Geopolitics

Researchers say media outlet targeting Moldova is a Russian cutout

REST Media has garnered millions of views on social media for its content targeting Moldova’s EU-friendly leadership. Researchers say it’s a pro-Kremlin operation.

By Derek B. Johnson

September 23, 2025

Listen to this article

0:00

This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.

REST Media has garnered millions of views on social media for its content targeting Moldova’s EU-friendly leadership. Researchers say it’s a pro-Kremlin operation. (Image via Getty)

Researchers say a Russian group sanctioned by the European Union and wanted by the U.S. government is behind an influence operation targeting upcoming elections in Moldova.

In a report released Tuesday, researchers at the Atlantic Council’s Digital Forensic Research Lab said that REST Media — an online news outlet launched in June whose posts have quickly amassed millions of views on social media — is actually the work of Rybar, a known Russian disinformation outfit connected to other documented influence campaigns against Western countries and Russian-foes like Ukraine.

REST’s content — spread through its website and social media sites like Telegram, X and TikTok — often hammered Moldova’s pro-EU party, the Party of Action and Solidarity, with claims of electoral corruption, vote selling and other forms of misconduct. The site also sought to explicitly cast Moldova’s anti-disinformation efforts as a form of government censorship.

While REST publishes anonymously-bylined articles on its website meant to mimic news reporting, most of its reach has come from TikTok, which accounts for the overwhelming majority of the 3.1 million views its content has received online.

“The actual scope and reach of REST’s campaign likely extends beyond what is documented in this investigation,” wrote researchers Jakub Kubś and Eto Buziashvili.

REST Media’s social media output received millions of views on platforms like TikTok, X and Telegram. (Source:Digital Forensics Research Lab)

The researchers provide technical evidence that they say shows unavoidable connection and overlap between the online and cloud-based infrastructure hosting REST and online assets from previously known Rybar operations.

For instance, the site shares “identical” server configurations, file transfer protocol settings and control panel software as Rybar’s mapping platform, while a forensic review of REST’s asset metadata found a number of file paths that explicitly reference Rybar.

“These operational security lapses appear to indicate that at least some REST content follows the same production workflow as Rybar,” Kubś and Buziashvili wrote.

Analysis of the domain for REST’s website found it was registered June 20 “through a chain of privacy-focused services that collectively create multiple layers of anonymization.” The registration was processed out by Sarek Oy, a Finland-based domain registrar company with a history of involvement with pirated websites that was denied formal accreditation by international bodies like ICANN.

The listed domain registrant for REST’s website, 1337 (or “LEET”) Services LLC, appears to be a play on common hacker slang, and DFIRLab said the company is tied to a notorious VPN service based in St. Kitts and Nevis in the Caribbean that is known for helping clients hide their identities.

Efforts to reach the site’s operators were not successful. REST’s website, which is still active, contains no information about the identities of editorial staff, regularly publishes stories with anonymous bylines and does not appear to provide any means for readers to contact the publication, though there is a section for readers to leak sensitive documents and apply for employment.

An image from REST Media detailing “electoral corruption” in Moldova targeting Maia Sandu, head of the Pro-EU Party of Action and Solidarity. (Source: Digital Forensics Research Lab)

Kubś and Buziashvili said the new research demonstrates that REST “is more than just another clone in Russian’s information operations ecosystem.”

“It provides granular detail on how actors, such as Rybar, adapt, regenerate, and cloak themselves to continue their efforts to influence,” the authors wrote. “From shared FTP configurations to sloppy metadata, the evidence points to REST being part of a broader strategy to outlast sanctions through proxy brands and technical obfuscation.”

It also underscores “that such influence efforts” from Russia are not siloed “but cross-pollinated across regions, platforms, and political contexts, seeding disinformation that resonates well beyond Moldovan borders.”

No REST from influence campaigns

REST is the latest in a string of information operations targeting Moldova’s elections that have been traced back to the Russian government over the past year, according to Western governments and independent researchers who track state-backed disinformation campaigns.

A risk assessment from the Foreign Information Manipulation and Interference Information Sharing and Analysis Center on Sept. 9 identifies what it described as “persistent Russian-led hybrid threats, including information warfare, illicit financing, cyberattacks, and proxy mobilisation, aimed at undermining the Moldovan government’s pro-EU agenda and boosting pro-Russian actors.”

The assessment pointed to Moldova’s fragmented media landscape — “where banned pro-Russian outlets evade restrictions via mirror websites, apps, and social media platforms such as Telegram and TikTok” — as a vulnerability that is being exploited by Russian actors, alongside the country’s limited regulatory resources and gaps in online political ad regulation. Russian-directed influence activities in Moldova have “evolved significantly” from funding real-life protests and other forms of paid mobilization to “increasingly technology driven operations,” including social media and newer technologies like artificial intelligence.

But such mobilization may still be part of Russia’s plans. Earlier this week, Moldovan authorities carried out 250 raids and detained dozens of individuals that they claimed were part of a Russian-orchestrated plot to incite riots and destabilize the country ahead of next week’s elections.

The goal is to create a society that feels besieged from all sides — facing not only external pressure from Russia abroad but also internal political strife that can prevent a unified front.

“This intersection of external manipulation and internal fragmentation heightens political polarisation, risks disengaging the traditionally pro-European diaspora, and fosters growing public apathy and disillusionment, outcomes that directly threaten electoral integrity and democratic resilience,” the assessment concluded.

It also comes as the U.S. federal government has — often loudly and proudly — moved away from any systemic effort to fight or limit the spread of disinformation domestically and abroad.

The State Department under Secretary Marco Rubio earlier this year shut down the Global Engagement Center, which was created by Congress and functioned as the federal government’s primary diplomatic arm for engaging with other countries on disinformation issues.

In a Sept. 17 statement, State Department principal deputy spokesperson Tommy Pigott confirmed that the department had “ceased all Frameworks to Counter Foreign State Information Manipulation and any associated instruments implemented by the former administration.”

Pigott added that the decision to shutter the office, which focused mostly on foreign disinformation campaigns waged by autocrats abroad, aligns with an executive order on free speech and freedom of expression issued shortly after Trump took office.

“Through free speech, the United States will counter genuine malign propaganda from adversaries that threaten our national security, while protecting Americans’ right to exchange ideas,” Pigott said.

In addition to the State Department, the Trump administration has shut down the foreign influence task force at the FBI and fired officials and eliminated disinformation research at the Cybersecurity and Infrastructure Security Agency.

The Foreign Malign Influence Center, a key office housed within the Office of the Director of National Intelligence, was responsible for piecing together intelligence around burgeoning foreign influence operations targeting U.S. elections and notifying policymakers and the public. According to sources familiar with the matter, the center’s work has largely ground to a halt under Director of National Intelligence Tulsi Gabbard, who is planning to eliminate the center as part of a larger intelligence reorganization plan.

Lindsay Gorman, a former White House official under the Biden administration, told CyberScoop earlier this year that the U.S. needs a way to coordinate with democratic allies and provide effective interventions when their elections and digital infrastructure are being targeted by intelligence services in Russia, China and other adversarial nations.

One way to fight back, Gorman said, is to have “eyes and ears on the ground” on those countries and “to expose covert campaigns for what they are,” something that outfits like the State Department’s Global Engagement Center were explicitly designed to do.