Columbia Journalism Review–and Now Columbia School of Journalism–Have a Russian Intelligence Problem

On Tuesday, Columbia Journalism Review quietly staged the Zoom conference intended to address the many problems with Jeff Gerth’s series on “Russiagate” [sic], which I wrote about in a long series. After they rescheduled the original date because of an illness, they did not alert those who had previously signed up, meaning a number of people missed it. Nor did they record the event. It had the feel of a formality designed to claim they had listened, without actually doing so.

Nothing demonstrates the inadequacy of the event so well as the fact that no one — not moderator and Berkeley School of Journalism Dean Geeta Anand, not Columbia Journalism School Dean Jelani Cobb, and not CJR Editor Kyle Pope — addressed the fact that Jeff Gerth had cited an unreliable Russian intelligence product as part of his attack on Hillary Clinton without informing readers he had done so.

I described that he had done so in this post, but I’m going to try to simplify this still further in hopes Columbia will understand how inexcusable this is — how badly this violates every tenet of ethical journalism.

As part of his description of Hillary’s response to being victimized in a hack-and-leak campaign, Gerth described that Clinton approved a plan to vilify Trump by making Russian interference itself a scandal.

The disclosures, while not helpful to Clinton, energized the promotion of the Russia narrative to the media by her aides and Fusion investigators. On July 24, Robby Mook, Hillary’s campaign manager, told CNN and ABC that Trump himself had “changed the platform” to become “more pro-Russian” and that the hack and dump “was done by the Russians for the purpose of helping Donald Trump,” according to unnamed “experts.”

Still, the campaign’s effort “did not succeed,” campaign spokeswoman Jennifer Palmieri would write in the Washington Post the next year. So, on July 26, the campaign allegedly upped the ante. Behind the scenes, Clinton was said to have approved a “proposal from one of her foreign-policy advisers to vilify Donald Trump by stirring up a scandal claiming interference by Russian security services,” according to notes, declassified in 2020, of a briefing CIA director John Brennan gave President Obama a few days later. [my emphasis]

The claim is a central part of Gerth’s narrative, which adopts many of the theories John Durham floated in his two failed prosecutions, suggesting that the press’ concerns about Trump and Russia stemmed exclusively from efforts — the dossier and the Alfa Bank anomaly — generated by Hillary, and not by Carter Page’s weird behavior in Moscow, Paul Manafort’s ties to oligarchs with ties to Russia, or all the lies Trump’s people told in 2017 about their own ties to Russia.

The claim is a central part of Jeff Gerth’s narrative, and it is based on a Russian intelligence product of uncertain reliability.

These are the notes of Brennan’s briefing to Obama. Here, though not in an earlier part of this section, Gerth quotes directly from the notes (though Gerth cuts the words “alleged approval”).

This is the letter John Ratcliffe wrote to Lindsey Graham about the briefing before he declassified the notes themselves. The letter quotes the notes and, unlike Gerth, Ratcliffe does not cut the words “alleged approval,” so there can be no doubt that that’s what Ratcliffe was addressing. Ratcliffe’s letter explicitly says that the Intelligence Community “does not know the accuracy of the allegation” or whether it was “exaggeration or fabrication.”

  • In late July 2016, U.S. intelligence agencies obtained insight into Russian intelligence analysis alleging that U.S. Presidential candidate Hillary Clinton had approved a campaign plan to stir up a scandal against U.S. Presidential candidate Donald Trump by tying him to Putin and the Russians’ hacking of the Democratic National Committee. The IC does not know the accuracy of this allegation or the extent to which the Russian intelligence analysis may reflect exaggeration or fabrication.
  • According to his handwritten notes, former Central Intelligence Agency Director Brennan subsequently briefed President Obama and other senior national security officials on the intelligence, including the “alleged approval by Hillary Clinton on July 26, 2016 of a proposal from one of her foreign policy advisors to vilify Donald Trump by stirring up a scandal claiming interference by Russian security services.”

It’s bad enough that Gerth takes out the use of “alleged” included in the notes themselves and in Ratcliffe’s description of the report.

But it is inexcusable that Gerth does not tell readers this claim comes from a Russian intelligence report, one that even John Ratcliffe warned might not be reliable, might even be a fabrication! Gerth describes that “Clinton was said” to have formulated this plan, without telling readers that Russian spooks were the ones who said it. He simply adopts the accusation made by Russian spies without notice he had done so.

Before writing this up, I asked Kyle Pope about this twice, first in my general list of questions, then in a specific follow-up.

Finally, you did not answer this question.

Do you believe your treatment of the John Brennan briefing should have revealed the briefing was based on a Russian intelligence document? Do you believe you should have noted the John Ratcliffe warning that, “The IC does not know the accuracy of this allegation or the extent to which the Russian intelligence analysis may reflect exaggeration or fabrication”? Is there a reason you’re certain the date was July 26 when it’s not clear whether it says 26 or 28?

Is it your view that CJR owes its readers neither notice that it is relying on a Russian intelligence report for its interpretations about Hillary Clinton’s motives nor reveal that the IC would not vouch for the accuracy of that report?

I got no answer. Since Tuesday’s event, I’ve asked for comment from Dean Cobb, who provided no response, as well as Dean Anand (whose assistant said she may get back to me later).

Jeff Gerth, and through him, CJR, and through CJR, the Columbia Journalism School apparently believe it is sound journalism, in a piece that demands greater transparency from others commenting on sloppy reporting about Russia’s campaign to interfere in the 2016 election, to quote from a description of a Russian intelligence report that may have been part of that campaign to interfere in the 2016 election, without disclosing that he was doing so.

There are unretracted clear errors throughout Gerth’s piece that also went unremarked in Tuesday’s event; rather than explaining why those errors remain uncorrected in a piece complaining about the errors of others, Gerth twice claimed his was a “very factual chronological story” with no pushback. When I asked about them before doing my piece, Pope dismissed those errors as merely a matter of opinion.

But about this undisclosed use of a Russian intelligence product that could be a fabrication, there is no dispute. It’s right there in the warning Ratcliffe gave before he released the notes. “The IC does not know the accuracy of this allegation or the extent to which the Russian intelligence analysis may reflect exaggeration or fabrication.” But that didn’t stop Gerth from using it. He used it anyway, with no disclosure about who made this allegation or the IC warning about its uncertain reliability.

And Columbia University’s journalism establishment stubbornly stands by that non-disclosure.

Links

CJR’s Error at Word 18

The Blind Spots of CJR’s “Russiagate” [sic] Narrative

Jeff Gerth’s Undisclosed Dissemination of Russian Intelligence Product

Jeff Gerth Declares No There, Where He Never Checked

“Wink:” Where Jeff Gerth’s “No There, There” in the Russian Investigation Went

Columbia Journalism Review–and Now Columbia School of Journalism–Have a Russian Intelligence Problem

Dear Jeff Gerth: Peter Strzok Is Not a Media Critic

My own disclosure statement

An attempted reconstruction of the articles Gerth includes in his inquiry

A list of the questions I sent to CJR

The Testimony Jack Smith Gets This Week Builds on Work from Over a Year Ago

Starting on Tuesday, Jack Smith’s prosecutors started getting return grand jury appearances for a set of key Trump aides who had invoked Executive Privilege in earlier appearances. In the days ahead, that same January 6 grand jury will get the testimony of Dan Scavino, Stephen Miller, Mark Meadows and — unless Trump succeeds with some kind of last minute challenge — Mike Pence.

Starting tomorrow, Secret Service agents will testify in the stolen documents case. That comes after (according to CNN) witnesses who gave voluntary testimony last summer have made subsequent appearances before the grand jury and Evan Corcoran provided crime-fraud excepted documents and testimony to the same grand jury. Multiple other lawyers already testified before the grand jury.

While there are a few outstanding items, such as the exploitation of Scott Perry’s phone, the DC Circuit decision on the application of 18 USC 1512(c)(2) to January 6, finding a way to obtain any remaining classified documents Trump has been hoarding, a verdict in the Proud Boys trial (which may dictate charging decisions for others) — all of which efforts have been pending for over six months, before Smith was appointed — the twin investigations headed by Jack Smith appear to be headed to imminent resolutions.

In recent weeks, the same TV lawyers who were wailing last summer about the January 6 investigation into Trump (the stolen documents investigation, while already laying the groundwork for charging a former President under the Espionage Act, still remained entirely unknown), have suggested that Alvin Bragg’s indictment of Trump “might light a fire under other prosecutors and advance the proposition that even ex-presidents must follow the law.”

It’s an obscene suggestion, that Jack Smith or his AUSAs or Merrick Garland needed some push to pursue the investigation into Donald Trump, when instead the TV lawyers simply needed a push to review what steps the investigation was actually pursuing. That’s because all of the recent developments in the Jack Smith case — the crime-fraud ruling, the Executive Privilege waiver, the testimony of Mike Pence — very obviously build on work done last year, well before Garland appointed Jack Smith. Some of those steps were even public at the time last summer when the very same TV lawyers were wailing. All of the climactic steps occurring in recent weeks were easily foreseeable by August.

Prosecutors have been building to this moment for a long time.

As I noted here, investigations in the era of cloud computing usually follow a clear logic:

  • Use subpoenas to obtain metadata to identify key subjects
  • Use metadata to obtain cloud warrants of subjects
  • Use cloud warrants to obtain warrants for phones (a necessary step if encrypted apps were used in furtherance of a crime, as was the case in the lead-up to January 6)
  • Use overt subpoenas for other witnesses to obtain evidence
  • Obtain grand jury testimony from witnesses

By the time the first overt subpoenas and warrants go out — which in the January 6 case was May 2022, though in the case of Sidney Powell was September 2021 — DOJ will already have obtained metadata and cloud content from key subjects of the investigation. Only after DOJ works through that covertly obtained evidence does it start doing the things that alert subjects to the scope of the investigation by subpoenaing other witnesses or seizing phones.

Even in a garden variety investigation, it can take six months from the date of seizure of a subject’s phone until an arrest. This was true even in the militia conspiracy cases, where arrests were an attempt to stave off further violence, in part because FBI was exploiting so many phones.

In the case of sensitive witnesses like lawyers, presidential advisors, and members of Congress, it takes a number of extra steps to get grand jury testimony or access content.

In Rudy Giuliani’s case, a privilege review of his phone content took nine months (though that review incorporated content relating to January 6, so it has been done since January 2022). In Enrique Tarrio’s case (largely due to the security he used on his phone), it took over a year to access the content on his phone. In Scott Perry’s case, prosecutors are still working on it seven months later. In James O’Keefe’s unrelated case, Project Veritas still has one more chance to prevent prosecutors from getting evidence the FBI seized in November 2021, almost 17 months ago. You can’t skip privilege reviews, because if you do, key evidence will get thrown out during prosecution, rendering any downstream evidence useless as well.

In cases of privilege, DOJ first gets grand jury testimony where the witness invokes privilege, and then afterwards makes a case that the needs of the investigation overcome any privilege claim. DOJ first started pursuing privileged testimony regarding events involving Mike Pence with grand jury testimony from Pence aides Greg Jacob and Marc Short last July, then with testimony from the two Pats, Cipollone and Philbin, in August. It got privilege-waived testimony from Pence’s aides in October and from the two Pats on December 2. That process undoubtedly laid the groundwork for this week’s DC Circuit ruling that people like Mark Meadows and Dan Scavino must likewise testify to the grand jury.

By the time DOJ first overtly subpoenaed material in the fake electors plot last May, it had done the work to obtain cloud content from John Eastman and Jeffrey Clark. If DOJ had obtained warrants for the already seized phone content from Rudy — which is likely given the prominence of Victoria Toensing from the start of the fake elector subpoenas — then it would have built on content it obtained a year earlier in another investigation.

