EDELMAN × OSAVUL
Counter-Disinformation Unit
Reputational Threats on Hard-to-Monitor Platforms:
The Enterprise Risk Reality
Analysis period: June 1 – December 1, 2025 | 130 global brands across TikTok and Telegram
130 Brands Analysed | 76 Under Attack | 1,271 Narratives Detected | 25,053 Messages Linked |
~3.37 billion estimated views where reach data was available
Executive Summary
Overview
An Edelman analysis in partnership with Osavul
Reputational threats on hard-to-monitor platforms — primarily TikTok and Telegram — are now tightly bound to legal, operational, and physical risk. They can create real liability, trigger safety concerns, and cause operational disruption. In some cases, they serve as precursors to cyber or real-world harm, on top of the reputational damage most organisations are already trying to manage. Many organisations remain blind to these threats until it is too late.
This report, produced jointly by Osavul and Edelman's Counter-Disinformation Unit, analyses six months of threat data across 130 global brands. Of those brands, 76 were subjects of adverse reputational narratives. In total, 1,271 distinct narratives were detected, comprising at least 25,053 messages and generating approximately 3.37 billion views where reach data was available.
The findings reveal a corporate threat surface that is broader, faster-moving, and more closely linked to enterprise risk than most organisations are currently structured to manage. The solution is organisational: integrate communications, legal, intelligence, and security around shared detection processes, response playbooks, and measurable escalation thresholds.
This is a warning about adversarial storytelling that exploits moments of reputational vulnerability, regulatory exposure, social tension, and operational disruption — shaping perception faster than organisations can identify the threat, validate the facts, align internally, and respond with credibility.
The data points to a shift in kind, not just in volume. Reputational threats are aligning with enterprise risk in ways that challenge existing governance, escalation, and ownership models.
Methodology
How the Data Was Collected and Analysed
The underlying data collection and threat intelligence analysis were conducted by Osavul, an AI company specialising in strategic intelligence and countering hybrid threats. Osavul used its AI platform, Nebula, to carry out a three-step analytical process:
Collection of precise data from hard-to-monitor networks using Osavul's proprietary data pipeline technology.
Extraction of stable and evolving narratives from the dataset through Osavul's AI-powered narrative intelligence technology.
Identification of threats within narratives exhibiting indicators of malicious activity, using Osavul's threat intelligence capabilities.
Osavul's threat-intelligence dataset, reviewed by Edelman's Counter-Disinformation Unit, covers six months of TikTok and Telegram content relating to 130 global brands and sectors between 1 June and 1 December 2025. Of those, 76 were the subjects of adverse reputational narratives.
Each threat was categorised across multiple dimensions: target type (company, product or service, leadership, industry); threat type (legal or regulatory, physical, technical, reputational, among others); subtype themes; platform dynamics; language; and geographic indicators. Some individual threats spanned multiple categories, but the dominant patterns were consistent.
Classification
The Threat Classification Matrix
Each identified threat was classified across broad type, subtype, description of the threat behaviour, and observable objective characteristics. One threat can have several individual threat types — for example, a threat can be both legal/regulatory and technical at the same time.
| Broad Type | Subtype | Description | Objective Characteristics |
| Physical | Political/Civil unrest | Mass protests, strikes, office blockades, riots, or armed takeovers disrupting company operations. | Mentions of protests or unrest, reports of attacks on company facilities, police intervention, images/videos of disruptions. |
| Physical | Natural disaster | Earthquakes, hurricanes, floods, wildfires, or other natural events causing operational disruption. | Weather alerts, photos/videos of damage, shutdowns or delays in operations, evacuation orders. |
| Physical | Criminal activity | Theft, arson, vandalism, physical attacks against staff or facilities. | Police reports, surveillance footage, employee testimonies, damage assessments. |
| Legal/Regulatory | Lawsuit | Legal actions filed against the company or executives, including class actions or civil suits. | Court records, official case numbers, quotes from legal representatives, media reports on litigation. |
| Legal/Regulatory | Compliance violation | Breach of legal obligations, such as workplace safety, data protection, or ESG requirements. | Regulatory sanctions, inspection reports, internal audits, whistleblower disclosures. |
| Legal/Regulatory | Regulatory investigation | Formal investigations initiated by government or regulatory bodies. | Public announcements from regulators, subpoenas, company statements, media coverage of inquiries. |
