Most people outside France still have no idea what BlackCore is.

They do not know that in March 2026 a company no one had ever heard of walked into French municipal elections, ran a professional smear operation against left‑wing, pro‑Palestinian candidates, then tried to erase its own existence as soon as investigators got close.

To read this article in the following languages, click the Translate Website button below the author’s name.

Hebrew, 中文, Français, Русский, Farsi, 日本語, Italiano, Español, عربي, Dutch, Portugues, Deutsch, 한국어, Türkçe. And 40 more languages.

.

.

They do not know that BlackCore is not a troll farm or a couple of rogue consultants, but the marketing name on an industrial influence machine built out of Israeli military intelligence alumni, a Tel Aviv law office, UK shell companies, a London server and AI tools designed to manufacture social media personas and flood elections with synthetic narratives. They also do not know that the same ecosystem, on its defensive side, sells disinformation detection to Western governments and now has a former CIA director in the boardroom.

The following story is about BlackCore’s (alleged) transnational influence operations using avatar networks and disinformation, which extend beyond France to places like New York, Scotland, Angola, Togo, and likely many, many countries by the time this story is properly fleshed out. But it begins with what happened in France. It follows the trail through French state reporting, a joint inquiry by Haaretz and Libération that broke open new details, corporate records in Israel and the UK, US securities filings and the digital debris that BlackCore and its partners failed to fully clean up. It shows how a smear campaign aimed at three municipal candidates now points to a global Israeli information warfare ecosystem that touches many nations and cities around the world, the US State Department and the office of Benjamin Netanyahu.

This investigation does not just repeat what Haaretz, Libération, Reuters or Viginum have already put on the table. It adds the Sadaqah Palestine phase BlackCore used to infiltrate pro‑Palestinian circles before turning its guns on them, the Benguy escrow structure and SEC paperwork that show how real ownership can be hidden behind Afik’s law office, the Unit 8200 and Shin Bet careers that sit behind Galacticos’ avatar factory, and the mirror on the other side of the membrane where Cyabra, Cygun, Ram Ben Barak and Mike Pompeo sell detection tools that operate on the same signals as the attacks.

The first wave of coverage stayed at the surface. BlackCore was named as the firm behind anonymous websites and fake accounts targeting candidates from La France Insoumise, and Viginum, the French state service created in 2021 to monitor foreign digital interference against French interests, confirmed it was looking at a foreign operation. Then the story slid into the background. The Haaretz‑Libération work dragged it back out and into international territory, tying the operation to a technical stack in London and a cluster of companies at 103 HaHashmonaim Street in Tel Aviv.

Our investigation goes several steps further. It shows that the London server hosting BlackCore’s tools was anchored in a UK shell, SNI Ltd, that had been dissolved by compulsory strike‑off two years before the French operation yet kept serving as live infrastructure for foreign election interference. It shows that the Israeli company behind the avatar system, Galacticos Ltd, shares an address and a trustee with Benguy Escrow Company Ltd, a trust vehicle used to hold shares for others and run by the same lawyer who fronts Galacticos in the registry. It establishes that one of Galacticos’ key technical figures, Nir Benita, an expert in cyber-espionage who spent around a decade as an officer in Unit 8200, Israel’s central signals intelligence and cyber unit, and that his post‑military CV runs straight through AI and intelligence tech before landing inside this influence factory.

It then maps the mirror image on the other side of the membrane. Cyabra, a Tel Aviv‑based social threat intelligence company now listed on Nasdaq under the ticker CYAB, sells AI tools to detect fake profiles and disinformation campaigns for governments and corporations. It was founded by Unit 8200 and IDF information warfare veterans who, by their own account and by the account of people who know the sector, built fake persona networks before they built the tools to spot them. Its senior advisors include former Mossad deputy chief Ram Ben Barak, who ran the Ministry of Strategic Affairs, the Israeli government unit that coordinates campaigns against international pro‑Palestinian activism and BDS, and its board now includes Mike Pompeo, former director of the CIA. Yigal Unna, the former head of the Israel National Cyber Directorate inside the Prime Minister’s Office and before that the man running Shin Bet’s cyber and signals intelligence operations, was approached to advise Galacticos. He stepped down and now sits on Cyabra’s advisory board while running Cygun, his private consultancy, in many of the same regions where BlackCore has been accused of operating.