Some of this undoubtedly benefitted from the January 6 Committee’s work. I would be shocked, for example, if DOJ didn’t piggyback on Judge David Carter’s March 28, 2022 decision ruling some of John Eastman’s communications to be crime-fraud excepted. As NYT reported in August, in May 2022, DOJ similarly piggybacked on J6C’s earlier subpoenas to the National Archives (and in so doing avoided any need to alert Joe Biden to the criminal, as opposed to congressional, investigation); this is consistent with some of what Mueller did in the Russian investigation. Cassidy Hutchinson’s testimony, obtained via trust earned by Liz Cheney, has undoubtedly been critical. But the January 6 Committee also likely created recent delays in the January 6 and Georgia investigations, thanks to the delayed release of transcripts showing potentially exculpatory testimony.

But much of it preceded the January 6 Committee. I’ve shown, for example, that DOJ had a focus on Epshteyn before J6C first publicly mentioned his role in the fake electors plot. Toensing’s involvement came entirely via the DOJ track.

The path that brought us here went from the covert steps in advance of the May 2022 Clark and Eastman warrants (possibly including Rudy Giuliani warrants), to testimony from Trump’s aides, to testimony from White House Counsels, to Meadows and Pence and the rest of them.

There’s not a shred of evidence that DOJ’s prosecutors or Garland were afraid of taking these steps (FBI might be another issue). Instead, there’s a clear timeline of public steps DOJ has taken to get us to this point, which necessarily built on non-public things DOJ did to get to the point of obtaining warrants for the email accounts of several lawyers (and whatever covert steps it took with non-lawyers that won’t be public for years).

A timeline of the stolen document investigation is here.

Some key dates in the January 6 investigation are:

January 4, 2021: DC authorities seize Enrique Tarrio’s phone

January 25, 2021: Stop the Steal VIP Brandon Straka arrested; DOJ IG opens probe into Jeff Clark and others

February 17, 2021: First allegedly cooperative interview with Straka

March 17, 2021: DOJ makes first tie between Oath Keepers investigation and Roger Stone

March 25, 2021: Second allegedly cooperative interview with Straka

April 21, 2021 (Lisa Monaco’s first day on the job): DOJ obtains warrant targeting Rudy Giuliani’s cell phones in Ukraine investigation

June 23, 2021: First Oath Keeper who interacted with Stone enters into cooperation agreement

August 19, 2021: Alex Jones sidekick Owen Shroyer, who participated in Friends of Stone list and served as a communication hub between Proud Boys and others, arrested

September 2021: DOJ subpoenas records from Sidney Powell grift

September 3, 2021: SDNY makes an ultimately successful bid to review all content on Rudy’s devices for privilege (making such content available if and when DOJ obtains January 6 warrant targeting Rudy)

Fall 2021: Thomas Windom appointed to form fake elector team

October 28, 2021: Merrick Garland tells Sheldon Whitehouse DOJ is following the money of January 6

November 2, 2021: Special Master Barbara Jones releases first tranche of materials from Rudy’s phones, including content through seizure

November 22, 2021: Trump appointee Carl Nichols asks James Pearce whether 18 USC 1512(c)(2) might be applied to someone like Trump (he would go on to issue an outlier opinion rejecting the application)

By December 2021: JP Cooney starts long-invisible investigation into financial side of January 6

December 2021: NARA and Mark Meadows begin process of completing his record of PRA-covered communications

December 10, 2021: Judge Dabney Friedrich (a Trump appointee) upholds application of 18 USC 1512(c)(2) to January 6

January 5, 2022: Merrick Garland reiterates that DOJ is investigating the financial side of January 6

Mid-January 2022: DOJ finally obtains contents of Tarrio’s phone

January 19, 2022: Jones releases remaining content from Rudy’s phones; SCOTUS declines to review DC Circuit rejection of Trump’s Executive Privilege claims with respect to January 6 subpoenas

January 5, 2022: Lisa Monaco confirms DOJ is investigating fake electors plot

February 18, 2022: In civil cases, Judge Amit Mehta rules it plausible that Trump and militias conspired to obstruct vote certification, as well as that he aided and abetted assaults

March 2, 2022: Oath Keeper in charge of Stone security on January 6, Joshua James, enters into cooperation agreement

March 28, 2022: Judge David Carter issues crime-fraud ruling covering John Eastman’s communications with and on behalf of Trump

May 2022: DOJ subpoenas all NARA records provided to J6C

May 26, 2022: Subpoenas for fake electors plot including Rudy, John Eastman, Boris Epshteyn, Bernie Kerik, and Jenna Ellis, among others; warrants for email accounts of Jeffrey Clark, John Eastman, Ken Klukowski, and one non-lawyer

June 6, 2022: DOJ charges Proud Boy leaders with seditious conspiracy

June 21, 2022: Second set of fake electors subpoenas, adding Mike Roman and others, warrants for NV GOP officials and GA official

June 22, 2022: DOJ searches Jeffrey Clark’s home and seizes his phone

June 28, 2022: DOJ seizes John Eastman’s phone

June 23, 2022: DOJ completes exploitation (but not scoping) of Shroyer’s phone

June 24, 2022: Ali Alexander grand jury appearance

June 27, 2022: Then Chief Judge Beryl Howell permits prosecutors to obtain emails between Scott Perry and Clark and Eastman

July 22, 2022: Marc Short appears before grand jury

August 9, 2022: Scott Perry’s phone seized

August 2022: Mark Meadows provides previously withheld PRA covered materials to NARA

Early September, 2022: Pre-election legal process includes seizure of Boris Epshteyn and Mike Roman’s phones, subpoenas to key aides including Dan Scavino, Bernie Kerik, Stephen Miller, Mark Meadows, subpoenas pertaining to Trump’s PAC spending,

October 13, 2022: Marc Short and Greg Jacob make second, privilege-waived grand jury appearance

November 18, 2022: Merrick Garland appoints Jack Smith

December 2, 2022: Pats Cipollone and Philbin make second, privilege-waived grand jury appearance

December 2022: Rudy Giuliani subpoena asks for information on his payment

February 9, 2023: Mike Pence subpoenaed

February 23, 2023: DC Circuit hears Scott Perry’s challenge to order providing access to his phone content

March 9, 2023: Judge Kollar-Kotelly orders Peter Navarro to turn over PRA-covered contents from Proton Mail account

March 28, 2023: Chief Judge Jeb Boasberg rules Mike Pence must testify (though protects some areas on Speech and Debate grounds)

April 4, 2023: DC Circuit declines to stay Beryl Howell ruling ordering testimony from Mark Meadows and others

The Espionage Act Evidence WaPo Spins as Obstruction Evidence

The WaPo, with Devlin Barrett as lead byline and Mar-a-Lago Trump-whisperer Josh Dawsey next, has a report describing either new evidence or more evidence of obstruction in the stolen documents case.

Some of it, such as that investigators “now suspect that boxes including classified material were moved from Mar-a-Lago storage area after the subpoena was served,” is not new — not to investigators and not to the public. The version of the search affidavit released on September 14 showed that on June 24 investigators subpoenaed the surveillance footage for the storage room and at least one other, still-redacted location, going back to January 10, 2022, long before the subpoena for documents with classification marks was served on May 11. So unless Trump withheld surveillance footage, then DOJ has known since early July 2022 on what specific dates boxes were moved. And a redacted part of the affidavit explains the probable cause the FBI had in August that there might be classified documents in Trump’s residential suite.

In other words, much of what WaPo describes is that DOJ has obtained substantial evidence since August to prove the probable cause suspicions already laid out in their August warrant affidavit. You don’t search the former President’s beach resort without awfully good probable cause, and they were able to show substantial reason to believe that Trump had boxes moved to his residence after he received the May 11 subpoena, where he sorted out some he wanted to keep, eight months ago.

They’ve just gotten a whole lot more proof that they were right, since.

Other parts of the story do describe previously unknown (to us, at least) details, and those may be significantly more important for Trump’s fate. The most intriguing, to me, is that witnesses are being asked about Trump’s obsession with Mark Milley.

Investigators have also asked witnesses if Trump showed a particular interest in material relating to Gen. Mark A. Milley, the chairman of the Joint Chiefs of Staff, people familiar with those interviews said. Milley was appointed by Trump but drew scorn and criticism from Trump and his supporters after a series of revelations in books about Milley’s efforts to rein in Trump toward the end of his term. In 2021, Trump repeatedly complained publicly about Milley, calling him an “idiot.”

The people did not say whether investigators specified what material related to Milley they were focused on. The Post could not determine what has led prosecutors to press some witnesses on those specific points or how relevant they may be to the overall picture that Smith’s team is trying to build of Trump’s actions and intent.

Remember that reports on investigations, especially ones that include Mar-a-Lago court reporters, often amount to witnesses attempting to share questions they’ve been asked with other witnesses or lawyers. Trump’s team has no idea what kinds of classified items were seized. This detail suggests that among the classified documents seized are a document or documents pertaining to Milley.

According to Bobs Woodward and Costa in Peril, Milley called China twice in the last months of the Trump administration to reassure his counterpart that the US was not going to attack China without some build-up first.

On Friday, October 30, four days before the election, Chairman Milley examined the latest sensitive intelligence. What he read was alarming: The Chinese believed the United States was going to attack them.

Milley knew it was untrue. But the Chinese were on high alert, and whenever a superpower is on high alert, the risk of war escalates. Asian media reports were filled with rumors and talk of tensions between the two countries over the Freedom of Navigation exercises in the South China Sea, where the U.S. Navy routinely sails ships in areas to challenge maritime claims by the Chinese and promote freedom of the seas.

There were suggestions that Trump might want to manufacture a “Wag the Dog” war before the election so he could rally the voters and beat Biden.

[snip]

This was such a moment. While he often put a hold on or stopped various tactical and routine U.S. military exercises that could look provocative to the other side or be misinterpreted, this was not a time for just a hold. He arranged a call with General Li.

Trump was attacking China on the campaign trail at every turn, blaming them for the coronavirus. “I beat this crazy, horrible China virus,” he told Fox News on October 11. Milley knew the Chinese might not know where the politics ended and possible action began.

To give the call with Li a more routine flavor, Milley first raised mundane issues like the staff-to-staff communications and methods for making sure they could always rapidly reach each other.

Finally, getting to the point, Milley said, “General Li, I want to assure you that the American government is stable and everything is going to be okay. We are not going to attack or conduct any kinetic operations against you.

“General Li, you and I have known each other for now five years. If we’re going to attack, I’m going to call you ahead of time. It’s not going to be a surprise. It’s not going to be a bolt out of the blue.

The two Bobs also described how, in the days after January 6, Milley reviewed nuclear launch procedures with senior officers of the National Mission Command Center to make sure he would be in the loop if Trump ordered the use of nukes.

Without providing a reason, Milley said he wanted to go over the procedures and process for launching nuclear weapons.

Only the president could give the order, he said. But then he made clear that he, the chairman of the JCS, must be directly involved. Under current procedure, there was supposed to be a voice conference call on a secure network that would include the secretary of defense, the JCS chairman and lawyers.

“If you get calls,” Milley said, “no matter who they’re from, there’s a process here, there’s a procedure. No matter what you’re told, you do the procedure. You do the process. And I’m part of that procedure. You’ve got to make sure that the right people are on the net.”

If there was any doubt what he was emphasizing, he added, “You just make sure that I’m on this net. “Don’t forget. Just don’t forget.”

He said that his statements applied to any order for military action, not just the use of nuclear weapons. He had to be in the loop.

Since these details about Milley came out, Trump and his frothers have claimed Milley committed treason, in concert with Nancy Pelosi (who had expressed concerns to Milley about the safety of America’s nuclear arsenal).

The attack on Milley is the same kind of manufactured grievance — often cultivated by investigation witness Kash Patel (who was DOD Chief of Staff during the transition) — as the Russian investigation. That other inflated grievance led Trump to compile a dumbass binder of sensitive documents that didn’t substantiate his grievances. If Trump did the same with Milley, either before or after he left office, those documents might include highly sensitive documents, including SIGINT reports about China’s response to Milley’s contacts.

