Abstract
As digital authoritarianism evolves, new tools are needed to analyse its increasingly subtle forms. This paper adopts a longitudinal analysis of under-explored secondary sources to examine coordinated inauthentic behaviour (CIB) linked to Serbia's ruling party, Serbian Progressive Party (SNS). Unlike centralised bot farms common in autocratic regimes, SNS networks evade detection longer and more effectively mimic authentic support. Drawing on sources rarely translated into English and often at risk of censorship, we contextualise these findings within the framework of third-wave autocratisation. Our research reveals that SNS coordinates CIB through public-sector personnel co-optation, leveraging state employment to incentivise participation. This form of organisation is under-explored in CIB literature. For this reason, this study offers new insights into how modern autocracies adapt their influence strategies. Moreover, the paper highlights the need for diverse methodological approaches to improve the detection and understanding of evolving digital propaganda.
Keywords
Introduction
Regime changes are cyclical and come in waves, as Huntington (1991) proposed. Each wave marks a period when one regime type out-numbers the other and is called a wave of democratisation or autocratisation (Huntington, 1991; Lührmann and Lindberg, 2018, 2019). Since 1900, there have been three waves of democratisation and, currently, we are amidst the third wave of autocratisation (Huntington, 1991; Lührmann and Lindberg, 2018, 2019; Maerz et al., 2020).
However, this wave is unlike other times when autocracies out-numbered democracies. In the past, regime change to autocracy was sudden, for example, through a coup or violent repression (Lührmann and Lindberg, 2018, 2019). In contrast, most contemporary cases of autocratisation are regimes where leaders were democratically elected. Autocrats today prefer incremental changes to the system paired with propaganda and soft censorship that makes violence logically redundant (Schneider and Maerz, 2017: 225–227). Moreover, during the twentieth century, democracies were unaffected by such trends, only oscillating within the democracy category, for example, from liberal or consolidated to electoral or flawed democracy (Cassani and Tomini, 2018; Schneider and Maerz, 2017). However, V-Dem (2023) notes that, by 2021, at least seven democracies experienced a breakdown.
Serbia and Hungary are two cases of radical regime change from democracy to autocracy, a transition previously seen as improbable (Levitsky and Way, 2010). When the third wave of autocratisation started, the democratic breakdown was considered a scenario reserved for flawed democracies (Cassani and Tomini, 2018; Lührmann and Lindberg, 2018, 2019). However, these two cases demonstrate that liberal democracies are no longer unaffected by autocratisation (Maerz et al., 2020; V-Dem, 2020).
The twenty-first century has brought about another significant transformation. With the rise of online and social media, digital platforms act as key infrastructures and play a central role in how information and news circulate in our society. Platforms have penetrated and re-shaped different economic sectors and spheres of life, and contemporary media systems are dominated by a few digital corporations (Van Dijck et al., 2018: 4). Autocrats have always considered capturing and controlling mass media as key to maintaining power (see, e.g. Dragomir, 2018; Milosavljević and Poler, 2018; Mungiu-Pippidi, 2012). However, influencing public discourse has become increasingly difficult, as digital platforms are powerful international actors that cannot be easily subdued through funding or regulation, unlike public service broadcasters or other domestic players (e.g. Keremoğlu and Weidmann, 2020). Nevertheless, media capture can now extend into the digital realm through practices such as coordinated inauthentic behaviour (CIB), which is the focus of this paper.
In new autocracies that do not close markets or abolish elections, the digital sphere can therefore be an extension of media capture (Atal, 2017) and a new source of legitimation (He and Warren, 2011; Jiang, 2010). Contemporary forms of purging undesirable voices in the digital sphere have been explored in more established autocratic regimes like China (He and Warren, 2011; Jiang, 2010) or Russia (Owen, 2020). Still, as the number and variety of autocracies grow, we must analyse more cases. Therefore, this paper explores how Serbia's ruling party skews public discourse online through CIB, a tactic well-suited to maintaining democratic facades while controlling the discourse.
