FIMI Monitor — Global FIMI & Cognitive Warfare Monitor

Overview

KPI SUMMARY

ROW 1 — THREAT LANDSCAPE

Actors Tracked

6

RU · CN · IR · Gulf · US · IL

Active Campaigns (est.)

40+

Q1 2026

FIMI Incidents (EEAS 2025)

540

▲ +259% AI use YoY

Platform Takedowns (Q1 2026)

12

Meta CIB + Google TAG

Commercial Operators Active

8+

NSO, Black Cube + others

EEAS Coverage Gap

4/6

US, IL, IR, Gulf untracked

ROW 2 — DOCTRINAL LANDSCAPE

Framework Instruments

11

NATO · OSCE · G7 RRM · EEAS · Five Eyes · DSA · UN GDC · Viginum · BfV · GCHQ · NetzDG

Attribution Confidence (avg)

MEDIUM

Most Q1 2026 attributions

AI-Generated Content (% of ops)

47%

EEAS 2025 estimate

Election Cycles at Risk 2026

6

HU · PL · DE runoff · CZ · AU · US midterms

AI-Generated Content in FIMI Operations — Trend

⚠ Structural Coverage Note

This monitor tracks FIMI as a global cross-actor doctrine. It intentionally includes US, Gulf, Iranian and Israeli operations alongside Russian and Chinese campaigns — actors currently outside the EEAS formal tracking perimeter. Sources are drawn from NATO, OSCE, G7, Five Eyes outputs, and OSINT to compensate for that institutional gap.

Active Campaigns

Q1 2026 · 12 TRACKED

#	Campaign	Actor	Type	Target(s)	Status	Attribution	Platform	Source
01	Social Design Agency — Hungary Pre-Op	RUSSIA	Electoral interference	Hungary, Apr 12 election	ACTIVE	CONFIRMED	Multiple / Embassy-run	EEAS RAS, Mar 19
02	Doppelganger — DE/FR Narrative Seeding	RUSSIA	CIB / Fake news sites	Germany (Bundestag), France	DISRUPTED	CONFIRMED	Meta, X, Telegram	Meta CIB Feb 2026
03	Spamouflage/Dragonbridge — Indo-Pacific	CHINA	CIB / Narrative ops	Taiwan Strait, Indo-Pacific	DISRUPTED	CONFIRMED	YouTube, Blogger, X	Google TAG Q1 2026
04	United Front — Pacific Islands Outreach	CHINA	Influence-via-capture	Pacific Island states	ONGOING	ASSESSED	WeChat, community orgs	ASPI ICPC
05	IRGC — Campus Protest Amplification	IRAN	Narrative amplification	EU/US campus movements	ONGOING	ASSESSED	X, Instagram, Telegram	DFRLab Q1 2026
06	UAE — UK Parliament Influence Op	UAE	Lobbying-to-influence	UK Parliament, journalists	ONGOING	POSSIBLE	Direct / financial	Forbidden Stories/OCCRP
07	Saudi Arabia — Sports-Washing / Anti-Qatar	SAUDI	Narrative seeding	EU media ecosystem	ONGOING	POSSIBLE	Mainstream media, PR	Investigative journalism
08	Qatar — Al Jazeera Diaspora Narrative	QATAR	Soft power / media	MENA diaspora in Europe	ONGOING	POSSIBLE	Al Jazeera, social media	Academic/OSINT
09	Turning Point / Alliance of Sovereign Nations	US (MAGA-adj.)	Political influence op	European far-right parties, MEPs	ACTIVE	HIGH	Direct / AoS platform	Politico / DW, Mar 2026
10	Black Cube — Bundestag Lobbying / Profiling	ISRAEL	Commercial cog. warfare	German politicians, journalists	ACTIVE	CONFIRMED	Direct / private intel	Haaretz / Süddeutsche Mar 2026
11	Hasbara Network — Campus / Wikipedia Editing	ISRAEL	Narrative management	Campuses, online discourse	ONGOING	ASSESSED	Wikipedia, social media	Academic OSINT researchers
12	GRU — UK Political Party Funding Investigation	RUSSIA	Influence-via-capture	UK political parties	UNDER INVESTIGATION	HIGH	Financial / direct	MI5 public statement

Attribution Confidence Scale

CONFIRMED— Attributed by at least two independent institutional or platform sources

HIGH— Strong OSINT/investigative evidence; no formal institutional attribution

ASSESSED— Probable attribution based on TTPs and open-source evidence; not yet confirmed

POSSIBLE— Credible evidence from investigative journalism; officially unconfirmed

Campaign Archive

HISTORICAL RECORD

Archive — Placeholder

The campaign archive will carry concluded or dormant campaigns with full attribution records, chronology, and cross-links to platform takedown reports. Updated weekly alongside the brief. Currently populating from EEAS 2024–2025 FIMI reports, Meta CIB historical disclosures, and Google TAG archives.