If DOJ were ever to charge Trump for refusing to give back classified documents under 18 USC 793(e), DOJ would select a subset of the documents to charge, probably from among those seized in August. They would pick those that, if declassified for trial, would not do new damage to national security, documents that would allow prosecutors to tell a compelling story at trial. And given WaPo’s report, there’s good reason to think there’s a story they think they could tell about documents that may be part of Trump’s grievance campaign against Milley.

WaPo also described that witnesses are being asked whether Trump shared documents, including a map, with donors.

As investigators piece together what happened in May and June of last year, they have been asking witnesses if Trump showed classified documents, including maps, to political donors, people familiar with those conversations said.

According to the story, communications from Trump’s former Executive Assistant, Molly Michael, have been key for investigators.

[A]uthorities have another category of evidence that they consider particularly helpful as they reconstruct events from last spring: emails and texts of Molly Michael, an assistant to the former president who followed him from the White House to Florida before she eventually left that job last year. Michael’s written communications have provided investigators with a detailed understanding of the day-to-day activity at Mar-a-Lago at critical moments, these people said.

Michael is likely the person in whose desk drawer at least two of the classified documents seized in August were found: the two “compiled” with messages from a pollster, a faith leader, and a book author, the kind of document you would show to donors. That document, which combines two classified documents obtained before Trump left the White House with messages from after he left, is the kind of smoking gun that shows Trump didn’t just hoard documents because of ego (as Barrett reported even after the existence of this document was made public), but because he was putting classified documents to his own personal use. We learned back in November that there was evidence that Trump had used two classified documents in what sounds like a campaign document. Perhaps one of those classified documents was a map (of Israel? of Ukraine?).

Whatever it is, this is the kind of story prosecutors might like to tell at stolen classified document trials, not just because it would show Trump putting the nation’s secrets to his own personal gain and sharing classified documents with people who never had clearance, but because it would be proof that people on Trump’s team knew of and accessed documents after they lost their need to access such documents. This document would go a long way to proving that Trump didn’t just hoard classified documents out of negligence (which is currently the explanation for why both Joe Biden and Mike Pence did), but because he wanted to make use of what he took.

Molly Michael is also the person who ordered a more junior aide to make a digital copy of Trump’s schedules from when he was President, an order that led to documents with classification markings being loaded to a laptop and likely to the cloud. That’s another example of the kind of exploitation of classified documents that would make a good story at trial.

It’s also the kind of story that could expose Michael herself to Espionage Act charges, such that she might work hard to minimize her own exposure. And yes, because she was Trump’s Executive Assistant, both at the White House and after he moved back to Mar-a-Lago, she likely can explain a lot about how Trump used documents he took from the White House and brought to Mar-a-Lago, including documents used as part of his political campaigning afterwards.

Without conceding it was incorrect, WaPo notes that in November, after it was already public that Trump had a self-interested reason to refuse to return documents, it reported it was all just ego (it now attributes that conclusion entirely to what Trump told his aides, not — as claimed in the first line of last fall’s story — what “Federal agents and prosecutors have come to believe”).

Such alleged conduct could demonstrate Trump’s habits when it came to classified documents, and what may have motivated him to want to keep the papers. The Post has previously reported that Trump told aides he did not want to return documents and other items from his presidency — which by law are supposed to remain in government custody — because he believed they belonged to him.

Even in a story describing prosecutors collecting evidence about at least two stories about classified records that they might tell at a trial, the WaPo remarkably suggests to readers that obstruction is the primary crime being investigated here.

The application for court approval for that search said agents were pursuing evidence of violations of statutes including 18 USC 1519, which makes it a crime to alter, destroy, mutilate or conceal a document or tangible object “with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency.”

A key element in most obstruction cases is intent, because to bring such a charge, prosecutors have to be able to show that whatever actions were taken were done to try to hinder or block an investigation. In the Trump case, prosecutors and federal agents are trying to gather any evidence pointing to the motivation for Trump’s actions.

[snip]

Investigators have also amassed evidence indicating that Trump told others to mislead government officials in early 2022, before the subpoena, when the National Archives and Records Administration was working with the Justice Department to try to recover a wide range of papers, many of them not classified, from Trump’s time as president, the people familiar with the investigation said. While such alleged conduct may not constitute a crime, it could serve as evidence of the former president’s intent.

By treating this as only an obstruction investigation, WaPo incorrectly claims that lying to NARA (as opposed to the FBI) could not be part of a crime.

Here’s my attempt to lay out the elements of offense of both crimes — what prosecutors would have to prove at trial (I wrote more about the elements of an 18 USC 793e charge here and here).

To prove obstruction, DOJ would focus on the things of which — WaPo describes — Jack Smith’s team has developed substantial proof. Most conservatively, they would pertain to a grand jury investigation, because that application would be uncontroversial. After DOJ sent Trump a grand jury subpoena (which would be presented at trial as proof that Trump had notice of the grand jury investigation, his knowledge of which Evan Corcoran’s recent testimony would further corroborate), Trump took steps to hide documents and thereby prevent full compliance with that subpoena, and so thwarted a grand jury investigation. That’s your obstruction charge.

DOJ could charge a second act of obstruction tied to NARA’s effort to recover documents as part of its proper administration of the Presidential Records Act. But such an application would be guaranteed to be appealed. So the safer route would be to charge behavior that post-dates Trump’s knowledge of the grand jury investigation (and indeed, WaPo describes a close focus on events that took place starting last May).

But Trump’s longer effort to deceive the government in order to hoard documents is proof of 18 USC 793(e). To prove that, DOJ would need to prove that the government, whether NARA or FBI, told Trump he was not authorized to have documents covered by the Presidential Records Act, a subset of which would include documents with classification marks. They would need to show that Trump had been told about why he needed to protect classified records, which Trump’s former White House counsels and Staff Secretary have described (and documented) doing. For good measure they would show that Jay Bratt affirmatively told Trump that he had been (and, the August search would prove, was still) storing classified documents in places not authorized for such storage.

To prove 18 USC 793(e) at trial, you would need to describe specific documents Trump refused to give back and explain to a jury why they fit the definition of National Defense Information, material that remained closely held that, if released, could do damage to the US. That may be why they’re asking questions about Trump’s obsession with Milley or sharing maps with donors: because it’s part of the story that prosecutors would tell at trial, if they were to charge 18 USC 793.

All of which is to say that WaPo not only reported that DOJ has collected more evidence to prove what DOJ already suspected when they did the search on August 8, but they’ve been collecting information that would go beyond that, to a hypothetical Espionage Act charge.

Charging a former President with violating the Espionage Act is still an awfully big lift, and in the same way that charging obstruction for impeding NARA’s proper administration of the Presidential Records Act would invite an appeal, charging 18 USC 793(e) in DC would invite a challenge on venue (and charging it in Florida would risk spending the next three years fighting Aileen Cannon). But in addition to developing more evidence to prove the suspicions that they already substantiated in August, WaPo describes Jack Smith’s team asking the kinds of questions — about specific documents that might be charged as individual violations of the Espionage Act — that you’d ask before charging it.

Asking whether Trump (or Molly Michael or anyone else from Trump’s PAC) showed donors a classified map in a package also showing polling and a faith leader’s support for Trump’s policy in an attempt to raise money doesn’t get you evidence of obstruction. If the map is classified, though, it gets you proof that Trump not only knew he had classified documents, but had turned to profiting off of them.

That’s not a guarantee they’re going to charge 18 USC 793e. It’s a pretty good sign they’re collecting evidence that might support that charge.

Update: CNN has a much more measured story, describing how Jack Smith’s team is locking in the voluntary testimony they got last summer.

The new details come amid signs the Justice Department is taking steps typical of near the end of an investigation.

The recent investigative activity before a federal grand jury in Washington, DC, also includes subpoenaing witnesses in March and April who had previously spoken to investigators, the sources said. While the FBI interviewed many aides and workers at Mar-a-Lago nearly a year ago voluntarily, grand jury appearances are transcribed and under-oath – an indication the prosecutors are locking in witness testimony.

[snip]

The grand jury activity – expected to continue to occur at a frequent clip in the coming weeks – builds upon several known reactions Trump and others around him had to the DOJ’s attempt to reclaim classified records last year, and which prompted the FBI to obtain a judge’s approval to search Mar-a-Lago in August for classified records.

Some of the evidence the DOJ has used to persuade a judge to allow that search is still under seal.

It also notes that Smith is still pursuing how a box including documents with classification marks came to be brought back to Mar-a-Lago after the search.

Since then, the Justice Department has pushed for answers around how a box with classified records ended up in Trump’s office after the FBI search took place.

Trump’s People Have Attempted to Cover Up That He Cheated to Cover Up Cheating in 2016 at Least Six Times

Among the things Trump said in his tweet yesterday complaining that he had been “indicated” is that his criminal prosecution was “a continuing attack on our once free and fair elections.”

Thanks to the former President for reminding us what the charges against him, in part, are about: That he cheated to win.

Whether it would have made a difference or not, Donald Trump believed it sufficiently important to lie to American voters about fucking two women– both Karen McDougal and Stormy Daniels — that both were paid in the last months of his 2016 campaign to prevent voters from finding out.

Paying his former sex partners to hide from voters that he cheated on Melania is not, itself, illegal.

Having corporations pay sex workers for the purpose of benefitting a political campaign is. The company that owned the National Enquirer paid for the first payment, to McDougal; Trump Organization, by reimbursing the payment that Michael Cohen made, eventually paid for the second payment, to Daniels.

The charges brought against Trump in NY reportedly relate, at least in part, to the second payment — to the treatment of the reimbursement to Cohen as a legal retainer rather than a reimbursement for a political donation. That is, the cheapskate billionaire, who could have legally paid off the women himself, allegedly covered up his cover-up.

Trump’s eponymous corporate persons have already been found guilty of serving as personal slush funds. In 2019, he admitted the Trump Foundation had engaged in self-dealing. And last year, a jury convicted Trump Organization of compensating employees via untaxed benefits rather than salary.

The new charges against Trump aren’t so much unprecedented, as they simply charge Trump’s biological person with the same crimes for which his corporate persons have already been convicted.

But there’s more history here, too. On multiple occasions, agents of Donald Trump reportedly engaged in further attempts to cover up this cover-up.

Trump Organization withheld multiple documents from investigators. Most known documents that were withheld — such as the email showing Cohen had a substantive conversation with a Dmitri Peskov aide during the election — pertain to Russia, but it’s certainly possible they withheld others.

In 2018, in the days after SDNY seized phones that included recordings of conversations about the hush payments, Trump is suspected of floating a pardon to Cohen to keep him quiet, about this and about the impossibly lucrative Trump Tower deal both had lied to hide from voters in 2016.

In an email that day to Cohen, [Robert] Costello wrote that he had spoken with Giuliani. Costello told Cohen the conversation was “Very Very Positive[.] You are ‘loved’. . . they are in our corner. . . . Sleep well tonight[], you have friends in high places.”

Cohen said that following these messages he believed he had the support of the White House if he continued to toe the party line, and he determined to stay on message and be part of the team. At the time, Cohen understood that his legal fees were still being paid by the Trump Organization, which he said was important to him. Cohen believed he needed the power of the President to take care of him, so he needed to defend the President and stay on message.

Cohen also recalled speaking with the President’s personal counsel about pardons after the searches of his home and office had occurred, at a time when the media had reported that pardon discussions were occurring at the White House. Cohen told the President’s personal counsel he had been a loyal lawyer and servant, and he said that after the searches he was in an uncomfortable position and wanted to know what was in it for him. According to Cohen, the President’s personal counsel responded that Cohen should stay on message, that the investigation was a witch hunt, and that everything would be fine.