We contribute to advancing the growing field of digital authoritarianism studies by explaining how covert control online can help maintain a legal framework that de jure ensures plurality but de facto creates a one-party state. In the paper, through a longitudinal analysis of four under-explored or inaccessible secondary sources, we demonstrate how new autocracies use CIB as an extension of media capture and a source of legitimation. We also explain how CIB has evolved in Serbia and how the ruling party continuously works to improve the coordination of inauthentic behaviour online to avoid detection and successfully skew discourse. Finally, we demonstrate how secondary source analysis complements existing knowledge on CIB and can uncover new types of CIB operations, such as those entailing the co-optation of state personnel within CIB networks.
Rethinking CIB
When CIB was first conceptualised, it was often associated with automated or semi-automated botnets, where malicious actors used fake accounts to mimic grassroots support. Earlier studies like Sebastian et al. (2014) or Pantic and Husain (2015) focused on the type of coordination of CIB, which they saw as always automated in some way, while other studies like Stieglitz et al. (2017) and Mbona and Eloff (2023) assumed that not only are the networks of CIB automated in some way, but the accounts are completely fake or co-opted through malware.
Studies like Cinelli et al. (2022), Mannocci et al. (2024), and Luceri et al. (2024) also assume this, but they focus more on how to detect inauthenticity through speed of posting, replication, and geographic clustering, which are all non-human indicators of behaviour. Nevertheless, these studies broaden the CIB definition by proposing that any network of accounts, pages, groups, and individuals can collaborate to mislead the public about the level of support or opposition to a political party, policy issue, movement, individual, or business. Therefore, there is a possibility that such accounts do not have to be fake and automated in every case.
In this paper, we argue that CIB can no longer be defined solely in terms of bots or automation, but must include other instances, such as CIB through the co-optation of Serbian state employees, which we discuss in the paper. The EU DisinfoLab (2024) offers resources on detecting CIB that align with this shift away from automation. In their resources (EU DisinfoLab, 2024), any network of accounts that promotes an idea inauthentically and is incentivised to do so is considered as CIB. Therefore, groups of accounts can be incentivised because a botmaster controls them, but the accounts can also be maintained by real people using their own names, who benefit from inauthentic behaviour financially or in some other way.
When CIB was first conceptualised almost a decade ago, it was assumed that malicious bots were coordinated from a physical location or through malware. For example, bot farms in Russia can be detected by geo-locating the headquarters from which the network is coordinated. Such networks may include both automated accounts created for spamming and real accounts belonging to people whose devices have been infected with malware (Giglietto et al., 2020; Kirdemir et al., 2022). Some users may never realise their device is compromised and that, in the background, their IP and email address are being used to spam likes and dislikes on news portals. In other cases, when account co-optation involves sending links via private messages or posting, people do realise their devices are infected. Nevertheless, they might not know how to undo the damage and continue to participate in CIB involuntarily.
However, social media platforms and news portals have become much better at detecting this behaviour, flagging it, and removing it quicker than they did a few years ago (Bradshaw et al., 2021). Consequently, the means of coordinating accounts, groups, and pages have become more sophisticated, going beyond fake and compromised accounts or coordination from one location (Burghardt et al., 2024; Saeed et al., 2022). For this reason, in this paper, we address the evolution of CIB from botnets and malware to a network of real people who behave similarly in exchange for jobs and promotions outside of the digital space.
New forms of coordination
Our analysis shows that the Serbian ruling party, Serbian Progressive Party (SNS), maintains its CIB network through public-sector personnel co-optation (PSPC), which we define as the involvement of state employees (or those seeking employment in the public sector) in CIB networks in exchange for jobs or promotions. The motivation for taking part in such digital propaganda networks is offline incentives (jobs, promotions, etc.), which distinguishes PSPC from other coercive or mercenary-based CIB operations such as those of the paid troll farms often found in Russia (Saeed et al., 2022).