| Legal/Regulatory | License revocation | Suspension or termination of permits or licenses necessary for operations. | Official regulatory decisions, affected business functions, operational halts. |
| Legal/Regulatory | New tariffs | Introduction or increase of trade tariffs affecting cost of goods, components, or operations. | Government trade announcements, cost modeling, CFO statements, supplier alerts. |
| Legal/Regulatory | Trade embargo | Official bans on trade with specific countries, sectors, or entities. | Sanction lists, customs enforcement actions, policy changes. |
| Legal/Regulatory | Foreign investment restrictions | Legal or political limitations placed on international ownership or funding flows. | Government decrees, blocked mergers, ownership caps, screening mechanisms. |
| Legal/Regulatory | Carbon tax compliance | Challenges in meeting obligations under carbon taxation schemes, resulting in penalties or cost increases. | Failure to meet emissions targets, fines, official warnings, compliance reports. |
| Technical | Data leak / stolen data | Unauthorized access to or disclosure of confidential company or user data. | Breach reports, leaks on dark web, internal investigations, legal/regulatory notices. |
| Technical | Cyberattack | Malicious digital intrusion aimed at disrupting, stealing, or compromising company systems or data. | Ransomware claims, breach disclosures, downtime logs, threat actor attribution. |
| Technical | External threats | Risks from outside actors such as hacktivists, terrorist groups, or hostile competitors. | Threat claims, intelligence alerts, unusual traffic patterns, public accusations. |
| Technical | Third-party risk | Risks arising from vendors, partners, or suppliers that affect the company. | Vendor incident reports, contract breach notices, dependency analysis. |
| Technical | Internal vulnerabilities | Weaknesses in internal systems, processes, or structures that may be exploited or cause failure. | Penetration tests, audit findings, operational bottlenecks, insider risk reports. |
| Technical | Software vulnerabilities | Technical flaws in software products or platforms that can be exploited. | CVE listings, patch advisories, third-party vulnerability reports. |
| Technical | AI risks | Risks stemming from the misuse, malfunction, or bias of AI systems deployed by or affecting the company. | Reports of algorithmic bias, regulatory scrutiny of AI use, technical failures in automated systems. |
| Technical | System incompatibility | Failure of systems to integrate properly, causing inefficiencies or breakdowns. | Integration error logs, migration failures, IT ticket volume spikes. |
| Reputational | Narrative threats | Public narratives that systematically undermine brand values, trust, or strategic position. | Framing analysis, influencer amplification, repeat mention patterns, narrative network mapping. |
| Reputational | Reputation management | Attempts to respond to and mitigate reputational harm from previous incidents. | PR campaigns, executive interviews, crisis communication strategies. |
| Reputational | Executive scandal | Misconduct, corruption, or reputational crisis involving company leadership. | Media reports, legal charges, whistleblower leaks, forced resignations. |
| Reputational | Coordinated info attack | Organized disinformation or smear campaigns targeting the brand, often involving bots or coordinated networks. | Sudden waves of similar messages, bot activity, forensic analysis indicating coordination. |
| Reputational | Consumer backlash | Widespread negative public reactions to company decisions, products, or affiliations. | Spikes in negative sentiment, review bombing, media criticism, protest actions. |
| Reputational | Negative media coverage | Widespread criticism or damaging reports in mainstream or digital media. | Headline volume spikes, sentiment analysis, media tone trends. |
| Reputational | Insider leak | Disclosure of sensitive internal information by employees or contractors. | Leaked memos, anonymous insider posts, internal security audits. |
| Reputational | Use of products/services with malicious intent | Company's tools or platforms used for illegal or harmful actions (e.g., hosting misinformation, attacks). | Law enforcement notices, NGO reports, content moderation controversies. |
| Reputational | Calls for brand boycott | Public appeals urging consumers to stop buying from or supporting a brand due to controversial actions or stances. | Hashtags, viral posts, petitions, influencer/NGO-led campaigns urging boycotts. |
| Financial | Fraud | Deceptive acts by internal or external parties to gain unlawful financial benefit. | Auditor findings, whistleblower disclosures, legal investigations, sudden losses. |
| Financial | Market manipulation | Artificial inflation, suppression, or distortion of market behavior, often affecting stock prices. | Regulator investigations, abnormal trading patterns, coordinated pump-and-dump activities. |
| Financial | Economic pressure | Adverse macroeconomic trends or policy changes that impact the company's business model or margins. | Inflation, recession data, currency volatility, central bank decisions, economic policy shifts. |