Note that the payments for Cohen’s legal fees — which stopped after he pled guilty — are another expense that Trump Organization may not have accounted for properly.

Later in 2018, during the period where he was feigning cooperation with Mueller’s prosecutors but really just stalling past the midterm elections, Paul Manafort attempted to lie about some aspect of a different investigation:

Manafort gave different versions of events surrounding an incident in the summer 2016 that was potentially relevant to the investigation: one version that was more incriminating was given prior to signing the plea agreement (on September 13, 2018), and another that was more benign was made after on October 5, 2018, after his plea. When confronted with the inconsistency by the government and his own counsel, Manafort largely retracted the second version.

A footnote in that discussion cites the Cohen plea, suggesting the 2016 conversations that Manafort lied to prosecutors in an attempt to spin pertained to these hush payments.

83 See United States v. Cohen, 18-cr-602 (S.D.N.Y. 2018); Information, United States v. Cohen, 18-cr-602 (S.D.N.Y. Aug. 21, 2018) (Doc. 2).

Unlike Cohen, of course, Manafort did get a pardon.

In the months after Cohen’s plea, Main DOJ attempted to interfere in the Cohen investigation repeatedly, as laid out in Geoffrey Berman’s book. They did so first on Rod Rosenstein’s orders, by demanding the SDNY rewrite Cohen’s statement of offense to hide the degree to which Trump ordered the hush payments (Rosenstein’s deputy, Ed O’Callaghan, tried to eliminate all reference to Individual-1).

We then sent a copy to Rod Rosenstein, informing him that a plea was imminent. The next day, Khuzami, who was overseeing the case, received a call from O’Callaghan, Rosenstein’s principal deputy.

O’Callaghan was aggressive.

Why the length, he wanted to know. He argued that now that Cohen is pleading guilty we don’t need all this description.

[Robert] Khuzami responded, What exactly are you concerned about? O’Callaghan proceeded to identify specific allegations that he wanted removed, almost all referencing Individual-1.

It quickly became apparent to Khuzami that, contrary to what O’Callaghan professed, it wasn’t the overall length or detail of the document that concerned him; it was any mention of Individual-1.

[snip]

The team was tasked with the rewrite and stayed up most of the night. The revised information, now twenty-one pages, kept all of the charges but removed certain allegations, including allegations that Individual-1 acted “in concert with” and “coordinated with” Cohen on the illegal campaign contributions. The information now alleged that Cohen acted in concert and coordinated with “one or more members of the campaign.” But in the end, everything that truly needed to be in the information was still there.

Then, after Bill Barr came in, he amazingly tried to order SDNY to dismiss the charges against Cohen entirely, the functional equivalent of what he tried with Mike Flynn, undoing a successful criminal prosecution after the fact.

When Barr took over in February 2019, he not only tried to kill the ongoing investigations but—incredibly—suggested that Cohen’s conviction on campaign finance charges be reversed.

Barr summoned Rob Khuzami in late February to challenge the basis of Cohen’s plea as well as the reasoning behind pursuing similar campaign finance charges against other individuals. Khuzami was told to cease all investigative work on the campaign finance allegations until the Office of Legal Counsel, an important part of Main Justice, determined there was a legal basis for the campaign finance charges to which Cohen pleaded guilty—and until Barr determined there was a sufficient federal interest in pursuing charges against others.

Barr had Steven Engel write up an OLC opinion about the charges (which is likely one of the reasons SDNY didn’t charge Trump).

About six weeks later, Khuzami returned to DC for another meeting about Cohen. He was accompanied by Audrey Strauss, Russ Capone, and Edward “Ted” Diskant, Capone’s co-chief. Barr was in the room, along with Steven Engel, the head of the Office of Legal Counsel, and others from Main Justice. A fifteen-page memo, drafted by Engel’s office, had been provided to our team the day before, which they were still analyzing. I learned later that it was an intense meeting.

When SDNY refused to dismiss the case against Cohen, Barr tried to transfer the case to EDNY, under Richard Donoghue, so he could kill it.

About a week after our office tussled with Barr and Engel, Barr attempted to do just that. Word was passed to me from one of Barr’s deputies that he wanted Richard Donoghue, the US Attorney for the Eastern District of New York (who would later transfer to Main Justice to work under Barr), to take over supervision of anything I was recused from.

At the same time that Barr was trying to cover up that Trump cheated to win in 2016, Republicans on the FEC were joining in the cover-up. After FEC’s General Counsel recommended acting on several complaints about the payments, Republican Commissioners Sean Cooksey and Trey Trainor refused to do so because, they said, Michael Cohen had already been prosecuted for it and, thanks to Trump’s own actions, there was a backlog of other complaints.

Before the Commission could consider the Office of General Counsel’s (“OGC”) recommendations in these matters, Mr. Cohen pleaded guilty to an eight-count criminal information, and in connection thereto admitted, among other things, to making an excessive contribution in violation of the Act by making the Clifford payment from his personal funds. The plea hearing transcript includes a step by step review of how U.S. District Judge William Pauley verified the plea, confirming that a federal judge was sufficiently satisfied with the circumstances surrounding the plea deal and the responses given by Cohen at the hearing, including the explanations given by Cohen, count by count, during his allocution. Ultimately Mr. Cohen was sentenced to three years in prison and ordered to pay $1.39 million in restitution, $500,000 in forfeiture, and $100,000 in fines for two campaign finance violations (including the payment at issue in these matters) and other charges. In sum, the public record is complete with respect to the conduct at issue in these complaints, and Mr. Cohen has been punished by the government of the United States for the conduct at issue in these matters.

Thus, we concluded that pursuing these matters further was not the best use of agency resources. The Commission regularly dismisses matters where other government agencies have already adequately enforced and vindicated the Commission’s interests. Furthermore, by the time OGC’s recommendations came before us, the Commission was facing an extensive enforcement docket backlog resulting from a prolonged lack of a quorum, and these matters were already statute-of-limitations imperiled.

This was one of 22 credible campaign finance allegations against Trump that Republicans refused to consider, nothing less than a partisan effort to make the leader of their party immune from all campaign finance rules.

There’s a lot of shite being written about how the indictment of a former President — for actions that stem from cheating to win — will test democracy.

But Trump’s serial cover-ups of his own actions in this and other matters already threaten democracy.

Trump is right: This is about free and fair elections. This is, like most of his allegedly criminal behavior, about his refusal to contest elections fairly. It’s about his corruption of the entire Republican Party, from top to bottom. And it’s about one of at least six times that Trump and his agents have tried to cover up that he cheated to win in 2016.

Donald Trump, Accused Criminal

NYT reports that Trump has been indicted. CNN has confirmed.

A Manhattan grand jury voted to indict Donald J. Trump on Thursday for his role in paying hush money to a porn star, according to four people with knowledge of the matter, a historic development that will shake up the 2024 presidential race and forever mark him as the nation’s first former president to face criminal charges.

The felony indictment, filed under seal by the Manhattan district attorney’s office, will likely be announced in the coming days. By then, prosecutors working for the district attorney, Alvin L. Bragg, will have asked Mr. Trump to surrender and to face arraignment on charges that remain unknown for now.

These are just the training wheel charges.

The Yahoos in Brazil Identified in Sergey Cherkasov’s Complaint

There’s a detail in Greg Miller’s profile of Sergey Cherkasov, the Russian accused of posing under an assumed Brazilian identity and using a SAIS degree to get an internship at the ICC, that confirms something I’ve long assumed: the US has had a hand in the recent roll-up of Russian spies, mostly in Europe.

He was due to start a six-month internship there last year — just as the court began investigating Russian war crimes in Ukraine — only to be turned away by Dutch authorities acting on information relayed by the FBI, according to Western security officials.

[snip]

His arrest last April came at the outset of an ongoing roll-up of Russian intelligence networks across Europe, a crackdown launched after Russia’s invasion of Ukraine that officials say has inflicted greater damage on Kremlin spy agencies than any other effort since the end of the Cold War.

The FBI and CIA have played extensive behind-the-scenes roles in this wave of arrests and expulsions, according to Western officials.

As Miller describes, the Dutch realized that Russians stationed in the Hague were preparing to welcome a new agent, but by then, the US already had an incredibly detailed dossier on him.

On March 31, as he boarded a flight to Amsterdam, neither Cherkasov nor his GRU handlers seemed aware of the net closing in on him. By then, the Dutch intelligence service had picked up its own signals that the Russian Embassy in The Hague was making preparations for the arrival of an important new illegal, according to a Western security official.

Authorities in the Netherlands then received a dossier from the FBI with so much detail about Cherkasov’s identity and GRU affiliation that they concluded the bureau and the CIA had been secretly monitoring Cherkasov for months if not years, according to a Western official familiar with the matter.

Until DOJ charged him last week, this had been largely a European story, with Dutch intelligence crowing about their success at foiling his plans and Bellingcat serially unpacking his public life (though CNN published this story at the time). Significantly, the Dutch published his legend and an explanation of how it might be used, with translations into Dutch and English from the original Portuguese.

As noted below, the US would later source its own possession of the legend to devices seized from Cherkasov on arrest in Brazil.

However, as Brazil gets closer to extraditing Cherkasov back to Russia on a trumped-up narcotics trafficking charge, the US stepped in to make their own claim with the criminal charges: multiple counts of fraud, as well as acting as an unregistered agent of a foreign power. It’s not yet clear how Brazil will respond to the competing charges. Contrary to some reporting on the charges, DOJ has not yet indicted the case. The complaint has not yet been docketed.

Which is why I wanted to look at the sourcing for the complaint.

Many of the sources in the complaint come by way of Brazil, temporally after the Dutch deported him and the Brazilians arrested him, and so long past the time the US shared “a dossier” from the FBI reflecting months if not years of review. Brazil-sourced evidence includes:

  • A picture taken on Cherkasov’s 2011 immigration into Brazil
  • His Brazilian birth certificate
  • The details behind Brazil’s identity theft charges
  • Items collected — as if for the first time — from devices Cherkasov had with him when he arrived in Brazil, including:
    • The hard drive
    • Thumb drive 1
    • Thumb drive 2
    • Thumb drive 3, including:
      • March 2022 emails of unknown provider with details about a dead drop
      • Details about his dead drop site
      • March 2022 emails about paying for false Portuguese citizenship
      • March 2022 emails about establishing a meeting place
    • Samsung Galaxy Note phone
      • His mother’s Kaliningrad contact
      • 90 contacts with someone whose Telegram account and VKontakte account lead to a 2011 picture of Cherkasov in military uniform and a 2008 picture with friends
      • Contacts from one of those friends to a posted picture in military uniform (a picture also shown in the original Bellingcat profile)
  • Devices collected from the dead drop shared by Brazilian authorities
  • Correspondence between Brazil and Russia about Cherkasov
  • Audio messages between Cherkasov and his fiancée from immediately after his arrest in the Netherlands
  • Post-arrest communications between Cherkasov and his one-time fiancée, at least some of which were photographs of hand-written notes
  • Validation of Cherkasov’s ID in certain photos from FBI agents who met him in 2022 (though these meetings are not explicitly described to have taken place in Brazil)
  • A Bellingcat story debunking the Russian narcotics charges against Cherkasov

The focus on the phone, especially, cites evidence that would be fairly easily collected via other sources, but attributes that evidence to analysis the FBI did only downstream from the Brazilian arrest, and with the assent of Brazil. The complaint doesn’t explain whether these devices were encrypted or even what messaging applications were used, at least on the thumb drives including communications with his handlers. But there’s at least some reason to believe Brazil let FBI take the lead on exploiting those devices.

To be sure, there are items that the US could have collected in the US, whether before or after Cherkasov flew to the Hague, such as an Uber receipt timed to his travel to the dead drop in Brazil and IP addresses tied to US-based cloud providers like Yahoo and Google. Just once does the complaint reference using legal process — a 2017 video from a Moscow airport restaurant, obtained using legal process, reflecting Cherkasov saying goodbye to his mother — though it doesn’t describe what kind (it sounds like it could be iCloud content).