Although PSPC is a relatively novel approach to CIB coordination, it aligns with what we know of third-wave autocracies. Hall and Ambrosio (2017) introduce the concept of authoritarian learning, which they define as modern autocrats drawing from history and each other. The strategies of authoritarian learning involve adapting ‘based upon prior success and failures of other governments’ (Hall and Ambrosio, 2017: 143). Similarly, Schneider and Maerz (2017: 220–227) propose that new autocracies established between 1990 and 2009 are more durable due to their adaptability and democratic elements.
We consider the recruitment of public-sector personnel and their involvement in SNS's CIB networks as the result of authoritarian learning. Similar strategies for cultivating internal support, for example, have been employed by several regimes that faced protests during the Arab Spring. As reported by Heydemann and Leenders (2011), the tactic used by autocratic governments to curb protests went beyond the infamous internet shutdown in Egypt. First, governments in many Middle Eastern countries increased formal co-optation. From Algeria to the Arab Gulf, public servant salaries were increased; in Syria, full employment status was granted to temporary public servants; in Kuwait, each citizen was given around USD4000 as an incentive not to participate in protests (Heydemann and Leenders, 2011: 650–651). Then, new discourses were developed that stressed the personal cost of participation in protests, the negative consequences of regime change, and the benefits of the status quo. The message was that protests would result in sectarian violence and disorder, and the current government protects citizens from that scenario (Heydemann and Leenders, 2011).
As we discussed above, prior works on CIB have analysed networks through the dichotomy of automation. From that perspective, coordination through PSPC remains outside the discourse. However, this paper views network organisation beyond the technical aspects. Our secondary source analysis illuminates how the SNS Internet team recruits people for CIB and integrates them into the state apparatus, which is how this network has avoided detection for longer. Moreover, this aligns with how third-wave autocracies act and operate, remaining flexible and adaptable while learning from each other.
Methodology
This study employs a longitudinal qualitative analysis of four secondary sources to investigate the evolution of CIB in Serbia, particularly the networks created or commissioned by Serbia's ruling party, SNS. These SNS networks have typical authoritarian purposes, such as skewing public opinion in favour of the regime and legitimising one-party rule domestically and abroad. However, they are coordinated in novel ways and, therefore, worthy of examination.
The longitudinal approach is typically used to demonstrate changes at the individual or structural level (Kalinauskaitė, 2017). The four secondary sources were found by searching for relevant keywords on Google and Reddit in Serbian, such as ‘castle.rs’, which is the last known name of the SNS web application for CIB coordination, or ‘SNS botovi’, which translates to ‘SNS bots’, a common local reference to this type of online behaviour. Another keyword was ‘botovanje’, which is particularly interesting as it is a Serbian verb derived from the word bot, and it means to perform the service of a bot as a person, which is slowly entering the daily jargon as the practice proliferates.
The first source is an investigative journalism article on the SNS CIB network published by the independent digital-native news portal Teleprompter (2015). After the investigation was published, Teleprompter suffered a series of hacks that left the administrators unable to access the website. The hackers deleted the portal in mid-April 2015 (Redžepović, 2015). The Teleprompter investigation was referenced several times by both our second and third sources (Gerila, 2019; Milivojevic, 2020), who view it as the first evidence of this type of behaviour. We found the original article on Nova Srpska Politicka Misao (NSPM), a website version of a small local magazine. The editorial of NSPM pulled it out of the Google Cache and preserved it. 1
The second and third sources are other investigative reports that offer insights into the development of SNS CIB. The two investigations are published by Gerila (2019), a small digital-native news outlet known for its critical and independent reporting, and by the Balkan Investigative Reporting Network (BIRN), a network of non-governmental organisations (NGOs) promoting freedom of speech, human rights, and democracy in the region (Milivojevic, 2020).
