Bluesky Accounts Compromised in Russian Disinformation Campaign
Severity: High (Score: 75.5)
Sources: Theaustralian.Au, Gigazine
Keywords: bluesky, accounts, removed, hijacked, propaganda, campaign, public
Summary
A Russian influence campaign has hijacked hundreds of Bluesky accounts, primarily belonging to journalists and academics, to disseminate propaganda against Ukraine. Researchers from Clemson University identified the Moscow-based firm Social Design Agency (SDA) as responsible for this operation, which utilized real accounts instead of fake ones. Affected individuals reported unauthorized posts on their accounts, with at least 200 accounts confirmed compromised. Bluesky has removed 4,907 accounts linked to state-backed influence activities in 2026, a significant increase from the previous year. The compromised accounts were primarily older and dormant, although some active accounts were also affected. Bluesky clarified that their systems were not breached; rather, the hijacking occurred through leaked credentials. The campaign is part of a broader strategy known as Matryoshka, which involves impersonation and disinformation tactics.
Key Points:
- Hundreds of Bluesky accounts were hijacked to spread anti-Ukraine propaganda.
- The campaign is linked to the Russian firm Social Design Agency (SDA).
- Bluesky removed 4,907 accounts in 2026, doubling the previous year's removal rate.
Detailed Analysis
**Impact** Hundreds of Bluesky accounts, including those of influential Americans such as journalists, academics, and filmmakers, were hijacked to disseminate pro-Russian propaganda. At least a couple of hundred accounts were confirmed compromised, with Bluesky removing 4,907 state-backed influence accounts in 2026 alone, doubling the removal rate from the previous year. The campaign primarily targeted dormant and older accounts but also affected some active users. The disinformation aimed to undermine support for Ukraine amid ongoing conflict.

**Technical Details** The attackers gained unauthorized access to individual user accounts using credentials leaked from prior data breaches, not by breaching Bluesky’s systems. The operation was linked to the Moscow-based Social Design Agency (SDA), associated with the Kremlin-backed Matryoshka influence campaign known for impersonation and AI-generated content. Compromised accounts were used to post anti-Ukraine narratives before being suspended or deleted. No specific malware, CVEs, or infrastructure details were provided.

**Recommended Response** Users should immediately enable two-factor authentication (2FA) on their accounts and use strong, unique passwords managed via password managers. Organizations should monitor for unusual account activity and promptly suspend accounts exhibiting suspicious behavior. Bluesky and defenders should continue rapid removal of compromised accounts and monitor for credential leak sources. No patching information is available; focus should remain on credential security and account monitoring.
Source articles (2)
- Bluesky removed 8526 'state-sponsored public opinion manipulation accounts' in one year. — Gigazine · 2026-05-28
  Bluesky has announced that it has removed 8,526 'state-sponsored public opinion manipulation accounts' since May 2025. Since May 2025, we have removed 8,526 accounts on Bluesky that were involved in state- man…
- Bluesky accounts hijacked in pro-Russia propaganda campaign — Theaustralian.Au · 2026-05-29
  A Russian influence campaign hijacked hundreds of Bluesky accounts -- many belonging to influential Americans -- to spread propaganda, researchers said, in a striking disinformation tactic that weapon…
Timeline
- 2025-05-01 — Bluesky begins tracking state-sponsored accounts: Bluesky initiated monitoring for accounts involved in public opinion manipulation, leading to increased removals.
- 2026-01-01 — Bluesky escalates account removals: In 2026, Bluesky removed 4,907 accounts linked to state-backed influence activities, marking a significant increase in action.
- 2026-05-29 — Clemson University reports on account hijacking: Researchers reveal that a Russian campaign hijacked hundreds of Bluesky accounts to spread disinformation, affecting notable figures.
Related entities
- Data Breach (Attack Type)
- Matryoshka (Campaign)
- Bluesky (Platform)
- France (Country)
- Russia (Country)
- Ukraine (Country)
- United Kingdom (Country)
- United States (Country)
- CWE-200 - Exposure of Sensitive Information (CWE)
- T1078 - Valid Accounts (MITRE ATT&CK)