2024 Notable Campaigns

Doppelganger — EU Parliament election pre-ops (RU)
Dragonbridge EU election targeting (CN)
GRU hack-and-leak against German Social Democrats
UAE Project Raven journalist targeting

2023 Notable Campaigns

Internet Research Agency dissolution / legacy successor networks
Spamouflage escalation post-Taiwan Strait exercises
Iran IRGC post-October 7 narrative operations
Psy-Group legacy network continued operations

2022 Notable Campaigns

Russia — Ukraine war narrative flood (war-onset)
Ghostwriter — Polish/Baltic election operations
Saudi Arabia — Jamal Khashoggi post-murder narrative suppression
NSO Group Pegasus — EU parliamentarian targeting

Russia

HIGHLY ACTIVE

🇷🇺 Russian Federation

Active Measures · Reflexive Control · Information Confrontation Doctrine

HIGHLY ACTIVE

Key Entities

GRU Unit 54777 (Psychological Operations), FSB Information Security Service, Social Design Agency (SDA), Doppelganger network, RT/Sputnik (overt + proxy), Internet Research Agency (diminished post-2022), Telegram channel networks

Primary Targets

EU elections (Hungary, Poland, Germany, France), Ukraine war narrative, NATO cohesion and western resolve, US political system, Africa/Sahel governance legitimacy

Characteristic TTPs

Doctrinal Basis

Gerasimov Doctrine (2013) — information operations as integral to conflict below kinetic threshold. Information Confrontation (информационное противоборство) as state doctrine. Reflexive Control theory: shaping adversary decision-making through information manipulation.

Recent Activity — Q1 2026

March 19, 2026: EEAS Rapid Alert System activated following confirmation that the Social Design Agency is operating from the Russian Embassy compound in Budapest, ahead of the April 12 Hungarian parliamentary election. EEAS assessment: coordinated targeting of Hungarian social media with pro-Orbán and anti-EU narratives seeded through fake local news sites.

February 2026: Meta CIB takedown removes 1,700+ assets attributed to the Doppelganger network — the largest Russia-attributed platform enforcement action since 2022. Assets spanned fake news sites cloning major German, French and Ukrainian outlets, coordinated Facebook pages, and Instagram accounts. Network targeting Bundestag election narrative and French domestic politics.

China

ACTIVE

🇨🇳 People's Republic of China

Discourse Power (话语权) · United Front Work · Three Warfares (心理战 · 舆论战 · 法律战)

ACTIVE

Key Entities

United Front Work Department (UFWD), PLA Strategic Support Force — Network Systems Department, Dragonbridge/Spamouflage network, China Global Television Network (CGTN), WeChat ecosystem, Confucius Institutes (dual-use)

Primary Targets

Taiwan unification narrative, Xinjiang/Tibet counter-narrative globally, Belt and Road recipient states, Indo-Pacific island nations, overseas Chinese diaspora community management

Characteristic TTPs

Doctrinal Basis

Three Warfares concept formalised in 2003 PLA Political Work Regulations: psychological warfare (心理战), public opinion warfare (舆论战), legal warfare (法律战). Xi Jinping's Discourse Power concept extends this to a whole-of-society mission to reshape global information environment.

Recent Activity — Q1 2026

Q1 2026: Google TAG disruption of Dragonbridge network — 2,500+ assets removed across YouTube, Blogger, and X. Network was seeding pro-PRC narratives on Taiwan Strait tensions and attempting to discredit Five Eyes intelligence community attributions of Chinese cyber operations.

Ongoing: ASPI ICPC documents continued United Front Work in Pacific Island states — engagement with community organisations, local media sponsorship, and direct relationships with regional politicians in Fiji, Solomon Islands, and Vanuatu. Pattern assessed as attempting to shift political neutrality on Taiwan and US basing rights.

Iran

ACTIVE — ELEVATED

🇮🇷 Islamic Republic of Iran

Cognitive Warfare · IRGC Psychological Operations · Information Operations

ACTIVE (elevated since Oct 7 2023)

Key Entities

IRGC Quds Force IO Unit, Ministry of Intelligence and Security (MOIS), Atlas Intelligence Group, Charming Kitten (APT35 — dual cyber/IO), Press TV (overt + proxy networks)

Primary Targets

Israel/Palestine narrative globally, anti-US sentiment in MENA and EU, pro-regime domestic narrative control, regional Shia network amplification, discrediting of Iranian diaspora opposition

Characteristic TTPs

Operational Tempo

Significantly elevated since October 7, 2023. Iran has shifted IO posture from defensive/domestic-focused to active global narrative shaping around Gaza, leveraging pre-existing relationships with pro-Palestinian activist networks.

Recent Activity — Q1 2026

Q1 2026: DFRLab documents a pro-Iran network amplifying campus protest movements across EU and US university campuses — 400+ accounts coordinating on X and Telegram, seeding narratives linking campus protests to broader anti-imperialist framing aligned with IRGC talking points.

Ongoing: Atlas Intelligence Group continues LinkedIn credential harvesting and social engineering operations targeting European defence researchers, Iranian diaspora journalists, and IAEA-adjacent contacts. Operations appear to feed both intelligence gathering and narrative suppression objectives.

Gulf States

ASSESSED ACTIVE

🇦🇪 United Arab Emirates

Strategic / targeted posture. NSO Group Pegasus client — documented journalist and activist surveillance. Project Raven: former NSA contractors (DarkMatter) conducting offensive cyber and IO operations on behalf of UAE government. Lobbying networks in UK and US parliament. Dark Matter cyber IO combining data theft with narrative operations.

Tone: Strategic and precision-targeted rather than mass CIB. Focus on high-value individuals — journalists, opposition politicians, foreign officials.

🇸🇦 Saudi Arabia

MBS-directed operations. Jamal Khashoggi surveillance and assassination — most documented case of journalist targeting by a Gulf actor. Sports-washing narrative campaign (LIV Golf, Newcastle United, Formula 1) with coordinated EU media placement. Anti-Qatar and anti-Muslim Brotherhood narrative campaigns. Troll farms documented suppressing Saudi-critical content across Arabic-language social media.

