Archive for category: Mueller Probe

In April 2020, DOJ released the warrants from the Roger Stone investigation. With six of those, DOJ redacted broad swaths of the justifications behind the warrants, none of which were shared with him as part of his obstruction prosecution.

September 26, 2018: Mystery Twitter Account

September 27, 2018: Mystery Facebook and Instagram Accounts

September 27, 2018: Mystery Microsoft include Skype

September 27, 2018: Mystery Google

September 27, 2018: Mystery Twitter Accounts 2

October 5, 2018: Mystery Multiple Googles

All six were obtained by Patrick Myers, an FBI agent located in Pittsburgh, whereas almost all the warrants obtained before that were signed by agents located in DC (in earlier weeks, Myers had also obtained a warrant targeting a second account used by the GRU persona, Guccifer 2.0).

In his order releasing the warrants, Judge Christopher Cooper explained that all the redacted information (and so the information justifying these warrants) was redacted to protect, “the private information of non-parties, financial information, and non-public information concerning other pending criminal investigations.”

One of those warrants explicitly said that the government requested a gag on the provider involved (in that case, Twitter) because Roger Stone seemed not to understand the full extent of the investigation into him.

It does not appear that Stone is currently aware of the full nature and scope of the ongoing FBI investigation. Disclosure of this warrant to Stone could lead him to destroy evidence or notify others who may delete information relevant to the investigation.

In addition to the crimes for which Mueller declined to charge Stone (foreign donations) or of which he was convicted (witness tampering and obstructing an investigation), the warrant sought evidence of conspiracy (18 USC 371), two foreign agent laws (18 USC 951 and 22 USC 611), and computer hacking (18 USC 1030).

These warrants strongly suggest that in April 2020, as Bill Barr was making unprecedented efforts to limit Stone’s punishment for the crimes of which he had been convicted, DOJ continued to investigate whether Stone conspired with foreign entities — and given that a Guccifer 2.0 warrant is among this series, Russia would be that foreign entity — to engage in computer hacking.

That’s important background to the seizure from Trump’s office of document reflecting Executive Clemency for Stone that appears to have a link to a French President, possibly Emmanuel Macron.

If Stone were involved with the MacronLeaks operation on which the GRU teamed up with alt-Right figures in Stone’s orbit, it’s conceivable Trump secretly pardoned him to prevent him from being included in the indictment covering that operation.

Based on the FOIA exemptions in various versions of the Mueller Report released, the Stone investigation that continued after Mueller closed up shop appears to have been closed between September 18, 2020 and November 2, 2020. On the latter date — literally the day before the 2020 election — DOJ provided Jason Leopold a version of the Mueller Report with newly-unsealed passages. It revealed for the first time that, on page 178, a footnote modified the discussion in the body of the Report about whether Stone could be prosecuted for conspiring with Russia on computer hacking by explaining that Mueller had referred the issue to DC US Attorney’s Office for further investigation.

The Office determined that it could not pursue a Section 1030 conspiracy charge against Stone for some of the same legal reasons. The most fundamental hurdles, though, are factual ones.1279

1279 Some of the factual uncertainties are the subject of ongoing investigations that have been referred by this Office to the D.C. U.S. Attorney’s Office.

A version of the report released to Leopold on June 3, 2019 redacted that footnote because of an ongoing investigation. And a spreadsheet justifying all continued redactions released on September 18, 2020 seems to have redacted it too. The unredacted publication of it on November 2, 2020 suggests whatever investigation in Stone DOJ had been pursuing had been closed.

Stone’s wasn’t the only investigation that got shut down in the months before Donald Trump would lose the presidency. In that period, previously redacted references to investigations into two of Paul Manafort’s businesses, and an investigation into a suspected $10 million cash infusion during the 2016 election from an Egyptian state-owned bank were unsealed — though both were unsealed by the time of that September filing. There was even reference to a warrant for Erik Prince’s phone, suggesting any investigation into him had similarly been shut down.

