Russian state-linked hackers have compromised hundreds of accounts on the Bluesky social media platform to spread disinformation targeting Ukraine, according to research from Clemson University and internet monitoring group dTeam. The campaign, which began appearing in waves in April 2025, resulted in approximately 2,000 posts being removed by Bluesky. Researchers have traced the operation to the Social Design Agency, a Moscow-based organization previously associated with Kremlin influence campaigns.
The attack represents a tactical shift in Russian disinformation operations. Rather than creating fake accounts with fictitious personas, the hackers specifically targeted legitimate accounts belonging to journalists, professors, pollsters, and other influential users. Darren Linvill, director of Clemson's Media Forensics Hub, noted that Russian operators are "clearly still experimenting" after years of relying on fabricated profiles, suggesting an evolution in their approach to online influence operations.
The compromised accounts were used to post AI-generated videos and fabricated news reports designed to appear as legitimate journalism. One notable example involved a deepfake video purportedly showing a Canadian police official criticizing French President Emmanuel Macron. Another post falsely claimed The New York Post had linked Ukraine to an attempted assassination of President Trump at the White House Correspondents' Association dinner in April 2025. Baltimore Banner reporter Pamela Wood discovered her account had been compromised only after Bluesky suspended it, which required a password reset.
Security researchers describe the operation as more sophisticated than typical social media manipulation campaigns. Joseph Bodnar from the Institute for Strategic Dialogue noted that previous hijacking operations on X (formerly Twitter) typically used "random, obscure accounts with crazy avatars," whereas this campaign deliberately targeted moderately known and respected users to lend credibility to the disinformation. The strategy appears designed to exploit the trust associated with established accounts.
Bluesky, which opened to the public in February 2024 after operating as an invitation-only platform, has grown to 42 million users. The platform suspended compromised accounts and required owners to reset their credentials. Users should use strong, unique passwords and enable two-factor authentication where available. Organizations and individuals with public profiles should regularly monitor their accounts for unauthorized posts and review security settings to prevent similar compromises.
Source: https://www.independent.co.uk/tech/russia-hacking-disinformation-bluesky-social-media-b2981455.html


