Army wife Angela Ricketts was soaking in a bubble bath in her Colorado home, leafing through a memoir, when a message appeared on her iPhone from hackers threatening to slaughter her family.
"Dear Angela!" the Facebook message read. "Bloody Valentine's Day!"
"We know everything about you, your husband and your children," the message continued, claiming that the hackers operating under the flag of Islamic State militants had penetrated her computer and her phone. "We're much closer than you can even imagine."
Ricketts was one of five military wives who received death threats from the self-styled CyberCaliphate on the morning of Feb. 10, 2015. The warnings led to days of anguished media coverage of Islamic State militants' online reach.
Except it wasn't IS.
The Associated Press has found evidence that the women were targeted not by jihadists but by the same Russian hacking group that intervened in the American election and exposed the emails of Hillary Clinton's presidential campaign chairman, John Podesta.
The brazen false flag is a case study in the difficulty of assigning blame in a world where hackers routinely borrow one another's identities to throw investigators off track. The operation's attempt to hype the threat of radical Islam also presaged the inflammatory messages pushed by internet trolls during the U.S. presidential race.
Links between CyberCaliphate and the Russian hackers — typically nicknamed Fancy Bear or APT28 — have been documented previously. On both sides of the Atlantic, the consensus is that the two groups are closely related.
But that consensus never filtered through to the women involved, many of whom were convinced they had been targeted by Islamic State sympathizers right up until the AP contacted them.
"Never in a million years did I think that it was the Russians," said Ricketts, an author and advocate for veterans and military families. She called the revelation "mind blowing."
"It feels so hilarious and insidious at the same time."