Still, the emphasis on material obtained with subpoenas and investigative steps done while Cherkasov has been in Brazilian custody — whether or not that was the first that FBI obtained such evidence — is one reason I’m interested in the outliers.

This is a document that could form the basis to extradite Cherkasov to the US — it seems more than sufficient to make that case. But it’s also a document that might reflect on the kinds of investigations that have contributed to efforts to roll up spies outside of the US.

First, there are details about communications that Cherkasov had, while studying at Trinity College in Ireland and so not a US person at all — via known Section 702 participant, Yahoo!!! — with a tour agent who wrote recommendations for Cherkasov and later worked at Russia’s General Consulate and, apparently, with the General Consul himself.

CHERKASOV used the Yahoo 1 Account on multiple occasions to contact individual “C2” who was communicating with CHERKASOV from Brazil. C2 communicated with CHERKASOV on numerous matters, including financial matters, between at least July 22, 2016, and December 27, 2019. According to a translation of C2’s curriculum vitae, C2 worked in Brazil at “The General Consulate of the Russian Federation,” for “General Consul [M.G.]”

[snip]

35. Other emails show C2 took direction from another person, M.G., about financial payments that C2 sent to CHERKASOV. In correspondence between C2 and M.G., C2 refers to M.G. as “Mikhail” and the email address is identified in C2’s contacts as “MikhailRussia.” For example, on or about November 30, 2016, C2 forwarded M.G. correspondence from CHERKASOV that indicated another payment to CHERKASOV was imminent. M.G. responded by sending an email to C2 instructing C2 to make a payment to CHERKASOV: “Friend; thank you very much. Let’s do another one on the 14th of December.” According to further correspondence, CHERKASOV was able to receive the original transaction intended via MoneyGram. However, after corresponding to CHERKASOV that C2 would attempt to make transactions via Western Union the following day, financial records indicate C2 attempted to make two separate transactions via Western Union shortly after on December 16 and 18, 2016, for $842.65 and $867.55, respectively, but the funds were never transferred to CHERKASOV. CHERKASOV corresponded on December 19, 2016, that Western Union would not work properly and moving forward, the transactions should be made via Moneygram. C2 corresponded back to CHERKASOV on December 20, 2016, that C2 had sent €750 again via Moneygram to CHERKASOV.

36. C2 also stated in other emails that C2 previously owned a travel agency in Brazil, and that the Russian Federation was one of C2’s best clients. C2 later moved to the Russian Consulate after C2 closed the travel agency.

37. On or about March 8, 2017, C2 wrote a letter of recommendation for CHERKASOV for a university located in Canada. In the letter, C2 indicated FERREIRA worked as a travel consultant for C2 from May 2014 until March 2017, and as a senior event manager in

It’s possible that something Cherkasov did while at SAIS triggered a larger investigation that worked its way back to two likely Russian spies in Brazil. It’s also possible that the investigation started from known subjects in Brazil and thereby discovered Cherkasov.

But one thing these two references do — aside from identifying the travel agent later made part of the official Russian delegation, aside from making Cherkasov’s tie to Russian government officials necessary for the 18 USC 951 charge — is put both Brazil and Russia on notice that the US is aware of these two suspected intelligence officers who were or are in Brazil.

Both C2 and the Consul General would have been legal targets for the entirety of the period in question and (as noted) Cherkasov was while he was in either Ireland or Brazil.

Another of the relatively few pieces of evidence unmoored from the Brazil arrest pertains to collection Cherkasov shared after taking a SAIS trip to Israel. The details around the reporting — the single-use email directing Cherkasov to fly to the Philippines to meet — definitely give the story spy drama.

Just as interesting, however, are the descriptions of the identifiable US (and Israeli) subjects targeted by Cherkasov’s collection.

45. On or about January 16, 2020, CHERKASOV, using his D.C.-based phone number, texted with M.S. at a Philippines-based number for M.S. the following:

CHERKASOV: Hey [M], I arrived…Where do you want to meet?

[M.S.]: Grab a taxi and ask to drive via skyway.

CHERKASOV: On my way. Will be there in approx. 15 min.

[M.S.]: Ok. Here

CHERKASOV: I can’t find it

[M.S.]: Names?

CHERKASOV: Yea, I’ll text you then when I’m in the airport.

CHERKASOV: Texting you the names.

CHERKASOV: Sent you a list there. Now whom we met.

CHERKASOV: All people from the Jerusalem Embassy, literally every single one, even LGBTQ advisor. [N.G.] – security expert, local. I think he is a spook. [?.L.] ‘kingmaker’ – [Israeli political] party leader

CHERKASOV: The previous list didn’t sent [sic], I’ll retype it.

CHERKASOV: Can I send it to you email?

CHERKASOV: This SMS shit kills me

[M.S.]: Sure.

46. On or about January 17, 2020, CHERKASOV sent M.S. an email with a screen shot of names, mostly U.S. persons (“USP”), stating the following: Just a list of interesting people that I was talking to you about Experts side: [USP 1] – DoS, middle Eastern direction advisor the president admin, former [University 1] student.

[USP 2] – FDD, military security adviros [sic] to the Congress Committee on Intelligence, [USP 3]’s assistant. [“TT1”] group: [USP 4] – [USP 5] chair, came only for a day though, [USP 6] – main guy to call shots, Israeli expert came with small team of his own. [University 1, University 2] student leader: [USP 7] – Anapolis [sic] Naval Academy Cyber Sec instructor

While just one of the people involved in Cherkasov’s targeting — his SAIS professor, Eugene Finkel — has explicitly spoken out about being duped by Cherkasov, virtually all of these people (and a bunch more described later in the complaint) are likely to be able to identify themselves.

There are a few I suspect I recognize and, if I’m right, they’ve been apologists for Trump’s propaganda about Russia.

Notably, this messaging involved a US-based phone, one not obviously included among the devices seized from Cherkasov when he returned to Brazil. The FBI Agent who wrote the affidavit couldn’t have obtained the messaging in real time — he or she has only worked at the FBI since 2021, and the messaging dates to early 2020. But the affidavit does reference “surveillance that I have conducted.”

In general, the FBI is revealing almost nothing obtained via sensitive sources and methods — that’s one reason the reliance on evidence obtained via Brazil is of interest to me. Given how the US has allowed European countries to take credit for these stings, I find it interesting that the US almost creates the misimpression that it only discovered Cherkasov — that it accessed his legend that the Dutch had upon his arrest — when he arrived in Brazil.

But in just a few spots, the affidavit gives a glimpse of what else the US Intelligence Community might know.

The US has not really taken much credit for helping a bunch of European countries roll up Russian spies (though they’re likely reminding them of the role Section 702 plays in the process). But this document, seemingly released because they had reason to exert legal pressure on a country that is fairly close to Russia, likely serves multiple purposes. While it doesn’t give away a lot, it does hint at far more.

Update, 4/6: The Guardian reported that two suspected Russian illegals, one presenting as Brazilian and the other presenting as Greek-Mexican, disappeared in January.

Halfway through a trip to Malaysia in January, Gerhard Daniel Campos Wittich stopped messaging his girlfriend back home in Rio de Janeiro and she promptly launched a frantic search for her missing partner.

A Brazilian of Austrian heritage, Campos Wittich ran a series of 3D printing companies in Rio that made, among other things, novelty resin sculptures for the Brazilian military and sausage dog key chains.

[snip]

The Brazilian foreign ministry and Facebook communities in Malaysia mobilised to look for the missing man. But Campos Wittich had simply disappeared.

Greece believes Campos Wittich was a Russian illegal with the surname Shmyrev, said the official, while his wife, “Maria Tsalla”, was born Irina Romanova. She married him in Russia before their missions began and took his surname, the Greeks claim. She left Athens in a hurry in early January, just after Campos Wittich left Brazil. Neither have returned.

If I’m right that the FBI chose to use the Cherkasov complaint in part to identify those in Brazil who were running illegals, it may be because the disappearance of another Brazilian illegal in January led the US Intelligence Community to believe Russia had figured out what the US knew.

Donald Trump’s Dumbass Russia Binder

There is some tie between Donald Trump’s effort — as one of his last acts as President — to declassify a binder of materials from the Crossfire Hurricane investigation and his hoarding of still-classified documents that could get him charged under the Espionage Act.

It’s not yet clear what that tie is, though.

On May 5 of last year, Kash Patel offered the declassification effort as an alibi, claiming Trump had declassified a bunch of materials, including not just the Crossfire Hurricane materials, but everything else discovered in boxes returned to NARA in January 2022. Kash’s claim would be included in the search affidavit for Mar-a-Lago and ultimately lead to his compelled testimony in the investigation.

Last fall, at a time when Alex Cannon and Eric Herschmann would have been under some scrutiny for their role in Stefan Passantino’s dubious legal advice to Cassidy Hutchinson, Maggie Haberman told a story in which the Trump lawyers heroically warned Trump about the risks of holding classified documents. That story claimed Trump had offered to swap the documents he did have for the Russian-related documents the former President believed NARA had.

It was around that same time that Mr. Trump floated the idea of offering the deal to return the boxes in exchange for documents he believed would expose the Russia investigation as a “hoax” cooked up by the F.B.I. Mr. Trump did not appear to know specifically what he thought the archives had — only that there were items he wanted.

Mr. Trump’s aides — recognizing that such a swap would be a non-starter since the government had a clear right to the material Mr. Trump had taken from the White House and the Russia-related documents held by the archives remained marked as classified — never acted on the idea.

The story doesn’t mention Cannon’s role in a fall 2021 inquiry to NARA about the Russian documents. Nor does it say that National Archives General Counsel Gary Stern told Cannon and Justin Clark that NARA had 2,700 undifferentiated documents, but that the binder Trump wanted declassified had been rendered a Federal Record when it got sent back to DOJ.

That’s what NARA told John Solomon on June 23, 2022 — that Trump’s lawyers had requested the binder in fall 2021 — in Stern’s first explanation for why NARA didn’t have the binder.

John, fyi, last fall Justin Clark, another PRA representative of President Trump, also asked us for a copy of this declassified binder. Upon conducting a search, we learned that the binder had been returned to the Department of Justice on January 20, 2021, per the attached memo from Chief of Staff Mark Meadows to the Attorney General, titled “Privacy Act Review of Certain Declassified Materials Related to the FBI’s Crossfire Hurricane Investigation.”

Accordingly, we do not have the binder containing the declassified records. As we explained to Justin, what we were able to locate is a box that contains roughly 2700 undifferentiated pages of documents with varying types of classification and declassification markings, but we could not be certain of the classification status of any of the information in the box. We are therefore obligated under Executive Order 13526 to treat the contents of the box as classified at the TS/SCI level.

Then on August 9 and again on August 10 last year, immediately following the search on Mar-a-Lago, Solomon asked for all correspondence between Cannon and NARA up until days before the search.

Gary, John: My research indicates there may be a new wrinkle to the Russian declassified documents. As part of my authorized access, I would like to see all correspondence between NARA and attorney Alex Cannon between December 2020 and July 31, 2022. I think the information will have significant value to the public regarding current events. Can that be arranged?

[snip]

Checking back on this. It’s time sensitive from a news perspective. Can you accommodate?

Stern, no dummy, likely recognized that this information would not just have news value, but would also have value to those under criminal investigation; he responded with lawyerly caution. As NARA representative for Trump, he explained, Solomon was only entitled to access Presidential records — those that predate January 20, 2021 — and communications between Cannon and NARA post-dated all that. But, Stern helpfully noted, Cannon was cc’ed on the request for the Russian binder.

It’s important to clarify that, as a designated PRA representative of President Trump, you may receive access to the Presidential records of the Trump Administration that have been transferred to NARA, which date from January 20, 2017 to January 20, 2021.