Taken together, these elements let us say plainly what earlier coverage only circled. BlackCore is not a freelance smear shop operating in a vacuum. It is a product of a structured Israeli information warfare ecosystem that runs on a single talent pool, a single doctrinal pipeline out of Unit 8200 and related units and a corporate and trust architecture built to keep ultimate sponsorship hidden behind lawyers and escrow accounts. On one side of the membrane sit AI tools and avatar factories used to stalk and disrupt elections in countries whose politicians criticise Israeli policy. On the other side sit AI detectors sold to governments as democracy protection, run by the same alumni and overseen by the same security elite.

.

GRAPHIC 1: The BlackCore Ecosystem
Description: A network diagram showing four bands: (1) Israeli state/intelligence (Unit 8200, Shin Bet, INCD, Ministry of Strategic Affairs, CIA/US State Dept, Viginum); (2) Offensive stack (Galacticos, SNI (IL), SNI Ltd (UK), BlackCore, Sadaqah Palestine front, London server); (3) Defensive stack (Cyabra, Cygun); (4) Targets/clients (France – LFI candidates; New York – Zohran Mamdani; Scotland – John Swinney/SNP; Angola; Togo; “19 governments”). Arrows connect individuals (Benita, Afik, Geyor, Unna, Ben Barak, Brahmy, Daar, Shraga, Pompeo) to their companies, and companies to operations. (Source: Created by Author)

.

The Hit in the French Municipal Elections

The story starts in cities that rarely make international headlines. Marseille. Toulouse. Roubaix. In the 2026 French municipals, three La France Insoumise candidates were running in districts that had become front lines in the country’s social war over Gaza, Palestine and what it still means to call yourself a left‑wing politician in France.

The three targets were Sébastien Delogu in Marseille, François Piquemal in Toulouse and David Guiraud in Roubaix. All three were vocal on Palestine. All three had positions that sat badly in parts of Paris, Brussels and Tel Aviv. And all three found themselves, in the middle of an election they had every right to contest on the merits, buried under a smear avalanche that no local rival had the resources or technical depth to produce.

What hit them was not organic backlash. It was a packaged operation. Anonymous sites appeared with names that sounded like local watchdog projects or citizen leaks. They carried detailed allegations of sexual assault, corruption, tax fraud, hidden accounts, and unnamed criminal associates. Pornographic deepfake images were slipped into the stream. Passwords and supposed tax data were dumped. The material was then pumped into social media through clusters of accounts that looked human at a glance but moved like a disciplined unit.

Ads and boosted posts kept running after the official campaign silence period began. Under French law that window is supposed to give voters a few days away from fresh propaganda. Whoever ran this operation either did not care or knew the penalty was trivial next to the damage it could do. TikTok confirmed one linked account and removed it for deceptive behaviour. Meta took down related networks for what it described as coordinated inauthentic behaviour. The platforms themselves ended up confirming what reporters and investigators were seeing.

Viginum, created in 2021 after earlier scares over foreign interference, started pulling at the threads. Its job is to watch for digital operations aimed at French interests and call out the ones that carry foreign fingerprints. Its analysts documented a foreign campaign whose technical and behavioural signatures did not match the usual mix of far‑right trolls, local smear merchants or chaotic online activism.