The final source is an independent investigation by a cybersecurity expert who used the Twitter API and prior investigations to estimate the number of Castle's monthly active users (Marković, 2023), offering insight into the scale of CIB. Although the author is an independent security consultant, rather than a journalist, his analysis is based on a known leaked list of bots published by reputable outlets like N1 (Đošić, 2023), Južne Vesti (Đukić et al., 2023), and Al Jazeera (2023). Additionally, this investigation and other similar analyses made by the expert have been covered by other established news outlets. He is cited, for example, by the Serbian daily paper Danas (Roknić, 2022) as the expert explaining possible digital election fraud and by BIRN's news portal BalkanInsight (Ispanovic, 2023) as an expert explaining how some email credentials of Serbian state employees are being sold on the dark web.
The analysis of the four secondary sources describing the structure of CIB networks is presented in the chronological order in Table 1, along with links that could be censored or unavailable at the time of publication. 2 As these sources may be unavailable, we have included the English versions of the articles, translated using Google Translate, in the online Appendix, in the chronological order.
List of secondary sources used, made by authors.
Although longitudinal qualitative analysis of secondary sources is not typically used for analysing CIB, it is more appropriate in this instance than the commonly used network analysis for two reasons. First, our study considers secondary sources that have not yet been contextualised within third-wave authoritarianism and, most of them, are inaccessible in English. Moreover, some of these sources were almost lost; we had to retrieve them from the Internet Archive, following the trail through Reddit comment sections.
Furthermore, the Internet Archive is not always accessible and was down for an extended period at the time of writing in October 2024. Therefore, these texts should be preserved so the wider academic community can discuss them. Second, this paper's purpose is not to prove that the networks exist, that much is clear. Instead, the aim is to explain how new autocracies can use CIB to avoid official censorship while maintaining control over online public discourse.
We acknowledge that editorials from now-defunct websites such as Teleprompter and Gerila may have had a strong critical stance towards SNS, nonetheless, we contend that their findings remain relevant. Commentary journalism is prevalent in Serbia (Milosavljević, 2021; Petrović, 2015), yet the presence of value judgements does not necessarily imply factual inaccuracy. BIRN corroborated the data provided by these outlets. Subsequently, large social media platforms, including Meta (Nimmo et al., 2022) and Twitter (Radio Free Europe, 2020), used this information to deactivate several thousand accounts. Lastly, the fourth source is a private individual who analysed the pre-existing list of bots to add to his online portfolio. The cybersecurity consultant's analysis was not shared for political purposes, but rather to demonstrate his capabilities to prospective clients. What matters here is not the individual's agenda, but the data itself.
Analysis
SNS is a splinter party from SRS, the Serbian Radical Party. The party splintered in 2008 over European Union accession: SNS was pro, and SRS was against. In 2012, SNS made their first significant gains in the electoral arena, notably utilising the Internet to advertise outside the permitted election period (N1, 2017). By 2014, SNS had a majority in the parliament, and the first reports of the SNS CIB were circulating.
SNS CIB is a mix of old and new tactics, which is why moving forward, the usage of the word ‘bot’ can get confusing. The novelty of SNS CIB is in the web application built to coordinate the network, and this network is used in conjunction with typical spamming malware, which is fully automated. However, as the analysis shows, often, ‘bots’ are real people who usually use their personal accounts to log into SNS websites and apps where they receive instructions. In this case, terms like ‘troll’ could seem more appropriate, alluding to common troll farms often found in Russia. Nevertheless, SNS CIB differs from troll farms.
In Serbian, the word ‘bot’ was borrowed from English and has since evolved to refer to humans who participate in incentivised political promotion and propaganda, typically for SNS. Therefore, sources in Serbia that discuss ‘bots’ also refer to people. However, it is necessary to note that referring to people as bots is not widely applicable, but a particularity of CIB in the context of the Serbian ruling party. 3 Currently, there is no consensus on how to refer to people who engage in CIB and are organised through PSPC. We suggest introducing the term ‘agent’ instead of ‘bot’. The concept of CIB agents implies some human agency, which is an important component for this type of inauthentic behaviour and could facilitate future comparative studies of similar cases outside of Serbia, where different local terms for CIB through PSPC might be used.
