supported by the Russian government and pro-Kremlin actors. According to Insikt Group’s investigation, MD24 was available in more than a dozen domains initially hosted at the Russia-based IP address 91[.]218[.]228[.]51, owned by AS210079, which is operated by Eurobyte LLC. This has since been updated to a different Eurobyte-owned IP address, 95[.]181[.]226[.]185, as of July 2025.

Table 1: MD24-associated domains (Source: Recorded Future)

RT is very likely to have covertly supported the administration of these domains, based on historical registration data indicating shared infrastructure between MD24 and RT-affiliated websites. Most of these domains do not rely on RT’s or typical affiliated DNS infrastructure (nsX[.]rttv[.]ru, nsX[.]sputniknews[.]ru, nsX[.]rian[.]ru), nor do they display registration details linked to ANO TV-Novosti or Rossiya Segodnya, which are typically associated with RT and its affiliates. Some of these websites include:

• poiskblizkih[.]com (an RT database to reconnect Donbas families impacted by Russia’s war against Ukraine)


• putinspeaks-rt[.]com


• RTdoc[.]tv (a website for RT Documentary content launched in early June 2024, very likely to coincide with the 2024 International Documentary Film Festival)


• ktech[.]team — notably, ktech[.]team belongs to KTEX, an organization that advertises various IT solutions, and its Taxpayer Personal Identification Number (INN), 9710109376, is registered to Sergei Kukota, director of RT Balkan

Beyond its network of websites, MD24 also maintains YouTube and TikTok accounts used to share its various news segments.

In addition to the above, Insikt Group identified both active Facebook and Instagram accounts affiliated with MD24 that ran more than 210 Meta advertisements combined between mid- and late June 2025 (According to the Ad Library, this number is approximately 440 total advertisements as of August 2025). Based on available data of more than 300 advertisements, Insikt Group can estimate that as of August 2025, MD24 advertisements have reached at least six million impressions since June 2025 –– reflecting the number of times the ad was displayed on a screen, which may include multiple views by the same person –– the majority of which were reportedly located in Chișinău, Gagauzia, and Transnistria, per Meta’s Ad Library. The majority average payment per advertisement reportedly was less than 100 euros.

MD24’s Facebook account, used to sponsor political advertisements and post MD24 news content, launched March 29, 2025, initially under the name “Frumusețea Pământească SPO” (“Earthly Beauty SPO”) before updating with the name “Moldova24” and MD24 graphics. Its associated Instagram account has the handle @alinanorman9, despite using MD24 graphics, and exclusively posts MD24 news segments. This account is likely a disposable profile used entirely for hosting posts that will be used as ads on Instagram.

The Instagram-specific ads included hashtags such as #moldova, #md24, and a number, which, based on @alinanorman9’s posts, indicates its position in a series of internally tracked numbered ads. The advertisements on Facebook included captions such as “People support Hutsul,” “PAS is a gathering of impostors,” “Sandu humiliated the children of Gagauzia,” and “Moldova will be better off without PAS.” Per Meta policy for political advertising, the administrators were required to provide additional contact information; Insikt Group found that they had used disposable contact information, including the email address jasonrobertson1978[@]antimmail[.]com.

Portal Kombat Presses On in Moldova

Portal Kombat is a Russia-aligned influence network targeting international audiences with pro-Kremlin influence content, aggregated primarily through networks of websites, most notably its “Pravda” ecosystem of hyper-localized websites. Its flagship website in Moldova, md[.]news-pravda[.]com (Pravda MD) is a fully automated news aggregator that systematically scrapes and republishes articles, posts, and official communications from a curated list of pro-Kremlin sources ranging from Russian partially or wholly state-controlled media outlets, such as RT, Sputnik, Pravda[.]ru, TASS, and RIA Novosti. The network also republishes official press releases and communications from Russian government ministries, local administrations, and other state institutions, and regularly republishes commentary from pro-Russian Telegram sources and pro-Kremlin “bloggers.”

Narratives

Pravda MD very likely functions as a high-volume amplification node that launders Russian state media and other pro-Kremlin narratives to Romanian-speaking audiences in Moldova. The website and broader Portal Kombat sources do not produce original reporting, but rather republish content plagiarized from the above-mentioned, Russia-aligned sources. The content from these sources consistently questions President Sandu’s credibility, anti-corruption measures, and PAS’s broader political platform. Likewise, these sources erode support for EU integration and attempt to further drive social fragmentation while laying the groundwork to delegitimize Moldova’s September 2025 parliamentary elections should the Kremlin view the results as unfavorable.

Notably, Pravda MD, in line with Russia’s broader objectives, very likely seeks to exploit Moldova's internal ethnic and regional fault lines, particularly in the autonomous region of Gagauzia and the Russia-controlled breakaway region of Transnistria. Insikt Group further assesses that the underlying goal is to fuel separatism, undermine the authority of the central government in Chișinău, and create internal crises that Russia can leverage in pursuit of drawing Gagauzia and Transnistria closer into Russia’s geopolitical orbit. Further, according to the European Council on Foreign Relations (ECFR), citing a May 2025 interview with a high-ranking Moldovan government official, Pravda MD and the Pravda ecosystem at large were assessed as being used as a tool in Russian attempts to engage in the “online penetration of the [Moldovan diaspora].”

