In the world of security, we are obsessed with "zero days" and active breaches. We look for the explosion. But as I’ve been tracking across monitored dark web and Telegram ecosystems over the last few months, the most significant threat we’re currently facing isn't a payload it’s an infrastructure build.
The networks that will define the geopolitical landscape in 2028 are not being built then. They are being assembled now.
The "Build Phase" Problem
We are currently in the seam between the initial procurement of assets and the mass activation of influence infrastructure. Based on our latest strategic assessment at Aether Intel, we expect the large-scale reappearance of "warmed" and "aged" accounts to emerge significantly between late 2026 and Q1 2027.
Why does this window matter? Because influence operations are a logistical challenge. You cannot manufacture credible, aged social media accounts or trusted operators overnight. They have to be built, aged, and fed with authentic-looking content months or years in advance.
What We’re Observing: The Shift in Adversary Tradecraft
If you look at the chatter in the dark web marketplaces and private Telegram channels, you don't see "loud" threats. You see patience. We are tracking four key indicators of this long-term build:
Selective Recruitment: It’s no longer about bulk spamming. Adversaries are pivoting to mid-to-senior level operators selected based on reputation and operational security (OPSEC). They aren't looking for quantity; they are looking for "vouched" capability.
Recycled Criminal Proceeds: We are seeing a distinct movement where proceeds from standard cyber-criminality (like RaaS or fraud) are being diverted to fund influence infrastructure that doesn't necessarily pay for itself in the short term. This is a strategic investment in geopolitical leverage.
The Native-Language Affiliate Model: One playbook, many regional faces. Instead of translating wholesale, which triggers detection, we see regional affiliates adapting narratives to sound natively organic. This diffuse model makes attribution almost impossible.
The AI Compounding Effect: Generative AI is reducing the cost of every single component—from account aging to content synthesis by orders of magnitude.
Why This is a Geopolitical Convergence
The core takeaway of our latest Horizon Briefings series is this: Criminal infrastructure and influence operations have stopped being separate problems.
They are converging. The tools used to commit financial fraud are now the exact same tools used to run influence campaigns. The infrastructure that keeps a C2 server alive is the same infrastructure maintaining a botnet of aged, aged-to-authenticity accounts.
The Defender’s Window is Now
By the time these networks surface on the open web in 2028, the hard part for the adversary will be done. They will have bypassed the "trust filters" of major platforms because their accounts will have years of legitimate-looking history.
The window to disrupt this capability is during the Build Phase.
For us, as practitioners, this means shifting our focus from detection to predictive visibility. We need to monitor for the transition from inactivity to reappearance one of the cleanest indicators we have.
This article summarizes the key insights from our latest report, "Europe Through 2028: Strategic Threat Forecast". If you are interested in the granular technical analysis of these behavioral patterns, you can read the full report at Aether-Intel.com. - Horizon Briefings
Top comments (1)
Yeah, the build phase makes sense, old accounts are the tricky part.
Honestly, a lot of these feel overblown, simple spam still moves the needle.
AI’s just made tweaking content and localizing way cheaper.
You seeing any solid data or just chatter so far?