SNS Internet team from 2014 to 2017
The Teleprompter investigation (2015), which cost the portal its domain and content, revealed that the SNS Internet team uses two automated botnets, Valter and Skynet, and an encrypted website, Fortress, for coordinating the CIB activities undertaken by human agents. Although Valter and Skynet are common malware for spamming, namely up-voting and down-voting comments on local news websites, Teleprompter received a leak from an anonymous source who reported that people intentionally infected their devices in exchange for job promotions or employment prospects.
Teleprompter's source claimed that people who received any form of employment through the party between 2014 and 2015 were asked to infect their computer and passively participate in CIB, which would help SNS achieve their goals and, in turn, secure their jobs. Some were promised jobs within the Internet team, a branch of the party's marketing team, and therefore, had to join Fortress and infect their devices. 4 Others were promised employment in the public sector or promotions within their current jobs, all of which hinged on active or passive participation in CIB (Teleprompter, 2015).
To access Fortress, recruits would contact a Facebook user, who would then ask the recruit to verify the SNS chapter they belong to, their email address, phone number, and desired username and password. Once they had access to the website, they would see daily guidelines for defending SNS and its president, Aleksandar Vučić. Further guidelines clarified whom to attack during that news cycle and which words to use (Teleprompter, 2015).
On the platform, members were subject to a ranking system: better-ranked participants were prioritised for promotion or employment opportunities. Daily, headlines with links were posted on the platform with instructions specifying what comments to post. The ranking was based on the source of the news, in the following descending order: Blic, B92, Kurir, Novosti, and a residual ‘others’ category for all remaining media. For example, commenting on Blic, a foreign-owned daily newspaper, earned users 2 points, while commenting on B92, a local anti-dictatorship radio station turned commercial TV in the 2000s, earned 1.5 points, and so on. Then, the administrator marks ‘STOP’ on the news article once the prescribed quota is reached (see Figure 1).

Teleprompter, 2015. Screenshot of Fortress.
According to Teleprompter (2015), between 500 and 600 individuals across Serbia, many of them employed in the tax administration, participated in the SNS CIB network in early 2015. The same source reports that some newspaper editors, including those at Večernje Novosti, were recruited by the SNS Internet team and instructed to relax comment-section moderation to allow arguments. However, not all civic servants participated willingly. Some were told their contracts would not be renewed by the new administration if they refused to comply.
CIB, paired with other levers a regime can use to control businesses and citizens within its territory, can function just as well as official censorship. Castaldo (2020: 1631–1633) says that between 2014 and 2015, Blic, one of the main targets on Fortress, had to remove most of its critical content. OSCE (2014) also reported that journalists from critical outlets, like Blic, were harassed and intimidated. However, at the time, SNS claimed that some restrictions on freedom of speech were necessary as Serbia faced a natural disaster, floods.
Moreover, by 2016, Fortress's second target, the broadcaster B92, had changed its entire business model. B92 used to produce several political shows, from evening and morning talk shows to infotainment, all of which were cancelled when B92 announced it would switch to entertainment (Castaldo, 2020). By 2017, B92 was sold to a foreign owner, who then re-sold it to a businessman close to the government. Today, B92 is seen as a pro-SNS outlet, while Blic has turned to tabloid content, reducing political news content to a minimum.
SNS Internet team from 2017 to 2020
The second source is an investigation published by Gerila (2019), a small digital-native news outlet, which shows how Castle replaced Fortress, using the data provided by Serbiliks (Serbian WikiLeaks). The investigation was prompted by a guest appearance on a talk show aired by the public service broadcaster RTS, during which an SNS official denied the existence of an SNS Internet team. In response, Gerila revisited the earlier Teleprompter (2015) investigation and provided an update.