When Viginum’s director, Marc‑Antoine Brillant, stood next to Prime Minister Sébastien Lecornu on 11 June, he did not just talk about the smear against France Insoumise. He told the country that the same modus operandi had been deployed against a municipal race in New York, against Scottish politics and in campaigns in Angola and Togo. In New York, the target was the 2025 municipal race, eventually won by Zohran Mamdani, a left‑wing, pro‑Palestinian candidate whose victory thrilled younger progressive Jews and alarmed more traditionally pro‑Israel parts of the city’s political establishment. In Scotland, the campaign locked on to First Minister John Swinney, who had described the Gaza campaign as a man‑made humanitarian catastrophe and refused to dress it up as self‑defence. In every theatre the target profile stayed the same. Elected or credible candidates who turned hard against the Gaza war or defended Palestinian rights found themselves under attack from an invisible army of avatars.

The name Viginum put on the operation was Rokh Solis/BlackCore.

[DOCUMENT: Rokh Solis – Analysis of an informational tactic targeting the March 2026 municipal elections (investigation findings translated from French to English using online translation tools). Click here to view it.]

The above Viginum’s technical report documents reveal that the BlackCore avatar accounts that targeted Delogu and Piquemal did not amplify their smears in isolation. In fact, they systematically reshared content from ELNET France, the European Leadership Network, a registered pro-Israel lobbying organisation that, since 2017, has funded all-expenses-paid trips to Israel for more than 90 French parliamentarians and is officially registered as a foreign agent of the Israeli government at the Assemblée nationale. That overlap does not establish ELNET as a client or co-conspirator of BlackCore. Still, it does mean that the same fake accounts manufacturing criminal slurs against pro-Palestinian LFI candidates were simultaneously acting as amplifiers for France’s most influential pro-Israel lobby—a convergence of purpose, whether coordinated or coincidental, that French prosecutors and the French CIA (DGSI) have been asked to examine.

What Viginum’s Classified Codename Reveals: Operation Rokh Solis

As we have established, Viginum did not just name BlackCore. It formally attributed a mode opératoire informationnel, an official state-level intelligence designation, and gave it the codename Rokh Solis. That report is now on the French Prime Minister’s desk. We now know that BlackCore is the actor and Rokh Solis is the operation. The distinction is important because it means France is not alleging corporate misconduct but is clearly attributing a foreign intelligence operation.

The forensic detail inside the report is considerably more damaging than the headlines suggested. All four smear websites, targeting Delogu, Piquemal and Guiraud, were created between 9 and 19 February 2026, shared the same IP address, the same WordPress template and, across three of the four sites, a single image author tag: “usman latif”. One person, or one team, built all of them.

The operation also went physical. Viginum documented printed tracts carrying QR codes linking to blogdesophie.com, the fake rape-accusation blog, pasted on walls at five separate locations in Marseille. This means that someone had to be on the ground in France, and further suggests that the operation was not run entirely from a server farm abroad.

The fake account network was not improvised in the week before voting. Viginum traced a coordinated wave of these accounts joining key French Facebook groups on 7 September 2025, six months before the first ballot, infiltrating groups including “Militants de Droite” and “Combat Républicain 2027” to build credibility before turning hostile. By October 2025, the same cluster had shifted into New York-focused groups, including groups backing Andrew Cuomo, before Zohran Mamdani had even consolidated as the main target. Here we have one client, two elections, planned in parallel, months in advance.

When Le Monde’s investigative report hit on 9 March 2026, the operators did not simply delete the accounts. Several renamed themselves with Israeli identities and locations: “Maxime Meireles” became “Romi Shushan” in Tel Aviv-Jaffa; “Amélie Charpentier” became “Shirel Matana” in Rishon LeZion. This forensic trace is well documented in the Viginum report, tying the account operators to Israeli-based principals managing the cleanup in real time.

Finally, Viginum identified a structurally separate Angola cluster of 48 accounts with Portuguese-sounding names, amplifying MPLA government content using identical technical signatures to the French operation.

We can conclude that BlackCore was not running one campaign. Evidence strongly imply tt was running a portfolio.

The Fake Solidarity Operation That Came First

Before BlackCore ran its smear machine against Delogu, Piquemal and Guiraud, it ran something else. Something that makes the whole thing worse. The same infrastructure that later flooded French social media with deepfakes and fabricated criminal allegations first operated a website called Sadaqah Palestine. It presented itself as a non‑political humanitarian organisation providing aid to Palestinians displaced by poverty, war and occupation. The site was live. It had an online donation form.