Key gap: Most evidence from investigative journalism (Forbidden Stories, OCCRP, Amnesty Tech) rather than institutional attribution.

🇶🇦 Qatar

Soft power as primary instrument. Al Jazeera Arabic/English as narrative anchor for MENA diaspora communities in Europe — not covert, but functions as state-directed narrative shaping. Qatargate EU Parliament lobbying scandal (2022–ongoing): documented payments to MEPs and staff for narrative support. MENA diaspora community organisations funded through Qatar-linked foundations.

Analytical note: Least adversarial of Gulf actors toward European values; overlapping interests with EU on some Palestinian narrative positions.

Regional Assessment

Gulf state IO falls almost entirely outside EEAS formal tracking. Primary evidence base is investigative journalism (Forbidden Stories, OCCRP, IJ4EU), Amnesty Tech surveillance research, and academic OSINT. Attribution confidence is lower than for Russia and China — reflecting a genuine evidence gap rather than absence of activity. Commercial operators (NSO Group, Black Cube) serve multiple Gulf clients, creating attribution complexity where state-directed versus commercially contracted operations overlap.

United States

ASSESSED ACTIVE (near-state)

Methodological Note: US information operations fall outside EEAS formal tracking. This monitor applies the same analytical criteria to US-origin operations as to other actors: documented cross-border campaigns using covert means, foreign funding, or coordinated platform manipulation. This section does not conflate overt public diplomacy with covert interference. The three categories below — (a) overt public diplomacy, (b) near-state PAC-adjacent political influence, (c) hypothetical covert operations — are maintained as distinct analytical categories.

🇺🇸 United States

Political Influence Operations · Democracy Promotion · Narrative Management

ASSESSED ACTIVE (near-state)

Non-State / Near-State Entities (in scope)

Turning Point Action, Atlas Network / Heritage Foundation European affiliates, Alliance of Sovereign Nations (AoS), PAC-funded European far-right outreach networks, MAGA-adjacent digital operation infrastructure

State / State-Adjacent Entities (contextual)

US State Dept Global Engagement Center (counter-FIMI mandate, also narrative-shaping), ODNI open-source influence coordination, US Embassy public diplomacy networks (overt, noted for completeness)

Current Operations — Documented

Alliance of Sovereign Nations (AoS): Turning Point Action-backed European far-right coalition, launched March 5, 2026. Includes MEPs with documented Russian financial connections. Frames as pro-sovereignty; functions as network aligning European populist parties around anti-EU, anti-Ukraine-aid, and anti-migration positions simultaneously consistent with Russian and US-right narrative objectives.

Big Tech DSA regulatory capture: Coordinated lobbying and public communications campaigns targeting EU Digital Services Act enforcement, framed as free speech defence. Effectively weakens primary FIMI countermeasure framework.

Tariff coercion: Trade tariff threats used as political pressure tool on European governments, with narrative dimensions supporting US economic nationalism goals.

Not Tracked (outside scope)

Overt US public diplomacy, USAID legitimate development programmes, USAGM (Voice of America / Radio Free Europe) — overt state broadcasting. CIA historical covert operations — not evidenced in current operational period at doctrinal level.

Israel

ASSESSED ACTIVE

Methodological Note: Israeli information operations fall outside EEAS formal tracking. This monitor applies the same analytical criteria as to all other actors. The inclusion of Israeli operations reflects documented operational evidence from investigative journalism (Haaretz, NYT, Süddeutsche), academic OSINT, and Amnesty Tech surveillance research — not political equivalence with adversarial actors.

🇮🇱 State of Israel / Commercial Operators

Hasbara · Perception Management · Commercial Cognitive Warfare

ASSESSED ACTIVE

Key Entities

Black Cube (private intelligence), Psy-Group (defunct — legacy networks active), NSO Group (Pegasus spyware), ELNET (parliamentary lobbying infrastructure), Prime Minister's Office Communications Directorate, IDF COGAT media unit

Primary Targets

Diaspora/campus narrative on Gaza and October 7, European Parliament members, foreign elections (Modi 2019 — documented), Iranian regime opponents (overlapping with Israeli state interests), BDS movement and pro-Palestinian journalism

Characteristic TTPs

Commercial / Near-State Distinction

Israel presents an unusual case: commercial cognitive warfare operators (Black Cube, NSO, Psy-Group) operate as private firms but serve state and near-state clients globally, including Israeli government clients. The commercial and state layers are analytically distinct but operationally intertwined.

Recent Activity — Q1 2026

March 2026: Haaretz and Süddeutsche Zeitung report Black Cube lobbying investigation in the German Bundestag — intelligence operation targeting German politicians, their staff, and journalists covering Israeli-Palestinian affairs. Operation involved covert profiling, honey-trap approaches, and information gathering feeding into narrative management strategies.

Ongoing: Academic researchers document hasbara network Wikipedia-editing operations — coordinated accounts systematically editing articles on October 7, Gaza, Palestinian history, and related topics. Network traced to Israeli communications sector.