What made Stone’s case different, however, is that DOJ never told us what the investigation was about (indeed, two referrals that likely pertain to Stone were redacted in that November 2020 release, which they shouldn’t have been if the cases were really closed).

The most important referral from the Mueller investigation, then — the one that Billy Barr was hired to make go away — simply got deep-sixed sometime in the months when it looked like Trump would lose the election, with no explanation as to what the investigation even was. And, again, it appears to have happened between September 18 and November 2, 2020.

As it happens, DOJ rolled out an indictment against GRU on October 19, just 15 days before the election (and just 14 days before DOJ released the language pertaining to Stone). It covered six GRU attacks, though focused especially on the 2018 Olympic Destroyer attack on the Pyeongchang Olympics.

But it included, almost as a throwaway, GRU’s role in the 2017 MacronLeaks campaign. By description, it held just one of the charged individuals accountable for the spearphishing part of the MacronLeaks campaign: Anatoliy Kovalev, the one guy (as noted) also charged in the DNC hack.

Defendant ANATOLIY SERGEYEVICH KOVALEV was a Russian military intelligence officer assigned to Military Unit 74455. KOVALEV sent spearphishing emails targeting a wide variety of entities and individuals, including those associated with French local government entities, political parties, and campaigns; the 2018 Winter Olympics; the DSTL; and a Georgian media entity. KOVALEV also engaged in spearphishing campaigns for apparent personal profit, including campaigns targeting large Russian real estate companies, auto dealers, and cryptocurrency miners, as well as cryptocurrency exchanges located outside of Russia. KOVALEV is a charged defendant in federal indictment number 18-CR-215 in the District of Columbia. [my emphasis]

In the Mueller indictment of the GRU, Kovalev is described as the guy responsible for the hacking that targeted voting infrastructure — the kind of stuff that really could have affected the outcome, especially in North Carolina.

72. In or around July 2016, KOVALEV and his co-conspirators hacked the website of a state board of elections (“SBOE 1”) and stole information related to approximately 500,000 voters, including names, addresses, partial social security numbers, dates of birth, and driver’s license numbers.

[snip]

75. In or around October 2016, KOVALEV and his co-conspirators further targeted state and county offices responsible for administering the 2016 U.S. elections. For example, on or about October 28, 2016, KOVALEV and his co-conspirators visited the websites of certain counties in Georgia, Iowa, and Florida to identify vulnerabilities.

76. In or around November 2016 and prior to the 2016 U.S. presidential election, KOVALEV and his co-conspirators used an email account designed to look like a Vendor 1 email address to send over 100 spearphishing emails to organizations and personnel involved in administering elections in numerous Florida counties. The spearphishing emails contained malware that the Conspirators embedded into Word documents bearing Vendor 1’s logo.

The Olympic Destroyer indictment obtained weeks before the election held Kovalev (and the GRU) accountable for the spearphish and communications with some French participants.

27. From on or about April 3, 2017, through on or about May 3, 2017 (during the days leading up to the May 7, 201 7, presidential election in France), the Conspirators conducted seven spearphishing campaigns targeting more than 100 individuals who were members of now-President Macron’s “La Republique En Marche!” (“En Marche!”) political party, other French politicians and high-profile individuals, and several email addresses associated with local French governments. The topics of these campaigns included public security announcements regarding terrorist attacks, email account lockouts, software updates for voting machines, journalist scoops on political scandals, En Marche! press relationships, and En Marchel internal cybersecurity recommendations.

28. KOVALEV participated in some of these campaigns. For example, on or about April 21, 2017, KOVALEV developed and tested a technique for sending spearphishing emails themed around file sharing through Google Docs. KOVALEV then crafted a malware-laced document entitled “Qui_peut_parler_ aux journalists.docx” (which translates to “Who can talk to journalists”) that purported to list nine En Marche! staff members who could talk to journalists about the previous day’s terrorist attack on the Champs-Elysees in Paris. Later that day, the Conspirators used an email account that mimicked the name of then-candidate Macron’s press secretary to send a Google Docs-themed spearphishing email to approximately 30 En Marche! staff members or advisors, which purported to share this document.

