Russian Hackers Target Bluesky with Sophisticated Disinformation Campaign
In a concerning development for online security and information integrity, research from Clemson University, alongside the internet monitoring organization dTeam, has revealed that Russian state-linked hackers have successfully compromised hundreds of accounts on the Bluesky social media platform. This infiltration is part of a broader disinformation campaign explicitly aimed at targeting Ukraine. The operation, which began to surface in waves around April 2025, has led to the removal of approximately 2,000 posts deemed harmful or misleading by the platform’s moderation team.
This emerging strategy reflects a significant tactical shift in how Russian operatives conduct disinformation efforts. Traditionally, these campaigns heavily relied on creating fake profiles filled with fictitious personas, often resorting to bizarre or poorly constructed accounts to spread false narratives. However, this latest approach marks a stark contrast. Instead of solely employing fabricated identities, the hackers have strategically targeted real, established accounts belonging to journalists, educators, pollsters, and other influential figures.
Darren Linvill, who serves as the director of Clemson’s Media Forensics Hub, pointed out that these Russian operators seem to be in a phase of experimentation following years of using fabricated profiles. "They are clearly adapting and evolving their tactics," Linvill stated, signifying that they are no longer just settling for basic deception but are instead moving towards a more refined methodology aimed at online influence.
The compromised accounts have frequently been used to disseminate AI-generated videos and fabricated news articles that mimic legitimate journalism. For instance, one striking case involved a deepfake video that falsely portrayed a Canadian police official making disparaging remarks about French President Emmanuel Macron. Another misleading post claimed that The New York Post had connected Ukraine to an alleged assassination attempt on President Trump during the White House Correspondents’ Association dinner in April 2025.
The vulnerability of the Bluesky platform was underscored by the experience of Baltimore Banner reporter Pamela Wood, who found her account compromised only after it had been suspended by Bluesky, necessitating a password reset. This incident highlights a broader issue in social media security, where even established figures can fall victim to sophisticated hijacking tactics.
Experts characterize this operation as notably more advanced than typical social media manipulation campaigns. Joseph Bodnar, a representative from the Institute for Strategic Dialogue, remarked that previous hijacking efforts on platforms like X (formerly Twitter) tended to utilize "random, obscure accounts with crazy avatars." In contrast, this campaign appears meticulously planned, deliberately exploiting accounts that are moderately well-known and respected to lend an air of credibility to the disinformation being shared. This strategy inherently taps into the trust associated with established users, making the misinformation even harder to detect.
Bluesky, which transitioned from being an invitation-only platform to public access in February 2024, has experienced notable growth, now boasting a user base of 42 million. As part of its response to this breach, the platform suspended the compromised accounts and mandated that their owners reset their passwords to regain access. In light of these troubling developments, users are encouraged to implement several best practices for their online security. This includes creating strong and unique passwords, enabling two-factor authentication whenever possible, and regularly monitoring their accounts for any unauthorized activity.
Organizations and individuals with a public presence must maintain vigilance in their online behavior, continuously reviewing their security settings to guard against potential compromises. The evolving nature of disinformation tactics underscores the urgent need for users to be proactive in protecting their identities and maintaining the integrity of information shared in the digital sphere.
The revelation that Russian state-linked actors have developed a more sophisticated method of spreading disinformation raises alarms not just for the Bluesky platform but for the broader realm of social media, highlighting the ongoing challenges faced by organizations in safeguarding their users against deception and manipulation. The implications of such operations extend far beyond individual accounts, posing a broader threat to the way information flows in our increasingly interconnected world.
As the situation develops, it is crucial for both users and platform administrators to remain aware of these tactics and work collaboratively to foster a safer online environment.