Castle, the updated version of the web application to coordinate CIB, retained the core functionality of Fortress. Its primary purpose was to host continuously updated headlines with links, accompanied by guidelines on how agents should engage with each news story. However, Castle introduced a new ‘social media’ section and a revised ranking system, which we discuss in the following paragraphs.
Users were instructed to link their Facebook and Twitter profiles to Castle and could download an Android app to participate in CIB on multiple devices. Castle's ‘social media’ section contained news articles from friendly news outlets to be shared on personal social media profiles. The linked profiles also enabled the SNS Internet team to monitor the number of likes and views each post received, which in turn affected the user ranking (Gerila, 2019). Therefore, while rankings on Fortress were based on the targeted news outlet, rankings on Castle combined activity on private social media accounts, the resulting engagement, and comments posted on news websites.
Linking social media accounts seems more beneficial. As shown in Figure 2, the interface displays two columns of comments: ‘reported comments’ (in red), which earn fewer points than ‘published comments’ (in blue). Based on the evidence provided by Gerila (2019), which is limited to the observation of a single day of Castle monitoring, ‘reported comments’ appear more polarising than published ones. For example, some comments in the red column are ‘the opposition has lost their minds, nothing good can come out of it’ while, the blue comments discuss protests by adopting softer stances, for example, ‘There will never be social unrest in Serbia because Serbia stands for peace’.

Gerila, 2019. Screenshot of comments posted on social media and engagement on Castle.
Despite the changed ranking system and new social media section, the core purpose of SNS CIB remained the same: the news cycle should be disrupted and overloaded with support for SNS. Figure 3 shows an example of instructions for engaging with news stories, which are quite similar to Fortress. In 2019, one of the daily articles shared was ‘Vučić condemns insulting Jerkov if someone did insult Jerkov, Jerkov does not accept’, and the instructions below the headline are ‘on this news we write comments like’: ‘he did not apologise because there was no need for him to apologise. He disagrees with insults, as he would with anyone, unlike the opposition, who supports people who call women derogatory names. Jerkov is stuck up anyway and a liar. Write in your own words DO NOT COPY THIS GUIDELINE!!!’

Gerila, 2019. Screenshot of instructions on Castle.
Gerila (2019) also confirms Teleprompter's (2015) discovery that those participating in SNS CIB were not directly compensated, as it normally would happen with participants in troll farms, but were offered the prospect of employment or promotion. One of the screenshots of Castle shows a leaderboard, which Gerila (2019) investigated further, and found that most active users worked in local governments. Over 60 municipalities across Serbia participated in CIB, and as Gerila pointed out, that means that, effectively, the taxpayers in Serbia pay for SNS CIB, which raises multiple legal issues (Gerila, 2019).
Gerila's investigation re-kindled interest in the topic, which brings us to our third source. Milivojevic (2020), from BIRN, further investigated Castle, drawing from previous sources and incorporating accounts from online activists. BIRN, as a regional journalism and NGO networks, had more resources to devote to the investigation than the two outlets previously mentioned. BIRN obtained information on the SNS CIB network from a semi-anonymous source, Robin Xud, an activist referred to only by their Twitter username, and a series of interviews and confessions from Castle users recorded by Južne vesti, a Niš-based digital news portal. Robin Xud provided proof that Castle was registered as a mobile app in March 2016 at the same address as the SNS Belgrade headquarters for that year's parliamentary elections (Milivojevic, 2020).
Milivojevic (2020) confirms that Castle agents were predominantly public servants, however, two types of agents appear to exist within the network: individuals who engage in CIB either part-time or full-time. This distinction seems to depend on whether their job titles were essentially nominal (serving to mask full-time activity on Castle) or whether they held additional duties as part of their public servant jobs, such as issuing building permits or working in municipal archives. During the brief period of access to Castle, BIRN and the activists estimated that approximately 1500 users engaged with Castle daily (Milivojevic, 2020). In the final section of the analysis, we discuss how the number of users is likely far greater.