Alex Cannon has represented President Trump on PRA matters (along with Justin Clark) only since the summer of 2021, principally with respect to the notification and review process in response to special access requests. Accordingly, there would not be any Trump Presidential records between NARA and Alex Cannon.

FYI, in my June 23 email to you (which is below within this email thread), I noted that “last fall Justin Clark, another PRA representative of President Trump, also asked us for a copy of this declassified binder.” Alex Cannon was cc’d on Justin’s request and our response. I am not aware of any other communications that would exist between NARA and Alex about this matter. [my emphasis]

That would be the only communications “about this matter,” seemingly distinguishing the Russian binder from the missing Presidential records.

At the time Maggie was distracting the chattering classes with the swap story, ABC had a very thorough story that revealed some of what Stern had explained to Solomon last year. That story suggests the month-long focus on the Russian binder had led overall compliance with the Presidential Records Act to be lacking. As Hutchinson tells it, it was worse, with 10 to 15 NSC staffers madly copying classified documents in the last days Trump was in office, with two sets of four copies — one still classified, one less sensitive — circulating to who knows where.

The tie between the Russian documents and the documents Trump stole may be no more than the alibi Kash tried to use them as, an attempt to claim that the limited declassification was instead a blanket effort. Perhaps it was also a failed effort to use Kash and Solomon as moles to figure out what NARA got back. Or perhaps some of these materials madly copied at the last moment were among the classified documents Trump took with him. Perhaps some of those materials were among the still-classified documents Trump took and hoarded in a storage closet with a shitty lock.

But that tie is one of the reasons I read the version of the binder released earlier this year in response to a Judicial Watch FOIA closely (release 1, release 2).

That is one dumbass binder. If you’re going to expose yourself and your assistants to Espionage Act prosecution, this is one dumbass document to do so over.

Having reviewed it — even with great familiarity with the unending ability of certain frothers to get ginned up over these things — I cannot believe how many people remain obsessed about this document.

The document, as released to Judicial Watch, is little more than a re-release of a bunch of files that have already been released. Perhaps the only released documents I hadn’t read closely before were memorializations that Andy McCabe wrote of conversations he had in the wake of Jim Comey’s firing with and about Trump, including the one that described Rod Rosenstein offering to wear a wire to meetings at the White House.

And because DOJ subjected the documents to a real Privacy Act review, unlike declassifications effectuated by Director of National Intelligence John Ratcliffe when Kash babysat him as his Chief of Staff, a number of the documents actually are more redacted than previous versions, something that will no doubt be a topic of exciting litigation going forward.

Mark Meadows ordered DOJ to do a Privacy Act review and as a result great swaths of documents were withheld, page after page of b6/b7C exemptions as well as b7D ones to shield confidential information.

Here’s what got released to Judicial Watch, along with links to the previous releases of the documents:

The Bruce Ohr 302s are the only documents that include much newly released materials, mostly reflecting Igor Danchenko’s subsequent public identification. Both the candidate briefing and the Carter Page FISA application include significantly more redaction (and those are not the only interesting new redactions); given the redactions, it doesn’t look like Trump contemplated disseminating any Page material that was sequestered by the FISA Court, which would have been legally problematic no matter what Trump ordered, but references to the sequestration were all redacted.

As noted above as Requests 1, 5, 6, 14, and 17, there were five things Trump asked for that were still pending at DOJ when Trump left office. Two of those are identified: A request for materials on Perkins Coie lawyers, which (DOJ informed Trump) had no tie to Crossfire Hurricane, and a request for details on an August 2016 meeting involving Bruce Ohr, Andrew Weissmann, and one other person “concerning Russia or Trump.”

There were a number of communications between Ohr, Weissmann, and others later in 2016, including communications potentially relating to an effort to flip Dmitry Firtash, as well as October 2016 communications between Ohr and McCabe. But the jumbled timeline of Ohr’s communications has often been used to insinuate that the Crossfire Hurricane team learned of the Steele allegations earlier in the investigation than the September 19 that DOJ IG reflects. In any case, some of these meetings likely touched on Oleg Deripaska and some might touch on the suspected Egyptian donation Trump used to stay in the race past September 2016, not the dossier.

Between other then-pending requests and big chunks of withheld information (I’ve noted the biggest chunks above, but it would be around 300 pages total), there are things I would have expected to see in this binder that are not there. For example, almost none of the material released as part of DOJ’s attempt to undermine the Flynn investigation (links to which are in this post) is included here. Most of that stuff constitutes information that would never normally be released. It was egregiously misrepresented by Barr’s DOJ. Some of the files were altered. If these were requested, I can think of a number of reasons it would take DOJ a while to provide the materials. Even still, though, the materials didn’t persuade Emmet Sullivan to overturn Flynn’s prosecution, and documents left out of this bunch — such as Flynn’s later 302s, including some where he obviously told the same lies he had told in January 2017 — would easily rebut any claims Trump might offer with the Flynn documents.

The documentation showing Strzok learning of a Russian intelligence product claiming not very damning things about Hillary is not in here. That, too, is something that would never have been released with a normal DNI not being led around by Kash Patel and it’s one that would take DOJ a good deal of time to clear. But as I laid out here, the report came after Trump had already demonstrably started pursuing files stolen by Russia. By the time Hillary purportedly decided to call out Trump for encouraging the Russian hack, Trump was encouraging the Russian hack.

Given that Mike Rogers’ 302 from the Mueller investigation is included here, you’d expect those of Trump’s other top intelligence officials to be included as well. Dan Coats and Mike Pompeo were interviewed in the weeks after Rogers. Coats’ aide Mike Dempsey and NSA Deputy Director Rick Ledgett were also interviewed about Trump’s March 2017 effort to get the IC to deny he had a role in Russian interference, as was Trump’s one-time briefer Edward Gistaro (Gistaro was interviewed a second time in 2018, in an interview treated as TS/SCI, which likely pertained to his involvement in briefing at Mar-a-Lago during the transition). Details of these interviews show up in the Mueller Report, and his request only helps to make Trump look more guilty.

It doesn’t include materials released as part of the failed Sussmann and Danchenko prosecutions. But like Barr’s effort to overturn the Flynn prosecution, none of that evidence sustained Trump’s conspiracy theories either. Indeed, during a bench conference in the Danchenko trial, Durham fought hard to keep the substance of the discussions — ostensibly about energy investments — between Sergei Millian and George Papadopoulos starting in July 2016 out of the trial because, “it certainly sounds creepy.” The Sussmann trial showed how justified people were in wondering about Trump’s Russia ties in the wake of his “Russia are you listening” comment. It provided a glimpse of how time-consuming being a victim of a nation-state hack had been for Hillary in 2016. Durham even demonstrated that FBI badly screwed up the Alfa Bank investigation. When subjected to the rules of evidence, none of Trump’s hoax claims hold up.

The point is, nothing in this binder — particularly as released — supports Trump’s claims that the investigation into him wasn’t independently predicated and didn’t lead to really damning information implicating at least five of his top aides and his own son.

Trump keeps trying to collect some set of evidence that will make go away the far more damning ties to Russia that his National Security Advisor, his Coffee Boy, his personal lawyer, his campaign manager, and his rat-fucker all lied to hide. And in this case, it may have led Trump to do something far dumber, to defy a subpoena and hoard highly classified documents.

Which possibility only makes the dumbass Russia binder even more of a dumbass Russian binder.

“That’s How … You End Up as a Defendant in a Court Room:” Some Days in the Life of a Named-and-Shamed Former GRU Hacker, Ivan Ermakov

In early 2018, Ivan [Y]Ermakov,* one of the hackers alleged to have stolen John Podesta’s emails two years earlier, was living it up.

For his April 10 birthday that year, he went on a stunning heli-ski trip with his future co-conspirator, Vladislav Klyushin (Ermakov is on the left in this picture, Klyushin, on the right and in the Featured Image picture).

In summer 2018, they were enjoying the Sochi World Cup together, too.

Just days after this trip to Sochi, however, on July 13, 2018, Robert Mueller would indict Ermakov, along with eleven of his former GRU colleagues, for hacking the DNC, DCCC, Hillary Clinton, election vendors, and registration websites, as well as orchestrating the release of the stolen files.

By the time of that first indictment against him — the first of three known indictments against the Russian hacker so far — Ermakov had already made one of the fatal slip-ups that would form part of the proof against Klyushin at trial, this time for a hack-and-trade scam. On May 9, 2018, Yermakov received three updates from his Apple iTunes account to the IP address 119.204.194.11. Just four minutes later, someone using that IP address downloaded an SEC filing using credentials stolen from a Donnelly Financial employee named Julie Soma. That download occurred hours before the report would be publicly filed with the SEC, one of dozens of such thefts of SEC filings that formed the basis of the hacking and securities fraud charges against the men.

So months before Mueller’s indictment alerted Ermakov that the FBI had discovered who he was and that they believed he was one of the hackers behind the 2016 hack, he had already left proof in US-based servers that would tie him to a follow-up crime, the hack-and-insider trading conspiracy for which Klyushin was convicted in February.

Klyushin has challenged the verdict, largely based on a technical challenge to the venue of the charges in Massachusetts.

Per trial testimony, Ermakov left those tell-tale forensic tracks four months before Klyushin would first get involved in the hack-and-trade scheme, in August 2018. The scheme was doomed from the start — at least, it would be doomed if any of the identified co-conspirators traveled to a jurisdiction that would extradite to the US, as Klyushin did in March 2021.

In fact, there’s something curious about that.

One thing submitted as evidence at trial was a picture of a May 22, 2017 Reuters article reporting the US sentence for Ukrainian hacker Vadym Iermolovych, one of ten people prosecuted for a hack-and-trade conspiracy similar to the one for which Klyushin was convicted.

According to the FBI agent who introduced the exhibit, the picture itself was taken in August 2018. Someone printed out the article and packaged it up in a plastic folder over a year after the fact. That suggests Klyushin was in discussion with a very well-connected friend about the possibility of such charges in the same month that Klyushin first got involved in the scheme.

The possibility of prosecution hung over the conspiracy from the start.

Thanks to Klyushin’s promiscuous storage of damning evidence in his iCloud account, from which many of the pictures and chats in this post were obtained by the FBI, the Klyushin case offers an unprecedented public glimpse into the effect that US indictments against nation-state hackers like Ermakov might have on one of the target’s lives. In Ermakov’s case, it didn’t stop him from hacking US targets. Indeed, it’s possible that others used the indictments to pressure Ermakov to use his hacking skills for them.

Since 2014, DOJ has been indicting nation-state hackers in what have always been assumed to be name-and-shame documents, indictments that would never lead to trial. Indeed, that’s what the two earlier indictments of Ermakov have always been assumed to be: a public accusation that would never lead to Ermakov’s imprisonment. The wisdom of indicting nation-state hackers has never been obvious. Yevgeniy Prigozhin’s exploitation of his own name-and-shame indictment has revealed the potential perils of the policy. And Russian denialists brush off the July 2018 indictment charging Ermakov and others with the election year hack (as Matt Taibbi did in his recent congressional testimony), arguing that since the indictment will never be tested at trial, it could be mere government propaganda.

At least in the case of the 2016 Russian operation, the indictment has done little to persuade denialists, who simply refuse to read about the many places where the hackers left evidence.

In a follow-up, I’ll show how DOJ proved their case against Klyushin using the same kind of evidence they used in the earlier indictments against Ermakov and his colleagues, largely metadata and content obtained from US-based and a few foreign servers. DOJ may never get a chance to prove the first two indictments against Ermakov, but using the same investigative techniques, they did prove the case against Ermakov’s co-conspirator, Klyushin.

This case, where a sealed complaint ultimately led to the trial of one co-conspirator of a hacker previously charged, also provides a glimpse of what happened after one nation-state hacker got name-and-shamed in the US.

