When a drug kingpin named Microsoft tried to seize control of an encrypted phone company for criminals, he was playing right into its real owners’ hands.

Inside the Biggest FBI Sting Operation in History

YouTube remains the only major US-based social media platform available in Russia. It’s become "indispensable" to everyday people, making a ban tricky. Journalists and dissidents are taking advantage.

In December 2020, Vladimir Putin held his end-of-the-year press conference as normal. Despite the Covid-19 pandemic still raging in Russia and worldwide, the president insisted that things would be OK. He had set aside 350 billion rubles ($4.8 billion) “to give social benefits to people, families, both children, doctors, and students.”

Two weeks later and nearly 1,000 miles away, the opposition Anti-Corruption Foundation uploaded a video to its YouTube channel. In it, Alexei Navalny introduces the world to “Putin’s palace,” which he dubbed “the world’s largest bribe.”

Over nearly two hours, Navalny walks viewers through the trappings of the palatial datcha, on the Black Sea coast. A 2-million-ruble sofa, a 2-million-ruble vanity, a dining table worth nearly 4 million rubles. The ubiquitous gold leafing on the walls, a private theater, a velvet-lined hookah bar, a casino, even a _Dance Dance Revolution_ room. The construction of such a lavish abode would have cost Putin and his oligarchic backers over 100 billion rubles ($1 billion) of money pilfered from the Russian state, Navalny tells the viewer. Money that could have gone to people, families, children, doctors, and students.

The Russian-language video exploded, far surpassing anything Navalany and the Foundation had ever produced. Within weeks, it blew past 100 million views, and it has added another 32 million views since then—nearing the population of Russia itself.

The Foundation’s popularity on the world’s largest video-sharing platform had been growing massively over the preceding year—particularly as Russians were stuck indoors, and as the Kremlin intensified its crackdown on the independent press.

“Twenty years of total government control have turned television into an incessant marathon of disgraceful propaganda, lies, and censorship,” as Navalny told his viewers in a 2020 video. Behind him, a stack of TVs broadcast different clips of Russian TV presenter Vladimir Solovyov, a ubiquitous face on the Russia1 channel.

In December of that year, Navalny began his regular video dispatches with a startling introduction: “Hi, it’s Navalny. I know who wanted to kill me. I know where they live. I know where they work. I know their real names.”

Working with investigative journalism outfit Bellingcat, Navalny had posed as a Kremlin official in order to coax a confession out of one of his would-be assassins. The alleged agent recounted how the team of Russian operatives applied the nerve agent Novichok to Navalny’s underwear. Navalny recorded the whole thing and posted it directly to his YouTube channel.

In a follow-up video, Navalny continues to break down the failed murder plot in front of a wall featuring each of the men’s photos, maps of the operation, and red twine connecting everything.

In the West, Navalny’s appeal was often shortened to that of simply an opposition figure—a divisive one, for some, who became the de facto alternative to Putin after the other alternatives were killed or jailed.

But in the years leading up to his 2021 imprisonment and death in February 2024, Navalny became much more than just a politician—and the media apparatus he became the face of became bigger than him.

While Russia has grown considerably more autocratic in recent years, with its elections even more tightly scripted and its media ever more controlled by the Kremlin, YouTube remains one of the few US-based social media sites still available in the country and a reliable and effective conduit to the Russian public. It could be key to determining what happens next in Moscow—if YouTubers can stay ahead of Kremlin censorship.

“With minimal resources, we were essentially able to establish a direct competitor of Putin’s propaganda television,” says Vladimir Milov. “We are still behind them, but we are breathing down their back.”

Milov is a former deputy minister with the Russian government, a longtime Navalny associate, and a YouTube creator in his own right. I caught up with him in Vilnius, where he’s been exiled since Moscow began criminal proceedings against him. Last year, Milov was convicted by the Russian courts of disseminating “war fakes” and sentenced to eight years in prison in absentia.

Milov’s regular updates, which tend to focus on economics and finance, go out to his 500,000-plus subscribers, and often rack up around a million views. Leonid Volkov, another Navalny associate who helps run the Anti-Corruption Foundation, boasts another 165,000 followers. Dasha Navalnaya, Alexei Navalny’s daughter, has her own channel where she interviews GenZ Russians about the state of their country.

