
Outtake for Government: Investigating Threat Actor Impersonations of U.S. Military Personnel

June 5, 2026
Noah Ringler
Head of Outtake for Government

In the increasingly complex digital landscape, cyber threat actors continuously evolve their tactics, techniques, and procedures (TTPs) to achieve their strategic objectives. One alarmingly persistent and effective social engineering tactic involves the impersonation of high-ranking U.S. military officials and generals. These social engineering operations occur on social media platforms, domains, and messaging applications, and have grown so severe that the FBI’s Cybersecurity Division and the FTC issued a warning about related TTPs in December 2025. This form of impersonation is not a new phenomenon, yet its sophistication and prevalence demand continuous and rigorous cyber threat intelligence (CTI) analysis.

These social engineering campaigns, often originating from sophisticated state-sponsored groups, leverage the inherent authority, trust, and perceived access to sensitive information associated with senior military ranks to manipulate targets. Some of these impersonation accounts exist to spread financially motivated scams and fraud, including cryptocurrency-related activity, while others appear to entice servicemembers or members of the public onto other platforms for a variety of purposes, including solicitation of information and attempted espionage. The issue is complicated further by the number of obsolete and insecure endpoints left online across the service branches, including unused or one-time accounts, forms, or other digital infrastructure that is still visible and unverified. With so many legitimate accounts and no way to verify them, it becomes very difficult for the public to determine whether the accounts or web content they interact with officially represent the US government.

A malicious donation page calling for donations to the U.S. military discovered by Outtake. 
Donors are routed to submit pledges and then contacted by a scammer via email.

The primary goal of these campaigns is multifaceted, including espionage, financial fraud, and influence operations (IO). By assuming the persona of an Army General, Navy Admiral, Marine Corps General, or Coast Guard Admiral, threat actors can bypass initial skepticism and leverage the target’s desire to comply with or assist a high-authority figure.

Impersonations of Former US Army Chief of Staff General Randy George detected by Outtake’s platform

Tactics and Targets: The Anatomy of an Impersonation

Impersonation campaigns targeting senior U.S. military figures typically follow a predictable, yet effective, operational cycle. For each four-star general tested, Outtake identified at least 100, and as many as 1,500, impersonating accounts. Many of the impersonated individuals have no verified social media presence, leading AI systems and AI search tools to identify the impersonating accounts as official, compounding the visibility of the threat.

Persona Development and Infrastructure

The first step the actor takes is to craft a believable digital persona. With generative AI and increasing photorealism, this can take only a few minutes. Threat actors create accounts on social media (LinkedIn, Facebook, Instagram), dating apps, and email platforms using stolen or fabricated images, often in uniform, produced with open source image generation tools and elements of the impersonated individual’s true digital footprint and biographical details. These profiles frequently exhibit an artificially high level of detail regarding deployments, awards, and past online activity, information often scraped from public sources or previous victims. This contrasts with the real online footprint of high-ranking servicemembers, which is minimal or routed through official public-facing communications offices, owing to the high level of operational security training provided to the force. Accounts sometimes reference spoofed domains, or legitimate U.S. military .mil websites, to confer legitimacy. Other domains identified by Outtake include email domains that closely resemble official military or defense contracting organizations (e.g., dod-mil.us or a .army domain instead of dod.mil).

Target Selection and Engagement

Threat actors typically target three main categories of victims:

  • Individuals with Access to Sensitive Information: Defense contractors, researchers, academics, think tank employees, and government officials whose professional duties connect them to U.S. defense policy or technology. The pretext is often a request for "private consultation" or "collaboration" on a highly classified project.
  • Individuals for Financial Exploitation: Members of the public, particularly those who may be susceptible to "romance scams." The persona, claiming to be deployed abroad, will eventually solicit funds for supposed emergencies, travel, or processing of military leave.
  • Journalists and Influencers: Targeted for influence operations (IO), where the actor provides fabricated or distorted sensitive information to an unsuspecting journalist, aiming to leak or plant narratives that serve the threat actor's geopolitical interests.

Execution: Social Engineering Frameworks

After establishing a target or receiving inbound communications, the threat actors employ standard social engineering appeals to increase the likelihood of successful financial or intelligence exploitation:

Tactics Table

Tactic: Urgency and Secrecy
Description: Messages emphasize the sensitive and time-critical nature of the request, often referencing "Top Secret" or sensitive information.
Target Goal: Bypassing standard security protocols and critical thinking.

Tactic: Authority Appeal
Description: Directly referencing the General's rank and position to enforce compliance (e.g., "This is a direct order to provide this brief to my secure email").
Target Goal: Leveraging the military chain of command structure for manipulation.

Tactic: Pivots to Credential Collection
Description: After establishing trust, the actor requests the victim to open a password-protected document, download a brief from a link, or log into a seemingly secure portal to enter CAC or military portal information or access military "benefits".
Target Goal: Delivering malware or harvesting login credentials.

Case Studies and Attribution

While specific attribution is challenging, Outtake analysts often link these impersonation campaigns to specific Advanced Persistent Threat (APT) groups based on the geopolitical goals and the digital artifacts (malware, infrastructure) used.

In a recent campaign observed in December 2025, a high-ranking U.S. Space Force General was impersonated on a professional networking site. The actor attempted to solicit documents from a satellite communications engineer working at a major U.S. defense contractor in Maryland. Outtake's agentic analysis of the phishing emails using Recon Agent indicated the use of custom URL-shortening services, identified mail exchanger (MX) records, and solicitation of defense information. The language used in the emails was highly idiomatic and detailed, suggesting the use of LLMs to mimic a deep understanding of military terminology.

In one example, an Outtake investigation agent fleet identified eleven fake military leave portals operating under the .army Top Level Domain (TLD), all hosted on a single server at Hawk Host Inc. in Hong Kong (IP 172.96.185.161, ASN HH-63). The .army TLD is a commercial top-level domain; it is not .mil and confers no US military affiliation. These domains were created between February 2023 and February 2026. 

A Fake US Military Leave Portal Identified by Outtake Agents

Mitigation and Defensive Measures

Combating these impersonations requires a layered defense strategy focused on technical controls and robust, continuous security awareness training. These basic cybersecurity measures apply to individuals as well as the U.S. military and include:

  1. Strict Verification Protocols: Any unsolicited communication from a senior official requesting sensitive documents or financial assistance must be verified through official channels—a known office phone number or an official, known-good email address. Do not reply to the suspicious email.
  2. CTI Monitoring and Threat Hunting: Organizations should continuously monitor public-facing platforms for suspicious profiles impersonating their senior leadership. Automated tools can flag profiles using combinations of official names, ranks, and military imagery. This requires a dedicated threat hunting fleet of agents to schedule ongoing searches.
  3. Harden Authentication: Implement multi-factor authentication (MFA) across all digital accounts. This remains the most effective defense against credential harvesting attacks facilitated by social engineering.
  4. Personnel Training on Phishing Indicators: Training should specifically focus on the psychological tactics used by impersonators, such as the manufactured sense of urgency, the appeal to authority, and requests for secrecy. Individuals should be trained to recognize the red flags that precede a credential harvesting attempt.

Warning signs include requests to move to private chats or to another platform, and requests for personal financial information or the purchase of financial products.
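As an added illustration (not Outtake's code or tooling), the following Python script applies two of the checks described above: it classifies a sender domain as official (.mil), lookalike (such as dod-mil.us or a .army domain) or unrelated, and scores a message body for the urgency, secrecy, authority and credential-pivot appeals listed in the tactics table. The allowlist, the regex patterns and the sample message are constructed for the demo and are assumptions, not Outtake's detection logic.

```python
import re

# Constructed allowlist for the demo; a deployment would use an authoritative
# list of the organization's official sender domains.
OFFICIAL_DOMAINS = {"dod.mil", "army.mil", "navy.mil", "af.mil", "uscg.mil"}
# Commercial TLDs that read as military but confer no .mil affiliation.
LOOKALIKE_TLDS = ("army",)

# The social engineering appeals from the tactics table, as regex patterns.
RED_FLAGS = {
    "urgency": r"\b(urgent|immediately|time[- ]critical|within the hour)\b",
    "secrecy": r"\b(top secret|classified|confidential|do not (tell|share))\b",
    "authority": r"\b(direct order|general|admiral|chain of command)\b",
    "credential_pivot": r"\b(cac|log ?in|password[- ]protected|secure (portal|email)|benefits)",
}

# Constructed sample message modelled on the pretexts described above.
SAMPLE = ("This is a direct order: upload the brief to my secure portal within "
          "the hour and log in with your CAC. Keep this top secret.")

def classify_domain(domain: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a sender domain."""
    d = domain.lower().strip().rstrip(".")
    if d.endswith(".mil") or d in OFFICIAL_DOMAINS:
        return "official"                      # genuine .mil namespace
    if any(d.endswith("." + tld) for tld in LOOKALIKE_TLDS):
        return "lookalike"                     # e.g. leave-portal.army
    flat = re.sub(r"[^a-z0-9]", "", d)         # dod-mil.us -> dodmilus
    for official in OFFICIAL_DOMAINS:
        # startswith (not substring) keeps e.g. staffmilitary.com from matching af.mil
        if flat.startswith(re.sub(r"[^a-z0-9]", "", official)):
            return "lookalike"
    return "unrelated"

def score_message(text: str) -> list:
    """Return the names of the appeals present in a message body."""
    return [name for name, pat in RED_FLAGS.items() if re.search(pat, text, re.I)]

def triage(sender: str, body: str) -> dict:
    """Combine the domain check and appeal score into a triage verdict."""
    domain_class = classify_domain(sender.rsplit("@", 1)[-1])
    flags = score_message(body)
    if domain_class == "lookalike" or len(flags) >= 2:
        verdict = "verify out of band; do not reply"
    elif flags:
        verdict = "review"
    else:
        verdict = "ok"
    return {"domain": domain_class, "flags": flags, "verdict": verdict}
```

Calling triage("general.office@dod-mil.us", SAMPLE) returns the lookalike classification, all four appeal flags and the "verify out of band" verdict, which is the point at which the verification protocol in item 1 applies.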

These sockpuppet accounts exploiting the reputation of U.S. military leadership pose a clear and present danger to national security and economic stability. As threat actors continue to refine their social engineering skills, the responsibility falls on CTI professionals, security teams, and every individual with access to sensitive information to remain vigilant, suspicious, and proactive. The digital battlespace in the AI age demands perpetual awareness at superhuman speed, scope, and scale that treats every unsolicited contact from an unknown source, even if it appears to be from a General or senior government official, as a potential threat vector.

Outtake's approach to autonomous, persistent investigations of malicious impersonation accounts demonstrates that effective AI agents require a robust architecture to handle large datasets, manage rate limits, and ensure reliability. Using Inngest's workflows, throttling, and event-driven design, Outtake developed a long-running multi-agent cybersecurity system that processes hundreds of thousands of digital attack surfaces daily without missing a single threat.

Are you ready to surface the threat actors targeting your organization? Book a call with our experts to learn how we can help you orchestrate continuous autonomous detection of malicious activity targeting your organization’s digital infrastructure, third-party suppliers, and likeness.

Outtake protects the digital presence of the world's most targeted brands, executives, and institutions