It’s not clear from the trial record when Ermakov left the GRU or who his formal employer was before he joined Klyushin’s M-13, an information services company with ties to Putin’s office that offered, among its services, pen testing.

The FBI found a contact card for Igor Sladkov, with whom Ermakov may have started the hack-and-trade scheme at least as early as October 2017, in Ermakov’s own iCloud account, one of the only interesting pieces of evidence they found there. It was dated November 16, 2016, just over a week after Donald Trump got elected with Ermakov’s help. Sladkov — whose iCloud OpSec was just as shoddy as Klyushin’s — had a bunch of photos of Ermakov in his iCloud account, including the hacker’s passport, a 2016 picture of Ermakov sitting before an enormous plate of some animal flesh, and a picture from Ermakov’s 2018 ski trip, as well as a picture of Klyushin’s yacht that Ermakov had shared.

Before trial, Klyushin’s team argued that Ermakov never worked for Klyushin’s company, bolstering the claim with a chat from May 2019 in which Ermakov bitched about his job to Klyushin and a certificate from the Russian tax service claiming that [Y]Ermakov never worked at M-13.

But days after that chat, per another pre-trial filing, Ermakov spoke longingly of being able to travel like Klyushin could. Klyushin responded that he would get Ermakov new identity papers so the two could travel to Europe together, but not — Klyushin conceded — London or America. Klyushin seemingly used that discussion as background to press Ermakov to get back to work, with the implication being he should get back to the hack-and-trade scheme.

That is, Ermakov appears to have included Klyushin in the hack-and-trade scheme while still working for someone else. And Klyushin seems to have used his promise to help Ermakov mitigate the risks created by those earlier indictments to pressure Ermakov to keep hacking. If that’s right, the vulnerability created by the earlier indictments gave Klyushin leverage to get Ermakov to keep hacking.

But Ermakov did eventually join M-13, at least informally. At trial, the government introduced an M-13 employee list reflecting Ermakov’s participation in a specific project. And they submitted a picture, from December 2019, showing Ermakov with an M-13 sticker, within days of the time when a staging server similar to the one used in the 2016 hack of the Democrats was set up.

Klyushin may have even incorporated Sladkov into M-13. The FBI found a proposal for a data analysis service, dated September 4, 2019, which M-13 would introduce on October 28, 2020, as well as encrypted communications from an M-13 chat application, in Sladkov’s iCloud account.

Klyushin fought hard to exclude one of the most telling pieces of evidence that the hacking scheme came to be tied to M-13 — the four Porsches that, Klyushin bragged to an investor, he had bought for himself, Ermakov, and one other co-conspirator with the proceeds of the insider trading.

But this currency — expensive gifts — seems to have been at least part of the way Ermakov was compensated for his role in the scheme.

Ermakov did not engage in any trading himself. Instead, two men in St. Petersburg, two associated with M-13 (including Klyushin himself), and three clients of M-13, profited off documents [Y]Ermakov seems to have stolen.

But in addition to the Porsche, on August 17, 2020, ten days before the delivery of the Porsches, Ermakov took possession of a Moscow house worth millions, the loan agreement for which Klyushin reportedly ripped up. Months earlier, Klyushin had tied paying for the house with continued hacking — which, Klyushin joked, amounted to just turning on the computer and thinking about making money.

Ermakov was effectively printing money for Klyushin, and his reward was that house.

In September 2020, the hack-and-trade scheme would be shut down for good.

Throughout the time it was going, however, those co-conspirators knew of the indictment against Ermakov. Sladkov downloaded Ermakov’s wanted poster from the FBI website on October 5, 2018, just a day after Ermakov was charged in the 2016 hack-and-leak of anti-doping agencies while Ermakov was still a GRU officer.

And on October 4, 2020, Klyushin took a screencap of Ermakov’s wanted poster from the FBI website.

By the time Klyushin took this screencap, the victim filing agencies had finally shut down Ermakov’s access to the site, after eight months of trying. Perhaps Klyushin was contemplating what that would mean or how it had happened? According to trial evidence, DOJ didn’t identify the hack-and-trade scheme by tracking what Ermakov was doing. Rather, the investigation started when the SEC started tracking some large-scale trading by a bunch of Russians together, then asked the filing agencies if they had been hacked. At least according to the public record, the involvement of Ermakov was disclosed only after working backwards from the forensic evidence. But in October 2020, Klyushin may have considered the risks of entering into a hack-and-trade scheme with a hacker whose habits were already known within the FBI.

By then it was too late. Indeed, Ermakov had already warned his boss about his shoddy OpSec. On July 18, 2019, Klyushin asked Ermakov and the other M-13 co-conspirator Nikolai Rumiantcev how the hack-and-trade was going. He included pictures of two of the M-13 investors. In response, Ermakov warned his boss that that kind of OpSec is the kind of thing that would land him as a defendant in a courtroom.

Q. Okay, thank you. And now can we move to 3980, please. And this date is?

A. This is July 18 of 2019.

Q. Would you begin with 3980.

A. “Vladislav Klyushin: So what did we earn today?”

Q. And then there’s an attachment?

A. Correct.

Q. And then he says what?

A. Ermakov responds: “About 350 and another 350 in the mind. Sasha the most among the rest. “Klyushin: Our comrades are wondering.”

MR. FRANK: Could we stop right there, and I realize it’s hard, Ms. Lewis, because we’re in the Excel, but could you please display Exhibits 52 and Exhibit 50.

Q. Those are the attachments, Special Agent. Have you had an opportunity to review those?

A. Yes.

Q. Who’s depicted in Exhibits 52 and 50?

A. On the left, 52 is Sergey Uryadov. On the right is Boris Varshavskiy in Exhibit 50.

MR. FRANK: I offer 52 and 50. (Exhibits 50 and 52 received in evidence.)

Q. Okay. So those are the two attachments Mr. Klyushin has just transmitted in the chat?

A. Yes.

Q. Can we go back to the chat and pick up where we left off. So Mr. Klyushin says, “What did we earn today? Our comrades are wondering.” Could you continue, please, at 3987.

A. After sending those pictures we just looked at, Ermakov replies: “Vlad, you are exposing our organization. This is bad.” “Nikolai Rumiantcev: Vlad, stop sending to Threema.” Klyushin replies, “So sorry.” “Ermakov: And that’s how they get you and you end up as a defendant in a courtroom.”

Q. How does Mr. Klyushin respond?

A. Klyushin responds, “Removed. Open a chat with us already. “Ermakov: Go ahead and create. It was a bad move now. “Klyushin: Sorry. Did a dumb thing. “Rumiantcev: I suggest to recreate the chat with the deletion of attachments in Threema, or switch to ours if ready. “Klyushin: I will delete this one on my end.”

Klyushin did delete this chat. Rumiantcev left it in his iCloud account, where the FBI found it.

At the time, the men appear to have been shifting their trading discussions to the encrypted M-13 chat application found in all their iCloud accounts, finally taking measures to cover their tracks going forward, over eighteen months into the hack-and-trade conspiracy. Going forward, those working with Ermakov might not exhibit the kind of abysmal OpSec that produced abundant trial evidence against his co-conspirator. Maybe they learned their lesson, and they’ll be able to exploit Ermakov’s skill more safely going forward.

It remains to be seen whether the prosecution of Klyushin, with his ties to even higher ranking Russians, does more than hold him accountable for millions in fraudulent trades. But that may have little effect on the life of John Podesta’s suspected hacker.

* The government has used two different transliterations for [Y]Ermakov’s last name. In 2018, they used the one that aids in pronunciation. In 2021, they used the direct transliteration from the Cyrillic. Because evidence submitted at Klyushin’s trial uses the initials “IE” to refer to Ermakov, I’ll adopt that spelling here.

On Joshua Schulte’s Alleged Substantial Amount of CSAM … and Other Contraband

Yesterday, Judge Jesse Furman docketed a letter, impossibly dated March 23, updating him on the investigation into the Child Sexual Abuse Material allegedly found six months ago on the discovery computer of WikiLeaks Vault 7 source Josh Schulte (see this post for an explanation).

It described more about the CSAM material found on Schulte’s computer: The FBI had found “at least approximately 2,400 files on the laptop … likely containing CSAM.”

With respect to assertions that Joshua Schulte, the defendant, has made about the discovery laptop—that the laptop does not contain CSAM, that any CSAM appears only in thumbnails, or that the CSAM was maliciously or inadvertently loaded onto the laptop by the Government. See, e.g., D.E. 998 at 3 (pro se letter to the Court dated Dec. 21, 2022), 5 (pro se letter to the Court dated Jan. 5, 2023)—the Government is able to confirm the following: at least approximately 2,400 files on the laptop have been identified to date as likely containing CSAM. Those files include full images, and are not limited to thumbnail images. Moreover, the Government did not copy discovery materials onto the defendant’s laptop. In 2021, former defense counsel copied discovery and trial materials onto the laptop, which was then reviewed by personnel from the U.S. Attorney’s Office for security compliance before making a file index and providing the laptop to the Metropolitan Correctional Center (“MCC”), where the defendant was then in custody. The CSAM on the laptop was not provided by the Government or the result of Government action.

That, by itself, doesn’t tell us a lot more than we learned in an October filing, which explained that the FBI had found, “a substantial amount” of suspected CSAM.

Indeed, the letter focuses on debunking two counterarguments Schulte has made since, which is one of the reasons Furman docketed it after DOJ submitted it ex parte: “[T]his letter responds directly to assertions by Mr. Schulte,” Furman observed.

The government was debunking a claim made by Schulte that the government had caused the CSAM — but only thumbnails — to be loaded onto his discovery computer by “connect[ing] a child pornography drive to the laptop during setup.”

Schulte repeated and expanded — at great, great length — that theory in a set of filings dated March 1 but just loaded to the docket today.

The government response, effectively, was that they made an index of the files as the computer existed when it was turned over to MCC in 2021, calling Schulte on his claim that he was framed with CSAM.

Ultimately both sides will be able to present their claims to a jury.

But there are several other reasons I’m interested in the letter and related issues.

The government’s working theory, when they first revealed this last fall, was that Schulte got a thumb drive into the SCIF and from that accessed the CSAM allegedly found on his home computer six years ago, presumably just to have it in his cell for his own further exploitation of children.

there is reason to believe that the defendant may have misused his access to the SCIF, including by connecting one or more unauthorized devices to the laptop used by the defendant to access the CSAM previously produced.

That’s because in August, they found a thumb drive attached to the SCIF laptop.

On or about August 26, 2022, Schulte was produced to the Courthouse SCIF and, during that visit, asked to view the hard drive containing the Home CSAM Files from the Home Desktop. The hard drive was provided to Schulte and afterwards re-secured in the dedicated safe in the SCIF. The FBI advised the undersigned that, while securing the hard drive containing the Home CSAM Files, they observed that an unauthorized thumb drive (the “Thumb Drive”) was connected to the SCIF laptop used by Schulte and his counsel to review that hard drive containing the Home CSAM Files. On or about September 8, 2022, at the Government’s request, the CISO retrieved the hard drive containing materials from the Home Desktop from the SCIF and returned it to the FBI so that it could be handled pursuant to the normal procedures applicable to child sexual abuse materials. The CISO inquired about what should be done with the Thumb Drive, which remained in the dedicated SCIF safe.

But in a little noticed development, during the period when FBI has been investigating how a defendant held under SAMs managed to get (we’re now told) 2,400 CSAM files onto his discovery computer, CNN reported that the network of FBI’s NY Field Office focused on CSAM had been targeted in a hacking attempt.

The FBI has been investigating and working to contain a malicious cyber incident on part of its computer network in recent days, according to people briefed on the matter.

FBI officials believe the incident involved an FBI computer system used in investigations of images of child sexual exploitation, two sources briefed on the matter told CNN.