Platform Responses

Q4 2025 – Q1 2026

Platform	Date	Actor Attributed	Assets Removed	Key Finding	Report
Meta	Feb 2026	RUSSIA	1,700+ accounts, pages, groups	Doppelganger network — fake news sites cloning German/French/Ukrainian outlets. Largest Russia-attributed Meta removal since 2022.	Meta CIB Report Feb 2026
Meta	Q4 2025	IRAN	~320 assets	IRGC-linked network amplifying anti-Israel and pro-Palestinian narratives. Coordinated on Facebook and Instagram across EU and US.	Meta CIB Dec 2025
Meta	Q4 2025	MULTIPLE	~180 assets	Disinformation-as-a-service network (unnamed operators) — commercial narrative seeding across EU political audiences.	Meta CIB Nov 2025
Google TAG	Q1 2026	CHINA	2,500+ assets	Dragonbridge/Spamouflage network across YouTube, Blogger, and X. Content targeting Taiwan Strait and Five Eyes attribution discrediting.	Google TAG Q1 2026
Google TAG	Q4 2025	RUSSIA	~400 assets	Russia-linked YouTube channels and AdSense accounts running pro-Kremlin Ukraine war narratives disguised as independent news.	Google TAG Q4 2025
Microsoft MSTIC	Q4 2025	RUSSIA	Infrastructure disrupted	GRU-linked domain infrastructure used for Doppelganger content distribution. Technical disruption reported in coordination with EU partners.	Microsoft MSTIC Oct 2025
X / Twitter	Q4 2025	RUSSIA	~40 accounts	Enforcement gap flagged: Only ~40 accounts removed vs. 1,700+ removed by Meta for same Doppelganger operation. EEAS 2025 report finds 88% of flagged FIMI content remains on platform. Trust & Safety enforcement declined significantly post-2022 ownership change.	EEAS StratCom 2025 / EL INT
TikTok	Q4 2025	ASSESSED MULTIPLE	~600 accounts	Coordinated inauthentic behaviour network amplifying pro-Russian Ukraine war narratives in Western European markets. Operators assessed as state-adjacent but unconfirmed.	TikTok Transparency Q4 2025

⚠ X / Twitter Enforcement Gap

X Trust & Safety enforcement has declined significantly since the October 2022 ownership change. The EEAS 2025 FIMI report found that 88% of EU-targeted FIMI content identified by analysts remained on the platform after flagging. X did not participate in the EU DSA FIMI working group's Q4 2025 coordination exercise. This represents a structural vulnerability in the European FIMI response architecture — the platform with the highest institutional reach among journalists and politicians is the least responsive to enforcement requests.

Commercial Operators

REGULATION GAP

NSO Group

Israel · Cyber-enabled IO

Developer of Pegasus spyware — sold to 45+ government clients globally. Documented use against journalists, activists, lawyers, and politicians across EU, MENA, and beyond. Pegasus operations feed narrative suppression: device access enables advance knowledge of journalist investigations, source identification, and targeted intimidation. US Supreme Court allowed WhatsApp lawsuit to proceed (2024). EU Parliament PEGA Committee found three member states (Hungary, Poland, Spain) used Pegasus against political figures. Currently active despite US Commerce Dept blacklisting (2021).

Black Cube

Israel · Private intelligence

Former Mossad officers founded; specialises in private intelligence operations, corporate espionage, and election-related profiling. Documented operations: Harvey Weinstein (journalist honey-trapping), Harvey Weinstein accusers, Integrity Initiative, Moldovan election influence, Modi 2019 election research. Q1 2026: confirmed active in German Bundestag — profiling operations on politicians and journalists covering Israeli-Palestinian affairs (Haaretz/Süddeutsche). Clients include governments, corporations, political campaigns.

Psy-Group

Israel · Defunct (2018) · Legacy networks active

Israeli private intelligence firm, dissolved 2018 following NYT investigation and Special Counsel Mueller referral. Key staff dispersed to other firms — legacy networks and methodology remain active through successor operations. Documented capability: large-scale persona networks, social media manipulation, election influence research. Operational model influenced current commercial cognitive warfare landscape. Staff traced to successor firms operating across MENA and Europe.

Aperio Intelligence

UK · Due diligence / political intelligence

UK-based risk intelligence firm — legitimate due diligence work but noted for operating in the grey zone between corporate intelligence and political influence. Less clearly adversarial than NSO/Black Cube; included for completeness as part of the commercial cognitive services ecosystem. Regulatory status: operates under UK Companies Act; no specific FIMI regulatory framework applies to commercial intelligence firms.

Disinformation-as-a-Service Networks

Russia · Unnamed operators · Paid narrative seeding

Commercial dark-web and semi-public services offering paid narrative seeding, fake account networks, coordinated harassment, and content amplification. Russian-origin networks most documented (Internet Research Agency legacy, unnamed successors). EU DisinfoLab documented commercial DaaS networks operating targeting European audiences. Price points range from €200 for small-scale amplification to €50,000+ for coordinated multi-platform influence campaigns.

Regulatory Gap — Commercial Cognitive Warfare

Commercial cognitive warfare operators fall outside most FIMI regulatory frameworks. The EU DSA covers platforms, not operators. FARA (US) and UK foreign agent registration apply to registered foreign agents, not private intelligence contractors. The result: NSO Group can sell Pegasus to EU member state governments; Black Cube can operate election influence research in EU states; DaaS networks can sell narrative seeding services commercially — none of these activities are captured by current FIMI regulatory architecture.

Technical Vectors

TTPs & INFRASTRUCTURE

47%

AI-Generated Synthetic Media

AI-generated text (LLM-authored articles, social media posts), synthetic voice cloning, deepfake video, and AI-generated image content. 47% of operations tracked in EEAS 2025 report contained AI-generated components — up from ~8% in 2022. Lowering production cost barrier has enabled small-state and commercial-operator operations at previously state-level scale.

