Source Spoofing: How Fake News Sites Steal Real Outlets' Identities

Source spoofing is the creation of fake media outlets designed to look like real ones. Operators clone legitimate news websites, invent credentialed "experts," or build entire fake newsrooms — all to make propaganda look like journalism. If you trust the source, you trust the story. That's what they're counting on.

How It Works

The most common technique is website cloning. Operators register a domain that looks almost identical to a real news outlet. They copy the site's design, logo, fonts, and layout. Then they publish fake articles on the clone that push their preferred narrative.

The URLs are close enough to fool someone scrolling quickly. A dash instead of a dot. A different domain extension — .info instead of .com. A slight misspelling. These are called typosquat domains. Someone sharing a link on social media might not notice the difference. Neither will most people clicking it.

The fake articles are designed to blend in. They use the same writing style as the real outlet. They include real photos. They reference real events. But the framing, quotes, and conclusions are fabricated. A reader who lands on the page sees what looks like a legitimate news article from a trusted source.

Some operations go further. They create entire fake newsrooms — complete with staff pages, editorial guidelines, and social media accounts. These outlets have no real reporters. They exist solely to produce content that other accounts can share as "news."

Another variant is the fake expert. Operations create fictional analysts with LinkedIn profiles, academic-looking papers, and photo headshots (sometimes AI-generated). These "experts" then get quoted in real media, cited in policy discussions, or used to give fake credibility to fringe claims.

The final step is distribution. The cloned articles get pushed through social media — shared by bot networks, posted in Facebook groups, and spread through Telegram channels. Each share adds a layer of apparent legitimacy. By the time a real person encounters the link, it's been "shared by 500 people" and looks trustworthy.

Real-World Example

The Doppelganger campaign is source spoofing at industrial scale.

Uncovered by EU DisinfoLab in 2022, Doppelganger is a Russian operation that cloned at least 17 major European news outlets. The targets include Der Spiegel, Le Monde, Bild, The Guardian, Ansa, 20 Minutes, and Fox News. Each clone was a near-perfect visual copy of the real site.

The fake articles pushed pro-Russian narratives — anti-Ukraine messaging, calls to end European support for Kyiv, and stories designed to undermine EU unity. The content was then distributed through networks of fake social media accounts, primarily on X and Facebook.

The operation has been running since at least May 2022 and keeps evolving. When one batch of domains gets seized, new ones appear. In September 2024, the US Justice Department seized 32 web domains used by Doppelganger. The operation continued with new domains.

It's not just Russia. Iran's Endless Mayfly campaign, first documented by Citizen Lab in 2019, uses a similar technique. It creates fake articles on typosquat domains mimicking legitimate outlets, distributes them through social media, and then deletes the articles after they've gained traction. The articles are designed to be ephemeral — they go viral, do their damage, and disappear before fact-checkers can respond. Meta's Q2-Q3 2025 report attributed the campaign to Iran's International Union of Virtual Media (IUVM).

Iran has also created entirely fictional outlets. The "North American Eagle Broadcasting Company" (NAEBC) was designed to look like a US local news operation. It had no real staff, no real offices. It existed only to produce Iran-aligned content dressed up as American journalism.

How to Spot It

Always check the URL. Read it carefully, character by character. Spoofed sites rely on you glancing and moving on. If the domain looks even slightly off — an extra letter, a dash where there shouldn't be one, a .info instead of .com — verify it independently.

Search for the outlet's name in a separate browser tab. If you can't find the site through a normal search — if it only exists as a link someone shared — that's a red flag.

Look for an "About" page. Real news outlets have editorial teams, mastheads, and contact information. Spoofed sites either skip these entirely or fill them with generic text.

Check whether other outlets are reporting the same story. If a major claim appears on only one site and nowhere else, be cautious — especially if that site looks like a clone of something familiar.

Reverse-image search any expert photos. AI-generated headshots often have tells: blurred ears, asymmetrical backgrounds, or jewelry that doesn't quite look right.

The Scale

Source spoofing is growing. EU DisinfoLab's Doppelganger investigation documented clones of outlets across Germany, France, Italy, the UK, and Ukraine. The US Justice Department's seizure of 32 domains was just one enforcement action — the total number of spoofed domains runs into the hundreds.

Iran's Endless Mayfly has been running since at least 2019 with no sign of stopping. Meta continues to take down spoofed content quarterly. The campaigns keep regenerating.

The barrier to entry is dropping. Cloning a website costs almost nothing. Registering a typosquat domain takes minutes. AI can now generate fake expert headshots, write passable news articles, and create entire fictional organizations. What once required a state intelligence service can now be done by a small team with a laptop.

Every shared link is an act of trust. Source spoofing exploits that trust at scale.

---

This article is part of the Albis Mechanism Library — explaining how information warfare works so you can see it. Explore all mechanisms →