“The FBI is aware of the incident and is working to gain additional information,” the bureau said in a statement to CNN. “This is an isolated incident that has been contained. As this is an ongoing investigation the FBI does not have further comment to provide at this time.”

FBI officials have worked to isolate the malicious cyber activity, which two of the sources said involved the FBI New York Field Office — one of the bureau’s biggest and highest profile offices. The origin of the hacking incident is still being investigated, according to one source.

DOJ still insists that former CIA hacker Josh Schulte found a way to access a whole bunch of CSAM. And in the same period, reportedly, the servers involved with CSAM investigation in the NYFO were hacked.

And while the letter released yesterday doesn’t tell us — much — that’s new about what Schulte allegedly had on his laptop, it does tell us, by elimination, which of the sealed filings in his docket are not related to the CSAM investigation.

Since the October update on the investigation into Schulte, sealed documents have been filed in Schulte’s docket on the following days:

  • December 15: Sealed document
  • January 19: Ex parte update on CSAM investigation
  • January 26: Sealed document
  • March 9: Sealed document
  • March 13: Sealed document

Only the January 19 letter — along with yesterday’s letter — have been unsealed. That, plus the flurry of filings in September and October, are it for the CSAM investigation. There’s something else going on in this docket, four sealed documents’ worth.

Indeed, in that very long set of filings mentioned above, both dated February and finalized March 1, both docketed today, Schulte alluded to something beyond CSAM.

Judge Furman has begun claiming that there are other vague misuses or misbehavior on the laptop.

He must not have read the September and October letters very closely, because they describe that there was a warrant that preceded the discovery of the CSAM.

The warrants that we know of include the following:

Since late September, this investigation was about the “substantive” amounts of CSAM found on a computer possessed by Schulte.

But before that it was based on suspicions of contraband.

That stems, in significant part, from a search of the computer DOJ did in June, when Schulte turned it over claiming it had been dropped.

It hadn’t been dropped. It needed to be charged. Indeed, in the interminable motions filed today, Schulte treated plugging in a laptop as some kind of due process violation.

Plugging in a laptop should in no way compromise the privacy of a laptop. But it did raise real questions about the excuse Schulte offered in an attempt to get a second laptop (one he effectively got once trial started anyway).

Needless to say, his description of what happened with the BIOS password differs from the government’s, as provided last June.

First, with respect to the defendant’s discovery laptop, which he reported to be inoperable as of June 1, 2022 (D.E. 838), the laptop was operational and returned to Mr. Schulte by the end of the day on June 3, 2022. Mr. Schulte brought the laptop to the courthouse on the morning of June 3 and it was provided to the U.S. Attorney’s Office information technology staff in the early afternoon. It appears that the laptop’s charger was not working and, after being charged with one of the Office’s power cords, the laptop could be turned on and booted. IT staff discovered, however, that the user login for the laptop BIOS had been changed. IT staff was able to log in to the laptop using an administrator BIOS account and a Windows login password provided by the defendant. IT staff also discovered an encrypted 15-gigabyte partition on the defendant’s hard drive. The laptop was returned to Mr. Schulte, who confirmed that he was able to log in to the laptop and access his files, along with a replacement power cord. Mr. Schulte was admonished about electronic security requirements, that he is not permitted to enable or use any wireless capabilities on the laptop, and that attempting to do so may result in the laptop being confiscated and other consequences. Mr. Schulte returned to the MDC with the laptop. [my emphasis]

Here’s more background on all the funky things that happened with this laptop that led me to suspect something was going on last summer.

Anyway, the government claims it found a whole bunch of CSAM on Schulte’s computer. But there’s also something else going on.

We may find out reasonably soon. The impossibly dated filing from this week promised an update in a week, which (if the impossibly dated filing was actually dated March 21) might be Tuesday.

The Government expects to provide the Court with a supplemental status letter in approximately one week.

At the same time that CIA hacker Josh Schulte was allegedly finding a way to load CSAM onto his discovery laptop, the local FBI office’s CSAM servers were hacked.

That might be a crazy coincidence.

Update: DOJ filed an ex parte update today, which may or may not have to do with the CSAM investigation.

Remember: DOJ May Still Suspect Trump Is Hoarding Classified Documents

When I wrote up initial reports of Christina Bobb’s first interview with investigators in the stolen documents case, I noted,

Bobb’s testimony will clarify for DOJ, I guess, about how broadly they need to get Beryl Howell to scope the crime-fraud exception.

Here we are five months later, and Beryl Howell has indeed, very predictably, scoped out the crime-fraud exception for Evan Corcoran’s testimony and the DC Circuit has refused Trump’s request of a stay to fight that ruling.

In fact, ABC reported a list of the things that Judge Howell ruled Evan Corcoran must share with Jack Smith’s prosecutors, the scope I predicted she’d draw up five months ago.

As you read it, keep in mind that DOJ likely suspects that Trump still is hoarding classified documents. I say keep that in mind, because these questions will help to pinpoint the extent to which Trump or Boris Epshteyn masterminded efforts last June to hide classified documents, which may help DOJ to understand whether someone has masterminded efforts to hide remaining classified documents since.

The six things Corcoran has been ordered to testify about, per ABC, are:

  1. “[T]he steps [Corcoran] took to determine where documents responsive to DOJ’s May subpoena may have been located”
  2. Why Corcoran “believed all documents with classification markings were held in Mar-a-Lago’s storage room”
  3. “[T]he people involved in choosing Bobb as the designated custodian of records for documents that Trump took with him after leaving the White House, and any communications he exchanged with Bobb in connection with her selection”
  4. “[W]hether Trump or anyone else in his employ was aware of the signed certification that was drafted by Corcoran and signed by Trump attorney Christina Bobb then submitted in response to the May 11 subpoena from the DOJ seeking all remaining documents with classified markings in Trump’s possession”
  5. “[W]hether Trump was aware of the statements in the certification, which claimed a “diligent search” of Mar-a-Lago had been conducted, and if Trump approved of it being provided to the government”
  6. What Corcoran “discussed with Trump in a June 24 phone call on the same day that the Trump Organization received a second grand jury subpoena demanding surveillance footage from Mar-a-Lago that would show whether anyone moved boxes in and out of the storage room”

Questions 1 and 2 are a test of whether Corcoran wrote the declaration that Christina Bobb signed on June 3 in good faith. Given the fact that boxes were moved out of the storage room, it’s quite plausible that Corcoran did do a good faith search of the remaining boxes. So the answer to question 2 — why did he think all the classified documents were in that room? — will help pinpoint who has criminal liability for that obstructive act. Someone told him only to search the storage room and he took Jay Bratt to that storage room on June 3 and falsely (but likely unwittingly) told them that’s where all the classified documents would have been stored. Who told him that was true?

Questions 4 and 5 go to Trump’s awareness of the attempt to mislead DOJ on June 3. Did he know about the signed certification, and if so was Trump aware that Corcoran and Bobb had, between them, claimed the search of a storage room out of which boxes had been moved amounted to a diligent search? Since he reportedly ordered Walt Nauta to move boxes out of there, does that mean he knew the declaration was false?

Question 3 is more interesting though: The fact that Corcoran wouldn’t sign the certification himself is testament that he had doubts about the search he did himself or, at least, that someone knew enough to protect him. Per reporting from after she spoke to investigators the first time (see this post), Boris Epshteyn contacted Bobb the night before the search to serve the role she played.

She told them that another Trump lawyer, Boris Epshteyn, contacted her the night before she signed the attestation and connected her with Mr. Corcoran. Ms. Bobb, who was living in Florida, was told that she needed to go to Mar-a-Lago the next day to deal with an unspecified legal matter for Mr. Trump.

When she showed up the next day, Bobb complained that she didn’t know Corcoran, which is one of the reasons she wisely caveated the document before signing it.

“Wait a minute — I don’t know you,” Ms. Bobb replied to Mr. Corcoran’s request, according to a person to whom she later recounted the episode. She later complained that she did not have a full grasp of what was going on around her when she signed the document, according to two people who have heard her account.

And Bobb wasn’t the custodian of records. Someone decided to have someone unaffiliated with the Office of the Former President sign as custodian of records, thereby protecting Trump’s legal entity — the one served with the subpoena — from liability for the inadequate response.

She was, however, someone who — like Boris Epshteyn — likely has significant exposure for January 6, and even (per her testimony to January 6 Committee) witnessed Trump’s call to Brad Raffensperger.

But either Corcoran knew or suspected his own search was inadequate, or someone built in plausible deniability for him. DOJ may find out which it was on Friday.

As noted, this may help DOJ understand what has happened since Bobb’s initial testimony. Reports of her testimony came in the same days as initial reports that DOJ had told Trump they believed he still had classified records. Both Bloomberg and NYT described the tensions that arose among Trump’s lawyers as a result, with some objecting to any further certification.

Christopher M. Kise, who suggested hiring a forensic firm to search for additional documents, according to the people briefed on the matter.

But other lawyers in Mr. Trump’s circle — who have argued for taking a more adversarial posture in dealing with the Justice Department — disagreed with Mr. Kise’s approach. They talked Mr. Trump out of the idea and have encouraged him to maintain an aggressive stance toward the authorities, according to a person familiar with the matter.

That was in October. In November, Merrick Garland appointed Jack Smith. In late November, Trump hired Tim Parlatore to do the search Kise had recommended over a month earlier. The search found, and returned to DOJ, two documents with classification markings found in a separate storage facility.

But even as Trump lawyers were dribbling out details of the result of that search, they were hiding at least two more details: that a Trump aide had been carting around — and had uploaded via the cloud — White House schedules that included once-classified information. And, Parlatore’s searchers had discovered, there was another empty classified folder on Trump’s bedside table that hadn’t been discovered in the August search. Whether willful or not, both likely show that additional documents with classification markers were brought back to Mar-a-Lago after the August search.

Since the time in December DOJ tried to hold Trump in contempt for refusing to comply with the May subpoena, they have chased down the box of schedules and the computer to which they were uploaded and subpoenaed the extra empty classified folder. They have interviewed the people who did the search, as well as the lawyers to whom Boris Epshteyn was giving orders. Significantly, they also interviewed Alina Habba, whose own search of Mar-a-Lago for documents responsive to Tish James’ subpoena had obvious gaps, most notably the storage closet full of documents where a bunch of classified documents were being stored. And finally, after five months, they will answer the questions first made obvious after Bobb’s initial interview in October: what Trump told Corcoran to get him to do an inadequate search.

Which brings me to Question 6: What Trump said to Corcoran after he received a subpoena for security footage that Trump knew — but Corcoran may not have known — showed Walt Nauta moving boxes that would thereby be excluded from the search Corcoran had done in May and June. Since this was a call, it may well be one of the things about which Corcoran took notes or even a recording that he later transcribed. Also recall that there was a discrepancy as to the date of the subpoena (as well as whether Trump greeted Jay Bratt and others when they were at MAL) when the search was originally revealed last year, a discrepancy that led me to suspect DOJ first served a subpoena on Trump’s office and only then served a subpoena on Trump Organization. June 24 may have been the first date that Corcoran became aware that his representations about the search for documents were incomplete.

Here’s the point, though. Trump played a shell game in advance of the search that Corcoran did last summer. Alina Habba’s declaration, on its face, reflects a shell game. There’s reason to believe — given the box containing additional documents marked classified and the empty classified folder — that Trump played another shell game when Parlatore’s investigators searched in November and December. And Howell reportedly also approved a crime-fraud waiver for Jennifer Little, a lawyer representing Trump in conjunction with the Georgia investigation.

If Corcoran does testify tomorrow, it may crystalize DOJ’s understanding of that shell game, at least. Not only will that help DOJ understand if another shell game, one involving Parlatore, managed to hide still more documents in November and December. But it may help to understand any other shell games Trump engaged in in NY and GA.

It may also finally provide the basis to hold Trump in contempt for withholding further documents.