CIB

Coordinated Inauthentic Behaviour

Fake persona infrastructure at platform scale — networks of thousands of accounts coordinating to amplify narratives, suppress counter-narratives through reporting, manufacture social proof, and game algorithmic amplification. Meta's Q1 2026 Doppelganger takedown is the reference case: 1,700+ assets coordinating across Facebook, Instagram, and X around identical content.

H&L

Hack-and-Leak Operations

Cyber intrusion feeding information operations — stolen email/document content released at strategic moments to damage political targets. GRU Unit 26165 reference cases: DNC 2016, Macron 2017, Bundestag ongoing. The cyber layer is tracked in the European Strategic Autonomy Monitor; cross-linked here where the operation's purpose is primarily narrative rather than intelligence collection.

ALG

Platform Manipulation

Algorithmic gaming through coordinated engagement patterns, mass reporting of legitimate accounts, ad targeting of politically relevant audiences, and manipulation of trending/recommendation systems. Increasingly sophisticated as operators develop detailed understanding of individual platform algorithms. Particularly effective on X, YouTube, and TikTok.

NS

Narrative Seeding

Placement of false or distorted narratives in legitimate media ecosystems — through corrupted journalists (paid or coerced), "useful idiots" (unwitting amplifiers), fake expert networks quoted in mainstream media, and manufactured controversy that legitimate journalists then amplify. Most durable FIMI vector because the content acquires media legitimacy after placement.

FC

Funding Capture

Direct investment in media outlets, think tanks, political parties, and civic organisations to shift narrative at source rather than through manipulation. Most sophisticated vector — most difficult to detect and counter because the captured outlet produces content that appears entirely legitimate. Examples: RT investment in European regional media, Gulf investment in sports/cultural institutions, US PAC funding of European political networks.

Doctrinal Index

8 DOCTRINES · CROSS-ACTOR

Actor	Doctrine Name	Core Concept	Key Document	Year
RUSSIA	Active Measures (Активные мероприятия)	KGB/GRU doctrine of political warfare through deception, influence, and manipulation of foreign political processes. Covert operations to weaken adversaries without kinetic conflict.	Soviet-era doctrine; codified in GRU operational manuals; referenced in 2015 National Security Strategy	1920s–present
RUSSIA	Information Confrontation (Информационное противоборство)	State doctrine treating information environment as a continuous battlefield. Information operations as integral to military strategy below kinetic threshold. Gerasimov's "new generation warfare" framing.	Russian Information Security Doctrine (2016); Military Doctrine (2014); Gerasimov's VPK article (2013)	2013–present
CHINA	Three Warfares (三种战法)	Psychological warfare, public opinion warfare, and legal warfare as integrated doctrine. Win without fighting through comprehensive information environment dominance.	PLA Political Work Regulations (2003, revised 2010, 2022); Xi Jinping's military speeches	2003–present
CHINA	Discourse Power (话语权)	Whole-of-society mission to reshape global information environment so that China's preferred narratives become dominant. Includes media investment, academic funding, cultural diplomacy, and digital influence operations.	Xi Jinping speeches on propaganda; CCP Central Committee media directives (2015, 2018)	2012–present
IRAN	Cognitive Warfare / IRGC IO	IRGC Psychological Operations combines military IO with civil MOIS operations. Goal: undermine adversary political will, amplify internal divisions, and advance regional Shia narrative.	No public doctrine document; inferred from IRGC organisation and operational patterns. DFRLab, Mandiant attribution reports.	Post-2003
NATO	StratCom Framework	NATO Strategic Communications: coherent and timely use of communication activities to support Alliance objectives. Defensive framing — counter-FIMI, attribution, resilience-building. NATO StratCom CoE (Riga) as operational hub.	NATO StratCom Policy (2009, revised 2017); Vilnius Summit communiqué (2023)	2009–present
EEAS	FIMI Definition & Framework	Foreign Information Manipulation and Interference: pattern of behaviour that (1) is foreign, (2) is manipulative rather than persuasive, and (3) threatens democratic processes and security. Foundation for EU attribution and response architecture.	EEAS FIMI Report 2022 (inaugural); updated 2023, 2024, 2025; DSA FIMI provisions	2022–present
OSCE	Media Freedom / Disinfo Framework	OSCE approach balances media freedom obligations (HROD mandate) with state-level disinformation response. Tension between counter-FIMI measures and free expression — OSCE provides normative guardrails on state counter-measures.	OSCE Commitments on Freedom of Expression; Representative on Freedom of the Media annual reports	Ongoing