SNS Internet team from 2020 to 2023
Our final source gives us insight into the magnitude of CIB and how much money from the state budget is potentially spent on these activities. Before discussing the fourth source, some context is needed. SNS CIB was in the spotlight briefly after a major outlet like BIRN picked it up. In April 2020, Twitter removed 8558 Serbian accounts and over 40 million posts for engaging in CIB that promoted Serbia's ruling party (Radio Free Europe, 2020). Moreover, Jeremic and Nikolic (2020) wrote that some of these Tweets were quoted in incumbent-friendly media as proof of public support for SNS.
In late 2022, Meta removed 5374 Facebook accounts, 12 groups, and 100 Instagram accounts (Nimmo et al., 2022). Meta stated that the BIRN investigation had helped them trace the CIB network, although the app used to coordinate it has not yet been traced. They found the network through cross-referencing followers and spamming, as BIRN/Milivojevic (2020) proved that CIB agents must follow high-ranking SNS officials and the party's social media profiles. However, Meta (Nimmo et al., 2022) found that 350 genuine accounts had joined the Facebook groups created by SNS bots and CIB agents, and that around 26,000 people unknowingly followed these accounts.
Although the number of genuine accounts engaging with this content is low, considering Serbia has around 6.6 million citizens, any engagement raises questions about the extent of authentic online support for SNS. To shed further light on this, we draw on the findings of Marković (2023), a cybersecurity consultant and our fourth source, who conducted a series of independent investigations based on the leaked bot list published by N1 (Đošić, 2023), Južne Vesti (2023), and Al Jazeera (2023) in July 2023. Using the Twitter API, Marković (2023) calculated that, during work hours between 2 and 7 June 2023, 3410 inauthentic accounts posted close to 60,000 times on Twitter.
As discussed earlier, available evidence suggests that many participants in SNS CIB are government employees who engage in these operations either full-time or alongside their regular duties. Regardless of the intensity of engagement in CIB, they receive a monthly public-sector salary. According to the Serbian Department of Statistics, the average monthly salary is RSD95,804 or EUR818.38 (RTS, 2024). If, for illustrative purposes, we assume that each of the 3410 accounts is operated by a distinct public-sector employee earning at least the average salary, the state budget devoted to these operations would amount to roughly 2.8m euros monthly, or about 33.5m euros annually.
These figures should be interpreted as upper-bound, order-of-magnitude estimates rather than precise measures of state spending on CIB. We do not know what proportion of these accounts is operated by public-sector employees, nor whether individual agents manage multiple accounts. Moreover, even where CIB participation is rewarded through employment or promotion, these salaries typically also remunerate regular and legitimate job functions. We are, therefore, unable to determine the exact share of public-sector remuneration directly attributable to CIB activities. In addition, our calculations do not account for other costs, such as party or government spending on online advertising. Meta, for instance, reports that SNS spent at least USD150,000 on ads on its platforms alone (Nimmo et al., 2022: 11). Furthermore, the numbers can fluctuate annually; the number of public-sector employees participating in CIB was much lower a decade ago, and social media was not as widespread. Nevertheless, these rough estimates suggest that maintaining CIB networks with several thousand active accounts is unlikely to be cost-free or marginal. Even if CIB represents only one component of public-sector employees’ workload, the organisational effort and public resources involved point to a routinised, rather than sporadic, practice of online manipulation. This, in turn, creates a feedback loop: public-sector structures that are already subject to political control may be further mobilised to simulate online support for the ruling party, thereby reinforcing the informational environment that helps sustain that control.
CIB what now?
As the number and variety of autocracies grow, we should explore new methods to analyse how they interact with digital spaces. In this paper, we opted for a longitudinal analysis of secondary sources. These sources were under-explored or inaccessible to the international research community. This method was effective in complementing typical network analyses of CIB. Through it, we saw how the CIB in new autocracies serves the same purposes of control and censorship. We also saw how the coordination of CIB has evolved to avoid detection by using PSPC instead of paid troll farms.