| Financial | Financial losses due to boycott | Revenue decline attributed to organized consumer or institutional boycotts. | Quarterly financial reports, analyst commentary, CEO statements, retail sales data. |
| Financial | Free access to goods/services caused by malicious acts | Unauthorized access or distribution of paid content or services, e.g., piracy or hacked platforms. | Pirated content listings, botnet use, internal revenue loss detection, dark web listings. |
| Operational | Supply chain disruption | Interruptions in the flow of goods or services due to internal or external factors. | Shipment delays, supplier issues, logistics cost spikes, inventory shortages. |
| Operational | Equipment failure | Breakdown or malfunction of critical machinery or operational equipment. | Downtime logs, maintenance alerts, operational delays, production losses. |
| Operational | Labor shortage | Insufficient workforce to maintain normal operations or growth trajectories. | Job vacancy surges, unmet service SLAs, missed project deadlines, industry-wide trend reports. |
| Operational | Product malfunction | Failure of a product to perform as intended, causing harm or business disruption. | Customer complaints, recall notices, warranty claims, regulator fines. |
| Health & Safety | Pandemic impact | Health crises affecting operations, supply chains, or demand due to global pandemics. | Public health advisories, lockdown announcements, absenteeism, logistics delays. |
| Health & Safety | Workplace safety | Unsafe conditions or incidents affecting employees in the workplace. | Accident logs, OSHA citations, internal whistleblowing, injury reports. |
| Health & Safety | Customer safety | Product or service defects that may cause harm to users or customers. | Injury reports, product recalls, safety advisories, legal claims. |
| Health & Safety | Mental health crisis | Psychological harm to employees caused by stress, overwork, or traumatic work environments. | HR reports, staff turnover, wellness audits, anonymous staff testimonies. |
| Global | Geopolitical escalation | Rising global tensions or conflicts affecting company operations, supply chains, or markets. | Conflict outbreak, military deployments, travel bans, supply disruptions. |
| Global | Large-scale ecological/industrial disaster | Major environmental or industrial incidents with large-scale impact (e.g., oil spills, chemical leaks). | Disaster declarations, satellite imagery, environmental watchdog reports, fines. |
| Global | Deterioration of international relations | Geopolitical tensions impacting the company's international operations or market access. | Sanctions, diplomatic rifts, restrictions on cross-border operations or partnerships. |
| Global | Global malfunction | Simultaneous or systemic disruption of global infrastructure (e.g., internet, satellite, finance). | Cross-sector service outages, multi-country impact, global coordination failure alerts. |
Number of Individual Threats by Type
The threat types can be separated by the categories. Each individual category has its own count in the report. One threat can have several individual threat types. For example, the threat can be both legal/regulatory and technical at the same time.
The number of the individual threat types is the following: legal/regulatory individual threats totals 909, physical threats 713, reputational threats 239, technical 145, global threats 38, operational 35, financial 27, health and safety 13.
This puts legal/regulatory threats in the top of the number of individual threat types together with physical threats. These threat types can come together with other threat types or come solely.
| Threat Category | Count |
| Legal / Regulatory | 909 |
| Physical | 713 |
| Reputational | 239 |
| Technical | 145 |
| Global | 38 |
| Operational | 35 |
| Financial | 27 |
| Health & Safety | 13 |
Industry Analysis
Threat Overview by Industry
The 1,271 threats were distributed across 42 industries. The Technology sector was by far the most targeted, generating 8,024 threat messages — more than double the volume of the next closest sector. E-commerce and Cloud Computing followed with 2,903 messages. Defense and Aerospace & Defense featured prominently, with 2,330 and 1,740 messages respectively, reflecting sustained threat activity against critical infrastructure.
| Industry | Messages |
| Technology | 8,024 |
| E-commerce & Cloud Computing | 2,903 |
| Defense | 2,330 |
| Aerospace and Defense | 1,740 |
| Energy | 1,543 |
| Financial | 1,427 |
| Retail | 1,381 |
| Automotive | 1,098 |
| Electronics | 845 |
| Financial Services | 659 |
| Healthcare | 320 |
| Telecommunications & Technology | 310 |
| Biopharmaceutical | 190 |
| Banking & Financial Services | 180 |
| Insurance | 158 |
Legal and Physical Narratives Dominate the Threat Landscape
Legal and compliance threats were the most common form of adverse narrative, appearing in nearly three out of four cases (71%). Physical-world risks — including civil unrest and criminal activity — featured in more than half of all cases (56%).