Infrastructure

The European External Action Service (EEAS), in its third Report on Foreign Information Manipulation and Interference Threats, highlighted three Portal Kombat domains created to target both Russian and Romanian-speaking audiences in Moldova, md[.]news-pravda[.]com, moldova[.]news-pravda[.]com, and the now-defunct pravda-md[.]com. The outlet also maintains a Telegram channel; however, the subscriber account currently only has nineteen subscribers.

Despite the volume of generated articles, Pravda MD’s viewership is likely low; Similarweb statistics indicated that md[.]news-pravda[.]com only received 86 visits in April 2025. In comparison, its host page, news-pravda[.]com, received more than 365,500 website visits, with over 42% of its social media traffic originating from Reddit. It is possible that these page views are cumulative across all of Pravda’s localized webpages.

While the results of Pravda’s website viewership are mixed, there are broader concerns about the volume of content created by the network potentially poisoning secondary sources, particularly large-language models (LLMs) with access to the internet. Joint research by DFRLab and Check First found hyperlinks to Pravda-network domains on Wikipedia rose sharply after February 24, 2022, reaching 1,907 links on 1,672 pages in 44 languages; specific Moldova-related content at the time of the analysis was limited. The same study counted more than 3.7 million Pravda articles on the open web. Analysis from The American Sunlight Project (ASP) categorizes this technique as “LLM grooming.” Without remediation, ASP argued, LLM grooming “poses a growing threat to the integrity and reliability of the open internet.”

According to Recorded Future data, we identified at least one occasion in which a Portal Kombat domain was cited as a source in a mainstream news report; however, due to numerous investigative pieces highlighting the Pravda ecosystem, we therefore assess that Portal Kombat’s typical breakout scores no higher than a Category 4 on the Brookings Breakout Scale.

Mitigations

• Customers can use the Recorded Future Intelligence Operations Platform to track each of the IOs discussed in this report, including Insikt Group coverage of these operations’ emerging narratives, tactics, techniques, and procedures, which is provided with access to the Recorded Future Geopolitical Intelligence module.


• To minimize unintended amplification of IOs, media and research organizations should archive infrastructure to preserve forensic evidence without boosting visibility and reach, and strip viral content of engagement-boosting elements, such as hyperlinks, hashtags, or other media.


• Organizations deploying public-facing AI chatbots or other large-language models should integrate multilayer content-filtering frameworks that block or flag inputs from domains linked to known IOs.


• Impersonated entities, particularly media organizations, should continue engaging with social media companies and domain registrars to seize or remove content impersonating their brand, or leverage services provided by Recorded Future to request takedowns of brand impersonation attempts.

Outlook

As the September 28, 2025, parliamentary elections approach, Insikt Group assesses that Russia-linked IOs, including both the well-documented networks discussed in this report and any newly emerging ones, will very likely scale up in volume. Insikt Group assesses that these operations are likely less intended to secure a clear pro-Russian majority than to decrease voter turnout, particularly among the diaspora vote, fracture the pro-European bloc, and cast doubt on the legitimacy of the result should such a result be unfavorable to Russia’s foreign policy objectives. International-facing IOs, coupled with coordinated intimidation of diaspora voters through polling place bomb-threat hoaxes and narratives discrediting overseas voting — mirroring Moldova’s 2024 presidential election — are very likely poised to suppress a constituency that historically tilts strongly toward PAS.

In conjunction with IOs, Moscow will very likely use other forms of Russian hybrid warfare aimed at coercing Moldovan voters, building off recent operations. Gazprom’s winter gas cut-offs, previous targeted cyberattacks against the Central Election Commission, a documented surge in Russia-attributed cyber intrusions against Moldova’s 2024 election cycle, and intelligence warnings of a manufactured crisis in Transnistria and Gagauzia all signal a readiness to amplify economic hardships and security anxiety in Moldova in the hope of tilting the balance of the election in the Kremlin’s favor.

Current polling still shows PAS leading by a margin large enough to form a governing bloc, and Chişinău has invested heavily in cyber defense, energy diversification, and enhanced, robust policing. These resilience measures make a decisive electoral victory in favor of the Kremlin unlikely. Nevertheless, even in the wake of an election result perceived by the Kremlin as unfavorable, Russia may pivot toward more overt destabilization activities aligned with its broader Russkiy Mir objectives, such as inciting protest violence in Russian-speaking regions like Gagauzia and Transnistria, or exploiting regional instability to further consolidate territorial control consistent with its post-Soviet reunification ambitions.

Appendix A: Key Infrastructure Observed

Operation Undercut Social Media Handles

Foundation to Battle Injustice

RT- and MD24-Affiliated Domains Hosted on 95[.]181[.]226[.]185

Portal Kombat’s Pravda MD

Source: RecordedFuture
Source Link: https://www.recordedfuture.com/research/russian-influence-assets-converge-on-moldovan-elections