Above that, independent media have found a second home on YouTube as well. Meduza, an independent media organization that had to decamp to Latvia after being declared a “foreign agent” under Russian law, has nearly 800,000 subscribers. The BBC’s Russian service, which left the country amid a 2022 media crackdown, broadcasts regularly to its 2.5 million subscribers.

Cobbling together the analytics across these various channels, Milov says these opposition YouTubers have about 10 million to 15 million dedicated viewers inside Russia—while another 20 million viewers may stumble across their content from time to time.

​”Our message gets through to the Russian people,” Milov says. “We are serving as a very effective alternative broadcasting tool that really competes with Putin's propaganda.”

VCIOM, a pollster loyal to the Kremlin, has found that a plurality of Russians still prefer to get their news from heavily censored Russian television, but their trust in the format has plummeted, from nearly 50 percent in 2016 to just 25 percent today. Meanwhile, trust in online news has jumped by roughly the same degree.

Meanwhile, as Western programming becomes rarer and rarer, many Russians are turning to YouTube for their primary source of entertainment—especially for kids’ programming. Eight of the 10 most-subscribed Russian YouTube channels, according to rankings compiled by analytics firm Socialblade, are targeted at young children.

So Russians are losing faith in the state-approved TV news, increasingly trusting of online media, and are looking to YouTube for entertainment. It has delivered tens of millions of people right at the opposition’s doorstep.

Even if most Russian YouTube users are looking for content to pacify their children, bringing them on the platform has enormous benefits, Milov says. “There's this magical black box which is called YouTube recommendations.” He says plenty of his followers don’t even watch his videos—they listen. If Russians are letting the algorithm choose their next video while they cook dinner or fold laundry, it increases the chances his voice will reach a Russian who has never heard him before.

Milov stresses that YouTube isn’t just a one-way service: Because it allows users to comment and chat anonymously, it provides an extraordinary chance for regular Russians to express themselves without fear of censorship.

“The amount of our feedback is enormous,” he says. “Just myself, alone, I literally get messages, every day, from at least hundreds of people from across the country. When something serious happens? Thousands.” Sometimes, Milov says, his first indication that something terrible has happened in Russia is seeing just how many unread messages he has in his YouTube inbox.

Milov says this feedback reinforces the idea, supported even by Kremlin-approved pollsters, that opposition to the war in Ukraine is growing. But it also provides some important details and nuance. “So this is like, I would say, an enormous focus group, with which you can also communicate. You can ask them questions back.” He chuckles, thinking of the notorious Russian security and intelligence agency: “You know, the FSB would kill for this kind of information.”

“Obviously, the question is, why didn’t Putin shut down YouTube?” Milov says. “It’s easier said than done.”

In recent years, Moscow has deployed an array of strategies to cow and kill independent media and the open internet in Russia. Platforms like Facebook, Twitter, and TikTok have been blocked altogether. Independent media like Meduza, TV Rain, and The Insider have been declared “undesirable” or labeled “foreign agents.”

Through it all, YouTube has survived.

Milov says the Kremlin was too slow to move on YouTube. By the time Moscow was banning other popular Western platforms, the Google-owned video platform had become indispensable to everyday Russians. “They kind of let the genie out of the bottle,” Milov says.

“YouTube is mommies showing cartoons to kids, teenagers are watching music videos, people are watching comedians, elderly folks watching old Soviet movies, which are widely available there, and so on,” he says. “And you shut it all down? So you have these empty evenings now, from this point on.”

Unable to disrupt YouTube, the Kremlin tried desperately to compete with it.

Moscow had high hopes for Rutube, a long-suffering YouTube clone which was relaunched in 2020 after a merger with the media arm of state-controlled energy giant Gazprom. If the site’s “top videos” section is to be believed, it hasn’t worked—some had racked up view counts in the mid-thousands.

VK, Russia’s answer to Facebook, has fared slightly better with its video-sharing platform, and it is rife with pro-Kremlin broadcasters. But even its most popular channels have just a tiny fraction of the biggest Russian-language YouTube accounts.

