The Guy Investigating the Claimed Politicized Hiring of a Special Counsel Insists that the Hiring of a Special Counsel Cannot Be Political

On Monday, both John Durham and Michael Sussmann submitted their motions in limine, which are filings to argue about what can be admitted at trial. They address a range of issues that I’ll cover in several posts:

Sussmann:

Durham wants to:

  • Admit witnesses’ contemporaneous notes of conversations with the FBI General Counsel
  • Admit emails referenced in the Indictment and other, similar emails (see this post)
  • Admit certain acts and statements (including the defendant’s February 2017 meeting with a government agency, his December 2017 Congressional testimony, and his former employer’s October 2018 statements to the media) as direct evidence or, alternatively, pursuant to Federal Rule of Evidence 404(b)
  • Exclude evidence and preclude argument concerning allegations of political bias on the part of the Special Counsel (addressed in this post)
  • Admit an October 31, 2016 tweet by the Clinton Campaign

I will link my discussions in serial fashion.


Here’s how John Durham moved to exclude any evidence that his team was ordered to produce results in time for the 2020 election, bullied witnesses, or treated Hillary Clinton as a more dangerous adversary than Russia.

The Government expects that defense counsel may seek to present evidence at trial and make arguments that depict the Special Counsel as politically motivated or biased based on his appointment by the prior administration. Notwithstanding the patently untrue nature of those allegations, such matters are irrelevant to this case and would create a substantial danger of unfair prejudice, confusion, and delay. In particular, the government seeks to preclude the defendant from introducing any evidence or making any argument concerning the circumstances surrounding the appointment of the Special Counsel and alleged political bias on the part of the Special Counsel’s Office. Indeed, the defendant has foreshadowed some of these arguments in correspondence with the Special Counsel and others, and their assertions lack any valid basis.

Only relevant evidence is admissible at trial. Fed. R. Evid. 402. The definition of relevance is inclusive, see Fed. R. Evid. 401(a), but depends on the possibility of establishing a fact that “is of consequence in determining the action,” Fed. R. Evid. 401(b). Evidence is therefore relevant only if it logically relates to matters that are at issue in the case. E.g., United States v. O’Neal, 844 F. 3d 271, 278 (D.C. Cir. 2016); see Sprint/United Management Co. v. Mendelsohn, 552 U.S. 379, 387 (2008). The party seeking to introduce evidence bears the burden of establishing relevancy. Dowling v. United States, 493 U.S. 342, 351 n.3 (1990).

Here, the defendant is charged with making a false statement to the FBI General Counsel in violation of 18 U.S.C. § 1001. A jury will have to decide only whether the defendant knowingly and willfully made a materially false statement to the FBI General Counsel. Nothing more, nothing less. Baseless political allegations are irrelevant to the crime charged. See, e.g., United States v. Regan, 103 F. 3d 1072, 1082 (2d Cir. 1997) (claims of Government misconduct are “ultimately separate from the issue of [a defendant’s] factual guilt”); United States v. Washington, 705 F. 2d 489, 495 (D.C. Cir. 1983) (similar). Evidence or argument concerning these issues should therefore be excluded. See Fed. R. Evid. 402; see, e.g., O’Neal, 844 F.3d at 278; United States v. Stone, 19 CR 18 (D.D.C. Sept. 26, 2019) ECF Minute Order (granting the government’s motion in limine to exclude evidence or argument regarding alleged misconduct in the government’s investigation or prosecution of Roger Stone).

The only purpose in advancing these arguments would be to stir the pot of political polarization, garner public attention, and, most inappropriately, confuse jurors or encourage jury nullification. Put bluntly, the defense wishes to make the Special Counsel out to be a political actor when, in fact, nothing could be further from the truth.[11] Injecting politics into the trial proceedings is in no way relevant and completely unjustified. See United States v. Gorham, 523 F. 2d 1088, 1097-1098 (D.C. Cir. 1975) (upholding trial court’s decision to preclude evidence relevant only to jury nullification); see also United States v. Rushin, 844 F. 3d 933, 942 (11th Cir. 2016) (same); United States v. Castro, 411 Fed. App’x 415, 420 (2d Cir. 2011) (same); United States v. Funches, 135 F.3d 1405, 1408-1409 (11th Cir. 1998) (same); United States v. Cropp, 127 F.3d 354, 358-359 (4th Cir. 1997). With respect to concerns about jury nullification, this Circuit has opined:

[Defendant’s] argument is tantamount to the assertion that traditional principles concerning the admissibility of evidence should be disregarded, and that extraneous factors should be introduced at trial to become part of the jury’s deliberations. Of course a jury can render a verdict at odds with the evidence and the law in a given case, but it undermines the very basis of our legal system when it does so. The right to equal justice under law inures to the public as well as to individual parties to specific litigation, and that right is debased when juries at their caprice ignore the dictates of established precedent and procedure.

Gorham, 523 F.2d at 1098. Even if evidence related to the defendant’s anticipated allegations had “marginal relevance” to this case (which it does not), the “likely (and presumably intended) effect” would be “to shift the focus away from the relevant evidence of [the defendant’s] wrongdoing” to matters that are, at most, “tangentially related.” United States v. Malpeso, 115 F. 3d 155, 163 (2d Cir. 1997) (upholding exclusion of evidence of alleged misconduct by FBI agent). For the foregoing reasons, the defendant should not be permitted to introduce evidence or make arguments to the jury about the circumstances surrounding the appointment of the Special Counsel and alleged political bias on the part of the Special Counsel.

[11] By point of fact, the Special Counsel has been appointed by both Democratic and Republican appointed Attorneys General to conduct investigations of highly-sensitive matters, including Attorneys General Janet Reno, Michael Mukasey, Eric Holder, Jeff Sessions and William Barr. [my emphasis]

Durham stuck the section between an extended section arguing that Judge Christopher Cooper should treat the interlinked investigations — by those working for the Hillary campaign and those, working independently of the campaign, who believed Donald Trump presented a grave risk to national security — into Trump’s ties to Russia as a unified conspiracy and another section asking that Clinton Campaign tweets magnifying the Alfa Bank allegations be admitted, even though the argument to include them is closely related.

Even ignoring how Durham pitches this issue, the placement of this argument — smack dab in the middle of an effort to treat protected political speech he admits is not criminal like a criminal conspiracy — seems like a deliberate joke. All the more so coming from prosecutors who, with their conflicts motion,

stir[red] the pot of political polarization, garner[ed] public attention, and, most inappropriately, confuse[d potential] jurors

It’s pure projection, presented in the middle of just that kind of deliberately polarizing argument. From the moment the Durham team — which relied heavily on an FBI Agent who reportedly sent pro-Trump texts on his FBI phone — tried to enhance Kevin Clinesmith’s punishment for altering documents because he sent anti-Trump texts on his FBI phone, Durham has criminalized opposition to Trump.

And Durham himself made his hiring an issue by claiming that the guy who misrepresented his conflicts motion by using it to suggest that Sussmann and Rodney Joffe should be executed, Donald Trump, is a mere third party and not the guy who made him a US Attorney.

But it’s also misleading, for multiple reasons.

The initial bias in question pertains to covering up for Russia, not helping Republicans

Sussmann’s likely complaints at trial have little to do with the fact that Durham was appointed by a Republican. Rather, a key complaint will likely have to do with the fact that Durham was appointed as part of a sustained campaign to misrepresent the entire set of events leading up to the appointment of his predecessor as Special Counsel, Robert Mueller, by a guy who auditioned for the job of Attorney General based on his claims — reflecting his warped Fox News understanding of the investigation — that the confirmed outcome of that investigation was false.

You cannot separate Durham’s appointment from Billy Barr’s primary goal in returning as Attorney General: to undermine the evidence of improper Trump ties to Russia. You cannot separate Durham’s appointment, made in the same days as Mueller acquired key evidence in two investigations (the Egyptian bank donation and Roger Stone) that Barr subsequently shut down, from Barr’s attempt to undermine the past and ongoing investigation. You cannot separate Durham’s appointment from what several other DC District judges (Reggie Walton, Emmet Sullivan, and Amy Berman Jackson, the latter twice) have said was Barr’s improper tampering in the Russian investigation.

That is, Durham was appointed to cover up Trump’s confirmed relationship with Russia, not to attack Democrats. But in order to cover up for Russia, Durham will, and has, attacked the Democrats who were first victimized by Russia for viewing Russia as a threat (though I believe that Republicans were victimized, too).

That bias has been exhibited in the following ways, among others:

  • Treating concern about Trump’s solicitation of further hacks by Russia and his confirmed ties to Russian money laundering as a partisan issue, and not a national security issue (something Durham continues with this filing)
  • Treatment, in the Danchenko case, of Charles Dolan’s involvement in the most accurate report in the Steele dossier as more damning than the likely involvement of Dmitry Peskov in the most inflammatory reports, which paralleled the secret communications with Dmitry Peskov that Trump and Michael Cohen lied to cover up
  • Insinuations from Andrew DeFilippis to Manos Antonakakis that it was inappropriate for DARPA to ask researchers to investigate ongoing Russian hacks during an election
  • A prosecutorial decision that risks making sensitive FISA information available to Russia that will, at the same time, signal that the FBI won’t protect informants against Russia

There are other indications that Durham has taken probable Russian disinformation that implicates Roger Stone as instead reliable evidence against Hillary.

Durham’s investigation into an investigation during an election was a key prop during an election

Another thing Durham may be trying to stave off is Sussmann calling Nora Dannehy as a witness to explain why she quit the investigation just before the election. Even assuming Durham could spin concerns about pressure to bring charges before an election, that pressure again goes to Billy Barr’s project.

When Durham didn’t bring charges, some of the same documents Durham was reviewing got shared with Jeffrey Jensen, whose team then altered several of them, at least one of them misleadingly, to present a false narrative about Trump’s opponent’s role in the investigation. Suspected fraudster Sidney Powell seems to have shared that false narrative with Donald Trump, who then used it in a packaged attack in the first debate.

This is one of the reasons why Durham’s submission of Bill Priestap’s notes in such a way as to obscure whether those notes have some of the same indices of unreliability as the altered filings in the Mike Flynn case matters.

In other words, Durham is claiming that scrutinizing the same kind of questions that Durham himself has been scrutinizing for years is improper.

The bullying

I find it interesting that Durham claims that, “the defendant has foreshadowed some of these arguments in correspondence with the Special Counsel and others,” without citing any. That’s because the only thing in the record is that Sussmann asked for evidence of Durham bullying witnesses to alter their testimony — in response to which Durham provided communications with April Lorenzen’s attorneys.

On December 10, 2021, the defense requested, among other things, all of the prosecution team’s communications with counsel for witnesses or subjects in this investigation, including, “any records reflecting any consideration, concern, or threats from your office relating to those individuals’ or their counsels’ conduct. . . and all formal or informal complaints received by you or others” about the conduct of the Special Counsel’s Office. Although communications with other counsel are rarely discoverable, especially this far in advance of trial, the Government expects to produce certain materials responsive to this request later this week. The Government notes that it is doing so despite the fact that certain counsel persistently have targeted prosecutors and investigators on the Special Counsel’s team with baseless and polemical attacks that unfairly malign and mischaracterize the conduct of this investigation. For example, certain counsel have falsely accused the Special Counsel’s Office of leaking information to the media and have mischaracterized efforts to warn witnesses of the consequences of false testimony or false statements as “threats” or “intimidation.”

And this set of filings reveals that Durham is still trying to force Rodney Joffe to testify against Sussmann, even though Joffe says his testimony will actually help Sussmann.

In other words, this may be a bid by Durham to prevent evidence of prosecutorial misconduct under the guise of maintaining a monopoly on the right to politicize the case.

Normally, arguments like this have great merit and are upheld.

But by making the argument, Durham is effectively arguing that the entire premise of his own investigation — an inquiry into imagined biases behind an investigation and later appointment of a Special Counsel — is illegitimate.

As we’ll see, what Judge Christopher Cooper is left with is nothing more than competing claims of conspiracy.

John Durham Is Hiding Evidence of Altered Notes


In John Durham’s bid to introduce notes from Bill Priestap and Trisha Anderson, he presented a color scan of Anderson’s notes [red annotation added]:

But he presented a black and white scan of Priestap’s notes [red annotation added]:

That’s important for two reasons. First, because blue sticky tabs were implicated in altered documents submitted in the Mike Flynn case. There was a blue sticky tab on another page of Priestap notes submitted in Flynn’s case.

There were what appear to be blue and red stickies visible on the original version of some Peter Strzok notes submitted in that case.

When the government ultimately confessed to adding dates (affirmatively misleading, in at least one case) to both that set of Strzok notes

And some Andrew McCabe notes

… The government claimed that the date added to some Andrew McCabe notes was added via a blue sticky — what sounds like the same sticky we saw in the Priestap notes.

In response to the Court and counsel’s questions, the government has learned that, during the review of the Strzok notes, FBI agents assigned to the EDMO review placed a single yellow sticky note on each page of the Strzok notes with estimated dates (the notes themselves are undated). Those two sticky notes were inadvertently not removed when the notes were scanned by FBI Headquarters, before they were forwarded to our office for production. The government has also confirmed with Mr. Goelman and can represent that the content of the notes was not otherwise altered.

Similarly, the government has learned that, at some point during the review of the McCabe notes, someone placed a blue “flag” with clear adhesive to the McCabe notes with an estimated date (the notes themselves are also undated). Again, the flag was inadvertently not removed when the notes were scanned by FBI Headquarters, before they were forwarded to our office for production. Again, the content of the notes was not otherwise altered. [my emphasis]

If that’s right, then whoever altered the McCabe notes altered them with the same kind of blue sticky note that appears on the Priestap notes that Durham wants to submit at trial.

Whether that date was added via blue sticky note has never been publicly tested. Rather than submitting unaltered versions of McCabe’s notes in the Flynn docket, DOJ (metadata suggests that Jocelyn Ballantine did this) simply digitally removed the date and a footer, effectively submitting a re-altered exhibit in place of an altered one. So one cannot rule out that that date was written right onto the notes themselves. McCabe was being specifically prevented by DOJ from reviewing his original notes in the period, not even to prepare for Senate Judiciary Committee testimony, so he hasn’t been able to test that either.

That, by itself, suggests some of the alterations that were an issue in the Flynn docket were altered before they were shared with Jeffrey Jensen.

But that’s all the more interesting given a detail that Michael Sussmann included in his bid to exclude these notes. In Priestap’s grand jury testimony in this case, he testified he didn’t know why he wrote the “no specific client” comment on a slant, or why those notes were, “perhaps darker or thicker than some of the other notes.”

The Indictment characterizes the Priestap Notes as a contemporaneous record of Mr. Priestap’s conversation with Mr. Baker. See id. But beyond offering that they “looked like his writing and organizational style,” Mem. of Special Counsel’s June 2, 2021 Interview of E.W. Priestap, SCO-3500U-018701, at -01, Mr. Priestap said he “[doesn’t] remember why [he] wrote them down and who gave [him] the information,” E.W. Priestap’s June 3, 2021 Grand Jury Test., SCO-3500U-018746, at -98. Not only that, but Mr. Priestap “[does] not recall actually writing these notes,” id. at SCO-3500U-018815, nor can he confirm that the notes actually reflect any conversation he had with Mr. Baker, as opposed to a conversation he had with someone else, id. Indeed, Mr. Priestap “advised he did not remember Baker conveying to him the information about Sussmann,” Mem. of Special Counsel’s June 2, 2021 Interview of E.W. Priestap at SCO-3500U 018702, and was “not certain whether th[e] conversation reflected in the notes . . . was with Mr. Baker or maybe with someone else,” E.W. Priestap’s June 3, 2021 Grand Jury Test. at SCO3500U-018815. Mr. Priestap also has “[n]o idea” why the phrase “said not doing this for any client”—written diagonally to the side of the main body of the notes—was written at all, and could offer no explanation for why those words were “perhaps darker or thicker than some of the other notes.” Id. at SCO-3500U-018816.

The date in the January 24, 2017 Priestap notes is even more irregular — at cross-direction from his other notes on the page, and with uneven ink — and I have always wondered whether that date was added too.

And lo and behold, the Anderson notes also appear to have a sticky note right by the date (as annotated), albeit apparently a red one, though some of the tags on the Strzok notes were of a similar color. She also found aspects of her notes surprising.

Ms. Anderson’s notes (the “Anderson Notes”) include, on top, “Deputies Mtg. 9/19/16,” and then, after a redaction and under a second heading reading “9/19[/]16,” go on to state: “Sussman[n] Mtg w/ Baker” and “No specific client but group of cyber academics talked w/ him abt research,” followed by the phrase, “article this Friday – NYT/WaPo/WSJ.” Anderson Notes at SCO-3500U-000018. The relevant sentence fragment contains no subject revealing who had “[n]o specific client,” nor any other context for that phrase. Ms. Anderson, who was first asked about these notes by the Special Counsel over five years after they were written, has no meaningful memory of the notes or their context: she has only a “vague recollection” of discussing this topic with Mr. Baker and cannot “recall specifics.” Mem. of Special Counsel’s Jan. 5, 2022 Interview of T. Anderson, SCO-3500U-000087, at -88, -96. When shown the notes, Ms. Anderson stated that she had been “surprised” to learn about the “no specific client” phrase, and she “d[id] not now recall hearing from Baker his use” of that phrase; she could only assume that she got that phrase from Mr. Baker “because her notes reflect[ed] it.” Id. at -88.

Durham has only provided a partial scan of these notes, hiding that the date, 9/19/16, appears earlier on the page, describing a different kind of meeting. That’s consistent with what the added date and the redaction on the McCabe notes did: they served to suggest that McCabe briefed the Flynn case to SSCI the day after Jim Comey was fired. Here, the September 19 date that appears next to the sticky is necessary for Durham’s case to claim that Anderson took these notes the same day as the meeting and not some time after that.

But why would Anderson date her notes twice?

According to a discovery filing in this case, Sussmann has reviewed redacted versions of the originals of the Priestap notes, which were still in the notebook Priestap took them in.

On October 13, 2021, the defense requested, among other things, to inspect the original notes that a former FBI Assistant Director of Counterintelligence took reflecting the defendant’s alleged false statement. The original notes were contained in a hard-bound notebook located at FBI Headquarters and contained extremely sensitive and highly classified information on a variety of topics and unrelated investigative matters. The Government immediately agreed to make the original notebook available to the defense in redacted form, and the defense conducted its review of the notebook on October 20, 2021.

But to test why all these notes have post-it notes on them and why the dates are so unreliable (and affirmatively misleading, in the case of the alteration in the January 5, 2017 Strzok notes), Sussmann would need to review all the notes together, probably with the assistance of the original authors.

It’s still not clear who altered the notes submitted in the Flynn docket, the extent of those alterations, or why the government is submitting exhibits with investigative stickies on them as evidence at trial. DOJ’s filing in the Flynn case blamed the misleading date on the Strzok notes on an FBI agent associated with the Jeffrey Jensen investigation (which would suggest that alteration post-dated Durham’s access to it), but it did not say who altered the McCabe notes.

But by showing that the blue sticky notes existed in Durham’s copy of the exhibits, Durham makes it clear some of the alterations exhibited in the Flynn docket happened before he shared the documents with Jensen’s investigation, if that’s how the notes got shared around.

The misleading date added to the Strzok notes ultimately was part of a packaged Trump attack on Joe Biden at the first debate, one that Sidney Powell, who has since been sanctioned for making fraudulent claims in an attempt to keep Trump in office, appears to have had a part in.

President Donald J. Trump: (01:02:22)
We’ve caught them all. We’ve got it all on tape. We’ve caught them all. And by the way, you gave the idea for the Logan Act against General Flynn. You better take a look at that, because we caught you in a sense, and President Obama was sitting in the office.

Given that even Chuck Grassley recognized the alteration added to the Strzok notes was incorrect, it’s hard to believe that was an innocent mistake.

And yet, 18 months later, DOJ is still trying to submit notes with all these investigative sticky notes as exhibits, without explaining why or how they appeared there.

And Durham’s choice to present the Priestap notes in black-and-white, with what appears to be the same blue sticky that appeared on his earlier notes, as well as the blue sticky described as having been used to alter the McCabe notes, suggests he may know that’s a problem.

Michael Sussmann’s Lawyers Complain of “Wildly Untimely” Notices from John Durham [Updated, with Confirmation]

Republished given confirmation that Durham is trying to point to privilege claims to insinuate wrong-doing. 

On March 31, there was a combined motions and status hearing in the Michael Sussmann case. The parties started by arguing Sussmann’s motion to dismiss (response; reply) based on a claim his alleged lie was not material. Here’s my live-tweet of the hearing.

Judge Christopher Cooper observed that the dispute was “Well briefed and argued on both sides” and promised to rule quickly. But the odds are still really good that he’ll rule against Sussmann because the standard for materiality is so thin. So that argument was perhaps more interesting for a few details that came out in the process, such as that the claim is that Sussmann offered up that he had no client, and that in all the discovery Sussmann has received, there’s no evidence anyone ever asked the source of the DNS data he shared with the government, even while they repeatedly recognized that Sussmann was a lawyer for the DNC.

We don’t think Baker or anyone else at FBI ever asked, btw, where’d this info come from. If source mattered so much, you’d think someone would have said, where’d this come from, how’d they get it.

Both details would help Sussmann defeat a materiality claim at trial, but Cooper can’t take it into account.

It was in the status discussion where things got more interesting. Cooper asked why he hadn’t seen any 404(b) notices (which is notice that the government wants to use otherwise incriminating information to prove its case in chief, often to prove motive), and AUSA Andrew DeFilippis said they had provided it to the defense. Sussmann’s lawyer, Sean Berkowitz, described that they were going to file motions in limine about the notices, but observed that “one was untimely,” meaning Durham’s team missed the March 18 deadline.

DeFilippis then asked for extra time to deal with Sussmann’s CIPA 5 motion, which is where he asks for classified information to be declassified to use at trial. Sussmann had little problem with that.

Then Berkowitz complained about an expert the government just informed Sussmann they wanted to call — an FBI agent whose primary purpose would be to explain the DNS and Tor technologies at the core of the tip Sussmann shared with the FBI. Cooper quipped, “aren’t we going to have the jury understand the technical” aspects of the trial, and suggested he, himself, needed such a tutorial as well. Berkowitz noted that that deadline had passed weeks ago and the late notice didn’t give Sussmann enough time to qualify their own expert to respond.

The real issue, it soon became clear, was that the government wants to reserve the right to use this witness to rebut any claim Sussmann would make that the data was “real.” DeFilippis argued they need to be able to rebut Sussmann’s claim that the allegation he made was “unsupported.” “That’s different,” Judge Cooper noted, “than whether the data was accurate.”

It’s clear, based on what DeFilippis said, that he intends to conflate accurate data (a real, still unexplained anomaly) with an unpersuasive hypothesis about what that anomaly might be. DeFilippis countered that if the data were “cherry picked or fabricated” (neither of which he has charged) then it might suggest a motive for Sussmann to lie. But Berkowitz argued that the only thing that matters is that Sussmann believed the data was accurate. Importantly, Durham’s indictment falsely suggests that Sussmann was privy to some of the researchers’ discussion about this.

Berkowitz’s frustration with all that was nothing compared to his fury that, just the night before, prosecutors had told them that they intended to use a motion in limine (which is supposed to deal with what evidence can and cannot be introduced at trial) to try to breach privilege claims that various witnesses have made. As Cooper noted, that’s not a motion in limine, it’s a motion to compel.

Berkowitz: We learned last night that SC is challenging privilege. Only last night we learned they do intend to challenge privilege in motion in limine. Wildly untimely. Implicates underlying case.

DeFilippis: We’ve been working with asserted privilege holders. Those holders would be Tech Executive-1, Clinton campaign, another political organization. We have tried to understand theory of privilege. Unable to get comfort. We now intend to call witnesses from [Fusion] and [Perkins Coie].

Cooper: Not a motion in limine, it is a motion to compel.

Berkowitz: This issue is an issue that has been discussed for well over a year. Honestly to only now bring it up, 6 weeks before trial. Violations of due process, we’re going to get new info, it’s an ambush.

It’s really hard to view this as anything but a stunt to try to save Durham’s conspiracy theories.

In a normal situation involving a big law firm like Perkins Coie, well-lawyered people associated with the Hillary campaign (because of PC’s role as Sussmann’s former employer, Hillary and the DNC would count as separate entities), as well as Fusion GPS (which has been fighting similar issues from Russian oligarchs for years now), such privilege claims would take at least three months to work out.

For sake of comparison, John Eastman’s privilege fight, for a legal argument with none of the formal retainer agreements like those PC has, for emails inappropriately stored on Chapman University’s cloud, in which there’s substantive evidence — now affirmed by a judge — that Eastman himself has criminal exposure, has been going on since January 20, and it is nowhere near done.

As Berkowitz notes, the trial is six weeks away.

The most likely outcome of this effort would either be a delay of the trial and/or some inconclusive outcome, which Durham would undoubtedly use to sow more conspiracy theories without charging them, pointing to Democrats’ defense of privilege to insinuate the privilege claims must hide some proof of conspiracy.

But it looks all the more intentional given the now-famous delayed waiver motion Durham went through in February. The waivers covered by Durham’s filing include several of the witnesses he has belatedly said he wants to pierce privilege now:

  • Whether Perkins Coie (which Latham represented along with Sussmann in the Durham investigation) knew how Sussmann was billing his time
  • Perkins Coie’s past claims about the DNC’s activities
  • The advice Kathryn Ruemmler gave Sussmann when Kash Patel raised his meeting with the FBI in a December 2017 HPSCI appearance
  • What Latham told a PR firm regarding public statements about the meeting in 2018

That is, more than six weeks before telling Sussmann that, after not formally attempting to pierce privilege in the last year, Durham now wants to do so, Durham made Sussmann waive any conflict with all the privileged relationships that Durham wants to pierce.

As I noted at the time, Durham was asking Sussmann to waive conflicts even without having pierced privilege.

Latham also provided Perkins Coie advice regarding a PR statement whose privilege, Durham admits, he has not been able to pierce, and he knows that those who made the statement had no knowledge that could implicate the statement in a conspiracy.

He’s now trying to do that. It’s really hard to believe that’s a coinkydink.

And unlike the attorney-client waiver used in the Paul Manafort case, Durham is not citing independent proof that Sussmann lied to his lawyers. Unlike the waiver with Eastman or with Michael Cohen’s hush payments, Durham is not citing participation in a conspiracy.

This is still a false statements case that Durham is sure, absent the evidence to charge it, is a conspiracy. And now at the last minute, he’s attempting to salvage that conspiracy.

Update: A motion in limine from Sussmann confirms I was totally right about Durham’s ploy. He wants to submit privilege logs to the jury, privilege logs for which Sussmann is not the privilege holder and which he is therefore powerless to waive, to insinuate that he’s covering something up.

Again, there can be no mistake as to the purpose for the Special Counsel’s tactics here. The animating theory of the Special Counsel’s Indictment is that, in meeting with the FBI and Agency-2, Mr. Sussmann sought to conceal that he was secretly working on behalf of the Clinton Campaign and Mr. Joffe. Lacking actual evidence of Mr. Sussmann’s guilt, the Special Counsel seeks instead to convict Mr. Sussmann by insinuating to the jury that such evidence must exist—by inviting them to draw the inference that, because Mr. Sussmann’s alleged clients and co-conspirators have chosen to withhold information relating to the very same relationship the Special Counsel alleges they and Mr. Sussmann sought to conceal, that information must be inculpatory.

Permitting the Special Counsel to prejudice Mr. Sussmann and to shirk his burden of proof by leading the jury to an adverse inference would be impermissible under any circumstance. But it is particularly egregious here, because Mr. Sussmann is not the privilege holder. The Special Counsel’s tactics would accordingly penalize Mr. Sussmann for another party’s invocation of their own right to assert the privilege, a decision that was not his to make. Convicting him on the basis of such fundamentally unfair circumstances would amount to a miscarriage of justice.

Durham Prosecutor Andrew DeFilippis Confirmed to Rodney Joffe He May Continue Indefinitely

In a motion to dismiss, Michael Sussmann just requested that Judge Christopher Cooper give Special Counsel Durham a choice: either immunize Rodney Joffe, or dismiss the case.

Sussmann wants to call Joffe to provide exculpatory testimony.

Mr. Joffe would offer critical exculpatory testimony, including that: (1) Mr. Sussmann and Mr. Joffe agreed that information should be conveyed to the FBI and to Agency-2 to help the government, not to benefit Mr. Joffe; (2) the information was conveyed to the FBI to provide a heads up that a major newspaper was about to publish a story about links between Alfa Bank and the Trump Organization; (3) in response to a later request from Mr. Baker, Mr. Sussmann conferred with Mr. Joffe about sharing the name of that newspaper before Mr. Sussmann told Mr. Baker that it was The New York Times; (4) the researchers and Mr. Joffe himself held a good faith belief in the analysis that was shared with the FBI, and Mr. Sussmann accordingly and reasonably believed the data and analysis were accurate; and (5) contrary to the Special Counsel’s entire theory, Mr. Joffe was neither retained by, nor did he receive direction from, the Clinton Campaign.

But after Joffe’s lawyer Steven Tyrell received Sussmann’s trial subpoena, he asked Andrew DeFilippis whether Joffe remained a subject of the investigation, more than five years after Joffe’s last action in this case. DeFilippis stated that he continued to chase vague claims about the YotaPhone allegations shared in the February 9, 2017 meeting with the CIA.

On March 31, the day after receipt of the subpoena, I spoke by telephone with representatives of the Office of Special Counsel (“OSC”) in an effort to obtain sufficient information from which I could assess and advise my client whether he has a credible fear of prosecution. I then explained that I had requested an update because my client had received your trial subpoena. Given the impending trial date, I stated that we wished to inform you as soon as possible whether Mr. Joffe intends to invoke his Fifth Amendment rights if called to testify. I indicated that Mr. Joffe has a desire to testify, but he has concerns about doing so if he is a subject of the OSC’s investigation. In response, Mr. DeFilippis confirmed that Mr. Joffe remains a subject of the investigation (as he has been since our first contact with the OSC fifteen months ago). I then asked if Mr. DeFilippis could explain what basis remains for Mr. Joffe’s possible prosecution. Rather than provide any additional information to aid in our assessment of the risk of prosecution, Mr. DeFilippis stated that in his view, Mr. Joffe’s status in the investigation was sufficient to establish a good faith basis to invoke the privilege against self-incrimination. Mr. DeFilippis further stated that OSC did not want to get into any more detail, and presumed that Latham would understand if Mr. Joffe decided to invoke.

I then stated to Mr. DeFilippis that more than five years has elapsed since the events that are described in the indictment against your client and the OSC’s related public filings, including the September 19, 2016, meeting with the FBI and the February 9, 2017, meeting with , and asked what other basis the OSC might have to charge Joffe with criminal conduct. Mr. DeFilippis replied in general terms that while it was fair to say that the Alfa-related allegations tied back to Sussmann’s September 19, 2016 meeting, the Yota phone-related allegations continued to “percolate through various branches of the government and around the private sector after that date, in various forms.” DeFilippis further noted that certain fraud statutes have longer than a five-year limitations period, although he did not specify what statutes might be implicated by the events in question. Beyond that, Mr. DeFilippis was unwilling to comment further. In light of Mr. DeFilippis’ unwillingness to provide additional information, I asked whether he ever envisioned an end to my client’s status as a subject of the OSC’s investigation, and if so, when that might be. Mr. DeFilippis indicated that he was unable to put an end date on the investigation at this point, and that it would depend upon various factors, including the conduct in question and the applicability of various limitations periods. [my emphasis]

According to Sussmann attorney Sean Berkowitz, just weeks ago, Durham was pressuring Joffe to testify against Sussmann.

Third, given the Special Counsel’s repeated entreaties to Mr. Joffe to cooperate in the Special Counsel’s investigation against Mr. Sussmann, including only weeks ago, the Special Counsel’s refusal to confer immunity on Mr. Joffe, and the Special Counsel’s insistence that Mr. Joffe continues to face criminal exposure, seems to be not only retaliatory, but tantamount to a “deliberate[] deni[al] [of] ‘immunity for the purpose of withholding exculpatory evidence and gaining a tactical advantage through such manipulation.’” Ebbers, 458 F.3d at 119 (citation omitted). As in Smith, “[i]f the witness were guilty of [the threatened offenses], he should have been charged with those offenses whether he testified or not. The [Special Counsel is] obviously threatening the witness to stop him from testifying-even truthfully.” Simmons, 670 F.2d at 369 (describing Smith, 478 F.2d at 979).

The message is clear: John Durham will keep his investigation open indefinitely so he can threaten to prosecute anyone for testimony that doesn’t confirm his preconceived prior beliefs, even on things that make the strained Sussmann charge look conventional by comparison.

Durham doesn’t want truthful testimony. He wants testimony that will bolster his conspiracy theories. And he’s willing to continue indefinitely to get it.

Before John Durham’s Originator-1, There Was a Claimed BGP Hijack

In this post, I described that “Phil,” the guy I went to the FBI about because I suspected he had a role in the Guccifer 2.0 persona, had a role in the Alfa Bank story. As noted, Phil’s provable role in pushing the Alfa Bank story in October 2016 was minor and would have no effect on the false statement charge — for an alleged lie told in September 2016 — against Michael Sussmann. But because of Durham’s sweeping materiality claims, it might have an impact on discovery.

It has to do with the theory that Alfa Bank has about the DNS anomalies, a theory that Durham seems to share: that the data was faked.

As Alfa laid out in its now abandoned John Doe lawsuits, it claims that the anomalous DNS traffic that Michael Sussmann shared with the FBI in September 2016 was faked. The bank appears to believe not just that the data was faked, but that April Lorenzen is involved in some way. For example, it describes that Tea Leaves and “two accomplices” were sources for Franklin Foer (though elsewhere, the lawsuit claims that Tea Leaves was pointed to the data by the unknown John Doe defendants).

Durham seems even more sure that Lorenzen is the culprit. For example, he always refers to the data as “purported.” He refers to Lorenzen as “Originator-1” rather than “Data Scientist-1” or “Tea Leaves,” insinuating she fabricated the data. And when Sussmann asked for all evidence indicating that Durham had bullied witnesses, Durham provided emails involving Lorenzen’s lawyers.

Alfa Bank might be excused for imagining that Lorenzen is the primary culprit to have fabricated the data. According to Krypt3ia, when Alfa asked him for his communications, he only had one email, with a different journalist, to share. They quite clearly don’t understand that someone else was involved in publicizing these claims.

Durham doesn’t have the same excuse.

That’s because DOJ – of which Durham remains a part – knows at least some of the details about “Phil” that I laid out in my last post. Because they would have checked Twitter to vet some of my most basic claims, they almost certainly obtained the Twitter DMs (or at least the metadata) showing that Phil brokered the tie between Krypt3ia and the NYT.

To be clear: I have no evidence that Phil altered the DNS records. I’m agnostic about what caused the anomaly (though am convinced that the experts involved believe the anomaly is real, even if they offer varying explanations for the cause). But Durham has made the source of the anomaly an issue to bolster his claims about materiality. And, as Sussmann noted in a recent filing, “Much as the Special Counsel may now wish to ignore the allegations in the Indictment, he is bound by them.” So, it seems, Durham’s on the hook for telling Sussmann if DOJ knows of anyone else involved in pushing the Alfa Bank story who could be a possible culprit for fabricating the data, especially if that person was known to have clandestinely signed a comment, “Guccifer 2.0.”

Phil probably faked a BGP hijack

The fact that Phil alerted the NYT to the Russian proxy of Lorenzen’s data matters not just because he had, months earlier, claimed to work for an FSB-led company and, even before that, claimed to have been coerced by Russian intelligence at an overseas meeting before the known DNC operation started.

It also matters because (I believe) Phil faked an Internet routing record in the same month the Alfa/Trump/Spectrum anomalies started.

In May 2016, Phil shared what he claimed was a traceroute of a request to my site: a record of the network path packets took, which is different from but related to the DNS records at the heart of the Alfa Bank story. The screencap he sent me purported to show that a request to my site had been routed through (to the best of my memory) some L3 routers in Chicago, to Australia, back to those L3 switches, to my site. Phil was claiming to show me proof that someone had diverted requests to my site overseas along the way – what is known as a BGP hijack. Phil showed this to me in the wake and context of a DDOS attack that had brought my site down for days, an attack which led me to rebuild my site, change hosts, and add Cloudflare DDOS protection.

May 2016, the month Phil showed me what I believe to be a faked traceroute, is the same month the anomalous traffic involving Alfa Bank, Spectrum Health, and a Trump-related server started.

Phil used that traceroute to claim that the US intelligence community was diverting and spying on traffic to my website.

The claim made no sense. The only thing that diverting my traffic would get spies is access to my readers’ metadata, which would be readily accessible via easier means, including with a subpoena to my host provider. Aside from a bunch of drafts that I’ve decided didn’t merit publication, there’s no non-public content on my site. I was not competent (and did not ask others) to assess the validity of the screencap itself, but I considered it unreliable because it didn’t show the query or originating IP address behind the record, which would be needed to test its provenance.

I don’t have that original traceroute (I replaced my phone not long after he sent it). But in June 2016 he shared a reverse DNS look-up related to my site that wasn’t altered but in which Phil invoked the earlier one.

I corrected him in this case – this IP address was readily explainable; it was Cloudflare (which Phil surely knew). But Phil nevertheless repeated his earlier claim that “they” were hijacking my traffic.
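As an added example (not from the original post, and not the screencap described above), here are the two checks a practitioner would apply before accepting such a traceroute as evidence of a BGP hijack: a speed-of-light test on each hop’s round-trip time against the city its hostname claims, and the provenance test applied above (no target line or no originating address means the output cannot be tied to any vantage point). The hostnames, the RFC 5737 documentation addresses, the three-city gazetteer and the assumption that carriers embed airport-style city codes in router names are all constructed for the example.

```python
# Added example: sanity-check a traceroute before treating it as proof of a
# BGP hijack.  (1) Physics: a hop cannot answer faster than light in fibre
# can make the round trip to the place its hostname claims.  (2) Provenance:
# output with no target line and no originating address proves nothing.
# Hostnames, addresses and the gazetteer below are constructed.
import math
import re
from dataclasses import dataclass

KM_PER_MS_IN_FIBRE = 200.0  # light in fibre is roughly 2/3 c: ~200 km per ms

# Assumption: router hostnames carry an airport-style city code (chi1, syd1, ...).
CITY_COORDS = {
    "chi": (41.88, -87.63),    # Chicago
    "syd": (-33.87, 151.21),   # Sydney
    "lax": (34.05, -118.24),   # Los Angeles
}

HEADER_RE = re.compile(r"^traceroute to (\S+) \(([\d.]+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)\s+([\d.]+) ms")


@dataclass
class Hop:
    ttl: int
    host: str
    ip: str
    rtt_ms: float


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def min_rtt_ms(origin_city, hop_city):
    """Lowest round-trip time physically possible between two cities."""
    return 2 * haversine_km(CITY_COORDS[origin_city], CITY_COORDS[hop_city]) / KM_PER_MS_IN_FIBRE


def city_of(host):
    """Pull a known city code out of a router hostname, or None if unlabeled."""
    for token in re.split(r"[.\-]", host.lower()):
        for code in CITY_COORDS:
            if token.startswith(code):
                return code
    return None


def parse_traceroute(text):
    target, hops = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            target = (m.group(1), m.group(2))
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(int(m.group(1)), m.group(2), m.group(3), float(m.group(4))))
    return target, hops


def check_traceroute(text, origin_city, origin_ip=None):
    """Return the parsed hops plus every reason the output should not be trusted."""
    target, hops = parse_traceroute(text)
    findings = []
    if target is None:
        findings.append("no target line: cannot tell what was queried")
    if origin_ip is None:
        findings.append("no originating address: cannot tie the path to a vantage point")
    impossible = []
    for hop in hops:
        city = city_of(hop.host)
        if city is None:
            continue  # unlabeled hop: nothing to test against
        floor = min_rtt_ms(origin_city, city)
        if hop.rtt_ms < floor:
            impossible.append((hop.ttl, hop.host, hop.rtt_ms, round(floor, 1)))
            findings.append(f"hop {hop.ttl} {hop.host}: {hop.rtt_ms} ms is below the "
                            f"{floor:.1f} ms speed-of-light floor from {origin_city}")
    plausible = target is not None and origin_ip is not None and not impossible
    return {"target": target, "hops": hops, "impossible": impossible,
            "findings": findings, "plausible": plausible}


# Constructed sample: a "Chicago -> Sydney -> Chicago" path with a 12 ms
# Sydney hop that no real router could return from a Chicago vantage point.
SAMPLE_CLAIMED_HIJACK = """\
traceroute to example-site.test (203.0.113.10), 30 hops max
 1  gw.example.test (192.0.2.1)  1.2 ms
 2  ae1.chi1.example.test (192.0.2.20)  8.5 ms
 3  ae2.syd1.example.test (192.0.2.30)  12.0 ms
 4  ae1.chi1.example.test (192.0.2.20)  14.1 ms
 5  203.0.113.10 (203.0.113.10)  16.3 ms
"""

# Constructed sample: an ordinary path through Los Angeles.
SAMPLE_NORMAL = """\
traceroute to example-site.test (203.0.113.10), 30 hops max
 1  gw.example.test (192.0.2.1)  1.2 ms
 2  ae1.chi1.example.test (192.0.2.20)  8.5 ms
 3  ae3.lax1.example.test (192.0.2.40)  45.0 ms
 4  203.0.113.10 (203.0.113.10)  48.2 ms
"""

if __name__ == "__main__":
    for name, text in (("claimed hijack", SAMPLE_CLAIMED_HIJACK), ("normal", SAMPLE_NORMAL)):
        result = check_traceroute(text, origin_city="chi", origin_ip="192.0.2.100")
        print(name, "plausible" if result["plausible"] else "NOT plausible")
        for finding in result["findings"]:
            print("  -", finding)
```

The Sydney hop fails because Chicago to Sydney and back is roughly 30,000 km of fibre, which cannot be covered in under about 150 ms, so a 12 ms answer from a hop labeled Sydney means either the label or the number was edited. The same habit of checking an address against what it is supposed to be resolves the June reverse-DNS confusion: once a site sits behind Cloudflare, an address in Cloudflare’s published ranges is expected, not evidence of diversion.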

When I said that Phil had been tracking how requests to my site worked for some time before he left a comment signed [email protected] in July 2016, this weeks-long exchange is what I was referring to. He had, effectively, been watching as I added Cloudflare protection to my site.

These screencaps show that Phil, who months later would play a role in pushing the Alfa Bank story, was using network records — a real reverse DNS look-up and a possibly faked traceroute — as props in a false story.

Phil tracked DOD contracts closely

That’s not the only detail that DOJ may know about that Durham should consider before insinuating that Lorenzen is the most likely culprit if this data was fabricated. DOJ may know that Phil tracked DOD contracts very closely. That’s important because it explains how Phil could have learned researchers would be looking closely at DNS records.

For years, I’ve believed that the Alfa-Trump-Spectrum Health effort was disinformation, because so much of what came out that year was and because I viewed the Spectrum Health stuff to be such a reach. My belief it might be disinformation only grew stronger when I discovered the focus on Spectrum Health, with its link to Erik Prince’s sister’s spouse, came just after Prince had asked Roger Stone about his efforts to reach out to WikiLeaks.

Certainly, Putin exploited the allegations afterwards to his advantage. He used them to push Alfa Bank’s Petr Aven to take a primary role in reaching out to Trump during the transition, at least as recounted in the Mueller Report.

According to Aven, at his Q4 2016 one-on-one meeting with Putin,[981] Putin raised the prospect that the United States would impose additional sanctions on Russian interests, including sanctions against Aven and/or Alfa-Bank.[982] Putin suggested that Aven needed to take steps to protect himself and Alfa-Bank.[983]

[981] At the time of his Q4 2016 meeting with Putin, Aven was generally aware of the press coverage about Russian interference in the U.S. election. According to Aven, he did not discuss that topic with Putin at any point, and Putin did not mention the rationale behind the threat of new sanctions

Aven even used Richard Burt, one of the people scrutinized by the Fusion and DNS research, to reach out to Trump, effectively pursuing precisely the back channel between Alfa and Trump that Fusion suspected months earlier.

The relevant part of Aven’s interview is redacted, so it’s not clear whether Aven mentioned that Alfa Bank had been a key focus of the interference allegations. But that’s the presumptive subtext: along with the Steele dossier, the DNS anomaly – both of which, in several lawsuits since, Aven or Alfa have claimed were “gravely damaging” – raised suspicions about Alfa Bank and made it more likely the bank would be sanctioned than had been the case previously.

And before the bank did get sanctioned last month, Alfa was using the DNS anomaly to conduct a lawfare campaign to learn how the US uses DNS tracking to thwart hacks (one wonders if Putin ordered that campaign, like he personally ordered Aven to reach out to Trump). That campaign even got a bunch of frothy right-wingers to decry efforts to prevent and detect nation-state hacks on the US. So at the very least, Russia has exploited the Alfa-Trump allegations to great benefit, one measure of whether something could be deliberate disinformation.

But as I’ve talked to people who’ve tried to figure out what the anomaly was – including experts who believed it did reflect real communication as well as some who didn’t – they always explained that seeding disinformation in such a fashion would be useless. That’s because you couldn’t ensure that any disinformation you planted would be seen. That is, unlike the Steele dossier, which was being collected by an Oleg Deripaska associate and shared with the press (and for which there’s far more evidence Russia used it to plant disinformation), you could never expect the disinformation to be noisy enough to attract the desired attention.

In the years since the original story, how researchers who found the anomalous data obtained the DNS data has driven a lot of the hostility behind it. The researchers have tried to hide where they got the data for proprietary and cybersecurity reasons. John Durham has alleged there was some legal impropriety behind using it, even when used (as the researchers understood they were doing) to research ongoing nation-state hacks. And Alfa Bank was using lawfare to try to find out as much about the means by which this DNS traffic was observed by cybersecurity experts as possible. The full story of how the researchers accessed the data has yet to be reported, but as I understand it, there’s more complexity to the question than initially made out or than has made it into Durham’s court filings. That complexity would make it even harder to anticipate where DNS researchers were looking. So, multiple experts told me, it would be crazy to imagine anyone would have thought to seed disinformation in DNS records expecting it’d get picked up via those collection points in 2016, because no one would have expected anyone was observing all those collection points.

If a Fancy Bear shits in the DNS woods but there’s no one there to see it, did it really happen?

But there was, in fact, a way to anticipate it might get seen.

As the Sussmann indictment vaguely alluded to and this NYT story laid out in detail, researchers found the DNS anomalies in the context of preparing a bid for a DARPA research contract.

The involvement of the researchers traces back to the spring of 2016. DARPA, the Pentagon’s research funding agency, wanted to commission data scientists to develop the use of so-called DNS logs, records of when servers have prepared to communicate with other servers over the internet, as a tool for hacking investigations.

DARPA identified Georgia Tech as a potential recipient of funding and encouraged researchers there to develop examples. Mr. Antonakakis and Mr. Dagon reached out to Mr. Joffe to gain access to Neustar’s repository of DNS logs, people familiar with the matter said, and began sifting them.

Separately, when the news broke in June 2016 that Russia had hacked the Democratic National Committee’s servers, Mr. Dagon and Ms. Lorenzen began talking at a conference about whether such data might uncover other election-related hacking.

The DOD bidding process provided public notice that DARPA was asking researchers to explore multiple ways, including DNS traffic, to attribute persistent hacking campaigns in real time.

The initial DARPA RFP was posted on April 22, 2016, ten days before the anomalous traffic started but well after the Russian hacking campaign had launched (documents FOIAed by the frothers reveal that the project was under discussion for months before that). This RFP provided a way for anyone who tracked DOD contracts closely to know that people would be looking and the announcement itself included DNS records and network infrastructure among its desired measurements. Depending on the means by which DARPA communicated about the contract, it might also provide a way to find out who would be looking and how and where they would be looking, though as I understand it, the team at Georgia Tech would have been an obvious choice in any case.

Phil tracked DOD contracts very closely. In September 2016, for example, he sent me a text alerting me to a new Dataminr contract just 66 minutes after I published a post about the company (I later wrote up the contract).

Phil also told me, verbally, he was checking what contracts DOD had with one of the US tech companies for which a back door was exposed in summer 2016. He claimed he was doing so to see how badly the government had fucked itself with its failure to disclose the vulnerability. By memory (though I am not certain), I believe it was Juniper Networks, in the wake of the Shadow Brokers release of an NSA exploit targeting the company.

And even on top of Phil’s efforts to convince me that the DNC hack wasn’t done by APT 28, DOJ has other evidence that Phil tracked APT attribution efforts closely, even using official government resources to do so. So it would be unsurprising if he had taken an interest in a contract on APT attribution in real time.

Durham may have access to some or all of this

Durham insinuates the DNS records are faked and he appears to want to blame Lorenzen for faking them. But he may be ignoring evidence in DOJ’s possession that someone else who, I’ve now confirmed, played at least a minor role in pushing the Alfa Bank story was using Internet routing records, possibly faked, to support a false story in May 2016.

To be sure: while I know the investigation into Phil continued at least the better part of a year after my FBI interview about him, any feedback I’ve gotten about that investigation has been deliberately vague. So aside from the obvious things – like the Twitter records that would show Phil’s DMs with Krypt3ia and Nicole Perloth – I can’t be sure what is in DOJ’s possession.

I don’t even know whether the 302 from my FBI interview would mention Phil’s pitch of the Alfa Bank story to me. It was on a list of the things I had intended to describe in that interview. But I didn’t work from the list in the interview itself and I have no affirmative memory of having mentioned it. If I did, it would have amounted to me saying little more than, “he also was pushing the Alfa Bank story.”

That said, unless the FBI agents were epically incompetent, my 302 should mention Alfa Bank, because I’m absolutely certain I raised this post and its emphasis on the inclusion of Alfa Bank in an alarming April 2017 BGP hijack.

And in fact, there’s a way Durham could have found out about Phil’s role in the Alfa Bank story independent of my FBI interview. Of just two people in the US government with whom I shared some of the Alfa Bank-related texts I exchanged with Phil (both were Republicans), one was centrally involved in the investigations that fed into the Durham investigation. If this stuff matters, Durham should ask why several of his key source investigations didn’t focus on it.

Durham should know that Phil had a role in the Alfa Bank story.

And given his insinuations in the indictment that Lorenzen fabricated DNS data in May 2016, making the insinuation part of his materiality claims, Durham may be obligated to tell Michael Sussmann that DOJ already knows of someone who was pushing the Alfa Bank story who used DNS data to tell a false story in May and June 2016.

The Alfa Bank Dark Net at Noon

Before its John Doe nuisance lawsuits got shut down by Vladimir Putin’s invasion of Ukraine, Alfa Bank made several claims that led me to chase down a minor – but potentially important – part of the Alfa Bank story.

Someone totally uninvolved in the Michael Sussmann/Fusion/April Lorenzen effort played a role in making their efforts public in 2016: “Phil,” the guy about whom I went to the FBI in 2017. As I told the FBI, I suspected he had played a role in the Guccifer 2.0 and Shadow Brokers operations.

This post will focus on what Alfa Bank got wrong. A follow-up post will look at why, if John Durham made the same error, it may matter for the Michael Sussmann case.

Someone exposes Tea Leaves’ research via Krypt3ia

At issue is this post on the eponymously-named InfoSec blog Krypt3ia. As the post describes, someone tipped Krypt3ia off to a WordPress site and a purported i2p site (also called an “eepsite”) that laid out a version of the claims that Michael Sussmann had shared with the FBI and the NYT in September 2016.

Those claims are at the heart of the false statement charge against Sussmann.

Along with the basic allegations about weird DNS look-ups between servers from Alfa Bank and Spectrum Health and a Trump marketing server, those sites also revealed that after the NYT called Alfa Bank for comment about the DNS anomaly in September 2016, the Trump DNS address changed. This is the digital equivalent of someone changing their phone number after discovering they were being surveilled. The seeming response by Trump to the NYT call to Alfa for comment has always been regarded as the smoking gun showing human acknowledgement of the communications (a report from Alfa Bank attempted, unpersuasively, to contest that).
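As an added illustration, not code from the original post and not the researchers’ own tooling, here is the kind of passive-DNS check that surfaces exactly this pattern: a name that resolved steadily, then stopped resolving, while the same few clients kept asking for it. The log lines, names and client addresses (RFC 5737 documentation ranges) are constructed, not real records, and the five-column layout is an assumed format, not any vendor’s.

```python
# Added example: find names that "went dark" in passive-DNS logs while the
# clients that used them kept querying, and separate that from a name that
# simply did not exist yet.  Records below are constructed, not real data.
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed passive-DNS lines: time, client, qname, rcode, answer.
SAMPLE_LOG = """\
2016-09-19T09:00:00Z 198.51.100.7 mail1.example-corp.test NOERROR 203.0.113.45
2016-09-19T09:30:00Z 192.0.2.200 newbox.example-corp.test NXDOMAIN -
2016-09-19T11:00:00Z 192.0.2.200 mail1.example-corp.test NOERROR 203.0.113.45
2016-09-20T09:00:00Z 198.51.100.7 mail1.example-corp.test NOERROR 203.0.113.45
2016-09-21T09:00:00Z 198.51.100.7 mail1.example-corp.test NOERROR 203.0.113.45
2016-09-21T10:00:00Z 203.0.113.99 www.example-corp.test NOERROR 203.0.113.10
2016-09-23T09:00:00Z 198.51.100.7 mail1.example-corp.test NXDOMAIN -
2016-09-24T09:00:00Z 198.51.100.7 mail1.example-corp.test NXDOMAIN -
2016-09-25T09:00:00Z 198.51.100.7 mail1.example-corp.test NXDOMAIN -
2016-09-25T09:05:00Z 192.0.2.200 mail1.example-corp.test NXDOMAIN -
2016-09-26T09:00:00Z 203.0.113.99 www.example-corp.test NOERROR 203.0.113.10
2016-09-26T12:00:00Z 192.0.2.200 newbox.example-corp.test NOERROR 203.0.113.77
"""


@dataclass
class Record:
    ts: datetime
    client: str
    qname: str
    rcode: str
    rdata: str


def parse_log(text):
    """Parse the assumed five-column format into Record objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode, rdata = line.split()
        records.append(Record(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                              client, qname.lower(), rcode, rdata))
    return records


def summarize(records):
    """Per-name view: when it last resolved, when it went dark, who kept asking."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r.qname].append(r)
    summary = {}
    for qname, rs in by_name.items():
        rs.sort(key=lambda r: r.ts)
        ok = [r for r in rs if r.rcode == "NOERROR"]
        last_ok = ok[-1].ts if ok else None
        # Only NXDOMAIN answers after the last successful one mean the name was
        # removed; NXDOMAIN before the first NOERROR is a name being created.
        dark = [r for r in rs
                if r.rcode == "NXDOMAIN" and last_ok is not None and r.ts > last_ok]
        clients_before = {r.client for r in ok}
        clients_after = {r.client for r in dark}
        summary[qname] = {
            "went_dark": bool(dark),
            "last_ok": last_ok,
            "first_nxdomain": dark[0].ts if dark else None,
            "distinct_clients": len({r.client for r in rs}),
            "persistent_clients": sorted(clients_before & clients_after),
            "queries_by_client": dict(Counter(r.client for r in rs)),
        }
    return summary


def flag_suspicious(summary):
    """Names that went dark while the clients that had used them kept asking."""
    return sorted(q for q, s in summary.items()
                  if s["went_dark"] and s["persistent_clients"])


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    for q in flag_suspicious(s):
        print(q, "went dark after", s[q]["last_ok"].isoformat(),
              "still queried by", s[q]["persistent_clients"])
```

The point of the edge case is that a bare NXDOMAIN count proves nothing: `newbox` produces one too, but before the name ever resolved. Only the combination of a prior steady resolution, a later NXDOMAIN, and the same handful of clients still querying is the “disconnected phone number” signature the post describes.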

By connecting to a Russian-hosted proxy service, the Krypt3ia post about all this added an element of Russian mystery to the story. But that’s it. The post offered no other new content.

The Krypt3ia post is more important for the function it played than its content. Krypt3ia’s post served to make the contents of a publicly available but difficult to find i2p site – believed to be created by data scientist April Lorenzen, but written under the pseudonym Tea Leaves – accessible.

In response to tips from source(s) of his, Krypt3ia focused attention on a series of communications, none tied in his post to a then-identified person. First, someone alerted him to the WordPress site. That site spoke of Tea Leaves as a third person; there was never a pretense that it was Tea Leaves or Lorenzen. Krypt3ia learned of that WordPress site because someone approached Krypt3ia, purportedly asking for help finding an incomplete i2p address listed in the post.

I caught wind of the site when someone asked me to look at an i2p address that they couldn’t figure out and once I began to read the sites [sic] claims I thought this would be an interesting post.

That tip led Krypt3ia to find what was actually a proxy allowing access to a real i2p site – the one that injected an air of Russian mystery to the story.

First off, the i2p address in the WordPress site is wrong from the start. Once I dug around I found that the real address was gdd.i2p.xyz which is actually a site hosted on a server in Moscow on Marosnet.

That led Krypt3ia to ask whether anyone at NYT wanted to verify the claim that Trump Organization seemingly took action after NYT called Alfa.

I also have to wonder about this whole allegation that a NYT reporter asked about this.

Say, any of you NYT’s people out there care to respond?

Ask and you shall receive! Someone–as I lay out below, I have confirmed that this was “Phil”–put Krypt3ia in touch with a NYT reporter.

First off, someone in my feed put me in touch with the NYT and a reporter has confirmed to me that what the site says about NYT reaching out and asking about the connections, then the connections going bye bye is in fact true.

[snip]

The biggest takeaway is that the NYT confirmed that they asked the question and shit happened. They are still looking into it.

In an update, someone purporting to be Tea Leaves responded to Krypt3ia via an untraceable Tutanota email account, and in response, Krypt3ia posed a bunch of questions, only to get no answer. That non-answer was a key reason why Krypt3ia later treated the allegations as a fraud – an opinion that Alfa Bank, at least, used to bolster their own claims of fraud.

As Krypt3ia mused in real time, it seemed that the entire point of the tips he was receiving was focusing attention on the allegations themselves. Except, if your goal was to release a story that might swing an election, it was a really weird way of doing so.

One does wonder though just who might be trying this tac to attempt to cause Donny trouble. It seems a half assed attempt at best or perhaps they were not finished with it yet.. But then why the tip off email to someone who then got in touch with me? Someone I spoke to about this alluded to maybe that was the plan, for me to blog about this from the start..

[snip]

I have to say it though, these guys are trying to get the word out but in a strange way. I mean this eepsite is now hosted in Czechoslovakia, staying with the Baltic flavor but why not broadcast this more openly? Why does the WordPress site have the wrong address to start and then the other eepsite disappears after a little poking and prodding?

There are at least four unattributed or unattributable communications that appeared in this post: an email to someone who, in turn, got in touch with Krypt3ia; a tip about the WordPress site (presumably from the person who got the email) and through it to the i2p gateway; the contact with the unnamed NYT reporter; and the email from someone claiming to be Tea Leaves via a service that made it impossible to prove it was the person who originally adopted that pseudonym.

Notably, this all happened between October 5, 2016 – before the Podesta drop and the DHS attribution of the DNC hack to Russia – and the days after it. Krypt3ia was checking out the i2p proxy on October 7, at 3:08PM ET – less than half an hour before DHS would release an unprecedented attribution statement, followed shortly by the Access Hollywood video, followed shortly by the first Podesta email drop. Krypt3ia wrote his post the following day.

i2p sites aren’t supposed to get noticed

To understand why using Krypt3ia to get noticed is so weird, you need to understand a little about i2p.

i2p is an anonymity overlay network, like Tor, that hides who is talking to whom. Even today it is far less accessible than Tor (and it was even more so in 2016). Krypt3ia could credibly access it; I couldn't have. Reporter Eric Lichtblau or Fusion GPS' Laura Seago probably couldn't have either. Normally you need either a special browser setup (an i2p router plus a browser configured to proxy through it) or a gateway to access an eepsite. Importantly, the public DNS data that was at the heart of the project that discovered the Alfa Bank anomalies doesn't exist for i2p: .i2p names are resolved inside the network, from a local address book or a self-certifying .b32.i2p address, not by the public DNS. You can't just Google for a site.

If data scientist April Lorenzen put her research on an i2p site, as alleged, she may have done so to limit who noticed it and her role in it.

It didn’t work out that way.

(Note, because the Durham investigation remains ongoing, I am not contacting her or her lawyers for comment or others who are obviously still the focus of Durham’s investigation.)

Krypt3ia didn’t link directly to her i2p site at first. He started by linking a gateway, which would be accessible to mere mortals who don’t have an i2p browser or technical prowess. His second link may have been a different gateway – again, a link readily accessible to people without using special software. It was one of these links that got sent around by journalists and researchers.

That’s what I mean about content versus function: Krypt3ia added no new content to this story. He did, however, make parts of it accessible to people – like reporters – who would otherwise never have found it.

A comment purportedly from Lorenzen sent to Krypt3ia’s site, playing on Tea Leaves’ name, expressed (or feigned) surprise at finding what the email called a mirror (but which was a proxy).

Thank you to https://krypt3ia .wordpress.com for pointing out a possible mirror of this (the original, what you are reading, http://gdd.i2p). We did not know about gdd.i2p.xyz until hearing about it from Krypt3ia. So we did a little research and see that i2p.xyz has been around for years and appears to mirror a lot of *.i2p sites. *i2p.xyz probably functions as an alternative for everybody that doesn’t have the skills to reach an i2p site :)

Next question, why would somebody first mirror – and then drop their mirror – of our http://gdd.i2p website. The following is just speculation: maybe normally i2p.xyz just mirrors everything but oops! Something hot – drop the mirror. I don’t know. I didn’t try to visit it. Mirrors of course could choose to alter content and measure who visits. We have no such opportunity to see who is visiting our real i2p site.

Whoever wrote the email, it emphasized how the proxy was different from the "real i2p site": the proxy "functions as an alternative for everybody that doesn't have the skills to reach an i2p site," but it also can "measure who visits," whereas a "real i2p site" cannot.

Whatever the story behind the Krypt3ia post, it made clear that researchers who believed they could find hackers by looking at public DNS data couldn't hide what they were doing, even on a network designed to resist tracking: once a clearnet proxy sat in front of the eepsite, whoever ran that proxy could see who fetched the page. It made clear their efforts to look for Russian hackers in DNS data had been seen.
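To make the naming point concrete, here is a small added example (mine, not anything from Krypt3ia, Tea Leaves or the original post) that shows why a native eepsite name never touches the public DNS while a "gateway" name like gdd.i2p.xyz does. It parses an i2p-style addressbook (hosts.txt lines of the form `name.i2p=<destination in i2p's base64 variant>`), derives the self-certifying `.b32.i2p` address from a destination (SHA-256 of the destination blob, lowercase base32, no padding), and classifies a URL as eepsite, in-proxy or ordinary clearnet. The destination bytes and the hosts.txt content are constructed for the example; the hostnames are the ones that appear in the post.

```python
"""Added example: why a *.i2p name cannot be Googled and why a clearnet
in-proxy in front of it is a different animal. The addressbook entry and
destination bytes below are synthetic (constructed for this example)."""
import base64
import hashlib
from urllib.parse import urlsplit

# I2P's base64 alphabet is the standard one with '+' -> '-' and '/' -> '~'.
STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
I2P_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-~"
_TO_STD = str.maketrans(I2P_B64, STD_B64)
_TO_I2P = str.maketrans(STD_B64, I2P_B64)


def i2p_b64decode(text: str) -> bytes:
    """Decode a destination written in I2P's base64 variant."""
    return base64.b64decode(text.translate(_TO_STD))


def i2p_b64encode(raw: bytes) -> str:
    """Encode bytes in I2P's base64 variant (used in hosts.txt)."""
    return base64.b64encode(raw).decode("ascii").translate(_TO_I2P)


def b32_address(destination: bytes) -> str:
    """Self-certifying address: base32(sha256(destination)) + '.b32.i2p'.
    No registry or DNS is involved; the name is derived from the keys."""
    digest = hashlib.sha256(destination).digest()
    b32 = base64.b32encode(digest).decode("ascii").rstrip("=").lower()
    return b32 + ".b32.i2p"


def parse_hosts_txt(text: str) -> dict:
    """Parse addressbook lines 'name.i2p=<i2p-base64 destination>'.
    This file lives on the user's own router; nothing is looked up remotely."""
    book = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, dest = line.partition("=")
        book[name.strip().lower()] = i2p_b64decode(dest.strip())
    return book


def classify(url: str, book: dict) -> dict:
    """Say how a URL's host gets resolved and who sits between visitor and site."""
    host = (urlsplit(url).hostname or "").lower()
    if host.endswith(".b32.i2p"):
        return {"host": host, "kind": "eepsite", "resolver": "self-certifying b32",
                "dns": False, "third_party_can_log": False}
    if host.endswith(".i2p"):
        dest = book.get(host)
        return {"host": host, "kind": "eepsite", "resolver": "local addressbook",
                "b32": b32_address(dest) if dest else None,
                "dns": False, "third_party_can_log": False}
    # Anything else is an ordinary public-DNS name. A name like gdd.i2p.xyz
    # is an in-proxy: its operator terminates the visitor's connection and
    # can log who fetched the page, which the real eepsite cannot.
    labels = host.split(".")
    inproxy = "i2p" in labels[1:]
    return {"host": host, "kind": "inproxy" if inproxy else "clearnet",
            "resolver": "public DNS", "dns": True, "third_party_can_log": True}


# Constructed sample data (not a real router's keys): 387 synthetic bytes.
SAMPLE_DESTINATION = bytes((i * 7) % 256 for i in range(387))
SAMPLE_HOSTS_TXT = "# constructed addressbook\ngdd.i2p=" + i2p_b64encode(SAMPLE_DESTINATION) + "\n"


if __name__ == "__main__":
    book = parse_hosts_txt(SAMPLE_HOSTS_TXT)
    for url in ("http://gdd.i2p/", "http://gdd.i2p.xyz/", "https://krypt3ia.wordpress.com/"):
        print(classify(url, book))
```

The three hosts the post mentions come out as eepsite (resolved from the local addressbook, with a derived .b32.i2p form), in-proxy (public DNS, operator can log), and clearnet. That is the whole difference the Tea Leaves comment was pointing at.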

Alfa Bank alleges the Krypt3ia notice is part of an imagined conspiracy targeting the bank

It also appears to have convinced Alfa Bank that Krypt3ia was a key cog in the publication of this story. Their lawsuit claimed that,

The scientists and researchers who obtained the nonpublic DNS data deliberately leaked portions of that data to other scientists and researchers and, ultimately, to the media.

Depositions in the Alfa Bank lawsuit make it clear that Alfa believed (presumably because of those characteristics about i2p) that Fusion GPS must have been behind the effort to alert Krypt3ia to the research site and, via his post, to alert the public.

In a February 10 bid to overcome privilege claims that Fusion GPS’ Laura Seago had previously made, Alfa Bank lawyer Margaret Krawiec argued that Seago must have breached any privilege by sharing information from the publicly posted Tea Leaves information. Krawiec’s logic was that someone internal to the privilege claims asserted by Perkins Coie must have told Seago where the i2p site was, because otherwise there would be no way she could find it.

Krawiec: So, your honor, let me jump in there because one of the things that happened is that we were trying to understand how it was that Ms. Seago knew that this data had been published on the internet because it was published in an obscure place in the internet by this Tea Leaves that I told you about.

And then what Fusion did was – so we asked about that. We said, “How did you know where to look for that data? Who told you?” Cut off, instruction not to answer, privileged. But guess what they did with those links of that data? They took that data that someone told them because no one would have known to find it where it was unless someone told them.

And they wouldn’t tell us who told them or how they found it, but then they took all those links – the supposed public source research – and disseminated it to seven or eight media outlets saying you have to check this out. This is big stuff.

Fusion’s lawyer Joshua Levy countered that the link and the site itself were public.

Levy: If you – if you take the example that Alfa-Bank’s lawyer just presented to the Court, the link that someone at Fusion had circulated to a reporter, that link is a link to the internet. It’s a publicly available link, right?

The link – it’s, it’s like sending a New York Times article to a reporter at the Washington Post. Have you – have you seen this article? You should look at it. It’s interesting. Here’s a link. It happens to do with the subject matter which (indiscernible) is fascinated, [sic] but it’s a publicly available link.

Ms. Seago may have had communications internally at Fusion about that link. Those are privileged communications, but the link itself is available online for the Court, for me, for Ms. Krawiec. It’s public. There’s, there’s nothing confidential about that link.

Alfa’s lawyer responded by arguing that because an i2p site was so difficult to find, Seago’s knowledge of its location must have come from privileged information, and because she subsequently shared a link to a gateway with journalists, she had waived privilege.

Krawiec: Your Honor, I can tell you that where this link was when it was on the internet, you, myself, Mr. Levy, no one could have found that by doing a basic Google search. They were instructed where to find it in this obscure location.

And all we were trying to understand is who instructed them because the person who posted it was Tea Leaves, the anonymous computer scientist who had this computer data.

Alfa’s lawyer argued, not unreasonably, that because Tea Leaves’ site could not have been discovered by a Google search, someone connected to Tea Leaves must have told Fusion where it was, and because Fusion, in turn, shared a link to it, any privilege around Fusion’s discussions about Tea Leaves had therefore been breached.

Alfa’s focus on how Tea Leaves’ i2p site became public continued during a February 14 deposition of Peter Fritsch. In it, Alfa raised an email from Seago to Fritsch describing that Krypt3ia had become aware of Tea Leaves’ work; Fritsch pled the Fifth in response to questions about it. By the time Krypt3ia posted, it seems likely, Fusion already knew April Lorenzen was involved.

But in the Seago hearing, Fusion lawyer Joshua Levy stated clearly that, “Our client didn’t move that specific communication –” pushing Tea Leaves’ information (from the context, it’s unclear to me whether this was a link directly to a gateway to Tea Leaves’ i2p site or one that involved Krypt3ia). Elsewhere Levy explained that Mark Hosenball had sent the link to Fusion which, in turn, sent it out to other journalists.

Fusion’s claims are consistent with them knowing of Lorenzen’s work before the Krypt3ia post, but having nothing to do with the Krypt3ia post and/or public links directly to Lorenzen’s site.

“Phil” hooked Krypt3ia up with the NYT

Alfa Bank seems to doubt Fusion’s denials that they were behind all those levels of notice to Krypt3ia.

I have no idea who first alerted Krypt3ia to the WordPress site or the i2p site, and he says he doesn’t remember who did. I do know who hooked him up with the NYT.

As I noted when I criticized this story in 2016, I was pitched the Alfa Bank story, like the NYT. But unlike the NYT, I was not pitched it by the people Durham is trying to put in jail like Sussmann, the researchers, or Fusion GPS. I was pitched it by the guy whom I’ve referred to by the pseudonym “Phil,” the person I went to the FBI about in 2017. (This is a pseudonym and he has not been charged by DOJ.)

Not only did he pitch me on it, but he told me he was the one to have hooked Krypt3ia up with the NYT reporter.

The rest of our exchange is below…

The claim that Phil had introduced Krypt3ia to a NYT reporter was credible. At the time I knew of several NYT reporters he claimed to have ties to (at Phil’s request, I had introduced him to one of them, and I’ve confirmed his contacts with others since). He also publicly interacted with Krypt3ia on Twitter.

But I had never checked whether Phil had really introduced the NYT to Krypt3ia until the Alfa Bank filing that blamed that tie on Fusion.

Nicole Perlroth has confirmed it was Phil. As she described it, Phil basically pushed Krypt3ia on her (“Nicole: Krypt is a person who can be an invaluable resource on this”), specifically citing Krypt3ia’s expertise on the dark web, even while asking her to keep him (Phil) updated on when the story would be published.

When I asked Krypt3ia if it was possible that the same person alerted him to the i2p site as had connected him to a NYT journalist, he said he did not remember.

Do you know if the person who connected you with the NYT reporter was the same as the one who pointed out the mirror? As per your post? Or don’t you remember?

Honestly don’t remember. Did not take notes or anything, thought it all bullshit and some kind of game of disinformation.

Whether or not Phil had a role in first tipping Krypt3ia off to the i2p proxy, he had a role in making the NYT aware of a series of moving versions of that site, starting with the one in Russia.

Importantly, this is not the only attempt to broker these allegations that remains publicly unexplained. There’s another unexplained package of these allegations – a “mediafire” package first posted on Reddit – raised in the Alfa suit that Fusion disclaimed credit for.

At least one person pushing this story was (as far as I know) completely unrelated to the efforts Durham and Alfa have focused on. Given that April Lorenzen used a pseudonym for her efforts, it would have been easy to hijack those efforts. So until April Lorenzen certifies that all the communications posted under the name “Tea Leaves” out there are hers (including the comment attached to a Tutanota email in Krypt3ia’s post), neither should anyone assume she’s responsible for all of them.

Alfa Bank believed that the public notice of the Tea Leaves i2p site was proof that Fusion, and only Fusion, was dealing these allegations. The opposite is the case.

To be sure: that might have mattered if Vladimir Putin’s invasion hadn’t killed the Alfa Bank lawsuit. But Phil’s role in the Krypt3ia post doesn’t much matter to the Sussmann indictment. Sussmann’s alleged lie was on September 19, 2016, 16 days before the communications leading to the Krypt3ia post started. Nothing Phil did on October 8 and thereafter, it seems, could affect that alleged lie.

That said, Durham’s sprawling single-count indictment does include allegations about Sussmann’s outreach to the press that post-dates Phil’s involvement and may rely on it. Most notably, a paragraph describing that Sussmann emailed Lichtblau on October 10 encouraging him to send an opinion piece criticizing the NYT for its Trump coverage mentions that, “At or around that time, and according to public sources, [Lichtblau] was working on an article concerning the [Alfa Bank] allegations, but [Lichtblau’s] editors at [NYT] had not yet authorized publication of the article.” [my emphasis] Krypt3ia’s comment, “the NYT confirmed that they asked the question and shit happened. They are still looking into it” – a comment that indirectly involved Phil – is one of those public sources.

At the time, Phil was pushing a NYT article more aggressively than what Durham describes Sussmann doing, and he played at least some role in the public sources that reported NYT was working on an article.

So Phil’s involvement adds an important detail about how these claims were made public in the weeks leading up to the election, but none of that changes whether or not Sussmann lied to cover up Hillary and/or Rodney Joffe’s role in all this.

Update: I’ve corrected the post to reflect that the original site, hosted in Russia, was a proxy, not a mirror. Thanks to @i2p at geti2p.net for the corrections starting in this exchange.

Texts

The following includes all the Signal texts included in the exchange regarding the Alfa Bank DNS anomalies.

Two comments on these texts: I’m not sure what I meant in the text sent on October 9 at 10:51AM. I suspect I mistyped. I suspect I was trying to explain Betsy and Dick DeVos’ traditional role in the Republican party – money – was less urgent to Trump in October 2016 than some kind of credible Republican policy platform. 

I stand by everything else I said in these texts, though admit my observation about the adversity between UAE and Russia turned out to be hilariously and epically wrong, particularly as it pertained to Prince.

Whinger Verbs: To Investigate … To Prosecute … To Indict

Because Alvin Bragg chose not to prosecute Donald Trump, the whingers are out again complaining about Merrick Garland, who last I checked was an entirely different person.

I’ve copied the “Key January 6 posts” from my post showing what reporting on the January 6 investigation — rather than simply fear-mongering to rile up CNN viewers or your Patreon readers — really looks like below.

But for now I’d like to talk about the language the whingers use — those complaining that Merrick Garland hasn’t shown people who aren’t looking what DOJ is doing. It’s telling.

Take this post from David Atkins that opines, accurately, that “Refusing to Prosecute Trump Is a Political Act,” but which stumbles in its sub-head — “The evidence is clear. It’s time to prosecute the former president, and Merrick Garland shouldn’t wait.” — and then completely collapses when it asserts that there are just two possible reasons why Merrick Garland has not “prosecuted” Trump.

But there is a deeper question as to why Attorney General Merrick Garland and the DOJ have not prosecuted Trump. No one at the department is talking on the record, but there are only two possible answers—neither of which is satisfactory.

It is possible that prosecutors do not believe there is enough evidence against Trump to convince a jury of his guilt. I’m not a lawyer, but this seems somewhat difficult to believe.

[snip]

The second possibility is that the Department of Justice hasn’t prosecuted Trump because of political pressure. Again, this is speculation. But if Garland is succumbing to either internal or external pressure to avoid charging Trump out of fears of civil conflict, or the appearance of political motivation, that would be a grave error—not prosecutorial discretion but prosecutorial dereliction. Allowing fears of violent reprisals to derail a prosecution would be a grave injustice.

Atkins is wrong about the reasons. I wrote here about why the ten acts of obstruction Mueller identified are almost universally misrepresented by whingers, in part because Billy Barr did real damage to those charges (as he did to other ongoing investigations), and in part because the ten acts that existed in March 2019 are not the acts of obstruction that exist today.

We know part of why Trump hasn’t been charged for political crimes: because Trump ensured the FEC remained dysfunctional and Republicans have voted not to pursue them (something that whingers might more productively spend their time pursuing).

It seems nutty to suggest that Trump should be “prosecuted” already for taking classified documents to Mar-a-Lago when that was referred just weeks ago. It’s also worth considering whether it would be easier to prosecute Trump for obstruction for these actions, tied to one of his other malfeasance, and then consider where investigations related to that malfeasance already exist.

Bizarrely, Atkins doesn’t consider it a possibility that it would take Merrick Garland’s DOJ more than 380 days to prosecute the former President. It took months to just wade through Stewart Rhodes’ Signal texts. It has taken 11 months, so far, to conduct a privilege review of Rudy’s phones (for which DOJ obtained a warrant on Lisa Monaco’s first day on the job). DOJ has six known cooperators in the Oath Keeper case (at least four with direct ties to Roger Stone) and one known cooperator in the Proud Boys case (and likely a bunch more we don’t know about). Particularly in the Oath Keeper investigation, DOJ has been rolling people up serially. But that process has taken longer because of COVID, discovery challenges, and the novelty of the crime.

But that goes to Atkins’ curious choice of the word “prosecute” here. I generally use the verb to refer to what happens after an indictment — the years long process of rebuffing frivolous legal challenges, but for an organized crime network, “prosecute” might also mean working your way up from people like militia members guarding your rat-fucker to the militia leaders planning with your rat-fucker to the rat-fucker to the crime boss.

I think what Atkins actually means, though, is “indict,” or “charge.” But his entire post betrays a fantasy where one can simply arrest a white collar criminal in the act after he has committed the act.

What whingers often say, though, is they want Garland to “investigate” Trump. Then they list a bunch of things — like cooperating witnesses or grand jury leaks or raids or indictments — that we’ve already seen, and insist we would see those things if there were an investigation but take from that that there’s not an investigation even though we see the things that they say we would see if there were an investigation.

Whinger brain confuses me sometimes.

The point, though, is that the language whingers use to describe what they imagine is Garland’s inaction or cowardice (none of these people have done the work to figure out whether that’s really the case) is designed to be impossible. That makes it necessarily an expression of helplessness, because their demand is actually that Trump be disappeared from the political scene tomorrow, and that hasn’t happened with multiple investigations implicating him, it sure as hell won’t happen if and when he is indicted, and it wouldn’t happen during a hypothetical extended period during which Trump is prosecuted.

Indeed, I’ve lost count of the number of people who tell me Bannon hasn’t been indicted, even though Bannon has been indicted. It’s just that he’s entitled to due process and in many ways being indicted provides him a way to play the victim.

There are multiple investigations implicating close Trump associates and the January 6 investigation is absolutely designed to incorporate Trump, if DOJ manages to continue building from the crime scene backwards. But that’s not actually what people want. None of these verbs — to investigate, to indict, to prosecute — are the ones that whingers are really hoping to see.

And the verbs they’re hoping to see — perhaps “neutralize” or “disappear” — are not ones that happen as part of due process.

And none of the due process verbs — “investigate,” “indict,” “prosecute” — are likely to work unless people at the same time think of things like “discredit.”


Key January 6 posts

The Structure of the January 6 Assault: “I will settle with seeing [normies] smash some pigs to dust”

DOJ Is Treating January 6 as an Act of Terrorism, But Not All January 6 Defendants Are Terrorists

While TV Lawyers Wailed Impotently, DOJ Was Acquiring the Communications of Sidney Powell, Rudy Giuliani, and (Probably) Mark Meadows

Why to Delay a Mark Meadows Indictment: Bannon Is Using His Contempt Prosecution to Monitor the Ongoing January 6 Investigation

The Eight Trump Associates Whom DOJ Is Investigating

January 6 Is Unknowable

“I’m Just There to Open the Envelopes:” The Select Committee and DOJ Investigations Converge at Mike Pence

Why It Would Be Counterproductive To Appoint a Special Counsel to Investigate January 6

DOJ’s Approximate January 6 Conspiracies

Easy Cases: Why Austin Sarat’s Argument That Trump Should Not Be Prosecuted Is Wrong

How a Trump Prosecution for January 6 Would Work

Judge Mehta’s Ruling that Donald Trump May Have Aided and Abetted Assaults on Cops Is More Important Than His Conspiracy Decision

“Fill the Silence:” On Obstruction, Listen to DOJ and Merrick Garland

John Durham Keeps Chasing Possible Russian Disinformation

Yesterday, the two sides in the Michael Sussmann case submitted the proposed jury questions they agree on and some they disagree on.

Durham objects to questions about security clearances and educational background (presumably Durham wants to make it harder for Sussmann to get people who understand computers and classification on the jury).

Sussmann objects to questions about April Lorenzen’s company and Georgia Tech.

He also objects to a question that assumes, as fact, that the Hillary campaign and the DNC “promoted” a “collusion narrative.”

I suspect Sussmann’s objections to these questions are about direct contact. For all of Durham’s heaving and hollering, while Sussmann definitely met with Fusion GPS, of the researchers, the indictment against Sussmann only shows direct contact with David Dagon. Everything else goes through Rodney Joffe. Plus, a document FOIAed by the frothy right shows that Manos Antonakakis believes what is portrayed in the indictment is at times misleading and other times false, which I assume he’ll have an opportunity to explain at trial.

As regards the campaign, as I already noted, when Sussmann asked Durham what proof the Special Counsel had that he was coordinating with the campaign, Durham pointed to Marc Elias’ contacts with the campaign and, for the first time (over a month after the indictment), decided to interview a Clinton staffer.

Sussmann will probably just argue that Durham’s plan to invoke these things simply reflects Durham’s obstinate and improper treatment of a single false statement charge as a conspiracy the Special Counsel didn’t have the evidence to charge.

But Durham’s inclusion of it makes me suspect that Durham wants to use an intelligence report that even at the time analysts noted, “The IC does not know the accuracy of this allegation or the extent to which the Russian intelligence analysis may reflect exaggeration or fabrication.” Nevertheless, John Ratcliffe, who has a history of exaggeration for career advancement, declassified it, unmasked Hillary’s name, and then shared it with Durham.

If Durham does intend to use this, though, it would likely mean Durham would have to share parts of the Roger Stone investigation file with Sussmann. That’s because the report in question ties the purported Clinton plan to Guccifer 2.0.

And as the FBI later discovered, there was significant evidence that Roger Stone had been informed of the Guccifer 2.0 persona before it went public.

That information, along with a bunch of other things revealed about Stone’s activities before this Russian report, suggest the Russian report may actually be an attempt to protect Stone, one that anticipated Stone’s claims in the days after the report that Guccifer 2.0 was not Russian.

Unless Durham finds a way to charge conspiracy in the next two months, Judge Christopher Cooper would do well to prevent Durham from continuing his wild conspiracy theorizing. Because it’s not clear Durham knows where the strings he is pulling actually lead.

The Collective Response to Russia’s Ukraine Invasion

Yesterday, the government rolled out two hacking indictments from last year as part of its effort to use legal documents to expose Russian spying operations. While the indictments are important speaking documents, I realized from the response that the subset of journalists who focus primarily on cybersecurity were unaware that this effort was part of a larger effort to demonstrate Russia’s spying that DOJ (and, surely, other agencies of the IC) have been pursuing since the Russian invasion.

So I wanted to start collecting all instances here as a way to see the entire package of what DOJ is doing. I’ll try to keep this up-to-date.

February 22, 2022: Treasury sanctions Russian banks

Individual targets include Denis Aleksandrovich Bortnikov, Petr Mikhailovich Fradkov, Vladimir Sergeevich Kiriyenko.

(press release)

February 24, 2022: Treasury sanctions Russian banks

Targets include Sberbank, VTB, Gazprom, Rostelecom, Alfa Bank, and Sergei Sergeevich Ivanov, Andrey Patrushev, and Ivan Sechin (the latter three being sons of key oligarchs).

(press release)

February 25, 2022: Treasury sanctions Putin and Sergei Lavrov

(press release)

February 28, 2022: Treasury sanctions Kirill Dmitriev

Targets include Dmitriev and RDIF.

(press release)

US expels 12 Russian diplomats at UN.

March 3, 2022: Treasury sanctions key Putin cronies

Targets include Alisher Burhanovich Usmanov, Nikolay Petrovich Tokarev, Yevgeniy Prigozhin and their families.

(press release)

March 3, 2022: US v. Jack Hanick

November 4, 2021 sealed indictment against a former Fox employee who helped sanctioned oligarch Konstantin Malofeyev set up some media outlets to push Russian propaganda. Hanick was arrested in the UK on February 3, 2022 and is being extradited. (press release; my post)

SDNY 21-cr-676

March 7, 2022: US v. Elena Branson

March 7, 2022 complaint against the one-time chair of the Russian Community Council of the USA. Branson attempted to set up meetings with Trump. (press release; my post)

SDNY 22-mj-2178

March 11, 2022: Treasury sanctions Oligarchs

Targets include Dmitri Peskov and his family, Viktor Feliksovich Vekselberg, and the VTB board.

(press release)

March 14, 2022: US v. Andrey Muraviev

September 17, 2020 indictment against the funder of Lev Parnas’ cannabis donations, Andrey Muraviev. The S2 indictment is otherwise identical to the S1 indictment obtained the same day, though with Muraviev identified. (press release; my post)

SDNY 19-cr-725

March 17, 2022: Treasury creates task force to target Oligarchs

(press release)

March 18, 2022: Baltic states expel diplomats

Baltic states expel 10 diplomats.

March 24, 2022: Treasury sanctions targeting industrial base

Sanctions targeting military industrial complex, Duma members, Herman Oskarovich Gref.

(press release)

March 24, 2022: US v. Evgeny Viktorovich Gladkikh

June 29, 2021 indictment against Evgeny Gladkikh for Triton hacking operations targeting refineries and other energy facilities

(press release)

DC 21-cr-442

March 24, 2022: US v. Pavel Aleksandrovich Akulov

August 26, 2021 indictment against three FSB officers working as part of the Dragonfly (also known as Berserk Bear) hacking group for targeting industrial control systems (ICS).

(press release)

KS 21-cr-20047

March 29, 2022: Europeans expel diplomats

Ireland expels 4 “diplomats.”

Lithuania expels

March 31, 2022: Treasury focuses on sanctions-evasion network

Treasury adds sanctions against companies used to evade sanctions, four key Russian tech companies, and the leadership of the organization Gladkikh works for, TsNIIKhM: General Director Sergei Alekseevich Bobkov and Deputy General Director Konstantin Vasilyevich Malevanyy.

April 4, 2022: FBI and Spanish authorities freeze Viktor Vekselberg’s yacht, Tango

FBI and Spanish authorities freeze Viktor Vekselberg’s yacht, Tango, for sanction violations and money laundering efforts to evade those sanctions.

Also Germany expels 40 “diplomats” and France expels 35.

April 5: Dmitry Pavlov and Hydra Market

DOJ charged Dmitry Pavlov and, with German assistance, shut down the Hydra Market to which he leased a server.

(press release)

April 6: Semion Mogilevich, Konstantin Malofeyev, additional sanctions on Sberbank, Alfa Bank, and Putin, Medvedev, and Lavrov’s families, Cyclops Blink

Department of State offers a $5 million reward for information leading to Semion Mogilevich’s arrest.

FBI wanted poster

DOJ charged Konstantin Malofeyev with charges mirroring those against Jack Hanick.

(press release)

The White House added sanctions to Sberbank and Alfa Bank, added new restrictions on US investments in Russia, and added family members of Putin, Medvedev, and Lavrov’s families.

(press release)

DOJ rolled out the shut-down, in March, of the Cyclops Blink botnet run by Sandworm.

March 18 warrant

March 23 warrant

(press release)

April 14: Aleksandr Mikhaylovich Babakov

(press release)

Indictment

April 20: Malofeyev’s network

Treasury sanctions Malofeyev’s family, sanctions-evasion, and influence networks

(press release)

April 26: Sandworm

State offers a $10 million reward for six hackers involved in the Sandworm NotPetya attack.

(press release)

May 5: Pursuant to a US warrant, Fiji seizes Oligarch Suleiman Kerimov’s yacht

Fiji seized the $300 million yacht pursuant to a US based warrant.

(press release)

September 30: Treasury sanctions a ton of Duma and Federation members

These sanctions were prepared as a response to Russia’s claim to have annexed additional parts of Ukraine.

John Durham’s Top Prosecutor, Andrew DeFilippis, Allegedly Miffed that DARPA Investigated Guccifer 2.0

Vladimir Putin’s invasion of Ukraine and the sanctions imposed as a result has led lawyers in the US to drop the now-sanctioned Alfa Bank and its owners, leading to the dismissal of the John Doe, BuzzFeed, and Fusion GPS lawsuits filed by Alfa Bank or its owners. That has, for now, brought an end to a sustained Russian effort to use lawfare to discover “U.S. cybersecurity methods and means” (as some of Alfa’s targets described the effort).

But the dismissal of the Alfa Bank suits hasn’t halted the effort to expose US cybersecurity efforts in the guise of pursuing right wing conspiracy theories. Both Federalist Faceplant Margot Cleveland and “online sleuths” goaded, in part, by Sergei Millian have picked up where Alfa Bank left off. In recent days, for example, documents obtained via a Federalist FOIA to Georgia Tech exposed the members of a cybersecurity sharing group, including a bunch at Three-Letter Agencies, which has little news value but plenty of intelligence value to America’s adversaries (these names were released even while someone — either Georgia Tech or the Federalist — chose to redact the contact information for Durham’s investigators, some of which is otherwise public).

Even while doing her part to make America less safe (raising the perennial question of who funds the Federalist), Cleveland has continued to do astounding work misrepresenting Durham’s investigation. From the same FOIA release, she published a document in which research scientist Manos Antonakakis described that chief Durham AUSA Andrew DeFilippis insinuated to him that it was abusive for DARPA to try to discover the network behind the Guccifer 2.0 persona.

Finally, I will leave you with an anecdote and a thought. During one of my interviews with the Special Counsel prosecutor, I was asked point blank by Mr. DeFilippis, “Do you believe that DARPA should be instructing you to investigate the origins of a hacker (Guccifer_2.0) that hacked a political entity (DNC)?” Let that sink for a moment, folks. Someone hacked a political party (DNC, in this case), in the middle of an election year (2016), and the lead investigator of DoJ’s special counsel would question whether US researchers working for DARPA should conduct investigations in this matter is “acceptable”! While I was tempted to say back to him “What if this hacker hacked GOP? Would you want me to investigate him then?”, I kept my cool and I told him that this is a question for DARPA’s director, and not for me to answer.

Assuming this is an accurate description, this is a shocking anecdote, a betrayal of US national security.

It suggests that Durham’s lead prosecutor doesn’t believe the government should throw its most innovative research at a hostile nation-state attack while that nation-state is attempting to influence an election. Sadly, though, it’s not surprising.

It is consistent with things we’ve seen from Durham’s team throughout. It’s consistent with Durham’s treatment of a loose tie between an indirect and unwitting Steele dossier source and the Hillary campaign as a bigger threat than multiple ties to Russian intelligence (or Dmitry Peskov’s office, which knew that Michael Cohen and Donald Trump were lying about the former’s secret communications with Peskov’s office). It is consistent with Durham’s more recent suggestion that the victim of such a nation-state attack must wait until after an election to report a tip that might implicate her opponent.

I almost feel like DeFilippis will eventually say Hillary should have just laid back and enjoyed being hacked in 2016.

DeFilippis, and Durham generally, have consistently treated Hillary as a far graver threat than Russia, even now, even as Russia conducts a barbaric invasion of a peaceful democracy.

But Antonakakis’ anecdote is all the more troubling because it suggests that DeFilippis seems to misunderstand what happened with the DARPA contract in question in 2016. The Enhanced Attribution RFP’s description of the hacking campaigns it was targeting — “multiple concurrent independent malicious cyber campaigns, each involving several operators” — pretty obviously aims to tackle Advanced Persistent Threats, of which APT 28 and 29 (both of which targeted the DNC) were among the most pressing in 2016. DARPA presumably didn’t ask Antonakakis to focus on Guccifer 2.0 — a persona which didn’t exist when the contract was put up for bid in April 2016, much less in the months earlier when it was originally conceived. Rather, by description, they were asking bidders to look at APTs, and looking at APT 28 would have happened to include looking at Guccifer 2.0, the DNC hack, and a number of hacks elsewhere in the US and the world. The reason DARPA would ask Georgia Tech to look at APT 28 is because APT 28 was hacking a lot of targets in the time period, all of which provided learning sets for a researcher like Antonakakis. DeFilippis, then, seems miffed that the APT that DARPA wanted to combat happened to be one of two that targeted Hillary.

That’s a choice Russia made, not DARPA.

While I think Cleveland did serious damage with some of her releases, I’m glad she released this document because it provides a way for Michael Sussmann to make DeFilippis’ troubling views on national security a central issue at trial, something that normally is difficult to do.

It also provided Cleveland another opportunity to faceplant in spectacular trademark Federalist fashion. Cleveland used this document to rile up the frothers by suggesting this is proof that Durham is investigating the DNC attribution.

Exclusive: Special Counsel’s Office Is Investigating The 2016 DNC Server Hack

The U.S. Department of Defense tasked the same Georgia Tech researcher embroiled in the Alfa Bank hoax with investigating the “origins” of the Democratic National Committee hacker, according to an email first obtained by The Federalist on Wednesday. That email also indicates the special counsel’s office is investigating the investigation into the DNC hack and that prosecutors harbor concerns about the DOD’s decision to involve the Georgia Tech researcher in its probe.

[snip]

The public storyline until now had been that CrowdStrike, the cybersecurity firm Sussmann hired in April 2016, had concluded Russians had hacked the DNC server, and that the FBI, which never examined the server, concurred in that conclusion. Intelligence agencies and former Special Counsel Robert Mueller likewise concluded that Russian agents were behind the DNC hack, but with little public details provided.

It now appears that DARPA had some role in that assessment, or rather Antonakakis did on behalf of DARPA, which leads to a whole host of other questions, including whether DARPA had access to the DNC server and data and, if so, from whom did the DOD’s research arm get that access? Was it Sussmann?

There’s no reason to believe this and every reason to believe that — as I said — DeFilippis is pissed that DARPA prioritized their research on a target that was badly affecting national security (and not just in the US, but also in allied countries) in 2016, one that happened to attempt to help Trump get elected.

But look how many errors Faceplant’s Cleveland made in the process:

Cleveland repeats the Single Server Fallacy, imagining that the DNC, DCCC, and Hillary had just one server between them to be hacked and all the servers that got hacked were in the possession of one of those victims. That’s, of course, ridiculous. The server that GRU hacked to get John Podesta’s emails belonged to Google. The server that GRU hacked to get Hillary’s analytics belonged to AWS. There was a staging server in AZ; I have been told that the FBI seized at least one US-based server that did not belong to the DNC (that server is why the frothy right’s focus on what Shawn Henry testified to HPSCI is so painfully ignorant — because it ignores that the FBI had access to servers that Henry did not that did show exfiltration).

Cleveland apparently doesn’t know that the FBI already knew who was hacking the DNC when, starting in September 2015, it warned the DNC that it was being hacked. The FBI’s awareness of that not only explains why APT 29 and 28 would have been included in DARPA’s targets for Enhanced Attribution (EA), but proves that the government was tracking these hacking groups above and beyond the attack on Hillary. This was never just a reaction to the election year hack.

Cleveland claims Mueller’s attribution of the DNC hack to the GRU provided “little public details,” when in fact the Mueller Report showed 29 sources other than CrowdStrike, including:

  • Gmail
  • LinkedIn
  • Microsoft
  • Facebook
  • Twitter
  • WordPress
  • ActBlue
  • AWS
  • AOL
  • Smartech Corporation
  • URL shortening service
  • Bitcoin exchanges
  • VPN services

According to Mueller’s report, all these sources also corroborated the GRU attribution. And Mueller’s list doesn’t include a number of other known entities that corroborated the attribution, including NSA and Dutch intelligence, which couldn’t be named in a public DOJ document. Mueller’s list doesn’t include Georgia Tech either, but it wouldn’t need to, because there was so much other evidence.

The Mueller Report described obtaining almost 500 warrants, but the released list — from which FBI’s Cyber Division successfully withheld those pertaining to the GRU investigation — only includes around 370-400 warrants (based on 156 pages of warrants with roughly three per page), suggesting there may be 100 warrants tied to the GRU attribution alone.

By the time Antonakakis started looking at the DNC hack as part of EA, multiple entities, including several Infosec contractors, non-US intelligence services, and non-governmental entities like tech giants (including at least three of the ones on Mueller’s list), had plenty of evidence that the Guccifer 2.0 campaign was run by APT 28. Including Guccifer 2.0 as part of the research set would simply be part of the existing targeting of a dangerous APT.

But apparently neither DeFilippis nor Cleveland understands that 2016 was part of an ongoing identified threat to US national security.

One thing Putin did in 2016 was to use disinformation to train the frothy right to favor Russia more than fellow Americans from the opposing party. Even as Russia attacks Ukraine, that still seems to be true.