For years, a state-aligned operation has run a campaign that does not rely on the usual tells of disinformation. There are no obvious typos, no implausible domains, no clumsy machine translation. The operation, tracked publicly as Ghostwriter and attributed to Belarus with documented overlap with Russian information operations, succeeds because it understands something most defenders underweight: a false claim does not need to be convincing on its own. It needs to arrive through a channel the reader already trusts.
The Method: Theft First, Then Fabrication
Most influence operations start with content. Ghostwriter starts with access.
Operators begin by compromising real accounts: email inboxes, social media profiles, and in some documented cases the content management systems behind legitimate news outlets. Credential theft, phishing, and account takeover are the entry point, not an afterthought. Once inside, the operators have something far more valuable than a botnet: they have the trust that a real byline, a real domain, or a real colleague's inbox carries by default.
Only then comes the fabrication. A false article gets planted on a legitimate-looking outlet, sometimes on the actual site of a real publication whose CMS was breached. A message goes out from an inbox the recipient has corresponded with before. The forged content can be modest in quality and still work, because the surrounding context does the persuasion. The reader is not evaluating a stranger's claim. They are reading what appears to be their own trusted source.
Why Imperfect Forgeries Still Land
This is the part worth sitting with. A forgery does not need to be perfect.
A reader who would dismiss a random link will pause on the same claim when it appears on a familiar site, or when it arrives from a known contact. The human brain treats the channel as evidence. We are trained, reasonably, to trust the publications we read and the people we know. Ghostwriter exploits that training directly. It does not try to defeat your skepticism with a flawless fake. It routes around your skepticism by borrowing a source you have already decided to believe.
That is what makes the operation hard to detect. The signals we are taught to watch for, suspicious senders and unfamiliar domains, are precisely the signals the operation removes.
The Human Angle
The defense against Ghostwriter is not primarily technical. It is a habit of mind.
When a surprising or convenient claim arrives, especially one that confirms what you already suspect or want to be true, the trusted channel it came through should not end your scrutiny. It should begin it. The more a piece of information would change your behavior, the more it is worth a second look.
This applies with particular force to leaks. Unexpected leaked documents, especially ones that seem almost too well suited to a current debate, deserve caution rather than amplification. A document that is too clean, too perfectly timed, or too neatly aligned with a known agenda is a reason to slow down, not to share faster.
What Defenders Can Do
For Individuals
Verify surprising claims through a second, independent source before amplifying them. Independent is the key word: a second outlet that simply republished the first is not corroboration. If a claim matters enough to forward, it matters enough to confirm.
Treat unexpected leaks and too-perfect documents as suspect until verified. Provenance is part of the story, not a detail to skip past.
For Organizations
Protect the publishing pipeline as carefully as you protect the data. Bylines, content management systems, and the accounts with authority to publish are now part of your attack surface. An attacker who can post under your masthead does more damage than one who merely reads your files.
That means treating editorial and publishing accounts as high-value targets: strong authentication, least-privilege access, monitoring for unexpected logins and content changes, and a clear process for confirming that a published piece actually came from its claimed author. The integrity of what goes out under your name is a security property, and it should be defended like one.
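One way to turn the monitoring and author-confirmation steps above into a check, as an added example rather than code from any real CMS: it walks a constructed audit log and queues content changes for confirmation with the claimed author. The event fields (`actor`, `action`, `ip_net`, `article`, `byline`) and the account names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample CMS audit events (not from any real system), in time order.
# Field names are assumptions: ts, actor, action, ip_net (source network), article, byline.
EVENTS = [
    {"ts": "2024-03-01T08:02", "actor": "a.novak", "action": "login", "ip_net": "198.51.100.0/24"},
    {"ts": "2024-03-01T08:10", "actor": "a.novak", "action": "publish", "article": "budget-vote", "byline": "a.novak"},
    {"ts": "2024-03-02T09:00", "actor": "m.kowal", "action": "login", "ip_net": "203.0.113.0/24"},
    {"ts": "2024-03-02T09:20", "actor": "m.kowal", "action": "publish", "article": "harvest-report", "byline": "m.kowal"},
    {"ts": "2024-03-05T02:41", "actor": "a.novak", "action": "login", "ip_net": "192.0.2.0/24"},
    {"ts": "2024-03-05T02:44", "actor": "a.novak", "action": "publish", "article": "troop-statement", "byline": "m.kowal"},
    {"ts": "2024-03-05T02:47", "actor": "a.novak", "action": "edit", "article": "harvest-report"},
]

def review_queue(events):
    """Return (ts, article, reasons) for content changes that need author confirmation."""
    known_nets = defaultdict(set)   # actor -> networks accepted as that account's baseline
    session_new = {}                # actor -> True if the current session is from an unseen network
    published_by = {}               # article -> byline it was published under
    flagged = []
    for e in events:
        actor = e["actor"]
        if e["action"] == "login":
            # The first login sets the baseline; later unseen networks mark the session.
            session_new[actor] = bool(known_nets[actor]) and e["ip_net"] not in known_nets[actor]
            if not session_new[actor]:
                # Unseen networks stay unknown until confirmed (confirmation step not shown).
                known_nets[actor].add(e["ip_net"])
            continue
        reasons = []
        if session_new.get(actor):
            reasons.append("session from unseen network")
        if e["action"] == "publish":
            published_by[e["article"]] = e["byline"]
            if e["byline"] != actor:
                reasons.append("byline differs from publishing account")
        elif e["action"] == "edit" and published_by.get(e["article"]) not in (None, actor):
            reasons.append("published piece edited by non-author")
        if reasons:
            flagged.append((e["ts"], e["article"], reasons))
    return flagged

if __name__ == "__main__":
    for ts, article, reasons in review_queue(EVENTS):
        print(ts, article, "; ".join(reasons))
```

Each flagged item is a prompt to confirm with the named author over a separate channel, not proof of compromise; desk editors who legitimately publish under other bylines would need an allowlist.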
The Takeaway
Ghostwriter is a reminder that trust is infrastructure, and infrastructure can be captured. The operation works because it turns our reasonable instincts into an attack vector. The countermeasure is to add one deliberate step between receiving and believing, and to extend the same care we give our data to the channels that carry our credibility.