“It's like a big room, but it's empty,” Milov says of these Kremlin-backed alternatives.

Having failed to compete with his online critics, Milov believes Putin opted for a more direct strategy. Just days before I arrived in Vilnius, thugs appeared outside the home of Leonid Volkov, former chair of the Anti-Corruption Foundation and Nalvany chief of staff. Armed with hammers, they savagely beat him. Lithuanian intelligence believe the men arrested were operating on orders from Russia. A week after the attack, Volkov was back on YouTube, his arm in a sling, “I am not going to stop—although I will gesticulate less in the coming weeks,” he said.

Milov emailed me the day I arrived to apologize that, due to his new security protocols, he wouldn’t be able to show me around his home broadcast studio.

Last November, the YouTube channel Volgograd Watch uploaded a new video trying to answer a difficult question: “When will the mobilized be returned?”

Subscribers of the channel were asking when Russia’s conscripts on the front line might return home. Evgeny Kochegin, host of the channel, responded by providing a litany of links recommending anti-war groups and resources on how to dodge the draft. Kochegin himself fled conscription and was convicted in absentia for disseminating “fake news.”

In exile, Kochegin has tried to help others avoid being pressed into military service, and took to YouTube to do it, racking up a modest 30,000 subscribers. In May, however, Kochegin found YouTube to be an unreliable partner. His video was blocked for Russian viewers.

Agents Media, an independent Russian news outlet, reviewed four different removal notices targeting human rights and anti-war YouTube channels. The news outlet obtained emails from YouTube’s legal team, threatening to take offline an entire channel. In the email to the OVD-Info channel, YouTube wrote that the channel had violated Russian Law #149-FZ and that “if you do not remove the content, Google may be required to block it.”

According to a company transparency report, Google has received hundreds of thousands of removal requests from the Russian government since 2022, including nearly 67,000 on the grounds of “national security,” over 200 for “government criticism,” and one for violating the electoral law.

More than 1,000 applications from Moscow specifically cited Law #149-FZ, asking for the removal of nearly 1 million pieces of content—which could include channels, videos, or comments. Google reports that it approved more than 80 percent of those removal requests.

An open letter published in May, signed by major Russian NGOs and Reporters Without Borders, called on Google to stop adhering to these requests from Moscow. “We are very concerned that the company appears to be helping the Russian censor to silence human rights and anti-war voices,” they wrote.

In a statement, a spokesperson for YouTube insisted that if the company has concerns that legal requests are being used to silence dissidents, “we will push back”—noting that Russian courts have fined Google in the past for refusing to comply with its orders.

YouTube says it has removed more than 12,000 channels and over 140,000 videos relating to the war in Ukraine for violating the platform’s policies—including pro-Putin propagandists, Kremlin-controlled media outlets, and content from the Russian Ministry of Foreign Affairs.

The YouTube spokesperson, however, ignored questions as to why it has been so willing to respond to requests under Law #149-FX.

Whether their channels are at risk from legal requests from Moscow, or whether Moscow blocks their channels entirely—the Russian dissidents are always making contingency plans. “They will not kill us by just shutting down one thing and making the other cooperate with the regime,” Milov says. “We'll navigate through.”

One such plan is to wind up right where the problem began: on TV.

Not long after Russia invaded Ukraine in February 2022, a group calling itself the Denis Diderot Committee began calling on major satellite television providers to stop beaming Kremlin propaganda into Russia and Europe — and replace it with real news.

“That's the ultimate goal of our effort—to actually provide alternative media channels into the Russian television space that are not controlled by the Russian government,” Jim Phillipoff, one half of the committee, told WIRED at the time.

Two years on, the committee scored a huge win. Satellite provider Eutelsat took up the committee’s challenge and inked a deal with Reporters Without Borders to broadcast 11 channels of independent Russian news and content into the region, with the option to add 14 more. They call it the Svoboda Satellite Package—using the Russian word for “freedom.”

Phillipoff told WIRED this week that they have begun broadcasting into 4.5 million households in Russia, and another 61 million households in the broader region—and they hope to grow that number by securing space on other regional satellites.