Regulatory Tracker

12 INSTRUMENTS

Instrument	Jurisdiction	Status (Q1 2026)	FIMI Relevance	Key Provision
Digital Services Act (DSA)	European Union	IN FORCE	Primary EU FIMI regulatory instrument for platforms. VLOP transparency, researcher data access, risk assessment obligations.	Art. 34/35: VLOP systemic risk assessment and mitigation; Art. 40: researcher data access; DSA FIMI taskforce coordination.
EEAS FIMI Framework / RAS	European Union	OPERATIONAL	Attribution, naming, and Rapid Alert System for FIMI incidents targeting EU interests.	RAS activation triggers coordinated EU response; EEAS annual FIMI Reports as primary attribution reference.
UK Online Safety Act	United Kingdom	PARTIAL IMPLEMENTATION	Covers illegal content and protection from harm; limited specific FIMI provisions. Ofcom enforcement beginning 2024.	Duty of care obligations on platforms; foreign state-linked disinformation partially covered under illegal content provisions.
Viginum (SGDSN)	France	OPERATIONAL	French national FIMI detection and attribution body; reports to Prime Minister. Pioneered Doppelganger attribution in 2022.	Detects and publicly attributes foreign digital interference campaigns targeting French interests; election protection mandate.
BfV / Verfassungsschutz FIMI Division	Germany	OPERATIONAL	German domestic intelligence FIMI remit; public annual reports; coordinates with EEAS RAS.	Detection and public reporting of foreign influence operations targeting German democratic processes.
NATO StratCom CoE Mandate	NATO (Riga)	OPERATIONAL	Research, training, and advisory body. Primary NATO hub for FIMI analysis and counter-narrative best practice.	Annual reports; attribution research; member state training; Vilnius Summit mandate strengthened (2023).
G7 Rapid Response Mechanism (RRM)	G7	OPERATIONAL	G7 coordination mechanism for foreign interference detection and response, particularly around elections.	Established 2018 Charlevoix Summit; coordinates national-level FIMI intelligence sharing ahead of major elections.
UN Global Digital Compact	United Nations	IMPLEMENTATION PHASE	Information integrity commitments from signatory states; non-binding but establishes normative baseline. 5 states assessed as lagging on implementation.	Commitment 7: information integrity. Implementation monitoring through UN Special Envoy for Technology office.
FARA (Foreign Agents Registration Act)	United States	ENFORCEMENT GAPS	US registration requirement for agents of foreign governments engaged in political activities. Major enforcement gap: commercial intelligence firms and PAC-adjacent activity largely exempt.	Requires disclosure of foreign principal relationships. DOJ enforcement historically weak; 2019 reform limited impact.
Australian Foreign Influence Transparency Scheme	Australia	OPERATIONAL	Registration scheme for entities undertaking political influence activities on behalf of foreign principals. More comprehensive than FARA.	Covers political and government influence activities; public register; ASPI ICPC monitoring body.
Canadian Critical Election Incident Protocol	Canada	OPERATIONAL	Panel of senior officials authorised to publicly disclose foreign interference incidents during election periods.	Five Heads of Government agreement; activated when foreign interference meets public interest threshold. G7 model.
Five Eyes FIMI Advisory Framework	Five Eyes (AU/CA/NZ/UK/US)	OPERATIONAL	Coordinated public attribution advisories for state-sponsored cyber-enabled influence operations; strongest multilateral attribution mechanism in existence.	Joint attributions; Cybersecurity Advisory publications; NCSC/ASD/CSE technical attribution framework.

Attribution Methods

ANALYTICAL FRAMEWORK

Technical Attribution

Infrastructure analysis: Domain registration patterns, hosting providers, IP clustering, SSL certificate reuse. Google TAG and Microsoft MSTIC primary practitioners.

Account behaviour analysis: Creation date clustering, posting pattern synchronisation, coordinated engagement timing. Meta CIB team methodology.

Content fingerprinting: Template matching, translation artefact detection, AI-generated content classifiers.

OSINT Attribution

Narrative alignment: Mapping content to known actor talking points and doctrinal objectives. Stanford Internet Observatory, DFRLab methodology.

Network graph analysis: Mapping relationships between accounts, websites, funding flows, and personnel. Bellingcat, EU DisinfoLab approach.

Source tracing: Following content from origin through amplification chain to identify seeding point and operator.

Institutional Attribution

Government attribution: Intelligence community assessments, EEAS RAS activations, Five Eyes joint advisories — highest confidence but rarely fully public.

Platform attribution: Meta CIB, Google TAG, Microsoft MSTIC — high technical confidence, limited government intelligence access.

Hybrid attribution: Investigative journalism corroborating OSINT with documentary evidence — Forbidden Stories, Haaretz, Süddeutsche model.

This Monitor's Attribution Standards

Attribution claims below Possible are not published without corroboration from at least two independent source categories. Confirmed requires institutional or platform attribution plus independent corroboration. High requires strong OSINT evidence without formal attribution. Assessed reflects probable attribution based on TTPs and pattern-of-life. Possible reflects credible investigative journalism evidence not yet independently corroborated.

Weekly Brief

W/C 30 MAR 2026

CRITICAL 19 Mar 2026 EEAS / RAS

Russia Social Design Agency confirmed operating from Russian Embassy Budapest — EU RAS activated; Hungary election April 12

EEAS Rapid Alert System activation confirmed SDA operating from Russian diplomatic premises. Network seeding pro-Orbán, anti-EU narratives through fake Hungarian news sites. Critical timing: 24 days to election. [EEAS StratCom East, Mar 19 2026]

CRITICAL Feb 2026 Meta CIB

Meta removes 1,700+ Doppelganger assets — largest Russia-attributed removal since 2022

February 2026 CIB takedown disrupted Doppelganger network operating fake news sites cloning major German, French and Ukrainian outlets. Network was actively targeting Bundestag election narrative and French domestic political discourse. [Meta Threat Intelligence, February 2026]

HIGH 5 Mar 2026 Politico / DW

Turning Point Action launches Alliance of Sovereign Nations — includes MEPs with documented Russian financial connections

March 5 launch of AoS European far-right coalition, backed by Turning Point Action. Network includes MEPs previously identified in Russian funding investigation. Raises questions about convergence between US-right and Russian IO objectives in European electoral context. [Politico EU / Deutsche Welle, March 2026]

HIGH Mar 2026 Haaretz / Süddeutsche

Black Cube lobbying investigation confirmed in German Bundestag — profiling of politicians and journalists