Social media accounts on X, Instagram and Facebook promoted it, with engagement patterns and follower lists that investigators recognised as fake. Same avatars. Same patterns. Same operators.

.

IMAGE: Sadeqah Palestine Fake NGO (X | Former Twitter)

.

A joint investigation by Libération and Haaretz traced the technical records of that website straight back to the BlackCore‑linked servers and domains that later hosted the avatar generator and the anti‑LFI smear tools. In parallel, Turkish and Arab press reported that the same site had been used to solicit donations under the “support for Palestine” brand while being controlled by the same Israeli entity already under investigation for interference in the French elections.

Nobody has yet established whether it pulled in real donations, harvested personal data from people who believed it, or mainly served as a cover to give BlackCore a pro‑Palestinian identity inside French Muslim and left‑wing digital spaces before turning on the politicians who shared those values.

What is already on record is enough. BlackCore did not just run an attack operation. It first posed as Palestinian solidarity, built a presence inside communities that trusted that frame, then turned the same infrastructure on the people those communities were most likely to vote for. If you want a word for that, the word is infiltration.

Viginum’s Rokh Solis report identifies one further domain connected to the BlackCore ecosystem that has attracted almost no press attention. The site “forsane-alizza.eu” was hosted on Swedish infrastructure, which investigators found was actively promoting “lalternative2026.com“, the BlackCore-operated fake site that claimed to guide Muslim voters toward LFI candidates in the French municipals. The choice of name was not accidental. Forsane Alizza (Cavaliers de la Fierté, or in English Knights of Pride), is the name of a real French Islamist group banned by the French state in 2012 after being linked to Mohamed Merah, the Toulouse gunman whose attacks killed seven people, including three Jewish children at the Ozar Hatorah school; its founder, Mohamed Achamlane, was convicted in 2015 of preparing terrorist acts and sentenced to nine years in prison.

By registering a domain under that name and using it to amplify its fake Muslim voter guidance operation, BlackCore was doing two things at once. It was borrowing the name recognition of France’s most notorious banned Islamist group to build credibility inside the communities it was infiltrating, while ensuring that any journalist or security analyst who traced the domain back would find a name synonymous with jihadist terrorism attached to content promoting LFI candidates, a poison-pill that could be detonated against the very politicians BlackCore was pretending to support.

The Company That Tried to Erase Itself

Before it panicked and scrubbed its presence, BlackCore pitched itself as an elite influence and a cyber and technology firm for the age of information warfare. Its website, caught for a moment in archives and screen grabs, promised governments, corporations and campaigns cutting‑edge strategies, advanced tools and robust security to shape narratives online.

It did not list directors or clients. It did not carry an address that matched anything in Israel’s corporate registry. The blackcore.online domain sat behind an Icelandic registrar known for anonymous ownership and was registered in August 2025, just months before the municipal campaigns ramped up for the 2026 vote.

As soon as investigations by French media began naming it, the site went down. The LinkedIn page vanished. The brand disappeared. The only reason it can still be named at all is that the infrastructure underneath it did not go dark fast enough.

The London Machine and the Four‑country Server Network

The joint Haaretz‑Libération work and Viginum’s technical report traced the operation to a deliberately distributed cluster of servers across four European jurisdictions: the United Kingdom, Germany, Finland and Lithuania. That spread is not an accident. It routes different pieces of the operation into different legal systems, fragments jurisdiction, slows down takedown requests and makes attribution painful for any one government that tries to act alone.

Click here to read the full article on 21st Century Wire.

*

Click the share button below to email/forward this article. Follow us on Instagram and X and subscribe to our Telegram Channel. Feel free to repost Global Research articles with proper attribution.

Featured image is from 21CW

Global Research is a reader-funded media. We do not accept any funding from corporations or governments. Help us stay afloat. Click the image below to make a one-time or recurring donation.