29. From on or about April 12, 2017, until on or about April 26, 2017, a GRU-controlled social media account communicated with various French individuals offering to provide them with internal documents from En Marche! that the user(s) of the account claimed to possess.

But it professed utter and complete ignorance about how the stolen documents started to get leaked.

30. On or about May 3 and May 5, 2017, unidentified individuals began to leak documents purporting to be from the En Marche! campaign’s email accounts.

But they weren’t unidentified, at least not all of them! As a DFIR report released 15-months before this indictment laid out, while there was a Latvian IP address that hadn’t been publicly identified at that point (one the FBI surely had some ability to unpack), the American alt-right, including Stone associate Jack Posobiec, made the campaign go viral, all in conjunction with WikiLeaks.

First there was a rumor spread from that Latvian IP to 4Chan to William Craddick to Jack Posobiec.

Last but not least came the “#MacronGate” rumor. Two hours before the final televised debate between Macron and Le Pen, on Wednesday, May 3, at 7:00 p.m.,41 a user with a Latvian IP address posted two fake documents on 4chan. The documents suggested that Macron had a company registered in Nevis, a small Caribbean island, and a secret offshore bank account at the First Caribbean Bank, based in the Cayman Islands. Again, the rumor itself was not entirely new. Macron himself had seen it coming. More than two weeks earlier on TV he warned that this type of rumor was likely to appear: “This week, you will hear ‘Mr. Macron has a hidden account in a tax haven, he has money hidden at this or that place.’ This is totally false, I always paid all my taxes in France and I always had my accounts in France.”42 What was new this time, however, was the release of two documents supposedly proving this rumor. The user who posted the two documents on 4chan did it purposefully on the evening on the final televised debate to attract more attention, and even suggested a French hashtag: “If we can get #MacronCacheCash trending in France for the debates tonight, it might discourage French voters from voting Macron”43.

Then the rumor spread on Twitter. The 4chan link was first posted by Nathan Damigo, founder of the American neo-Nazi and white-supremacist group Identity Evropa, and was further circulated by William Craddick, founder of Disobedient Media and notorious for his contribution to the Pizzagate conspiracy theory that targeted the US Democratic Party during the 2016 American presidential campaign. The first real amplifier was Jack Posobiec—an American alt-right and pro-Trump activist with 111,000 followers at the time: his tweet was retweeted almost 3,000 times. Only after 10:00 p.m. did the rumor begin to spread in French, mostly through far-right accounts using the #MacronCacheCash hashtag. The first tweets in French seemed to have been automatically translated from English.44

[snip]

The same user with the Latvian IP address who posted the fake documents on Wednesday announced on Friday morning that more were coming, promising, “We will soon have swiftnet logs going back months and will eventually decode Macron’s web of corruption.”49 Those responsible for #MacronGate thereby provided evidence that they were the same people responsible for the #MacronLeaks that were released later that day.

Then there were the leaked files themselves, which followed the same pattern: an anonymous leak to Craddick to Posobiec to WikiLeaks.

The files were initially posted on Archive.org, an online library site, supposedly in the morning63 (the time of first release on the website cannot be determined, as these original threads have since been deleted). At 7:59 p.m., the links to the threads were posted on PasteBin, a file-sharing site, under the name “EMLEAKS.” At 8:35 p.m., they were shared on 4chan. Then came their appearance on Twitter: Craddick was again the first to share the link to the PasteBin dump at 8:47 p.m., quickly followed by Jack Posobiec at 8:49 p.m., who provided a link to the 4chan thread with, for the first time, the hashtag #MacronLeaks.64 Contrary to what would later become a widespread misconception, Posobiec was not the first to tweet, Craddick was. However, Posobiec was the first to use the hashtag that would lend its name to the entire operation, hence the confusion. Posobiec’s tweet and hashtag was retweeted eighty-seven times within five minutes. He later said he had been alerted to the incoming dump by the user with a Latvian IP address who had posted the #MacronGate fake documents two days prior: “The same poster of the financial documents said to stay tuned tomorrow for a bigger story–so I pretty much spent the next 24 hours hitting refresh on the site.”65