Joint investigation by Haaretz and Süddeutsche Zeitung confirms Black Cube private intelligence operations targeting Bundestag members and journalists covering Israeli-Palestinian affairs. Operations included covert profiling, approach attempts, and information gathering feeding into narrative management strategies. [Haaretz / Süddeutsche Zeitung, March 2026]

HIGH Q1 2026 Google TAG

Google TAG disrupts Dragonbridge Q1 2026 — 2,500+ assets across YouTube, Blogger, and X

Q1 2026 Google Threat Analysis Group disruption of Dragonbridge/Spamouflage network targeting Taiwan Strait narratives and attempting to discredit Five Eyes intelligence community attributions of Chinese cyber operations. [Google TAG Threat Bulletin, Q1 2026]

MODERATE Q1 2026 DFRLab

DFRLab documents Iran-aligned network amplifying campus protest movements across EU and US

Atlantic Council DFRLab tracks 400+ coordinated accounts amplifying campus protest movements with pro-IRGC framing, connecting legitimate protest activity to Iranian regime narrative objectives. Network active across X, Instagram, and Telegram. [DFRLab Digital Research, Q1 2026]

MODERATE 2025 Report EEAS StratCom

X enforcement gap: EEAS 2025 report finds 88% of flagged FIMI content remains on platform

EEAS annual FIMI report finds X Trust & Safety enforcement has declined to near-inoperational levels for EU-flagged FIMI content. 88% of flagged content remains on platform. X did not participate in Q4 2025 EU DSA FIMI coordination exercise. [EEAS 5th FIMI Report, 2025]

MODERATE Mar 2026 UN OICT

UN Global Digital Compact information integrity commitments under implementation — 5 states assessed as lagging

UN Office of the Secretary-General's Envoy on Technology assessment finds five signatory states (Russia, Belarus, Iran, North Korea, Venezuela) have made no measurable progress on UN GDC information integrity commitments 18 months post-adoption. [UN OICT Monitoring Report, March 2026]

Cross-Monitor Signals

SUITE-WIDE · 30 MAR 2026

This section identifies overlaps, reinforcing signals, and conflicts between the FIMI & Cognitive Warfare Monitor and other monitors in the Asymmetric Intelligence suite. It draws only on public dashboards, briefs, and methodology pages. It is updated each Thursday alongside the weekly brief. Stale flags are archived when no longer material.

→ Democratic Integrity Monitor STRUCTURAL · ONGOING

FIMI as the primary delivery mechanism for democratic erosion

The Democratic Integrity Monitor tracks electoral interference and institutional erosion; this monitor tracks the information operations that deliver those effects. Russia's Social Design Agency operation in Hungary (confirmed, April 12 election) and the Doppelganger network's targeting of German and French political discourse are documented in both monitors from different analytical angles. The distinction between foreign information operation and domestic democratic backsliding is increasingly artificial — the same transnational networks drive both. From this monitor's perspective: FIMI is not an external pressure on democracy — it is a constitutive mechanism of democratic erosion in the 2020s model.

First flagged: 30 Mar 2026 · Structural significance: high · Expected duration: persistent

→ European Strategic Autonomy Monitor (EGHTM) STRUCTURAL · ONGOING

Cognitive warfare as a precondition for European strategic paralysis

The EGHTM tracks European defence spending, NATO cohesion, and the Ukraine conflict. This monitor's documentation of Russian political technologist networks, Chinese United Front operations, and the Turning Point Action/Alliance of Sovereign Nations infrastructure reveals the cognitive warfare layer that directly degrades European strategic coherence — by fragmenting political will before hard-security decisions can be taken. The hub-and-spoke relationship between these two monitors is intentional: EGHTM retains a FIMI spoke for EU response posture; this monitor provides the global attribution depth. From this monitor's perspective: narrative dominance over European electorates is a prerequisite for Russian and Chinese hard-security objectives — FIMI is the operational preparation for strategic paralysis.

First flagged: 30 Mar 2026 · Structural significance: high · Expected duration: persistent

→ AI Governance Monitor ACCELERATING · STRUCTURAL

AI capability as FIMI force-multiplier: 47% of operations now AI-assisted

The EEAS 4th Annual FIMI Report (March 2026) finds AI-generated or AI-assisted content in 47% of tracked operations — up from near-zero in 2020. The AI Governance Monitor tracks the capability and regulatory landscape for AI; this monitor tracks the operational deployment of that capability in information warfare. Key intersection points: synthetic media for persona creation, LLM-generated narrative seeding at scale, AI-assisted translation enabling cross-lingual operations, and AI-powered micro-targeting of political audiences. Governance frameworks being tracked by the AI Governance Monitor (EU AI Act, UN GDC) have direct implications for FIMI countermeasures. From this monitor's perspective: AI governance failures are FIMI infrastructure failures — unregulated generative AI capability is directly incorporated into state information operations within months of release.

First flagged: 30 Mar 2026 · Structural significance: critical · Expected duration: persistent and accelerating

→ Other Suite Monitors WATCH

Potential cross-monitor signals under observation

The Asymmetric Intelligence suite is expanding. This flag is a standing placeholder for signals from monitors whose domains intersect with cognitive warfare — including but not limited to: Rule of Law & Judicial Independence (foreign agent laws as FIMI infrastructure), Illicit Finance & Financial Crime (covert funding of influence operations), and any future monitors covering strategic conflict, technology-society, or global governance. Cross-monitor signals from these domains will be elevated to named flags as the evidence warrants.

