Russian ‘Bot Farms’—The New-Old Challenge to Ukraine’s National Security

Publication: Eurasia Daily Monitor Volume: 19 Issue: 56


On February 17, the Security Service of Ukraine (SSU) disrupted the activity of a network of “bot farms”—an extensive, organized effort to create “fake” (automated) social media accounts, which was found to be active across multiple regions of Ukraine. According to the SSU, the technical equipment used by the operators of these “bot farms” was supported by Russian online services. The SSU’s investigation showed that the network had registered more than 8,000 active fake accounts on different popular social media platforms. The main purpose of those bot accounts included, among other elements, spreading false information about the situation in Ukraine, instigating street protests, and subverting popular sentiments. The bots’ destructive activities specifically included dispatching fake bomb threats to critical infrastructure objects and installations in Ukraine; attacking the online accounts of top Ukrainian politicians with disinformation; as well as operating as points of sale for firearms, explosive devices and drugs to anonymous users (, February 17).

The Internet registration of these accounts was evidently made via Russian online services that provide a user with a virtual mobile (cellular) number—which is generally required for identification purposes to create an account on many social media platforms. Moreover, some of the equipment that was uncovered by the SSU investigators was used to illegally reroute mobile-phone traffic from two unlawfully established telecommunications companies, Lugacom and Fenix, which operate out of the Temporarily Occupied Territories of Ukraine (Donetsk and Luhansk “people’s republics”—DPR, LPR). According to the SSU, these broken up bot farms had actively worked on behalf of Russia and the illegal military leadership of the LPR and DPR (, February 17).

During searches in Kyiv, Kharkiv, Dnipro, Dubno (Rivne region) and Irpen (Kyiv region), the SSU found and seized computers, special equipment and telecommunications hardware (GSM-modems and gateways), and more than 22,000 SIM cards of different Ukrainian mobile operators. Based on the results of the preliminary investigation, the SSU does not rule out that the Russian intelligence services might have been directly involved in organizing and running the uncovered bot farms (, February 17).

This episode is by no means unique. On April 8, 2016, one of the largest bot networks in the world was discovered in southern Ukraine. Ukrainian Cyber Police (working together with private digital security firms ESET and Cys Centrum and the German computer emergency response team CERT-Bund) located a server in Ukraine that managed a large botnet and was administrated from Russia. The botnet in question made use of 4,000 servers belonging to private companies in 63 countries, including Ukraine. These servers had been hacked with sophisticated malware, including the Mumblehard virus. Computer security experts from ESET and Cys Centrum found that the botnet’s activities led to numerous network failures and information leaks around the world. In addition, the companies whose servers were used by hackers (33 in Ukraine alone) bore reputational risks, as their IP addresses continually ended up on various web security blacklists (, April 8, 2016).

In March 2019, the SSU uncovered another bot farm, “Sapphire.” According to Serhiy Levchenko, the head of the SSU’s military counterintelligence arm, this special information warfare unit was set up by the Russian GRU (military intelligence) in Luhansk. The Sapphire bot farm was staffed by 15 members of the LPR “people’s militia” and managed by Ukrainian national Kateryna Vasylina. Apart from that, the GRU created an agent network that operated in the territories controlled by the Ukrainian authorities. Sapphire’s main tasks consisted of preparing and conducting anti-Ukrainian information campaigns, carrying out informational-psychological operations, collecting information about Ukrainian top officials and the Armed Forces, as well as gathering general intelligence. According to the SSU investigation, the bot farm generated around 12,000 fake stories of which, perhaps, the most noteworthy was a piece of “news” alleging that the Ministry of Defense of Ukraine had “suspended all additional payments to Ukrainian servicemen.” Apart from that, their bots actively called for anti-government protests. The group’s activities increased significantly ahead of Ukraine’s presidential election campaign (, March 12, 2019). The network created 50 accounts and 130 user groups (both nominally pro-Ukrainian and pro-separatist) on such popular social media platforms as Facebook, Vkontakte, and Odnoklassniki (the latter two are particularly popular in Russia).

According to the Ukrainian Security Service, Sapphire’s main curator was Russian officer Aleksandr Sazonov (pseudonym Pavel Bodrov). The SSU ended up arresting four agents linked to the Russian operation. In the suspects’ homes, Ukrainian investigators discovered more than 20 communication devices used for espionage, photo and video recording equipment that had captured sensitive information about protective structural engineering projects of the Ukrainian Armed Forces, other military information, as well as nearly 20 Ukrainian and Russian SIM cards (, March 12, 2019). The detained individuals face charges of assisting terrorism, collecting and transferring information about the Ukrainian Armed Forces, and conducting special information operations (, March 12, 2019).

On December 4, 2019, in Kyiv, an SSU raid sized equipment used for the creation and maintenance of bot farms. The linked group of individuals had been organizing a mass registration and further promotion of fake accounts on popular social media sites on behalf of both Russia and the DPR. Their bot farm additionally managed SIM cards (including of foreign mobile operators), virtual mobile phones, text message campaigns, etc. (, December 4). Yet another bot farm was blocked in Kyiv on January 30. This group was also organized by Russian citizens and internally displaced persons (IDP) from occupied Donbas. They managed more than 500 active accounts. The ultimate goal of the network was to reduce public confidence in governmental institutions by spreading false and overtly exaggerated information online about the economic and social situation in Ukraine. The bot farm additionally disseminated false messages about bomb threats. Furthermore, it enabled extraterritorial registration of various anonymous Telegram accounts, channels and communities, which were then used for illegal sales of firearms, explosives and drugs (, January 30).

Since early 2014, Russia has carried out a number of “hybrid”/non-linear operations against Ukraine that rely heavily on an informational-psychological confrontation. In this context, so-called bot farms, particularly ones coordinated by the GRU and other Russian state institutions, pose a serious security challenge to Ukraine. As the SSU contends, such information warfare represents a key weapon in Russia’s anti-Ukrainian operations armory thanks to its immediate negative impact as well as far-reaching potential consequences, whose effects may not be instantly ascertainable.