These narratives gain their potency from plausibility. They are built on storylines that are hard to quickly disprove and capable of triggering real-world consequences: regulatory investigations, litigation, protests, and safety incidents. Looking at specific allegation types, compliance violations were the most frequently occurring at 532 instances, followed by political or civil unrest (501), regulatory investigations (404), criminal activity (361), and lawsuits (306).
Threat Subtypes by Occurrences
| Threat Subtype | Occurrences |
| Compliance Violation | 532 |
| Political & Civil Unrest | 501 |
| Regulatory Investigation | 404 |
| Criminal Activity | 361 |
| Lawsuit | 306 |
| Negative Media Coverage | 185 |
| Natural Disaster | 124 |
| Cyberattack | 86 |
| Data Leak / Stolen Data | 61 |
| Software Vulnerabilities | 56 |
| Calls for Brand Boycott | 33 |
| Geopolitical Escalation | 31 |
| Fraud | 21 |
| External Threats | 20 |
| Trade Embargo | 19 |
Message Volume by Threat Type Combination
The 1,271 narratives produced 25,053 messages in total. Threats focused purely on legal and regulatory matters generated the highest single-category volume at 5,775 messages. The next four most common types each combined multiple high-impact areas, underscoring how threat actors layer risks to maximise pressure.
| Threat Type Combination | Messages |
| Legal / Regulatory (standalone) | 5,775 |
| Physical + Legal / Regulatory | 4,251 |
| Legal / Regulatory + Reputational | 3,269 |
| Legal / Regulatory + Physical | 3,149 |
| Physical (standalone) | 3,129 |
This picture points to a threat environment increasingly grounded in real-world consequences — legal action, government fines, operational disruption, and safety incidents — rather than purely image-based attacks.
The Grey Zone
This pattern challenges a common organisational assumption: that defending against adverse narratives is mainly about debunking outright lies. The modern threat environment is far murkier. Organisations today face a mix of selectively true claims, exaggerated accusations, videos or quotes stripped of context, and the deliberate amplification of unresolved issues. None of these tactics require a single demonstrably false statement to keep an organisation permanently on the defensive.
Target Analysis
Adversarial Narratives Often Centre on Products and Operations
The threat landscape is overwhelmingly focused on two primary targets: the organisation as a whole and its product offerings — not individual executives.
| Target Type | Messages | Share |
| Company (broad operational / reputational attacks) | 23,619 | 52.8% |
| Product / Services | 17,342 | 38.8% |
| Leadership | 3,040 | 6.8% |
Adversarial narratives focus on the institution in 1,196 instances, linked to 23,619 messages and approximately 3.33 billion views. Narratives targeting products and services span 876 instances, linked to 17,342 messages and approximately 2.03 billion views, with some narratives spanning both categories.
These narratives travel so effectively because they make abstract reputational themes feel tangible. They align with real-world anxieties and force organisations into responding to complex issues across functional boundaries — questions of safety, ethics, legality, and trustworthiness.
| Implication for leaders: Adverse narratives now act as a product and operational risk multiplier, amplifying scrutiny and accelerating decision pressure across the organisation. |
Leadership Targeting: Lower in Volume, Higher in Impact
Narratives focused on leadership and executives appear less frequently than those focused on companies or products — but when they do occur, their impact is significant. The dataset includes 142 narratives targeting individual leaders, generating 3,040 messages and approximately 787 million views.
Leadership narratives compress complex organisational issues into simple storylines that are easier to personalise, weaponise, and mobilise around. They travel efficiently in short-form video formats and can escalate quickly into harassment, intimidation, and physical security risks.
| Implication for leaders: Personal risk monitoring and protective intelligence should be treated as essential capabilities, not as discretionary or reactive measures. |
Geographic & Language Analysis
The Ecosystem Is Multilingual and Cross-Border by Default
Threat amplification occurs across multiple languages, led by English, Italian, and Russian, followed by German, Spanish, Portuguese, Ukrainian, Romanian, and French. Narratives can move across platforms, borders, and languages before appearing in mainstream channels — while it remains hard to identify, attribute, and track specific threat actors.
| Implication for leaders: Monitoring limited to English-language content or mainstream platforms may miss early warning signals, upstream narrative formation, and coordination activity. |
Message Volume by Language
| Language | Messages |
| English | 4,408,974 |
| Italian | 2,792,326 |
| Russian | 2,621,362 |
| Others | 1,473,056 |
| German | 641,847 |
| Spanish | 587,460 |
| Portuguese | 568,519 |
| Ukrainian | 454,637 |
| Romanian | 289,767 |
| French | 212,437 |
| Chinese | 188,966 |
| Turkish | 169,756 |
| Persian | 148,057 |
| Arabic | 108,429 |
Threat Longevity
Threat Longevity: The Window Is Narrow
Most threats burn out quickly. The median lifespan is just 2 days, with three-quarters of all threats fading within 3 days. Nine out of ten are gone within four days. Cases that stretch beyond a week — the longest running lasted 77 days — are rare outliers. The distribution is overwhelmingly concentrated in the first few days.