Standing watch · Updated as new monitors publish

Sources

PRIMARY SOURCE REGISTRY

Institutional

EEAS StratCom Task Force — FIMI Reports (annual), RAS alerts
NATO StratCom Centre of Excellence, Riga — research reports, attributions
OSCE HROD — media freedom / disinformation monitoring
G7 Rapid Response Mechanism — election interference coordination
Five Eyes joint advisories (NCSC/ASD/CSE/CISA/GCSB)
EU Digital Services Act enforcement reporting (VLOPs)
UN Special Envoy on Technology — Global Digital Compact

Platform Reports

Meta CIB Reports — quarterly coordinated inauthentic behaviour disclosures
Google Threat Analysis Group (TAG) — quarterly bulletins
Microsoft MSTIC — threat intelligence reports
TikTok Transparency Reports — enforcement data
X / Twitter Trust & Safety — (noted: declining publication rate)
Telegram — minimal transparency reporting (noted as gap)

Academic & Think Tank

Stanford Internet Observatory (SIO)
Atlantic Council DFRLab
ASPI International Cyber Policy Centre
EU DisinfoLab
Disinfo Lab Brussels
Bellingcat (OSINT verification)
Oxford Internet Institute
Carnegie Endowment for International Peace

Investigative Journalism

Forbidden Stories (international consortium)
IJ4EU — Investigative Journalism for Europe
OCCRP — Organised Crime and Corruption Reporting Project
Haaretz — Israeli investigative coverage
Mediapart (France)
Süddeutsche Zeitung Investigativ
Der Spiegel / SPIEGEL International
The Guardian / Guardian Investigations

National Agencies

Viginum / SGDSN (France) — national FIMI agency
BfV / Verfassungsschutz (Germany) — annual threat reports
GCHQ / NCSC public statements (UK)
MI5 public assessments and annual threat reports
AIVD (Netherlands) — annual reporting
SUPO (Finland) — annual threat assessment
SÄPO (Sweden) — foreign influence reporting

About This Monitor

v1.0 · MARCH 2026

What this monitor is

The Global FIMI & Cognitive Warfare Monitor tracks Foreign Information Manipulation and Interference (FIMI) as a global cross-actor threat doctrine — not as a regional European concern. It covers campaign attribution, actor doctrine, platform responses, and the evolving institutional and regulatory frameworks through which states and multilateral bodies are attempting to detect, name, and counter information operations.

It is the hub of a hub-and-spoke architecture. Other monitors in the asym-intel.info suite track FIMI effects within their domains — electoral interference in the Democratic Integrity Monitor, StratCom responses in the European Strategic Autonomy Monitor, narrative operations in the AI Governance Monitor. This monitor tracks the underlying capability, infrastructure, and doctrine that produces those effects.

What this monitor is not

It is not a disinformation fact-checking service. Fact-checking individual false claims is important work conducted by others (AFP Fact Check, Full Fact, EUvsDisinfo). This monitor tracks the infrastructure, doctrine, and actor behaviour that produces false narratives at scale — the operational layer rather than the content layer.

It is not an advocacy product. The inclusion of US and Israeli operations alongside Russian and Chinese ones reflects operational reality and methodological consistency, not political equivalence. All actors are assessed by the same criteria: documented cross-border information operations using covert means, foreign funding, or platform manipulation.

Publication Cadence

Weekly brief — published every Thursday. Core format: 6–8 items across the campaign, platform, doctrine, and actor dimensions. Severity-coded (Critical / High / Moderate). Each item carries attribution confidence where relevant.

Campaign alert — ad hoc, 200–300 words, published mid-week when a time-sensitive development demands faster response: a major CIB takedown, a confirmed attribution of an active election interference campaign, or a significant doctrinal shift.

Dashboard — persistent, navigable summary of active campaigns, actor status, platform responses, and framework developments. Updated weekly alongside the brief.

Relationship to Other Monitors

Democratic Integrity Monitor — elections under active FIMI interference are cross-linked. Attribution detail and actor infrastructure live here; the Democratic Integrity Monitor carries the electoral and institutional consequences.

European Strategic Autonomy Monitor (EGHTM) — retains a FIMI spoke covering EU and Member State response posture only: RAS activations, StratCom operations, DSA enforcement. Actor attribution, campaign anatomy, and doctrine cross-link to this hub.

AI Governance Monitor — AI-generated synthetic media, LLM-powered influence operations, and the use of AI in attribution are tracked here; the AI Governance Monitor carries the governance and regulatory response.

Methodology and Attribution Standards

Primary sources in priority order: (1) Platform takedown reports and CIB disclosures; (2) EEAS StratCom and Rapid Alert System; (3) Five Eyes public advisories; (4) Academic and think-tank OSINT (Stanford IO, DFRLab, ASPI ICPC, Disinfo Lab, Bellingcat); (5) Investigative journalism (Forbidden Stories, IJ4EU, Haaretz, Mediapart, OCCRP); (6) NATO StratCom CoE and OSCE reporting; (7) National government disclosures (Viginum, BfV, GCHQ, MI5).

Attribution confidence is explicitly labelled on each item. The monitor does not publish attribution claims below "Possible" without corroboration from at least two independent source categories.

Methodology

The analytical standards, source hierarchy, attribution confidence framework, and actor inclusion criteria governing this monitor are set out in full in the standalone Methodology document. The companion scope document covers what is tracked, what is not, and the relationship to other monitors in the suite.

Created with

Created with Perplexity Computer. Part of the Asymmetric Intelligence open-source intelligence suite. Published under the asym-intel.info editorial framework.