SNS networks avoid geographic detection by using an encrypted website and app accessible only to party members. Agents engage in CIB from multiple locations, and they do not post the same things, but are encouraged to use their own words. Moreover, the platform avoids detection based on established ‘follow the money’ tactics, where suspicious money is distributed to individuals working on troll farms. In the case of SNS CIB, there is essentially no transaction trail, as these individuals participate in exchange for legitimate jobs or career advancement in a seemingly unrelated sector.
In new autocracies, CIB allows governments to exercise control over online discourse while maintaining a legal framework that, on paper, protects freedom of speech and safeguards against censorship. The line between genuine and artificial support online and offline is challenging to measure, and CIB makes it even harder. Suppose we measure legitimacy as engagement and support expressed in comment sections. In that case, one-party domination in Serbia accurately represents people's desires. After all, elections are not abolished, parties are not banned, and outlets are not officially censored.
However, as estimated, millions are spent each year to generate, at best, a few thousand organic engagements. Moreover, because economic opportunities (Amnesty International, 2024) and prospects for upward mobility (World Bank Group, 2018) are limited in Serbia, participation in CIB is likely to remain an attractive and relatively stable avenue for employment and career advancement. SNS has created a feedback loop in which authoritarian practices, which limited economic opportunities in the first place, now also serve as a recruitment mechanism for new CIB participants, thereby helping to maintain the status quo.
Lastly, when CIB is coordinated through the co-optation of public employees, it can be just as effective as official censorship, if not more. Instead of banning publications, individuals, and groups, all criticism can be buried under layers of comments and dislikes. Ironically, even reports on the CIB network can be discredited or deleted by the network. Therefore, CIB, through PSPC, can supplement traditional censorship in the digital space.
Moreover, CIB, through PSPC, adds a layer of plausible deniability for the autocratic party. Unlike in China (Yang et al., 2015), where those who engage in CIB can often be traced back to state-run training institutions such as commentator academies, or in Russia, where trolls are based in the same location, CIB networks in Serbia appear more authentic and distributed. Furthermore, global social media platforms are banned or limited in autocracies like Russia and China; therefore, the CIB operation does not need the same level of sophistication.
However, because of the effectiveness of SNS CIB through PSPC and the dynamics of authoritarian learning (Hall and Ambrosio, 2017), such structures could become the standard for new autocracies. This is why we need new terms like ‘agents’, rather than ‘bots’, to capture the human agency central to coordinating and implementing more sophisticated forms of CIB. By co-opting public employees, SNS can control domestic public discourse without banning social media platforms. This type of operation might be more costly than paying for comments or troll farms, but it is more effective in the long term for maintaining the democratic façade, which is more profitable than autocratic isolation, especially for smaller countries.
Supplemental Material
sj-docx-1-ejc-10.1177_02673231261422076 - Supplemental material for Beyond detection: How Serbia's SNS party mimics authentic support through coordinated inauthentic behaviour
Supplemental material, sj-docx-1-ejc-10.1177_02673231261422076 for Beyond detection: How Serbia's SNS party mimics authentic support through coordinated inauthentic behaviour by Ana Jovanovic-Harrington and Alessio Cornia in European Journal of Communication
Footnotes
Ethical approval and informed consent statements
This research did not involve human participants or personal data and therefore did not require ethical approval or informed consent.
Funding
This work was supported by the DCU Faculty of Humanities and Social Sciences through the Postgraduate Research Conference and Presentation Grant and by the DCU School of Communications through the Conference Travel Scheme. This support enabled the presentation and refinement of this work at the ICA 2025 conference in Denver, USA.
Declaration of conflicting interests
The authors declared no potential conflicts of interest with respect to the research, authorship, and/ or publication of this article.
Data availability statement
Supplemental material
Supplemental material for this article is available online.