So far, this conversation was exclusively Anglophone. This makes it clear that the hashtag #MacronLeaks was launched and spread in the United States, by the American alt-right. It was WikiLeaks that internationalized the spread, at 9:31 p.m., by tweeting: “#MacronLeaks: A significant leak. It is not economically feasible to fabricate the whole. We are now checking parts,” with a link to the files on PasteBin. Only then came the first French amplifiers, who happened to be Le Pen supporters

MacronLeaks was, openly and proudly, a joint venture between the GRU, far right influencers in Stone’s immediate orbit, and WikiLeaks. It was an attempt to repeat the 2016 miracle that elected Donald Trump, by supporting the Russian-supporting Marine Le Pen by damaging Macron.

There’s something unusual about the indictment, too. Alone among the indictments obtained by the Pittsburgh US Attorney’s office that month (October 2020), it was the single one signed in wet blue ink by the US Attorney, Scott Brady. Both the copy released by DOJ and the one docketed in PACER also lacked a jury foreperson’s signature.

Admittedly, most of the indictments WDPA obtained that month were fairly podunk crimes that wouldn’t need heightened security: a fentanyl dealer, a cocaine dealer, two unhoused men charged with theft, an aggravated assault, manufacturing a controlled substance, Social Security fraud, VA benefit fraud, all were signed in black ink, at least some of them electronically. But a child sexual trafficking indictment and a CSAM possession indictment, both originally filed under seal, also bear the foreperson’s signature and that black ink signature. Even a ransomware indictment rolled out nationally on October 15 — which would have the same kind of international sensitivities and national coordination as the GRU indictment — had a normal jury foreperson’s signature.

While Brady was not a surprising choice for US Attorney in Pittsburgh (he had previously been an AUSA), he was perhaps the most politicized of Trump’s US Attorneys. He’s the guy whom Barr put in charge of ingesting the dirt on Hunter Biden that Rudy Giuliani was getting from suspected Russian agents.

To be clear: There’s no public allegation that Stone had anything to do with MacronLeaks, though HateWatch places him at a Milo Yiannopoulos party where MacronLeaks appears to have come up, after the leaks but before the French election. I’m not saying that Stone was involved in the MacronLeaks operation.

But the response to the Stone reference in the subpoena receipt has assumed that the Stone reference cannot be related to the French President reference, all assumptions made by journalists that never covered the ongoing aspects into whether Stone conspired with Russia on a hack. If Trump did issue his rat-fucker a secret pardon for follow-on cooperation with Russian hackers, though, it would explain a number of things about the aftermath of the Mueller investigation, including what happened to the investigation into whether Stone conspired with Russia on hacking campaigns.

For his part, Trump included a bit of a tirade about the Stone reference in his motion for a Special Master last night.

In addition, did the affiant to the warrant fairly disclose any pretextual “dual” purpose at work in obtaining the warrant? For example, the Receipt for Property largely fails to identify seized documents with particularity, but it does refer to the seizure of an item labelled “Executive Grant of Clemency re: Roger Jason Stone, Jr.” Aside from demonstrating that this was an unlawful general search, it also suggests that DOJ simply wanted the camel’s nose under the tent so they could rummage for either politically helpful documents or support other efforts to thwart President Trump from running again, such as the January 6 investigation.

This is legally and politically nonsensical. If the pardon is the known pardon, then it’s not politically damaging at all. If it’s a real pardon of any kind — as a pardon written on a cocktail napkin arguably would be — then it’s a Presidential Record and squarely within the scope of the warrant (which permits seizure of any Presidential record created during Trump’s term). If the information about the French President is part of the document and appears to be sensitive, then it would qualify as a likely classified document. If the pardon were found in Trump’s safe next to his leatherbound box of TS/SCI documents, then it would be covered by the proximal search protocol laid out in the warrant. The pardon was legally seized.

Trump’s claims are nonsensical. But they’re also the the kind of squealing that invites further attention to what the clemency document really is.