While the satellite is simply rebroadcasting some existing channels, Philipoff says they’ve also created some channels from scratch—in some cases made up of dissident Russians’ YouTube content. They’ve been in talks with Volkov to help rebroadcast some of the work from the Anti-Corruption Foundation and other opposition groups. (They have also explored how to cooperate with eQsat, a like-minded effort to broadcast digital news files using satellites, which WIRED revealed last September.)

While Russian television remains under the thumb of the Kremlin, and Google remains willing to block content at its behest, Svoboda exists to reject the censorship altogether, Phillipoff says.

“The goal of our project is to circumvent this control.”

Russians Love YouTube. That’s a Problem for the Kremlin

A Reflected Cross-site scripting (XSS) vulnerability located in htdocs/compta/paiement/card.php of Dolibarr before 19.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the facid parameter.

**Reflected Cross-Site Scripting (XSS) in Dolibarr**

Moderate severity GitHub Reviewed Published Jun 3, 2024 to the GitHub Advisory Database • Updated Jun 4, 2024

GHSA-hv2j-6654-x74q: Reflected Cross-Site Scripting (XSS) in Dolibarr

Failing to sanitize content from unauthenticated  website visitors, the form component is susceptible to Cross-Site Scripting.

**TYPO3 Cross-Site Scripting (XSS) in form component**

Moderate severity GitHub Reviewed Published Jun 3, 2024 to the GitHub Advisory Database • Updated Jun 3, 2024

GHSA-5j86-5xvg-7q93: TYPO3 Cross-Site Scripting (XSS) in form component

Failing to sanitize content from editors, the legacy form component is susceptible to Cross-Site Scripting. A valid editor account with access to a form content element is required to exploit this vulnerability.

**TYPO3 Cross-Site Scripting in legacy form component**

Moderate severity GitHub Reviewed Published Jun 3, 2024 to the GitHub Advisory Database • Updated Jun 3, 2024

GHSA-vgm8-r9gm-fw59: TYPO3 Cross-Site Scripting in legacy form component

Failing to sanitize content from editors, the link validator component is susceptible to Cross-Site Scripting. A valid editor account with access to content which is scanned by the link validator component is required to exploit this vulnerability.

**TYPO3 Cross-Site Scripting in link validator component**

Moderate severity GitHub Reviewed Published Jun 3, 2024 to the GitHub Advisory Database • Updated Jun 3, 2024

GHSA-cg4m-qjjp-7497: TYPO3 Cross-Site Scripting in link validator component

Failing to properly encode editor input, several frontend components are susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML.

**TYPO3 Multiple Cross-Site Scripting vulnerabilities in frontend**

Moderate severity GitHub Reviewed Published Jun 3, 2024 to the GitHub Advisory Database • Updated Jun 3, 2024

GHSA-6fc6-cj2j-h22x: TYPO3 Multiple Cross-Site Scripting vulnerabilities in frontend

A flaw in the database escaping API results in a SQL injection vulnerability when extension dbal is enabled and configured for MySQL passthrough mode in its extension configuration. All queries which use the DatabaseConnection::sql_query are vulnerable, even if arguments were properly escaped with DatabaseConnection::quoteStr beforehand.

**TYPO3 SQL Injection in dbal**

High severity GitHub Reviewed Published Jun 3, 2024 to the GitHub Advisory Database • Updated Jun 3, 2024

GHSA-9895-53fc-98v2: TYPO3 SQL Injection in dbal

Failing to properly encode editor input, the search result view of indexed_search is susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML.

**Cross-Site Scripting in TYPO3 component Indexed Search**

Moderate severity GitHub Reviewed Published Jun 3, 2024 to the GitHub Advisory Database • Updated Jun 3, 2024

GHSA-wh8q-72cp-p5wf: Cross-Site Scripting in TYPO3 component Indexed Search

The flashplayer misses to validate flash and image files. Therefore it is possible to embed flash videos from external domains.

**TYPO3 is susceptible to Cross-Site Flashing**

Moderate severity GitHub Reviewed Published Jun 3, 2024 to the GitHub Advisory Database • Updated Jun 3, 2024

Tag

#git