Active since at least September 2025, this IMS has disseminated several coordinated campaigns by strategically exploiting architectural flaws in the decentralised Fediverse (Mastodon) and uses the Brid.gy service to cross-post simultaneously on Bluesky and on Mastodon. Targeting countries such as Ukraine, France, Germany and the United States, the content related to this IMS also promotes Max, a Russian state-backed messenger requiring a Russian phone number to operate, suggesting it targets domestic Russian audiences as well as Western ones.
By laundering content from EU-sanctioned Russian media outlets (such as the Pravda network, Russia Today, and Sputnik) and using automated accounts with seemingly AI-generated features, this IMS has managed to establish a highly organized and coordinated infrastructure to circumvent content moderation and legal regulations. During our investigation, we found hundreds of Mastodon accounts during our research, “bridging” all their publications to Bluesky in coordinated waves, with new batches of accounts activated each month, remaining active for short, intense bursts, before disappearing and being replaced. Those accounts are still running on ten Mastodon instances, including the original instance mastodon.social, which gathers over 870,000 users, and bridged to hundreds of accounts on Bluesky.
The architecture of these decentralised platforms makes it harder to detect, track and flag Foreign Information Manipulation and Interference (FIMI). Threat actors exploit this environment by using technical gateways like Brid.gy to leverage cross-network connectivity, allowing them to automatically synchronise and scale their campaigns across these decentralised platforms. Consequently, these alternative social networks have become a critical new front in the fight against FIMI.
Our investigation demonstrates how these malicious actors are exploiting this new backdoor to spread disinformation to other audiences. We reached out to Bluesky’s moderation team and Mastodon instances’ administrators for comment, as well as Brid.gy creators. Two Mastodon administrators responded and reaffirmed their commitment to combating misinformation through enhanced manual moderation. Although the Brid.gy team is aware of Portal Kombat’s use of bridging and says to be cooperating with Bluesky’s Trust & Safety team, they have also underlined their lack of human and technological resources to moderate content efficiently.
The evidence gathered in this investigation points to a broader, more organised operation than it first appears. The synchronisation of identical publications across Roska Bridge and the Pravda Network constitutes clear indicators of Coordinated Inauthentic Behavior (CIB) and strongly suggests a structural link between Roska Bridge and Portal Kombat, even in the absence of formal proof.
CheckFirst empowers its partners to navigate today’s complex online information ecosystem and equips decisionmakers with customisable solutions to combat online harms.
Our story