This has a direct implication for how organisations respond. By the time a threat has been escalated internally, reviewed by communications and legal teams, and a response has been drafted, the moment may already have passed. Organisations that lack pre-approved response frameworks, ready-made holding statements, and clear escalation protocols are effectively arriving late to every incident. Speed is not just an advantage — in most cases, it is the deciding factor.
| Metric | Value |
| Median threat lifespan | 2 days |
| 75% of threats fade within | 3 days |
| 90% of threats gone within | 4 days |
| Longest-running outlier | 77 days |
Risk Exposure Reflects Sector Sensitivity and Company Prominence
Threat activity is not evenly distributed across the corporate landscape. It concentrates around organisations that combine high public visibility with exposure to politically or socially sensitive issues.
In the dataset, the five most-targeted brands account for more than half (59%) of detected threats. These organisations are typically large, well-known companies operating in sectors that attract regulatory scrutiny, geopolitical attention, or public controversy. Global technology platforms, infrastructure providers, and companies in strategically sensitive industries feature prominently.
This concentration reflects how adversarial actors allocate attention and resources. They focus where narratives are most likely to resonate with existing public debate, spread quickly across platforms, and exert pressure on companies through stakeholders, regulators, or political actors.
| Implication for leaders: Risk exposure is shaped not only by company prominence but also by sector dynamics and the sensitivity of particular issues. Organisations operating in contested or highly regulated sectors may face heightened narrative risk regardless of their scale. Leaders should assess their exposure accordingly. |
Recommendations
What Senior Leaders Should Do Now
If reputational threats are converging with enterprise risk, organisations' responses must mirror this. Fragmented ownership slows response and compounds the problem.
1. Create a cross-functional narrative response cell
High-performing organisations align communications, intelligence, legal, and security teams around a shared view of the threat landscape. Siloed decision-making is the single greatest enabler of slow response.
2. Map narrative exposure like a risk register
Recurring themes — compliance, investigations, unrest, criminality, and cyber activity — should be treated as predictable attack vectors, not surprises. Organisations can often pre-bunk these narrative attacks by communicating counter-arguments to their key audiences in advance.
3. Invest in advanced monitoring and detection
Standard social media monitoring cannot effectively track content on TikTok, Telegram, or similar platforms. You need to see it to analyse it. Adversarial content can go viral quickly, and organisations need to know what they can safely ignore versus where they need to intervene early.
4. Develop and test platform-appropriate playbooks and content
The reach and speed of hard-to-monitor platforms demand rapid, credible, and appropriate responses. Organisations should simulate adverse narratives appearing on these platforms and spreading to mainstream channels to stress-test their plans before an incident occurs. Rapidly deployable digital assets should be prepared in advance.
5. Establish rapid decision-making procedures
Narrative attacks move quickly, but organisational decision-making often does not. Companies should predefine escalation triggers, decision authority, and response ownership across communications, legal, and security teams. When these pathways are clear in advance, organisations can respond faster and with greater confidence.
Conclusion
The Bottom Line
The appearance of adverse narratives on hard-to-monitor platforms is not a niche concern. It acts as an accelerant, attaching itself to issues around legal exposure, operational disruption, physical safety, cyber vulnerability, and stakeholder trust.
Organisations that continue to treat this as a separate social media problem will remain in a reactive crouch. Those that recognise it as an integrated enterprise threat — and respond with early detection, cross-functional authority, and disciplined decision-making — will be better positioned to protect trust, reduce harm, and sustain resilience in an increasingly volatile information environment.
Key Statistics at a Glance
130 brands analysed; 76 showed identifiable threats
1,271 hostile narrative threats detected across six months
25,053 messages linked to those threats
~3.37 billion views recorded where reach data was available
~71.5% of threats carried legal or regulatory signals
~56.1% carried physical-world risk signals
Top five brands account for ~59% of all threats
Median threat lifespan: just 2 days
