Capture the Flag
On the night of November 5-6, Facebook announced that it had taken down a network of over 300 inauthentic Instagram accounts and a handful of Facebook assets that originated in Iran and targeted Israel, Saudi Arabia and the United States - all frequent targets of earlier Iranian operations. Many of the accounts impersonated activists from the so-called “Black Flag” protests in Israel. Facebook attributed the network to an Iranian IT company, EITRC.
The fake accounts were created in batches and operated in separate phases of activity. In the first phase of the operation, in late 2019, they posted content in Arabic that criticized Saudi Arabia and then, from January 2020, the United States, following the killing of Iranian General Qasem Soleimani. Beginning in February 2020, the assets in this set criticized the Israeli government’s response to Covid-19. From July onwards, they posted in Hebrew about the “Black Flags” protest movement in Israel, supporting their campaign against Prime Minister Benjamin Netanyahu.
Most of the operation’s accounts were thinly disguised fakes; one batch used profile pictures that were taken from Getty Images, with the Getty watermark still visible. The accounts do not appear to have gained a significant audience or to have spread to other platforms.
The most remarkable feature about this operation was its kangaroo nature. Its targeting, including its use of language, jumped from attacking Saudi Arabia in late 2019, to defending Iran and focusing on Israel’s struggles to cope with COVID-19 in early 2020, to attacking Netanyahu and supporting the protests against him for the remainder of 2020. All have been the focus of Iranian influence operations at different times; the way this operation switched from one to the next showed the operators’ thematic flexibility, but also limited their ability to build an audience. Establishing a loyal audience for any operation, overt or covert, takes time. Switching country, topic and language every few months undermined this operation’s ability to build a persona.
Léa Ronzaud
Senior Analyst
Léa Ronzaud leads monitoring and investigations into the detection and tracking of Russian influence operations and violent extremist groups. She also researches nihilistic violent extremism and hacktivism. Léa’s work has helped disrupt efforts by extremists in multiple countries to orchestrate real-world harm and exposed the inner workings of nation-state influence operations from Russia, China, and Iran.
Ira Hubert
Analyst
Ben Nimmo
Head of Investigations
Ben Nimmo was Head of Investigations at Graphika, where he led an expert team of OSINT investigators in detecting, identifying and analyzing inauthentic behavior and information operations online. He specializes in analyzing patterns of online disinformation and influence operations across varying platforms and geographical regions. He is now the Principal Investigator, Intelligence & Investigations at OpenAI.
Download the complete PDF
The full report includes the complete network graph maps, raw attribution indicators, cross-platform topology analysis, and the full takedown timeline with platform-level data.
- Full network graph visualizations
- Attribution indicators with confidence scores
- Raw behavioral modeling data
- Takedown coordination timeline
Related Reports
Free Money & Pig Butchers: Crypto Fraud and Scams on Social Media
An examination of nine common cryptocurrency-related scam and fraud schemes.
Read the Report
Character Flaws
School Shooters, Anorexia Coaches, and Sexualized Minors: A Look at Harmful Character Chatbots and the Communities That Build Them
Read the Report
The #Americans
Chinese State-Linked Influence Operation Spamouflage Masquerades as U.S. Voters to Push Divisive Online Narratives Ahead of 2024 Election
Read the ReportSee How Graphika Can Help Your Team Act on This Intelligence
This report is one of 600+ investigations Graphika’s team has published. Our platform gives your analysts continuous access to the same intelligence — plus the tools to apply it to your specific threat environment.