How the Government Proved Their Case against John Podesta’s Hacker

We’re almost seven years past the hack of the DNC, and self-imagined contrarians are still clinging to conspiracy theories about the attribution of that and related hacks. In recent weeks, both Matt Taibbi and Jeff Gerth dodged questions about the attribution showing Russia’s role in the hack-and-leak by saying that the Mueller indictment of twelve GRU officers would never be tested in court (even while, especially in Gerth’s case, relying on unsubstantiated claims in John Durham indictments from his two failed prosecutions).

And while it’s likely true that DOJ will never extradite any of those twelve men to stand trial, DOJ did successfully convict one of their co-conspirators on a different hack: the hack-and-trade conspiracy involving Vladimir Klyushin and accused John Podesta hacker, Ivan [Y]Ermakov.

(The Mueller indictment and Ermakov’s second US indictment, for hacking anti-doping agencies, transliterated his name with a Y; the Boston one does not.)

That trial provides a way to show how DOJ would prove the 2018 indictment if one of the twelve men charged ever wandered into a jurisdiction with an extradition treaty with the US.

As laid out at trial, between 2018 and 2020, the co-conspirators hacked two securities filing agencies, Toppan Merrill and Donnelly Financial, to obtain earnings statements in advance of their filing, then traded based off advance knowledge of earnings. Klyushin was one of seven people (two charged in a separate indictment, three who were clients of Klyushin’s company M-13) who did the trading. Ermakov didn’t trade under his own name. He may have been compensated for Klyushin’s side of the trades with a Moscow home and a Porsche. But at least as early as May 9, 2018, forensic evidence introduced at trial shows, an IP address at which Ermakov’s iTunes account had just gotten updates was used to steal some of the filings.

Ermakov did not show up in a courtroom in Boston to stand trial and Klyushin has launched a challenge to his conviction that rests entirely on a challenge to venue there. But the jury did convict Klyushin on the hacking charge along with the trading charges, meaning a jury has now found DOJ proved Ermakov’s hacking beyond a reasonable doubt.

And they did it using the same kind of evidence cited in the Mueller indictment.

The crime scene

Start with the crime scene: the servers of the two filing agencies victimized in the hack-and-trade, Toppan Merrill and Donnelly Financial.

According to the trial record, neither figured out they had been hacked on their own. As the FBI had tried to do for months beforehand in the case of the DNC, a government agency, the SEC, had to tell them about it. The SEC had seen a number of Russians making big, improbable stock trades from clients of the two filing agencies, all in the same direction, and wanted to know why. So it sent subpoenas to both companies.

As the DNC did with CrowdStrike in 2016, both filing agencies hired an outside incident response contractor — Kroll Cyber in the case of Toppan Merrill, Ankura in the case of Donnelly Financial — to conduct an investigation.

The lead investigators from those two contractors were the first witnesses at trial. Each explained how they had been brought in in 2019 and described what they found as they began investigating the available logs, which went back six months, a year, and two years, depending on the type and company. The witness from Kroll described finding signs of hacking in Toppan Merrill’s logs:

The Ankura witness described how they first found the account of employee Julie Soma had been compromised, then used the IP addresses associated with that compromise to find other employees whose accounts were used to download reports or other unauthorized activity.

In sum, the two incident response witnesses described providing the FBI with the forensic details of their investigation — precisely the same thing that CrowdStrike provided to FBI from the DNC hack. There’s not even evidence that they shared a full image of the filing agencies’ servers (though an FBI agent described going back to Donnelly to search for the domain names behind the intrusions that Kroll had found at Toppan Merrill), which was one of the first conspiracy theories about the DNC hack Republicans championed: that the FBI failed to adequately investigate the DNC hack because it didn’t insist on seizing the actual victim servers during the middle of an election.

The forensic evidence wasn’t the only evidence submitted at trial from the crime scene. One after another of the employees whose credentials had been misused testified. Each described why they normally accessed customer records, if at all, how and when they would normally access such records, and from what locations they might access corporate servers remotely, including their use of the corporate VPN. Julie Soma — the Donnelly employee whose credentials were used most often to download customer filings — described that she would never have done what was done in this case, download one after another filing from Donnelly customers in alphabetical order.

Q. Would you ever go from client to client and alphabetically access those types of documents?

A. No.
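An added example, not part of the original post or the trial record: one way a defender could flag the pattern Soma described, a rapid burst of downloads that walks client names in alphabetical order. The log format, user name, client names, addresses and VPN range are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed corporate VPN address pool (hypothetical, for illustration only).
CORPORATE_VPN = ipaddress.ip_network("10.8.0.0/16")

# Constructed sample log: timestamp, user, source IP, client whose filing was opened.
SAMPLE_LOG = """\
2019-03-04T09:02:11 jsmith 10.8.3.14 Meridian Freight
2019-03-04T09:47:30 jsmith 10.8.3.14 Alder Biotech
2019-03-04T11:15:02 jsmith 10.8.3.14 Quarry Holdings
2019-03-06T02:10:05 jsmith 203.0.113.77 Alder Biotech
2019-03-06T02:10:41 jsmith 203.0.113.77 Bexley Energy
2019-03-06T02:11:19 jsmith 203.0.113.77 Corvid Software
2019-03-06T02:11:58 jsmith 203.0.113.77 Dunmore Retail
2019-03-06T02:12:33 jsmith 203.0.113.77 Eastlake Pharma
2019-03-06T02:13:10 jsmith 203.0.113.77 Fennel Logistics
"""


def parse(log_text):
    """Turn the whitespace-delimited log into (timestamp, user, ip, client) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, ip, client = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, ip, client.strip()))
    return events


def _record(findings, user, ip, run, min_run):
    """Keep a run only if it is long enough to be unlikely in normal work."""
    if len(run) >= min_run:
        findings.append({
            "user": user,
            "ip": ip,
            "start": run[0][0],
            "end": run[-1][0],
            "clients": [client for _, client in run],
            # Context for triage: did the session come from outside the VPN pool?
            "off_vpn": ipaddress.ip_address(ip) not in CORPORATE_VPN,
        })


def alphabetical_runs(events, min_run=5, max_gap=timedelta(minutes=5)):
    """Find bursts where one credential, from one IP, opens client after client
    in strictly ascending name order with little time between requests."""
    by_source = defaultdict(list)
    for ts, user, ip, client in sorted(events):
        by_source[(user, ip)].append((ts, client))

    findings = []
    for (user, ip), rows in by_source.items():
        run = [rows[0]]
        for prev, cur in zip(rows, rows[1:]):
            in_order = cur[1].casefold() > prev[1].casefold()
            close_in_time = cur[0] - prev[0] <= max_gap
            if in_order and close_in_time:
                run.append(cur)
            else:
                _record(findings, user, ip, run, min_run)
                run = [cur]
        _record(findings, user, ip, run, min_run)
    return findings


if __name__ == "__main__":
    for hit in alphabetical_runs(parse(SAMPLE_LOG)):
        print(hit["user"], hit["ip"], "off-VPN" if hit["off_vpn"] else "VPN",
              len(hit["clients"]), "clients in order:", ", ".join(hit["clients"]))
```

The thresholds (`min_run`, `max_gap`) are starting points to tune against a baseline of normal access, not values from the case.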

Both interview records from the Mueller investigation (one, two, three) and documents from the Michael Sussmann case show that the FBI did similar interviews in the DNC hack. The Douglass Mackey trial, too, featured witnesses describing how the Hillary campaign identified that attack on the campaign as well.

In proving their case against John Podesta’s hacker, DOJ presented witness testimony that eliminated insiders as the culprit.

Fingerprinting

Having established the forensic data tied to intruders through the incident response contractors, prosecutors then called FBI agents as witnesses to describe how — largely through the use of IP addresses obtained using subpoenas or pen registers and the materials found in the suspects’ iCloud accounts — they tied Klyushin’s company, M-13, to both the hacking and the trading.

The trading was fairly easy: the co-conspirators accessed the two online brokers used to execute the trades under their own names and from IP addresses tied to M-13. An SEC witness described in detail how trades always shortly followed hacks but preceded the public filing of earnings statements.

Tying M-13 to the hacking took a few more steps.

For the hacking conducted via the domains Kroll identified, the FBI first found the account that registered the domains. Each was registered under a different name, but each of the names was based on a Latvian-based email service and used similar naming conventions. Each had been accessed from the same set of 3 IP addresses.

For IPs that Kroll identified, the FBI found BitLaunch servers created by an account in the name of Andrea Neumann, which was controlled from one of the same IP addresses that had registered the domain names. The FBI got search warrants to obtain images of those BitLaunch servers.

Another IP address used to steal filings, several FBI agents explained, was from an Italian-run VPN, AirVPN. The FBI used a pen register to show that someone accessed AirVPN from the M-13 IP address during the same period when the AirVPN IP was stealing records from the filing companies. The FBI also showed that Klyushin had accessed his bank at the same time from that same IP address. The FBI also showed that eight common IP addresses had accessed Ermakov’s iTunes account and the AirVPN IP address (in this case, the access was not at the same time because the FBI only had a pen register on the VPN for two months in 2020). While FBI witnesses couldn’t show that the specific activity tied to an AirVPN IP at the victim companies tied back to M-13, they did show that both Klyushin and Ermakov routinely used AirVPN.

Plus there were the filing thefts — noted above — that were done on May 9, 2018 using the same IP address that, four minutes earlier, had downloaded an Apple update from Ermakov’s iTunes account. As I’ve noted repeatedly, before Ermakov was first indicted by Mueller, he had already left a smoking gun in the servers at Donnelly in the form of IP activity that the FBI obtained over a year later inside the US.
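The two kinds of IP evidence described above, sketched as an added example (not from the post and not any FBI tooling): addresses that merely appear in both a provider account's records and the victim logs, and the stronger case where the two records fall within minutes of each other. All account labels, addresses and times of day are constructed placeholders.

```python
from bisect import bisect_left, bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records. Addresses come from documentation ranges.
# (account, source IP, timestamp) as a service provider might return them.
PROVIDER_RECORDS = [
    ("account-A", "198.51.100.23", "2018-05-09T14:01:00"),
    ("account-A", "203.0.113.9", "2018-06-02T08:30:00"),
    ("account-A", "192.0.2.50", "2018-07-11T19:45:00"),
    ("account-B", "198.51.100.23", "2018-03-01T10:00:00"),
]
# (source IP, timestamp, credential used, action) from the incident response report.
VICTIM_LOG = [
    ("198.51.100.23", "2018-05-09T14:05:00", "employee-1", "download filing"),
    ("203.0.113.9", "2018-09-20T03:12:00", "employee-2", "download filing"),
    ("192.0.2.200", "2018-05-10T02:00:00", "employee-1", "login"),
]


def shared_ips(provider_records, victim_log):
    """Per account, the IPs that also appear in the victim log at any time.
    Overlap alone is weak: a VPN exit or NAT address is shared by many users."""
    victim_ips = {ip for ip, *_ in victim_log}
    per_account = defaultdict(set)
    for account, ip, _ in provider_records:
        if ip in victim_ips:
            per_account[account].add(ip)
    return dict(per_account)


def linked_events(provider_records, victim_log, window=timedelta(minutes=30)):
    """Pair each victim-log entry with provider records from the same IP that
    fall inside the time window, closest pairs first."""
    index = defaultdict(list)
    for account, ip, ts in provider_records:
        index[ip].append((datetime.fromisoformat(ts), account))
    for rows in index.values():
        rows.sort()

    links = []
    for ip, ts, credential, action in victim_log:
        when = datetime.fromisoformat(ts)
        rows = index.get(ip, [])
        times = [t for t, _ in rows]
        lo = bisect_left(times, when - window)
        hi = bisect_right(times, when + window)
        for seen, account in rows[lo:hi]:
            links.append({
                "ip": ip,
                "account": account,
                "credential": credential,
                "action": action,
                "gap": when - seen,  # positive: account activity came first
            })
    return sorted(links, key=lambda link: abs(link["gap"]))


if __name__ == "__main__":
    print("shared IPs:", shared_ips(PROVIDER_RECORDS, VICTIM_LOG))
    for link in linked_events(PROVIDER_RECORDS, VICTIM_LOG):
        print(link["account"], link["ip"], link["credential"], link["gap"])
```

In the constructed data both accounts share an address with the victim log, but only one account was active on that address within minutes of the download, which is the distinction between the pen-register overlap and the May 9, 2018 match described above.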

In fact, much of the evidence used to prove this case (particularly establishing the close relationship between the conspirators) came from Apple, including WhatsApp chats saved in Klyushin and other co-conspirators’ iCloud accounts. We know Mueller used the same source of evidence. In March of this year, emails stolen by hacktivists revealed, Apple informed another of the GRU officers charged in the DNC hack that the FBI had obtained material from his Apple account in April 2018, in advance of the Mueller indictment.

The indictment likely also relied on warrants served on Google, especially on Ermakov’s account. The Mueller indictment (as well as the later anti-doping one) attributes much of the reconnaissance conducted in advance of the hacks to Ermakov: the names of some victims; information on the DNC, the Democratic Party, and Hillary; how to use PowerShell (which would be used against Toppan Merrill); and CrowdStrike’s reporting on GRU tools. If he did this research via Google, it would all be accessible with a warrant served on the US tech company.

The getaway car

One pervasive conspiracy theory about the Mueller indictment stems from testimony that Shawn Henry gave to the House Intelligence Committee in December 2017, describing that Crowdstrike did not see the data exfiltrated from the DNC servers. Denialists claim that is proof that the information was never exfiltrated by the GRU hackers. The conspiracy theory is ridiculous in any case, since there were so many other Russian hacks involving so many other servers, including servers run by Google and Amazon that had a different kind of visibility on the hack (something that Henry alluded to in his testimony), and since the indictment describes that the DNC hackers destroyed logs to cover their tracks.

But the Klyushin trial featured testimony about a tool used in the hack-and-trade conspiracy that has a parallel in the DNC hack: the AMS panel, hidden behind an overseas middle server, which the Mueller indictment described this way:

X-Agent malware implanted on the DCCC network transmitted information from the victims’ computers to a GRU-leased server located in Arizona. The Conspirators referred to this server as their “AMS” panel. KOZACHEK, MALYSHEV, and their co-conspirators logged into the AMS panel to use X-Agent’s keylog and screenshot functions in the course of monitoring and surveilling activity on the DCCC computers. The keylog function allowed the Conspirators to capture keystrokes entered by DCCC employees. The screenshot function allowed the Conspirators to take pictures of the DCCC employees’ computer screens.

[snip]

On or about April 19, 2016, KOZACHEK, YERSHOV, and their co-conspirators remotely configured an overseas computer to relay communications between X-Agent malware and the AMS panel and then tested X-Agent’s ability to connect to this computer. The Conspirators referred to this computer as a “middle server.” The middle server acted as a proxy to obscure the connection between malware at the DCCC and the Conspirators’ AMS panel. On or about April 20, 2016, the Conspirators directed X-Agent malware on the DCCC computers to connect to this middle server and receive directions from the Conspirators.

[snip]

For example, on or about April 22, 2016, the Conspirators compressed gigabytes of data from DNC computers, including opposition research. The Conspirators later moved the compressed DNC data using X-Tunnel to a GRU-leased computer located in Illinois.

In the hack-and-trade conspiracy, the hackers set up a similar structure, using the servers given names like “developingcloud” and “finshopland” as reverse proxies, with a final server behind them all executing orders on the hacked servers at Toppan Merrill (and the implication is, Donnelly, though the forensics came from Toppan Merrill via Kroll). The “computers numbered 1 through 7” in what follows are the servers identified by Kroll stealing earnings filings from Toppan Merrill.

A. So this is a digital depiction of the servers that I examined on the right there, so they each have a number on them, 1 through 9.

Q. Let me focus you first on the computers numbered 1 through 7. Do you see them there?

A. Yes.

Q. Are they kind of in a sideways V configuration?

A. Yes.

Q. Okay. And what do computers 1 through 7 show on this Exhibit DDD?

A. They functioned as gatekeepers for the furthest machine to the right, server number 8.

Q. And when you say “gatekeeper,” is there a technical term for that?

A. Yes. So the technical term is a “reverse proxy.”

Q. Can you explain to the jury, in a easy for me to understand way, what a reverse proxy or gatekeeper is in this chart, 1 through 7.

A. Yes. So in this chart, it would function — so the seven that are in that V formation, they would pass traffic to server number 8, if it was coming from an infected machine; and if it was something else, it would send the traffic to some other website.

This structure would have made it impossible for Toppan Merrill to understand the source or function of the anomalous traffic on its servers because any attempt to do so would be redirected away from the control server.

But not the FBI, because they obtained images of the servers with a warrant.

The forensic witness describing this structure showed, command by command, that the forensic clues identified by Kroll on the Toppan Merrill servers were controlled via that final server running PowerShell (the same tool that Mueller alleged Ermakov researched during the DNC hacks in 2016).

Q. And is there something on this log that you found that tells you the name of the program that was running on the victim’s computer at Toppan Merrill?

A. Yes, the process name line, and that reads rdtevc.

Q. And is process another name for computer program?

A. Yes.

Q. So this is a log that shows that a program named RDTEVC was running on a Toppan Merrill computer, right?

A. Yes.

Q. But it’s stored in the hacker computer?

[snip]

Q. And what does PowerShell do? You can call it anything, right? You can call it RDTEVC?

A. That’s probably a randomly chosen name.

Q. But no matter what it’s called, what does it do?

A. So it allows it to be remotely controlled and accessed.

Q. Allows what to be remotely controlled and accessed?

A. The infected machine.

The same forensic expert explained that he didn’t find any downloads of stolen files.

But he also explained why.

He had also found secure tunnels, readily available but similar in function to a proprietary GRU tool Crowdstrike found in the DNC server. As he described, these would be used to transfer data in encrypted form, making it impossible to identify the content of the data while it was in transit.

Q. Mr. Uitto, are you familiar with the concept of exfiltration?

A. Yes.

Q. Big word, but what does it mean?

A. It means to steal data, take data.

Q. And in your review, did you find evidence — you told Mr. Nemtsev you didn’t find evidence of the taking of data from the victim computers to these particular hacker servers; is that right?

A. That’s right, but I did see secure tunnels that were created.

Q. So when you say there were secure tunnels, were you able to tell what was going through those secure tunnels?

A. No.

Q. Those were encrypted, right?

A. Yes.

Q. So you actually don’t know whether or not there was financial information in those tunnels?

A. That’s correct.

Q. Or sports scores or anything?

A. That’s correct.

Q. It’s encrypted.

A. Yes.

[snip]

Q. What role does encryption serve in this hacker architecture?

[snip]

A. Yes, so it can be used to hide data or information.

Q. So if it’s encrypted, we can’t know what’s being passed?

To prove the hack, you would have to — and FBI did, in both cases — prove that the stolen data made it to the end point.

This testimony is important for more than explaining where you’d need to look to find proof of a hack (at the end points). It shows the import of understanding not just the crime scene and those end points, but the infrastructure used to control the hack and exfiltrate the data. With both the hack-and-trade conspiracy and the hack of the DNC, the FBI got forensics about the victim from the incident response contractors, but they obtained the data from these external servers directly, with warrants.

The denialists looking for proof in the DNC server were focused on just the crime scene, but not what I’ve likened to a getaway car, one to which the FBI had direct access but Crowdstrike did not.

Follow the money

Another specialized kind of fingerprint prosecutors used to prove the case against Klyushin parallels the one in the Mueller indictment (and, really, virtually all hacking cases these days): the cryptocurrency trail. As the Mueller indictment explained, the hackers who targeted the DNC used the same cryptocurrency account to pay for different parts of their infrastructure, thereby showing they were all related.

The funds used to pay for the dcleaks.com domain originated from an account at an online cryptocurrency service that the Conspirators also used to fund the lease of a virtual private server registered with the operational email account [email protected]. The dirbinsaabol email account was also used to register the john356gh URL-shortening account used by LUKASHEV to spearphish the Clinton Campaign chairman and other campaign-related individuals.

[snip]

For example, between on or about March 14, 2016 and April 28, 2016, the Conspirators used the same pool of bitcoin funds to purchase a virtual private network (“VPN”) account and to lease a server in Malaysia. In or around June 2016, the Conspirators used the Malaysian server to host the dcleaks.com website. On or about July 6, 2016, the Conspirators used the VPN to log into the @Guccifer_2 Twitter account. The Conspirators opened that VPN account from the same server that was also used to register malicious domains for the hacking of the DCCC and DNC networks.

By following the money, prosecutors were able to show the jury how these pieces of infrastructure fit together.

In the case of the hack-and-trade, the conspirators did nothing fancy to launder the cryptocurrency used in the operation. The servers obtained in the name of Andrea Neumann were paid using three successive cryptocurrency accounts, each with different names but accessed from the same IP address. The third name was Wan Connie. An interlocked Wan Connie email account had been accessed from M-13’s IP address. So while the cryptocurrency itself couldn’t tie the conspirators to the hack, the interlocked infrastructure did.

The conspiracy

To prove the hack, prosecutors at trial showed how the FBI had used evidence from the crime scene, the “getaway” car, the money trail, and evidence obtained at the end point from iCloud accounts to tie the hack back to Ermakov personally and M-13 more generally. The biggest smoking gun came from matching the IP addresses to which Ermakov got his iTunes updates to the infrastructure used in the hack (or, in the case of the May 9, 2018 thefts, directly to someone exploiting Julie Soma’s stolen credentials).

All that was left in the Klyushin case was proving the conspiracy, showing that Klyushin and others had used this stolen information to make millions by trading in advance of earnings announcements. This would be the functional equivalent of tying the records stolen from Democrats (and some Republicans) to their release via Guccifer 2.0, dcleaks, and WikiLeaks.

At Klyushin’s trial, the government proved the conspiracy via two means. First, an SEC analyst presented a bunch of coma-inducing analysis showing how the trades attributed to online brokerage accounts that Klyushin and others had in their own names lined up with the thefts. The analyst explained that seeing those trading patterns would be virtually impossible.

More spectacularly, prosecutors introduced Klyushin’s role with a bunch of pictures establishing that he was “besties” with Ermakov (and, eventually, that there were unencrypted and encrypted communications, along with a picture of Klyushin’s yacht, sent via Ermakov to two guys in St. Petersburg who didn’t work for M-13 but who were making the same pattern of trades); I looked at some of that evidence here. One picture found in Klyushin’s account showed Ermakov, crashed on a chair, wearing an M-13 sticker, taken in the same period as some of the logs provided by Kroll showed hacking activity. About the only thing the FBI found in Ermakov’s iCloud account was the online brokerage account used to execute the insider trading, in Klyushin’s name, but that tied him to the trading side of the conspiracy.

As their trades began to attract attention, Ermakov and another M-13 employee attempted to craft cover stories, evidence of which prosecutors found via Apple. Prosecutors even introduced Threema chats in which Ermakov told Klyushin, his boss, not to share details about their trading clients or he might end up a defendant in a trial.

He did.

And at that trial, prosecutors were able to prove a hacking conspiracy against Klyushin using evidence and victim testimony from the crime scene, but also from other data readily available with a subpoena or warrant inside the US.

Update: Tweaked language describing secure tunnels.

The Long List of Reasons Why Potential Intimidation of Proud Boy Jurors Must Be Taken Seriously

Enrique Tarrio has already been investigated by a grand jury in Prettyman Courthouse for any role he had in threats to undermine a criminal prosecution.

That’s important background to Brandi’s report, at the end of her update on the Proud Boys trial, of how much of last week the trial was halted for a series of sealed hearings.

Apart from routine objections launched by the defense to even the most mundane of issues and separate from the unending series of motions for mistrial, last week featured a new and unwelcome variable: the sealed hearing.

A sealed hearing, or a hearing closed to the public and press, is typically held when sensitive or classified matters are being discussed by the parties. Trial days were stopped and started three times last week for sealed hearings that stretched for more than an hour. A press coalition moved to unseal proceedings on at least one of those days but was promptly denied by Judge Kelly for reasons he failed to describe on the record.

Though the exact reason was not disclosed by the court (nor would one expect it to be at this point), CNN reported that multiple sources said the sealed hearing was prompted after a juror raised concerns that she was being followed. Another juror has said they were “accosted” but no further details were available.

As CNN reported, a juror had become worried that someone was following her.

A juror told the court an individual came up to her outside of a Washington, DC, metro station and asked if she was a juror, multiple sources told CNN. The juror told court staff she had seen the same individual on several occasions and thought they might be following her.

Some jurors appear to be split on their views of the incidents, people familiar said. One juror told the judge he thought it was possible the interactions were random and it might have been someone experiencing homelessness in the area.

[snip]

When other jurors found out about the incident, they also began to look out for the individual and had taken at least one picture of the person, according to someone familiar with the matter.

Other jurors also told the court in sealed hearings this week that they had been “accosted,” one source told CNN, though it’s unclear to what extent.

But that report and some of the discussions I’ve seen elsewhere didn’t describe the list of reasons why such threats should be taken seriously.

First, there’s the fact that defendant Enrique Tarrio has already been investigated in this courthouse for his potential role in a threat against a judge. In 2019, Amy Berman Jackson put Roger Stone under oath and asked how he came to post an Instagram post of her with crosshairs on it. He blamed the “volunteers” who had made the meme — one of whom, he named, was Tarrio.

Amy Berman Jackson. How was the image conveyed to you by the person who selected it?

Stone. It was emailed to me or text-messaged to me. I’m not certain.

Q. Who sent the email?

A. I would have to go back and look. I don’t recognize. I don’t know. Somebody else uses my —

THE COURT: How big is your staff, Mr. Stone?

THE DEFENDANT: I don’t have a staff, Your Honor. I have a few volunteers. I also — others use my phone, so I’m not the only one texting, because it is my account and, therefore, it’s registered to me. So I’m uncertain how I got the image. I think it is conceivable that it was selected on my phone. I believe that is the case, but I’m uncertain.

THE COURT: So individuals, whom you cannot identify, provide you with material to be posted on your personal Instagram account and you post it, even if you don’t know who it came from?

THE DEFENDANT: Everybody who works for me is a volunteer. My phone is used by numerous people because it can only be posted to the person to whom it is registered.

[snip]

[AUSA] Jonathan Kravis. What are the names of the five or six volunteers that you’re referring to?

Stone. I would — Jacob Engles, Enrique Tarrio. I would have to go back and look

As CNN itself later reported, those whom Stone named were subpoenaed to testify about whether Stone had paid them to make threatening memes targeting his judge.

Tarrio, the leader of the Proud Boys, had been helping him with his social media, Stone said under oath, as had the Proud Boys’ Florida chapter founder Tyler Ziolkowski, who went by Tyler Whyte at the time; Jacob Engels, a Proud Boys associate who is close to Stone and identifies himself as a journalist in Florida; and another Florida man named Rey Perez, whose name is spelled Raymond Peres in the court transcript.

A few days later, federal authorities tracked down the men and gave them subpoenas to testify to a grand jury, according to Ziolkowski, who was one of the witnesses.

Ziolkowski and the others flew to DC in the weeks afterwards to testify.

“They asked me about if I had anything to do about posting that. They were asking me if Stone has ever paid me, what he’s ever paid me for,” Ziolkowski told CNN this week. When he first received the subpoena, the authorities wouldn’t tell Ziolkowski what was being investigated, but a prosecutor later told him “they were investigating the picture and if he had paid anybody,” Ziolkowski said. He says he told the grand jury Stone never paid him, and that he hadn’t posted the photo.

So four years ago, in this very courthouse, Tarrio or his associates were questioned about the circumstances of any participation they had in threatening a judge.

That wasn’t the only role the Proud Boys had in Stone’s witness tampering in that case. The first contact that Randy Credico had with FBI agents investigating 2016 was not the highly publicized grand jury testimony to which he brought his comfort dog Bianca. It was a Duty to Warn contact earlier that summer after the FBI had identified credible threats against him. Those credible threats came from the gangs, including the Proud Boys, that Stone hung out with.

In entirely unrelated news, Credico posted pictures showing him in Moscow last week.

It didn’t end with Stone’s guilty verdict, either. After the verdict, Stone associates got leaked copies of the jury questionnaires. Mike Cernovich started hunting down details on the jurors to retroactively cast doubt on the judgment, and Trump joined in the effort to create a mob. In the wake of those efforts, the jurors expressed fear and some regret at having served.

ALL 12 OF the jurors in the Roger Stone case have expressed fear in court filings on Wednesday. They worry they will continue to be harassed and they fear for the safety of themselves and their families if their identities are revealed.

According to The National Law Journal, jurors cited tweets from President Trump and remarks from conspiracy theorist Alex Jones as the reason “the threats to the jurors’ safety and privacy persist” after the trial ended in November.

One juror wrote, “I try to stay away from danger, but now it seems like the danger is coming to me.”

The jurors are looking to thwart the legal efforts of right-wing conspiracy theorist Mike Cernovich, who is attempting to make public the pretrial questionnaires the jurors filled out. Those questionnaires include jurors’ private information and employment history. The supposed aim of the petition to release the questionnaires is to vet them for bias in hopes of getting a new trial for Stone.

Another juror wrote, “Given the current climate of polarization and harassment, I do not want to draw any attention to myself, my family, or my employer in any way, shape, or form. It is intimidating when the president of the United States attacks the foreperson of a jury by name.”

“I am frightened that someone could harm my family simply because I was summoned and then chosen to serve on the jury,” another juror wrote.

The efforts to intimidate have continued to this case. During a period when Zach Rehl was reportedly considering a plea, Tarrio sent messages to other Proud Boys about remaining loyal.

“The bigger problem with that is the guys that are in prison right now are holding on to hope that everybody is f—ing staying put because they didn’t do anything wrong,” Tarrio said. “The moment that they think one of the guys flipped, it throws everything off and it makes everybody turn on each other, and that’s what we are trying to f—ing avoid.”

Asked about the audio message, Tarrio told Reuters he was simply trying to stop members from speculating that anyone had decided to help prosecutors who are examining the deadly insurrection. “What I was trying to avoid is them turning against each other because of media stories,” he said.

Trial testimony showed that witnesses for the defense — in this case Fernando Alonzo — made threatening comments about Eddie Block for posting the video of the Proud Boys he shot on January 6. [Warning: he used an ableist slur against Block, who relies on a mobility scooter.]

Witnesses for other January 6 defendants have been harassed, as when one January 6 participant confronted Sergeant Aquilino Gonell during the trial of Kyle Fitzsimons on assault charges.

[January 6 participant Tommy] Tatum also tried to confront another officer, this one with the Capitol Police, in a courthouse elevator on Wednesday. He recorded and posted clips of both exchanges with the officers and identified himself outside the courthouse.

U.S. Capitol Police Sgt. Aquilino Gonell, who is also testifying in the trial, said that Tatum told him that he should be ashamed of himself in an exchange near the bathroom inside the courthouse on Wednesday. Shortly after, Tatum got into an expletive-laden confrontation with David Laufman, an attorney for Gonell, after he tried to get into an elevator with Gonell, Laufman and an NBC News reporter.

NBC News separately heard Tatum make negative comments inside the courthouse about how he believed Gonell was acting. Outside the courthouse, Tatum recorded himself accusing Gonell of committing perjury.

The confrontations with Gonell came before the conclusion of his testimony in the case against Fitzsimons, who is accused of assaulting Gonell inside the tunnel. Gonell’s cross-examination by Fitzsimons’ federal public defender will continue on Thursday morning.

“For Sgt. Gonell to be accosted like that, within the courthouse and while he remains a live witness at trial, was outrageous and amounts to witness intimidation that promptly should be addressed by the court as well as the FBI and the Department of Justice,” Laufman, who is representing Gonell pro bono, told NBC News on Wednesday night.

Finally, there are other key players in January 6 — most notably former Green Beret, Ivan Raiklin, who played a key role in Operation Pence Card, the effort to pressure Pence to overturn the election — who lurk around all events associated with January 6. Fellow Proud Boy Gabriel Garcia, in a recent bid to avoid pre-trial release sanctions for going to CPAC after he told Judge Amy Berman Jackson he was coming to DC to observe — among other things — the Proud Boys trial, claimed that he hung out with Raiklin at CPAC to formulate his defense.

While at CPAC, Mr. Garcia was working on his defense to these charges. Indeed, he asked Congressman M. Gaetz, who is from Mr. Garcia’s home state, how and when could his defense team access the 40,000 hours of unreleased video Capitol Police have. Also, he and his counsel met, and conferred extensively with, attorney Ivan Raiklin, whom they may retain for assistance and trial preparation. Mr. Raiklin had spoken to Mr. Garcia on March 2 at CPAC, and he told Mr. Garcia to return the next day with his counsel to discuss at length defense strategies, which they did.

Former Army Captain Garcia is one of the Proud Boys who, in exhibits submitted at trial (here, Gabriel PB), was issuing the most chilling threats in advance of January 6.

None of this makes things easier for Tim Kelly, as he tries to sustain this jury long enough to get through deliberations. It’s not yet clear whether the jurors, watching testimony about the extent to which Proud Boys use intimidation to protect their organization, are seeing shadows, or whether there’s a real attempt to intimidate jurors before they start deliberating.

But given the history of individuals directly associated with the defendants, the threat is not an idle one.

Donald Trump’s Dumbass Russia Binder

There is some tie between Donald Trump’s effort — as one of his last acts as President — to declassify a binder of materials from the Crossfire Hurricane investigation and his hoarding of still-classified documents that could get him charged under the Espionage Act.

It’s not yet clear what that tie is, though.

On May 5 of last year, Kash Patel offered the declassification effort as an alibi, claiming Trump had declassified a bunch of materials, including not just the Crossfire Hurricane materials, but everything else discovered in boxes returned to NARA in January 2022. Kash’s claim would be included in the search affidavit for Mar-a-Lago and ultimately lead to his compelled testimony in the investigation.

Last fall, at a time when Alex Cannon and Eric Herschmann would have been under some scrutiny for their role in Stefan Passantino’s dubious legal advice to Cassidy Hutchinson, Maggie Haberman told a story in which the Trump lawyers heroically warned Trump about the risks of holding classified documents. That story claimed Trump had offered to swap the documents he did have for the Russian-related documents the former President believed NARA had.

It was around that same time that Mr. Trump floated the idea of offering the deal to return the boxes in exchange for documents he believed would expose the Russia investigation as a “hoax” cooked up by the F.B.I. Mr. Trump did not appear to know specifically what he thought the archives had — only that there were items he wanted.

Mr. Trump’s aides — recognizing that such a swap would be a non-starter since the government had a clear right to the material Mr. Trump had taken from the White House and the Russia-related documents held by the archives remained marked as classified — never acted on the idea.

The story doesn’t mention Cannon’s role in a fall 2021 inquiry to NARA about the Russian documents. Nor does it say that National Archives General Counsel Gary Stern told Cannon and Justin Clark that NARA had 2,700 undifferentiated documents, but that the binder Trump wanted declassified had been rendered a Federal Record when it got sent back to DOJ.

That’s what NARA told John Solomon on June 23, 2022 — that Trump’s lawyers had requested the binder in fall 2021 — in Stern’s first explanation for why NARA didn’t have the binder.

John, fyi, last fall Justin Clark, another PRA representative of President Trump, also asked us for a copy of this declassified binder. Upon conducting a search, we learned that the binder had been returned to the Department of Justice on January 20, 2021, per the attached memo from Chief of Staff Mark Meadows to the Attorney General, titled “Privacy Act Review of Certain Declassified Materials Related to the FBI’s Crossfire Hurricane Investigation.”

Accordingly, we do not have the binder containing the declassified records. As we explained to Justin, what we were able to locate is a box that contains roughly 2700 undifferentiated pages of documents with varying types of classification and declassification markings, but we could not be certain of the classification status of any of the information in the box. We are therefore obligated under Executive Order 13526 to treat the contents of the box as classified at the TS/SCI level.

Then on August 9 and again on August 10 last year, immediately following the search on Mar-a-Lago, Solomon asked for all correspondence between Cannon and NARA up until days before the search.

Gary, John: My research indicates there may be a new wrinkle to the Russian declassified documents. As part of my authorized access, I would like to see all correspondence between NARA and attorney Alex Cannon between December 2020 and July 31, 2022. I think the information will have significant value to the public regarding current events. Can that be arranged?

[snip]

Checking back on this. It’s time sensitive from a news perspective. Can you accommodate?

Stern, no dummy, likely recognized that this information would not just have news value, but would also have value to those under criminal investigation; he responded with lawyerly caution. As NARA representative for Trump, he explained, Solomon was only entitled to access Presidential records — those that predate January 20, 2021 — and communications between Cannon and NARA post-dated all that. But, Stern helpfully noted, Cannon was cc’ed on the request for the Russian binder.

It’s important to clarify that, as a designated PRA representative of President Trump, you may receive access to the Presidential records of the Trump Administration that have been transferred to NARA, which date from January 20, 2017 to January 20, 2021.

Alex Cannon has represented President Trump on PRA matters (along with Justin Clark) only since the summer of 2021, principally with respect to the notification and review process in response to special access requests. Accordingly, there would not be any Trump Presidential records between NARA and Alex Cannon.

FYI, in my June 23 email to you (which is below within this email thread), I noted that “last fall Justin Clark, another PRA representative of President Trump, also asked us for a copy of this declassified binder.” Alex Cannon was cc’d on Justin’s request and our response. I am not aware of any other communications that would exist between NARA and Alex about this matter. [my emphasis]

That would be the only communications “about this matter,” seemingly distinguishing the Russian binder from the missing Presidential records.

At the time Maggie was distracting the chattering classes with the swap story, ABC had a very thorough story that revealed some of what Stern had explained to Solomon last year. That story suggests the month-long focus on the Russian binder had led overall compliance with the Presidential Records Act to be lacking. As Hutchinson tells it, it was worse, with 10 to 15 NSC staffers madly copying classified documents in the last days Trump was in office, with two sets of four copies — one still classified, one less sensitive — circulating to who knows where.

The tie between the Russian documents and the documents Trump stole may be no more than the alibi Kash tried to use them as, an attempt to claim that the limited declassification was instead a blanket effort. Perhaps it was also a failed effort to use Kash and Solomon as moles to figure out what NARA got back. Or perhaps some of these materials madly copied at the last moment were among the classified documents Trump took with him. Perhaps some of those materials were among the still-classified documents Trump took and hoarded in a storage closet with a shitty lock.

But that tie is one of the reasons I read the version of the binder released earlier this year in response to a Judicial Watch FOIA closely (release 1, release 2).

That is one dumbass binder. If you’re going to expose yourself and your assistants to Espionage Act prosecution, this is one dumbass document to do so over.

Having reviewed it — even with great familiarity with the unending ability of certain frothers to get ginned up over these things — I cannot believe how many people remain obsessed about this document.

The document, as released to Judicial Watch, is little more than a re-release of a bunch of files that have already been released. Perhaps the only released documents I hadn’t read closely before were memorializations that Andy McCabe wrote of conversations he had in the wake of Jim Comey’s firing with and about Trump, including the one that described Rod Rosenstein offering to wear a wire to meetings at the White House.

And because DOJ subjected the documents to a real Privacy Act review, unlike declassifications effectuated by Director of National Intelligence John Ratcliffe when Kash babysat him as his Chief of Staff, a number of the documents actually are more redacted than previous versions, something that will no doubt be a topic of exciting litigation going forward.

Mark Meadows ordered DOJ to do a Privacy Act review and as a result great swaths of documents were withheld, page after page of b6/b7C exemptions as well as b7D ones to shield confidential information.

Here’s what got released to Judicial Watch, along with links to the previous releases of the documents:

The Bruce Ohr 302s are the only documents that include much newly released materials, mostly reflecting Igor Danchenko’s subsequent public identification. Both the candidate briefing and the Carter Page FISA application include significantly more redaction (and those are not the only interesting new redactions); given the redactions, it doesn’t look like Trump contemplated disseminating any Page material that was sequestered by the FISA Court, which would have been legally problematic no matter what Trump ordered, but references to the sequestration were all redacted.

As noted above as Requests 1, 5, 6, 14, and 17, there were five things Trump asked for that were still pending at DOJ when Trump left office. Two of those are identified: A request for materials on Perkins Coie lawyers, which (DOJ informed Trump) had no tie to Crossfire Hurricane, and a request for details on an August 2016 meeting involving Bruce Ohr, Andrew Weissmann, and one other person “concerning Russia or Trump.”

There were a number of communications between Ohr, Weissmann, and others later in 2016, including communications potentially relating to an effort to flip Dmitry Firtash, as well as October 2016 communications between Ohr and McCabe. But the jumbled timeline of Ohr’s communications has often been used to insinuate that the Crossfire Hurricane team learned of the Steele allegations earlier in the investigation than the September 19 that DOJ IG reflects. In any case, some of these meetings likely touched on Oleg Deripaska and some might touch on the suspected Egyptian donation Trump used to stay in the race past September 2016, not the dossier.

Between other then-pending requests and big chunks of withheld information (I’ve noted the biggest chunks above, but it would be around 300 pages total), there are things I would have expected to see in this binder that are not there. For example, almost none of the material released as part of DOJ’s attempt to undermine the Flynn investigation (links to which are in this post) is included here. Most of that stuff constitutes information that would never normally be released. It was egregiously misrepresented by Barr’s DOJ. Some of the files were altered. If these were requested, I can think of a number of reasons it would take DOJ a while to provide the materials. Even still, though, the materials didn’t persuade Emmet Sullivan to overturn Flynn’s prosecution, and documents left out of this bunch, such as Flynn’s later 302s, including some where he obviously told the same lies he had told in January 2017, would easily rebut any claims Trump might offer with the Flynn documents.

The documentation showing Strzok learning of a Russian intelligence product claiming not very damning things about Hillary is not in here. That, too, is something that would never have been released with a normal DNI not being led around by Kash Patel and it’s one that would take DOJ a good deal of time to clear. But as I laid out here, the report came after Trump had already demonstrably started pursuing files stolen by Russia. By the time Hillary purportedly decided to call out Trump for encouraging the Russian hack, Trump was encouraging the Russian hack.

Given that Mike Rogers’ 302 from the Mueller investigation is included here, you’d expect those of Trump’s other top intelligence officials to be included as well. Dan Coats and Mike Pompeo were interviewed in the weeks after Rogers. Coats’ aide Mike Dempsey and NSA Deputy Director Rick Ledgett were also interviewed about Trump’s March 2017 effort to get the IC to deny he had a role in Russian interference, as was Trump’s one-time briefer Edward Gistaro (Gistaro was interviewed a second time in 2018, in an interview treated as TS/SCI, which likely pertained to his involvement in briefing at Mar-a-Lago during the transition). Details of these interviews show up in the Mueller Report, and his request only helps to make Trump look more guilty.

It doesn’t include materials released as part of the failed Sussmann and Danchenko prosecutions. But like Barr’s effort to overturn the Flynn prosecution, none of that evidence sustained Trump’s conspiracy theories either. Indeed, during a bench conference in the Danchenko trial, Durham fought hard to keep the substance of the discussions — ostensibly about energy investments — between Sergei Millian and George Papadopoulos starting in July 2016 out of the trial because, “it certainly sounds creepy.” The Sussmann trial showed how justified people were in wondering about Trump’s Russia ties in the wake of his “Russia are you listening” comment. It provided a glimpse of how time-consuming being a victim of a nation-state hack had been for Hillary in 2016. Durham even demonstrated that FBI badly screwed up the Alfa Bank investigation. When subjected to the rules of evidence, none of Trump’s hoax claims hold up.

The point is, nothing in this binder — particularly as released — supports Trump’s claims that the investigation into him wasn’t independently predicated and didn’t lead to really damning information implicating at least five of his top aides and his own son.

Trump keeps trying to collect some set of evidence that will make go away the far more damning ties to Russia that his National Security Advisor, his Coffee Boy, his personal lawyer, his campaign manager, and his rat-fucker all lied to hide. And in this case, it may have led Trump to do something far dumber, to defy a subpoena and hoard highly classified documents.

Which possibility only makes the dumbass Russia binder even more of a dumbass Russian binder.

“That’s How … You End Up as a Defendant in a Court Room:” Some Days in the Life of a Named-and-Shamed Former GRU Hacker, Ivan Ermakov

In early 2018, Ivan [Y]Ermakov,* one of the hackers alleged to have stolen John Podesta’s emails two years earlier, was living it up.

For his April 10 birthday that year, he went on a stunning heli-ski trip with his future co-conspirator, Vladislav Klyushin (Ermakov is on the left in this picture, Klyushin, on the right and in the Featured Image picture).

In summer 2018, they were enjoying the Sochi World Cup together, too.

Just days after this trip to Sochi, however, on July 13, 2018, Robert Mueller would indict Ermakov, along with eleven of his former GRU colleagues, for hacking the DNC, DCCC, Hillary Clinton, election vendors, and registration websites, as well as orchestrating the release of the stolen files.

By the time of that first indictment against him — the first of three known indictments against the Russian hacker so far — Ermakov had already made one of the fatal slip-ups that would form part of the proof against Klyushin at trial, this time for a hack-and-trade scam. On May 9, 2018, Ermakov received three updates from his Apple iTunes account to the IP address 119.204.194.11. Just four minutes later, someone using that IP address downloaded an SEC filing using credentials stolen from a Donnelly Financial employee named Julie Soma. That download occurred hours before the report would be publicly filed with the SEC, one of dozens of such thefts of SEC filings that formed the basis of the hacking and securities fraud charges against the men.

So months before Mueller’s indictment alerted Ermakov that the FBI had discovered who he was and that they believed he was one of the hackers behind the 2016 hack, he had already left proof in US-based servers that would tie him to a follow-up crime, the hack-and-insider trading conspiracy for which Klyushin was convicted in February.
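The kind of correlation described above, an account's activity at an IP address followed minutes later by a credentialed download from the same address, can be sketched as follows. This is an added example, not code or data from the trial record: only the date, the IP address and the four-minute gap come from the article, while the log format, timestamps, account labels, document names, release times and the `correlate` function are constructed for illustration.

```python
from bisect import bisect_left, bisect_right
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# Constructed records in a hypothetical "timestamp actor ip detail" format.
# Only the date, the IP address and the four-minute gap come from the article.
PROVIDER_LOG = """\
2018-05-09T11:02:10+00:00 account-A 119.204.194.11 app_update
2018-05-09T11:02:41+00:00 account-A 119.204.194.11 app_update
2018-05-09T11:03:05+00:00 account-A 119.204.194.11 app_update
2018-05-09T20:15:00+09:00 account-B 198.51.100.7 app_update
"""

AGENT_LOG = """\
2018-05-09T11:07:05+00:00 employee-1 119.204.194.11 filing-0001
2018-05-09T11:30:00+00:00 employee-2 203.0.113.9 filing-0002
2018-05-09T18:00:00+00:00 employee-1 119.204.194.11 filing-0001
"""

# Constructed public-release times, used to flag access before publication.
RELEASE_TIMES = {
    "filing-0001": datetime(2018, 5, 9, 16, 0, tzinfo=timezone.utc),
    "filing-0002": datetime(2018, 5, 9, 10, 0, tzinfo=timezone.utc),
}


class Event(NamedTuple):
    ts: datetime   # always normalised to UTC
    actor: str     # provider account, or the credential used at the agent
    ip: str
    detail: str    # event type, or the document downloaded


def parse(log):
    """Parse log lines into Events, converting every timestamp to UTC."""
    events = []
    for lineno, line in enumerate(log.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        ts = datetime.fromisoformat(fields[0]).astimezone(timezone.utc)
        events.append(Event(ts, *fields[1:]))
    return events


def correlate(provider_events, downloads, release_times,
              window=timedelta(minutes=10)):
    """Pair each download with provider activity from the same IP in +/- window."""
    by_ip = defaultdict(list)
    for ev in sorted(provider_events, key=lambda e: e.ts):
        by_ip[ev.ip].append(ev)

    findings = []
    for dl in downloads:
        candidates = by_ip.get(dl.ip, [])
        times = [e.ts for e in candidates]
        near = candidates[bisect_left(times, dl.ts - window):
                          bisect_right(times, dl.ts + window)]
        if not near:
            continue  # same IP hours apart proves little: addresses get reused
        accounts = sorted({e.actor for e in near})
        release = release_times.get(dl.detail)
        findings.append({
            "download": dl,
            "accounts": accounts,
            "provider_hits": len(near),
            "closest_gap": min(abs(dl.ts - e.ts) for e in near),
            # Several accounts on one IP (VPN exit, NAT) weakens attribution.
            "exclusive": len(accounts) == 1,
            "pre_release": release is not None and dl.ts < release,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(parse(PROVIDER_LOG), parse(AGENT_LOG), RELEASE_TIMES):
        dl = f["download"]
        print(f"{dl.ts.isoformat()} {dl.detail} via {dl.actor} from {dl.ip}: "
              f"{f['provider_hits']} provider events by {f['accounts']}, "
              f"closest gap {f['closest_gap']}, pre-release={f['pre_release']}")
```

Only the first download is reported: the later download from the same address has no provider activity near it, which is why the time window matters as much as the IP match.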

Klyushin has challenged the verdict, largely based on a technical challenge to the venue of the charges in Massachusetts.

Per trial testimony, Ermakov left those tell-tale forensic tracks four months before Klyushin would first get involved in the hack-and-trade scheme, in August 2018. The scheme was doomed from the start — at least, it would be doomed if any of the identified co-conspirators traveled to a jurisdiction that would extradite to the US, as Klyushin did in March 2021.

In fact, there’s something curious about that.

One thing submitted as evidence at trial was a picture of a May 22, 2017 Reuters article reporting the US sentence for Ukrainian hacker Vadym Iermolovych, one of ten people prosecuted for a hack-and-trade conspiracy similar to the one for which Klyushin was convicted.

According to the FBI agent who introduced the exhibit, the picture itself was taken in August 2018. Someone printed out the article and packaged it up in a plastic folder over a year after the fact. That suggests Klyushin was in discussion with a very well-connected friend about the possibility of such charges in the same month that Klyushin first got involved in the scheme.

The possibility of prosecution hung over the conspiracy from the start.

Thanks to Klyushin’s promiscuous storage of damning evidence in his iCloud account, from which many of the pictures and chats in this post were obtained by the FBI, the Klyushin case offers an unprecedented public glimpse into the effect that US indictments against nation-state hackers like Ermakov might have on one of the targets’ lives. In Ermakov’s case, it didn’t stop him from hacking US targets. Indeed, it’s possible that others used the indictments to pressure Ermakov to use his hacking skills for them.

Since 2014, DOJ has been indicting nation-state hackers in what have always been assumed to be name-and-shame documents, indictments that would never lead to trial. Indeed, that’s what the two earlier indictments of Ermakov have always been assumed to be: a public accusation that would never lead to Ermakov’s imprisonment. The wisdom of indicting nation-state hackers has never been obvious. Yevgeniy Prigozhin’s exploitation of his own name-and-shame indictment has revealed the potential perils of the policy. And Russian denialists brush off the July 2018 indictment charging Ermakov and others with the election year hack (as Matt Taibbi did in his recent congressional testimony), arguing that since the indictment will never be tested at trial, it could be mere government propaganda.

At least in the case of the 2016 Russian operation, the indictment has done little to persuade denialists, who simply refuse to read about the many places where the hackers left evidence.

In a follow-up, I’ll show how DOJ proved their case against Klyushin using the same kind of evidence they used in the earlier indictments against Ermakov and his colleagues, largely metadata and content obtained from US-based and a few foreign servers. DOJ may never get a chance to prove the first two indictments against Ermakov, but using the same investigative techniques, they did prove the case against Ermakov’s co-conspirator, Klyushin.

This case, where a sealed complaint ultimately led to the trial of one co-conspirator of a hacker previously charged, also provides a glimpse of what happened after one nation-state hacker got name-and-shamed in the US.

It’s not clear from the trial record when Ermakov left the GRU or who his formal employer was before he joined Klyushin’s M-13, an information services company with ties to Putin’s office that offered, among its services, pen testing.

The FBI found a contact card for Igor Sladkov, with whom Ermakov may have started the hack-and-trade scheme at least as early as October 2017, in Ermakov’s own iCloud account, one of the only interesting pieces of evidence they found there. It was dated November 16, 2016, just over a week after Donald Trump got elected with Ermakov’s help. Sladkov — whose iCloud OpSec was just as shoddy as Klyushin’s — had a bunch of photos of Ermakov in his iCloud account, including the hacker’s passport, a 2016 picture of Ermakov sitting before an enormous plate of some animal flesh, and a picture from Ermakov’s 2018 ski trip, as well as a picture of Klyushin’s yacht that Ermakov had shared.

Before trial, Klyushin’s team argued that Ermakov never worked for Klyushin’s company, bolstering the claim with a chat from May 2019 in which Ermakov bitched about his job to Klyushin and a certificate from the Russian tax service claiming that [Y]Ermakov never worked at M-13.

But days after that chat, per another pre-trial filing, Ermakov spoke longingly of being able to travel like Klyushin could. Klyushin responded that he would get Ermakov new identity papers so the two could travel to Europe together, but not — Klyushin conceded — London or America. Klyushin seemingly used that discussion as background to press Ermakov to get back to work, with the implication being he should get back to the hack-and-trade scheme.

That is, Ermakov appears to have included Klyushin in the hack-and-trade scheme while still working for someone else. And Klyushin seems to have used his promise to help Ermakov mitigate the risks created by those earlier indictments to pressure Ermakov to keep hacking. If that’s right, the vulnerability created by the earlier indictments gave Klyushin leverage to get Ermakov to keep hacking.

But Ermakov did eventually join M-13, at least informally. The government introduced an M-13 employee list reflecting Ermakov’s participation in specific project at trial. And they submitted a picture, from December 2019, showing Ermakov with an M-13 sticker, within days of the time when a staging server similar to the one used in the 2016 hack of the Democrats was set up.

Klyushin may have even incorporated Sladkov into M-13. The FBI found a proposal for a data analysis service, dated September 4, 2019, which M-13 would introduce on October 28, 2020, as well as encrypted communications from an M-13 chat application, in Sladkov’s iCloud account.

Klyushin fought hard to exclude one of the most telling pieces of evidence that the hacking scheme came to be tied to M-13 — the four Porsches that, Klyushin bragged to an investor, he had bought for himself, Ermakov, and one other co-conspirator with the proceeds of the insider trading.

But this currency — expensive gifts — seems to have been at least part of the way Ermakov was compensated for his role in the scheme.

Ermakov did not engage in any trading himself. Instead, two men in St. Petersburg, two associated with M-13 (including Klyushin himself), and three clients of M-13, profited off documents [Y]Ermakov seems to have stolen.

But in addition to the Porsche, on August 17, 2020, ten days before the delivery of the Porsches, Ermakov took possession of a Moscow house worth millions, the loan agreement for which Klyushin reportedly ripped up. Months earlier, Klyushin had tied paying for the house with continued hacking — which, Klyushin joked, amounted to just turning on the computer and thinking about making money.

Ermakov was effectively printing money for Klyushin, and his reward was that house.

In September 2020, the hack-and-trade scheme would be shut down for good.

Throughout the time it was going, however, those co-conspirators knew of the indictment against Ermakov. Sladkov downloaded Ermakov’s wanted poster from the FBI website on October 5, 2018, just a day after Ermakov was charged in the 2016 hack-and-leak of anti-doping agencies while Ermakov was still a GRU officer.

And on October 4, 2020, Klyushin took a screencap of Ermakov’s wanted poster from the FBI website.

By the time Klyushin took this screencap, the victim filing agencies had finally shut down Ermakov’s access to the site, after eight months of trying. Perhaps Klyushin was contemplating what that would mean or how it had happened? According to trial evidence, DOJ didn’t identify the hack-and-trade scheme by tracking what Ermakov was doing. Rather, the investigation started when the SEC started tracking some large-scale trading by a bunch of Russians together, then asked the filing agencies if they had been hacked. At least according to the public record, the involvement of Ermakov was disclosed only after working backwards from the forensic evidence. But in October 2020, Klyushin may have considered the risks of entering into a hack-and-trade scheme with a hacker whose habits were already known within the FBI.

By then it was too late. Indeed, Ermakov had already warned his boss about his shoddy OpSec. On July 18, 2019, Klyushin asked Ermakov and the other M-13 co-conspirator Nikolai Rumiantcev how the hack-and-trade was going. He included pictures of two of the M-13 investors. In response, Ermakov warned his boss that that kind of OpSec is the kind of thing that would land him as a defendant in a courtroom.

Q. Okay, thank you. And now can we move to 3980, please. And this date is?

A. This is July 18 of 2019.

Q. Would you begin with 3980.

A. “Vladislav Klyushin: So what did we earn today?”

Q. And then there’s an attachment?

A. Correct.

Q. And then he says what?

A. Ermakov responds: “About 350 and another 350 in the mind. Sasha the most among the rest. “Klyushin: Our comrades are wondering.”

MR. FRANK: Could we stop right there, and I realize it’s hard, Ms. Lewis, because we’re in the Excel, but could you please display Exhibits 52 and Exhibit 50.

Q. Those are the attachments, Special Agent. Have you had an opportunity to review those?

A. Yes.

Q. Who’s depicted in Exhibits 52 and 50?

A. On the left, 52 is Sergey Uryadov. On the right is Boris Varshavksiy in Exhibit 50.

MR. FRANK: I offer 52 and 50. (Exhibits 50 and 52 received in evidence.)

Q. Okay. So those are the two attachments Mr. Klyushin has just transmitted in the chat?

A. Yes.

Q. Can we go back to the chat and pick up where we left off. So Mr. Klyushin says, “What did we earn today? Our comrades are wondering.” Could you continue, please, at 3987.

A. After sending those pictures we just looked at, Ermakov replies: “Vlad, you are exposing our organization. This is bad.” Nikolai Rumiantcev: Vlad, stop sending to Threema.” Klyushin replies, “So sorry.” “Ermakov: And that’s how they get you and you end up as a defendant in a courtroom.”

Q. How does Mr. Klyushin respond?

A. Klyushin responds, “Removed. Open a chat with us already. “Ermakov: Go ahead and create. It was a bad move now. “Klyushin: Sorry. Did a dumb thing. “Rumiantcev: I suggest to recreate the chat with the deletion of attachments in Threema, or switch to ours if ready. “Klyushin: I will delete this one on my end.”

Klyushin did delete this chat. Rumiantcev left it in his iCloud account, where the FBI found it.

At the time, the men appear to have been shifting their trading discussions to the encrypted M-13 chat application found in all their iCloud accounts, finally taking measures to cover their tracks going forward, over eighteen months into the hack-and-trade conspiracy. Going forward, those working with Ermakov might not exhibit the kind of abysmal OpSec that produced abundant trial evidence against his co-conspirator. Maybe they learned their lesson, and they’ll be able to exploit Ermakov’s skill more safely going forward.

It remains to be seen whether the prosecution of Klyushin, with his ties to even higher ranking Russians, does more than hold him accountable for millions in fraudulent trades. But that may have little effect on the life of John Podesta’s suspected hacker.

* The government has used two different transliterations for [Y]Ermakov’s last name. In 2018, they used the one that aids in pronunciation. In 2021, they used the direct transliteration from the Cyrillic. Because evidence submitted at Klyushin’s trial uses the initials “IE” to refer to Ermakov, I’ll adopt that spelling here.

KT McFarland Likened Trump’s Transition Interventions to the Iran October Surprise

In an FBI interview on September 14, 2017, KT McFarland likened Mike Flynn’s transition period interference with Obama policy to Richard Nixon’s Chennault Affair and what she called Reagan’s “purported dealings with Iran to free American hostages.”

Based on her study of prior presidential transitions, McFarland believed the sorts of things Flynn did were not unusual. She cited Richard Nixon’s involvement in Vietnam War peace talks and Ronald Reagan’s purported dealings with Iran to free American hostages during their transitions as precedent for proactive foreign policy engagements by an incoming administration. Most incoming administrations did similar things. No “red light” or “alarm bells” went off in her head when she heard what Flynn was doing. The President-elect made his support for Israel very clear during the campaign and contrasted his position with President Obama, who he believed had not treated Israel fairly.

To be clear: She was only talking about Flynn’s request of Russia, on December 22, to help stave off a UN vote condemning Israeli illegal settlements. At that point in September 2017, she was still claiming not to remember the calls Flynn made on December 29 to undermine Obama’s sanctions on Russia itself. She wouldn’t unforget those calls until after Flynn pled guilty a month and a half later.

But to the extent that she was happy to acknowledge that Trump’s National Security Advisor — her boss — was undermining US policy, she rationalized it by comparing it to Nixon and Reagan’s efforts to undermine US policy for political gain.

Only, it wasn’t just Flynn involved in undermining Obama’s foreign policy. Records from Mueller’s investigation show the following sequence on December 22:

  • 6:02AM: A “senior advisor to a Republican Senator” writes McFarland, cc’ing Flynn and others, warning that the UNSC was “voting to condemn Israeli settlements at 10a.m.” yet Obama was silent
  • 8:46AM: Flynn and Kushner speak for four minutes
  • 8:53AM: Flynn calls Sergei Kislyak, then calls a representative of the Egyptian government and speaks to him for four minutes
  • 8:59AM: Flynn speaks to Kislyak for three minutes
  • Flynn had “several additional” calls with the representative of the Egyptian government
  • Egypt delayed the vote

When the President’s son-in-law read a draft statement from Egypt noting that Abdel Fattah El-Sisi had spoken with Trump that day and had “agreed to lay the groundwork … to drive the establishment of a true peace between the Arabs and the Israelis,” Kushner asked whether they could alter the statement. “Can we make it clear that Al Sisi reached out to DJT so it doesn’t look like we reached out to intercede?” He then falsely claimed, on an email with others like Reince Priebus that, “This happens to be the true fact pattern and better for this to be out there.”

Only it wasn’t the true fact pattern. Flynn had reached out. Not Sisi.

Indeed, this incident was probably the start of Kushner’s Abraham Accords, which in turn probably relates to why the Saudis paid Kushner $2 billion after he left the White House.

And it wasn’t just Flynn involved. Flynn made all these calls from Mar-a-Lago. After Egypt delayed the vote, McFarland bragged that Flynn, “had worked it all day with trump from Mara lago.” [my emphasis]

Trump was involved too.

That December 22 transcript was withheld from those released in 2020. But on a later call with Kislyak — the one where he asked Kislyak to hold off on sanctions — analysts suggested “he may be using a speaker phone.” Had Flynn used a speaker phone on December 22, when he was in Mar-a-Lago with Trump, Trump would have been on that call as well.

The next day, McFarland bragged still some more. She suggested Flynn should leak to the press about,

the crucial role [he] played in working your contacts built up over the decades to get administration ambush Israel headed off. You worked the phones with Japanese Russians Egyptians Spanish etc and reversed a sure defeat for Israel by kerry/Obama/susan rice/samantha power cabal.

In 2016, McFarland wanted Flynn to get credit in the press that he had undermined US policy to help Israel. In 2017, she rationalized doing so because Nixon and Reagan had done similar things in their day.

I raise all this not just because I wonder whether Bill Barr killed the investigation into whether Egypt kept Trump’s campaign alive in September 2016 with a $10 million donation.

I raise all this because NYT, on the verge of Jimmy Carter’s death, has finally revealed who reached out to Iran to get them to hold Americans hostage longer to help Reagan win the White House.

It was former Texas Governor John Connally.

It was 1980 and Jimmy Carter was in the White House, bedeviled by a hostage crisis in Iran that had paralyzed his presidency and hampered his effort to win a second term. Mr. Carter’s best chance for victory was to free the 52 Americans held captive before Election Day. That was something that Mr. Barnes said his mentor was determined to prevent.

His mentor was John B. Connally Jr., a titan of American politics and former Texas governor who had served three presidents and just lost his own bid for the White House. A former Democrat, Mr. Connally had sought the Republican nomination in 1980 only to be swamped by former Gov. Ronald Reagan of California. Now Mr. Connally resolved to help Mr. Reagan beat Mr. Carter and in the process, Mr. Barnes said, make his own case for becoming secretary of state or defense in a new administration.

What happened next Mr. Barnes has largely kept secret for nearly 43 years. Mr. Connally, he said, took him to one Middle Eastern capital after another that summer, meeting with a host of regional leaders to deliver a blunt message to be passed to Iran: Don’t release the hostages before the election. Mr. Reagan will win and give you a better deal.

Then shortly after returning home, Mr. Barnes said, Mr. Connally reported to William J. Casey, the chairman of Mr. Reagan’s campaign and later director of the Central Intelligence Agency, briefing him about the trip in an airport lounge.

At that moment of history, when Reagan won a victory in part thanks to Connally’s sacrifice of Americans’ freedom, KT McFarland was at the height of her credibility on foreign policy, fresh off going ABD in a PhD program. With the new Republican regime, she worked first for Texas Senator John Tower on the Senate Armed Services Committee, then for Cap Weinberger at DOD.

KT McFarland, who derives any foreign policy credibility from that moment created by an effort to harm US policy for political gain, likened what Trump did to what Reagan had done before.

Judge Unseals Details on Cooperating Witness in Douglass Mackey Case

The government was just forced to reveal that it has a cooperating witness against Douglass Mackey, the far right troll who tried to help Trump win in 2016 by tricking Hillary voters into texting their vote instead of casting it legally. The cooperating witness will testify against Mackey, whose trial starts on March 16.

The documents were all made available today:

The charge against Mackey accuses him of conspiring with four other people. As Luke O’Brien laid out when Mackey was arrested in 2021, three of Mackey’s co-conspirators were readily identifiable.

HuffPost can report that one co-conspirator is a prominent alt-right botmaster who goes by “Microchip” and was instrumental in making pro-Trump and anti-Hillary Clinton hashtags and content go viral on Twitter during the 2016 election. A fascist accelerationist who has expressed admiration for Adolf Hitler and Nazism, Microchip claims to have been involved in the early spread of the QAnon conspiracy cult and repeatedly told this reporter that his goal was to destroy the United States.

Another of Mackey’s co-conspirators is Anthime “Baked Alaska” Gionet, a pro-Trump white nationalist who was arrested on Jan. 16 for his involvement in storming the Capitol on Jan. 6. Gionet also participated in the deadly white nationalist “Unite the Right” rally in Charlottesville, Virginia, in 2017. (A New York Times story reported Wednesday afternoon that Gionet was a co-conspirator, citing a source close to the investigation, and HuffPost can confirm that reporting based on the Twitter ID cited in the complaint.)

HuffPost was able to link the Twitter IDs in the complaint to Gionet and Microchip through previously collected Twitter data, interviews and evidence left by both extremists on other websites. In direct messages with this reporter last year, Microchip also confirmed that he was using the Twitter account associated with the user ID listed in the complaint.

The user ID for a third co-conspirator belongs to a pro-Trump far-right activist who goes by “Nia” and has a long history of spreading disinformation on Twitter. HuffPost has not yet been able to identify the fourth co-conspirator.

The fourth was not.

As the government laid out in its motion, at some point, the cooperating witness pled guilty to the same crime charged against Mackey, a violation of the Ku Klux Klan Act. Since then, he has been cooperating with the government on other investigations, presumably targeting the far right.

The CW has pleaded guilty to a violation of 18 U.S.C. § 241 and entered into a cooperation agreement with the government. The government expects that the evidence at trial will show that the CW had communications with the defendant and other relevant persons over the internet through the use of Twitter, including communications discussing the creation and dissemination of deceptive images concerning the time, place, and manner by which voters could cast a vote in the 2016 presidential election. In particular, the CW participated in direct-message groups that included the defendant and others. In all instances, the CW used an online moniker for these communications and did not reveal his or her true identity, face, or likeness to the defendant or the other participants in the groups.

The government intends at trial to introduce the CW’s communications as exhibits and to question the CW concerning them and the CW’s understanding of the purpose of the deceptive images discussing the time, place, and manner of voting, among other related online activities. The CW has advised that apart from the CW’s family, a former girlfriend, and possibly one or two former business associates, no one is aware that the CW is in fact the user of the relevant internet monikers. As far as the government is aware, the CW’s true identity has never been publicly associated with any of the online monikers used by the CW on Twitter or other social media, notwithstanding the efforts of investigative journalists who have attempted to learn the CW’s identity.

In addition, since entering into the cooperation agreement, the CW has provided assistance to the FBI in other criminal investigations beyond the scope of this case. The CW is presently involved in multiple, ongoing investigations and other activities in which he or she is using assumed internet names and “handles” that do not reveal his or her true identity. The CW has not interacted with any witness, subject, or target in these investigations and activities on a face-to-face basis, and the government has no reason to think that the CW’s true identity has been compromised as a result of this work.

The government provides no other details about the CW (though Mackey’s reply refers to him as male), but it does go out of its way to note that the person had not flipped by 2016, I guess to avoid any possibility Republicans will claim this was part of Crossfire Hurricane.

For the avoidance of doubt, the CW was not cooperating with the government at any point before or during 2016.

As the government noted in its reply, the technical proficiency of those who might suspect they were being investigated is such that revealing his identity might make him the target of harassment and cyber attacks.

The fact of the CW’s cooperation is sure to be seen by many in that community as a profound betrayal, with the result that, at a minimum, online harassment is bound to follow the CW should his or her identity become a matter of public record. That harassment can have negative consequences in and of itself. In addition, to claim that intense online attacks do not endanger a person’s physical safety is to ignore the reality of our current world, as evinced in common newspaper headlines. See, e.g., Sheera Frenkel, The Storming of Capitol Hill Was Organized on Social Media, N.Y. TIMES, Jan. 6, 2021, available at https://www.nytimes.com/2021/01/06/us/politics/protesters-storm-capitol-hillbuilding.html; Eric Lipton, Man Motivated by “Pizzagate” Conspiracy Theory Arrested in Washington Gunfire, N.Y. TIMES, Dec. 5, 2016, available at https://www.nytimes.com/2016/12/05/us/pizzagate-comet-ping-pong-edgar-maddisonwelch.html. It is simply (and regrettably) a fact of the times that many acts of politically motivated violence in current society arise from campaigns of online harassment.

Beyond the risk to the CW, the potential consequences include the disruption of the CW’s ongoing work with the FBI. It is certainly true that the nature of this work is online and anonymous, but, if the CW’s name and location were to become known, the CW would become a target for all who believe that they might be under investigation (whether they are or not). Given the technical proficiency of those with whom the CW associates, it is not difficult to envision multiple scenarios in which the CW’s online work could be jeopardized by way of a cyberattack (at a minimum).

While it doesn’t say so, those two past incidents in which online trolling led to violence — January 6 and PizzaGate — are both other instances in which Mackey’s other co-conspirators and those in the same network were involved. Indeed, co-conspirator Baked Alaska is currently serving time for his role in the January 6 attack.

Unsurprisingly, the government provides no details about how long this cooperation has been going on — but it presumably started before Mackey was arrested in 2021. Which is likely to make a lot of right wingers awfully nervous.

Trophy Documents: The Entire Point Was to Make FBI Obedient

Those who didn’t follow John Durham’s trials closely undoubtedly missed the parade of scarred FBI personnel whose post-Crossfire Hurricane vulnerability Durham attempted to exploit to support his invented claims of a Clinton conspiracy.

Sure, lots of people wrote about Jim Baker’s inability to provide credible answers about the meeting he had with Michael Sussmann in September 2016. Fewer wrote about the credible case that Sussmann’s attorneys made that a prior Durham-led investigation into Baker — for sharing arguably classified information with a reporter in an attempt to forestall publication of a story — made Baker especially quick to cooperate with Durham in 2020. Fewer wrote about Baker’s description of the stress of Jim Jordan’s congressional witch hunts.

It sucked because the experience itself, sitting in the room being questioned the way that I was questioned, was, as a citizen of the United States, upsetting and appalling, to see members of Congress behaving the way that they were behaving. It was very upsetting to me.

[snip]

It sucked because my friends had been pilloried in public, my friends and colleagues had been pilloried in public, improperly in my view; that we were accused of being traitors and coup plotters. All of this was totally false and wrong.

Such a circus was the kind of thing that might lead someone like Baker to prefer the “order” of a prosecutor chasing conspiracy theories, someone whose memory was seared by the firing of Jim Comey.

[Sean Berkowitz]. And this is a pretty terrible experience as well. Right?

A. It’s more orderly.

Q. (Gestured with hand to ear.)

A. This is more orderly. It’s terrible but orderly.

Q. And you’re doing the best you can. Right, sir?

A. Yes, sir.

Q. But it’s hard to remember events from a long time ago, isn’t it?

A. It depends on what the event is. I remember Jim Comey being fired, for example. That’s a long time ago and I have a clear recollection of that. So it depends on what you’re talking about.

But Baker wasn’t the only one who discussed the years of scrutiny. Counterintelligence Special Agent Ryan Gaynor, who worked in DC on the Russian investigations during 2016, described how in October 2020, after he revealed to Durham’s team that he knew a DNC lawyer had brought in the Alfa Bank tip, Durham’s team told him they were no longer treating him as a witness, but as a subject of the investigation.

A. Yeah. There were two thoughts. The first one was that I felt like I had woefully ill prepared for the meeting, because I didn’t know what the meeting was honestly going to be about with this investigation.

The second thought was that I was in significant peril, and it was very concerning as a DOJ employee to be told that now the Department of Justice is interested in looking at you as a subject instead of a witness.

Sussmann lawyer Michael Bosworth got Gaynor to explain that after he told a story more to Durham’s liking, he was moved back to the status of witness.

During his testimony, Curtis Heide (who played a key role in the George Papadopoulos investigation) explained how the FBI Inspection Division investigation into Crossfire Hurricane Agents, including him, remained pending, 6 years after the events in question. He noted that, three years after the DOJ IG Report, he was still being investigated even though he, “didn’t author any of the affidavits or any of the materials related to the applications in question.”

The same was true in the Danchenko case. Brian Auten, a key intelligence analyst on Crossfire Hurricane, described how, after having met with agents from DOJ IG four times, having done a long report for FBI’s Internal Affairs Division, and having met with the Senate Judiciary Committee — all with no concerns raised about his own conduct — the first time he met with Durham’s team, he was told he was a subject of the investigation. After Auten gave testimony that confirmed Danchenko’s reliability — seriously damaging his case — Durham himself raised investigations that undermined his own witness’ testimony.

Q. Do you recall that there was a report that the OIG had written concerning the Carter Page FISAs?

A. Yes.

Q. And how would you characterize that report?

A. The report was quite extensive and it discussed characterizing a number of errors and omissions.

Q. And with respect to the errors and omissions, were they tick-tacky kinds of omissions or were they significant omissions and errors that had been committed?

A. I believe the OIG described them as significant.

Q. And then with respect to the investigation done by the OIG, separate and apart from that, would it be a fair statement that you and your colleagues were under investigation by the inspection division by the FBI?

A. Yes.

Q. And would it be a fair statement that your conduct in connection with that is, you, yourself, based on the investigation done by the inspection division of the FBI, have some issues, correct?

A. I — be a little bit more specific. I’m sorry. I don’t — I have issues?

Q. Isn’t it, in fact, true that you’ve been recommended for suspension as the result of the conduct?

A. It is currently under appeal.

That line of testimony immediately preceded a hilarious failed attempt from Durham to get Auten to agree that George Papadopoulos was simply a young man with no contact to Trump who was only investigated for his suspect Israeli ties, not for his Russian ties. But it was a palpable example of the way that Trump’s minions used criminalizing FBI investigations into Trump as a way to create a make-believe world that negates real evidence of Trump’s corruption.

About the only two FBI agents who weren’t portrayed as somehow tainted by the events of 2016 in Durham’s two failed prosecutions were two agents who fucked up investigations: Scott Hellman, who correctly told a junior agent that she would face zero repercussions if she botched the Alfa Bank investigation, and Ryan James, an FBI agent who started his career in Connecticut, who nevertheless failed to pull the evidence necessary to test Sergei Millian’s claims.

Durham rewarded the incompetence that served his purpose and attempted to criminalize what he considered the wrong answers or at least to use the threat of adverse consequences to invent a false record exonerating Trump.

And Durham came in after Jim Comey, Peter Strzok, Andrew McCabe, and Bruce Ohr had already been fired, and Lisa Page, with Strzok, deliberately humiliated on a global stage serially. He came in and exploited the uncertain status — the Inspection Division review left pending while Durham worked — of everyone involved. Such efforts didn’t end with the conclusive acquittals debunking Durham’s theories of conspiracy. Since then, Jim Baker has been dragged back through the mud — publicly and in Congress — as part of Twitter Files, Chuck Grassley passed on “whistleblower” complaints about Auten identifying Russian disinformation as such, and Timothy Thibault was publicly berated because some of the same so-called whistleblowers feeding Jim Jordan shit had complained to Chuck Grassley he was discouraging GOP conspiracy theories about Hunter Biden.

It was never just Strzok and McCabe. The entire Republican Party has relentlessly focused on punishing anyone involved in the Trump investigation, using both unofficial and official channels. When Trump promised “retribution” the other day at CPAC, this kind of relentless effort to criminalize any check on Trump’s behavior is what he was talking about.

That kind of background really helps to understand the WaPo story that described Washington Field Office FBI agents quaking at the prospect of searching Donald Trump’s beach resort.

[P]rosecutors learned FBI agents were still loath to conduct a surprise search. They also heard from top FBI officials that some agents were simply afraid: They worried taking aggressive steps investigating Trump could blemish or even end their careers, according to some people with knowledge of the discussions. One official dubbed it “the hangover of Crossfire Hurricane,” a reference to the FBI investigation of Russia’s interference in the 2016 presidential election and possible connections to the Trump campaign, the people said. As president, Trump repeatedly targeted some FBI officials involved in the Russia case.

[snip]

FBI agents on the case worried the prosecutors were being overly aggressive. They found it worrisome, too, that Bratt did not seem to think it mattered whether Trump was the official subject of the probe. They feared any of these features might not stand up to scrutiny if an inspector general or congressional committee chose to retrace the investigators’ steps, according to the people.

Since I wrote my piece wondering whether the FBI hesitation gave Trump the chance to steal 47 documents, Strzok himself, Joyce Vance, and Jennifer Rubin have weighed in.

Rubin, I think, adopts the position of someone who hasn’t followed the plight of all the people not named Strzok who were targeted for investigating Donald Trump. She attributes the reluctance to investigate Trump (and the intelligence failures leading up to January 6, which I’ll return to) to Wray.

After a debacle of this magnitude, that sort of passivity should alarm all Americans. Imagine if, after the terrorist attacks of Sept. 11, 2001, the national security community did not evaluate how it missed the telltale signs of an imminent attack. The failure of leadership in the Jan. 6 case is inexcusable. Yet Wray has never been held to account for this delinquency.

[snip]

[O]ne is left wondering why the FBI seems disinclined to stand up to right-wing authoritarian movements and figures. Whatever the reason, the pattern reveals an unmistakable lack of effective leadership. And that in turn raises the question: Why is Wray still there?

It is absolutely the case that Wray did far too little to protect FBI agents in the face of Trump’s attacks. Wray created the opportunity for pro-Trump FBI agents and Durham to criminalize investigating Trump. I think Wray attempted to avoid rocking the boat at all times, which led the FBI to fail in other areas (including the investigation of Brett Kavanaugh). Though I’m also cognizant that if Wray had been fired during the Trump administration, he might have been replaced by someone like Kash Patel, and having a Trump appointee in charge right now may provide cover for the ongoing investigations into Trump.

But you could fire Wray tomorrow and not eliminate the effects of this bureaucratic discipline, the five year process to teach everyone in the FBI that investigating Trump can only lead to career disaster, if not criminal charges.

Also under Wray, though, the Bureau had already increased its focus on domestic terrorism, with key successes both before and after January 6. Steven D’Antuono, the chief voice of reluctance to search Mar-a-Lago, presided over the really troubled but ultimately successful effort to prevent a kidnapping attempt targeting Gretchen Whitmer, a plot that arose out of anti-lockdown protests stoked by Trump (though unusually, D’Antuono let a subordinate take credit for the arrests).

Wray has not done enough in the aftermath to understand the FBI’s failures, though the FBI has also been overwhelmed with the case load created by the attack. But, as I hope to return to, I think the specific failures in advance of January 6 lie elsewhere.

Whatever the merit in blaming Wray for FBI’s failure to prepare for January 6, there’s a bigger problem with Rubin’s attempt to blame him for the MAL search. Strzok sketched out in great detail something I had seen, too. The dispute about searching Trump’s house wasn’t between the FBI and DOJ. It wasn’t just what Vance and Strzok both describe as a fairly normal dispute between the FBI and DOJ with the former pushing the latter to be more aggressive.

It was between the WFO on one side and DOJ and FBI HQ on the other.

[A] careful reading of the Post’s reporting (insofar as the reporting is complete) reveals this was not so much a conflict between DOJ and the FBI as much as a conflict between DOJ and FBI headquarters, on the one hand, and the management of the FBI’s Washington Field Office, on the other.

Indeed, a key part of the drama surrounding the pre-August search meeting described by the WaPo involved the conflict between FBI General Counsel Jason Jones — whom WaPo makes a point of IDing as a Wray confidant, thereby marking him as Wray’s surrogate in this fight — and WFO Assistant Director Steven D’Antuono.

Jason Jones, the FBI’s general counsel who is considered a confidant of FBI Director Christopher A. Wray, agreed the team had sufficient probable cause to justify a search warrant.

[snip]

Jones, the FBI’s general counsel, said he planned to recommend to Deputy FBI Director Paul Abbate that the FBI seek a warrant for the search, the people said. D’Antuono replied that he would recommend that they not.

This, then, was partly a fight within FBI, one in which Wray’s surrogate sided with prosecutors.

Strzok makes a compelling argument that this story may have come from pushback necessitated by people at WFO floating bullshit claims, not dissimilar from — Strzok doesn’t say this, but I will — the leak by right wing agents to Devlin Barrett about the Clinton Foundation investigation in advance of the 2016 election, which led Andrew McCabe to respond in a way that ultimately gave Trump the excuse he wanted to fire him.

Indeed, Strzok’s post includes a well-deserved dig on the WaPo’s claim about, “the fact that mistakes in prior probes of Hillary Clinton … had proved damaging to the FBI,” an unsubstantiated claim I also called out.

[E]ven journalists can be imprecise or inaccurate. The Post’s article isn’t, for example, the type of comprehensive accounting you’d get in a report produced by an Inspector General, who can compile the statements of everyone involved and review and compare those statements to the written record in all its various forms.

Strzok rightly suggests that DOJ IG’s Report disproved WaPo’s claim about the Hillary investigation, but he seems to have forgotten that the DOJ IG Report into McCabe’s response on the Clinton Foundation didn’t fully air the FBI spox’s exculpatory testimony.

All of which is to say that, in the same way that WFO agents have an understandable visceral concern about getting involved in an investigation targeting Trump, people at HQ might have an equally visceral concern about stories seeded to Devlin Barrett alleging internal conflict that might create some flimsy excuse for firing.

But there’s something still unexplained about the WaPo story. Vance notes, as I did, that D’Antuono may have given Trump the opportunity to steal 47 documents.

[T]he delay couldn’t be undone. We still don’t know whether that resulted in the permanent loss of classified material. It did result in a delay in the timeline for making prosecutive decisions, ultimately extending the investigation into the period where Trump announced his 2024 candidacy, leading to the appointment of a special counsel to continue the investigation and determine whether to prosecute.

But Vance still accepts WaPo’s specious claim about timing, the claim that the delay (from June to August) in searching Trump’s resort led the investigation to bump up against a Trump campaign announcement that would surely have happened earlier had Trump not gotten an injunction. There’s nothing to support that temporal argument, and the public record on the injunction (which, again, lasted until almost a month after Jack Smith’s appointment) disproves it.

The timing issue is one of many reasons why I keep thinking about this earlier Devlin Barrett story, one that did bump up against the appointment of a Special Counsel. On November 14, the day before Trump formalized his 2024 run and so four days before the appointment of Jack Smith, Barrett and WaPo’s Mar-a-Lago Trump whisperer, Josh Dawsey, published a story suggesting that maybe Trump shouldn’t be charged because he just stole a bunch of highly classified documents to keep as trophies.

Federal agents and prosecutors have come to believe former president Donald Trump’s motive for allegedly taking and keeping classified documents was largely his ego and a desire to hold on to the materials as trophies or mementos, according to people familiar with the matter.

As part of the investigation, federal authorities reviewed the classified documents that were recovered from Trump’s Mar-a-Lago home and private club, looking to see if the types of information contained in them pointed to any kind of pattern or similarities, according to these people, who spoke on the condition of anonymity to discuss an ongoing investigation.

That review has not found any apparent business advantage to the types of classified information in Trump’s possession, these people said. FBI interviews with witnesses so far, they said, also do not point to any nefarious effort by Trump to leverage, sell or use the government secrets. Instead, the former president seemed motivated by a more basic desire not to give up what he believed was his property, these people said.

[snip]

The analysis of Trump’s likely motive in allegedly keeping the documents is not, strictly speaking, an element of determining whether he or anyone around him committed a crime or should be charged with one. Justice Department policy dictates that prosecutors file criminal charges in cases in which they believe a crime was committed and the evidence is strong enough to lead to a conviction that will hold up on appeal. But as a practical matter, motive is an important part of how prosecutors assess cases and decide whether to file criminal charges.

As I showed, that story, like this one, simply ignored stuff in the public record, including:

  • Trump’s efforts, orchestrated in part by investigation witness Kash Patel, to release documents about the Russian investigation specifically to serve a political objective
  • The report, from multiple outlets, that Jay Bratt told Trump’s lawyers that DOJ believes Trump still has classified documents
  • Details about classified documents interspersed with a Roger Stone grant of clemency and messages — dated after Trump left the White House — from a pollster, a book author, and a religious leader; both sets of interspersed classified documents were found in Trump’s office
  • The way Trump’s legal exposure would expand if people like Boris Epshteyn conspired to help him hoard the documents or others like Molly Michael accessed the classified records

Since then, other details have become clear. Not only was that story written after DOJ told Trump they believed he still had some classified documents, but it was written in the period between the time Trump considered letting the FBI do a consensual search and the time he hired people to do the search for him, a debate inside the Trump camp that parallels the earlier investigative fight between WFO and DOJ. Indeed, when DOJ alerted Trump’s lawyers in October that they believed Trump still had classified documents, that may have reflected WFO winning the debate they had lost before the August search: to let Trump voluntarily comply.

That’s important background to where we are now. Trump’s team has misrepresented to the press how cooperative they have been since. First, Trump’s people misleadingly claimed that Beryl Howell had decided not to hold Trump in contempt (rather than just deferred the decision) and Trump lied to the press for several months, hiding the box with documents marked classified and the additional empty classified folder. Those public lies should only make investigators wonder what Trump continues to hide.

We know Trump blew off the subpoena that WFO agents were sure would work in June, and there’s good reason to believe DOJ finds Trump’s more recent claims of cooperation to be suspect as well.

So let’s go back to that earlier Devlin story. As I noted at the time, I don’t dispute that the most classified documents have the appearance of trophies, but that’s because of the Time Magazine covers they were stored with, not because of any halfway serious scrutiny of Trump’s potential financial goals. Particularly given the presence of 43 empty classified folders in the leatherbound box along with the most sensitive documents, no thorough investigator could rule out Trump already monetizing certain documents, particularly given Trump and Jared Kushner’s financial windfalls from the Saudi government, particularly given the way that Trump’s Bedminster departure coincided with Evan Corcoran’s turnover of classified documents, particularly given that the woman who carted a box including some marked classified around various offices had been in Bedminster with Trump during the summer. I don’t dispute that’s still a likely explanation for some — but in no way all — of the documents, but no competent investigator could have made that conclusion by November 14, when Devlin published the story.

Unless Devlin’s sources — perhaps the same or similar to the sources who know that WFO agents were cowed by the treatment of Crossfire Hurricane agents — were working hard to avoid investigating those potential financial ties.

Unless the timing of the story reflected an attempt to win that dispute, only to be preempted by the appointment of Jack Smith. The earlier dispute could not have been impacted by the appointment of Jack Smith. If there was a later dispute about how to make sure Trump wasn’t still hoarding classified documents, though, it almost certainly was.

Someone decided to leak a story to Devlin Barrett suggesting that investigators had already reached a conclusion about Trump’s motive, even though, as the story acknowledged, “even the nonclassified documents” — better described as documents without classification marks that hadn’t been reviewed yet and which could have included unmarked classified information — “taken in the search may include relevant evidence.” (Note, these are the same unclassified documents that the recent story describes D’Antuono, insanely from an investigative standpoint, scoffing at collecting because, “We are not the presidential records police.”) Devlin’s sources decided to leak that story at a time when DOJ was trying to figure out how to get the remaining documents from Trump, and yet his sources presented a working conclusion that it didn’t matter if DOJ got the remaining documents: it had already been decided, Devlin’s sources told him, that Trump was just a narcissist fighting to keep his trophies from time as President and probably that shouldn’t be prosecuted anyway.

The story of the earlier dispute is alarming because it confirms that WFO agents remain cowed in the face of the prospect of investigating Trump, as some did even six years ago. The later story, though, is alarming because leaks to Devlin have a habit of creating political firestorms that are convenient for Trump. But it is also alarming because it suggests even after the August search proved the WFO agents’ efforts to draw premature conclusions wrong, someone still decided to make — and force, by leaking to Devlin Barrett — some premature conclusions in November, an effort that genuinely was thwarted by the appointment of Jack Smith.

Douglass Mackey Allegedly Aimed to Depress Black Turnout in Pennsylvania

The government and the defense team for Douglass Mackey, the Twitter troll accused of conspiring to convince Hillary Clinton voters to throw away their vote in 2016, are fighting over what evidence will come in at trial, which is currently scheduled to start on March 16.

As I have laid out, campaigns like the one Mackey is alleged to have conducted with people including Anthime “Baked Alaska” Gionet, are the reason why the FBI sends Twitter lists of accounts lying about the place or means of voting: The FBI is trying to stop systematic attempts to dupe people out of exercising their right to vote.

Indeed, several times in 2016, Twitter suspended Mackey for lying about the election. “[I]t was because I posted a meme that told Hillary supporters they could text to vote. Lol,” he said in one of the messages the government is seeking to introduce.

In his own filing, Mackey cited the Twitter Files claiming it proves Twitter sometimes gets it wrong when suspending people.

The Mackey case presents some challenging legal questions, and if he is convicted, he’ll presumably appeal on First Amendment grounds.

At issue in the evidentiary dispute are comments Mackey or his alleged co-conspirators made in 2015 and 2016 about how he understood his trolling.

Even in 2015, Mackey understood the power he wielded with his trolling, because of the loyalty of his troll army.

“I have the personality and the ability to convince people now” (DM, Nov. 23, 2015)

“This identity is very powerful. I have something great going on.” (DM, Jan 7, 2016)

“I am going to start preparing myself mentally, spiritually, and physically, to be a leader. . . . I never asked or wanted to be a leader, but so many people are asking it of me, so I feel a responsibility” (DM Jan 11, 2016)

“I have like the most loyal army on twitter. I can get anything I want photoshopped in one hour. I have people offering to do web design for me. My Twitter account is just exploding” (DM Jan 28, 2016)

“It’s like at any one time there is an army of 100 of my followers ready to swarm.” (DM, Aug. 1, 2016)

The government also wants to introduce descriptions of how to deploy that troll army: repetition is key. (Note, it’s not clear whether all of these are Mackey, or whether they come from his alleged co-conspirators, not all of whom have been identified.)

“We can hijack hashtags with memes” (DM, Jan 26, 2016)

“It should be done as a coordinated effort. With the goal of trending.” (DM, May 9, 2016)

“Please help me trend #InTrumpsAmerica. New hashtag starting now” (DM, May 12, 2016)

“Repetition is key…. Repeat it again and again. I just tweeted it. Memes would also be good.” (DM, June 22, 2016)

“Please contribute a tweet to #KaineAndUnable2016, maybe we can trend it.” (DM, July 23, 2016)

“I would say use fewer hashtags, maybe only use one hashtag, and a simple, short message. Other than that, you’re doing everything right. I will keep retweeting you.” (DM, Oct 5, 2016)

“We’re going to need serious memetics to derail the coming mainstream narrative…get on it, folks” (Tweet, June 6, 2016)

“I am looking for roughly half a dozen photoshop experts who wish to join a team, please respond to this tweet with why you are qualified.” (Tweet, July 1, 2016)

The most interesting detail — particularly given Mackey’s ties to people like Jack Posobiec and, through him, to people like Roger Stone — is how closely Mackey’s understanding of the 2016 presidential race matched the Trump campaign’s.

“Hillary’s team is in a panic because black voter turnout in Ohio and Florida primaries was down 40 percent.” (Tweet, Mar 19, 2016)

“All of these polls assume the electorate will be 52 or 53 percent female, while all data indicates female turnout will be lackluster.” (Tweet, July 25, 2016)

“One way to depress turnout is to use meme magic to make not voting for Hillary a cool way for young POCs and progressives to ‘protest.’” (Tweet, July 29, 2016)

“A 25 year old latino progressive will probably never vote for Trump, but we can depress her enough to stay home, or vote for Jill or Gary.” (Tweet, July 29, 2016)

“Very few persuadable voters remain. A lot of what we are doing is just keeping our own team fired up, and trying to demoralize other team.” (Tweet, July 31, 2016)

“Obviously, we can win Pennsylvania. The key is to drive up turnout with non-college whites, and limit black turnout.” (Tweet, Nov 2, 2016)

To be clear: Mackey wouldn’t have needed inside information to understand that one way to suppress turnout for Hillary would be to get them to vote for Jill Stein instead of Hillary. That was all openly discussed. Even the claim that “obviously we can win Pennsylvania,” while not the consensus before the election, was embraced by MAGA trolls in advance of the election.

But in August, the prospect of winning Pennsylvania was, according to Rick Gates, “fools gold” because “Trump was unlikely to win there.” And Mackey was part of a network that could have learned of the campaign’s decision to go for fools gold.

Even as self-described reverse Russian chauvinist Matt Taibbi continues to aggressively disinform people about the point of FBI’s interest in combatting election disinformation, the Mackey trial may make clear how easy it was to match such disinformation efforts to the strategy of the campaign.

Sure, it was just trolling, albeit fairly sophisticated trolling. But its means and manner were perfectly tailored to enhance Trump’s campaign strategy.

The Biden Administration Staved Off Russia’s First Round of InfoWar on Ukraine, But How about the Second?

As I’ve noted (most recently in my series on Jeff Gerth’s error-ridden screed about “Russiagate” [sic]), Russian denialists cling to the John Solomon report, from the period when he and Rudy Giuliani were chumming up people like Dmitry Firtash, that Konstantin Kilimnik was really a State Department source, which — they fancy — proves he was not a Russian spy.

The actual communications between Kilimnik and people at State show him attempting to stovepipe shoddy propaganda to his State contacts, not offering useful information.

But a potentially more telling example of Kilimnik’s contacts with State is his description, after going out to drinks with John Kerry’s then-Chief of Staff, Jonathan Finer, just before Kilimnik traveled to New York to meet with Paul Manafort about the election, that “Finer or whatever the fuck is his name,” was, “In total space.”

On the evening of May 6, 2016, Kilimnik’s communications suggest he met for “off the record” drinks with Department of State employees.368 Kilimnik was frustrated by this meeting, stating that he met “Finer or whatever the fuck is his name. In total space.”369

Patten said he understood “[i]n total space” to mean “in outer space” and therefore not well informed on issues involving Ukraine. Patten Tr., p. 79; FBI, FD-302, Patten 5/22/2018.

In 2016, Paul Manafort’s handler was pissed that Finer wasn’t buying his bullshit about Ukraine.

Which is why I find these passages, from Politico’s oral history of the events leading up to Russia’s expanded invasion of Ukraine, a good place to start reading it. Finer — now Biden’s Deputy National Security Adviser — described bringing allies around to preparing for Russia’s attack by “bombarding them” with so much information they could no longer ignore evidence of Russia’s likely attack.

AMANDA SLOAT: It got to the point where we had to say to the Europeans, “Fine, we can agree to disagree analytically, but let’s start planning as if we are right. If we are right, then we’re in a good place because we’ve got all our planning. If you’re right, that’s the best possible outcome because then there’s not going to be an invasion — at best, this will have just been a waste of time.”

JON FINER: We eventually brought people around by bombarding them with information that you could not ignore.

More importantly, Finer — the guy who, Kilimnik scoffed, was “in total space” about Ukraine — described how Biden’s team preempted Russia’s efforts to use disinformation to justify their attack.

JON FINER: There was a very high likelihood that Russia would use disinformation — which is a fancy word for lies — to create some pretext for invading. By putting out information well in advance of their inevitable attempts to create this justification, we thought that we would be able to discredit any attempt by Russia to portray this as a just war.

If you haven’t already, I highly recommend you set some time aside to read the whole thing. It’s a remarkable account of American efforts to do what’s right.

It’s also an expression of the auspicious collection of people in place for the fight against Ukraine. At various times, I’ve thought about how lucky the US was to have lifelong diplomat Bill Burns at CIA, to have no-drama Avril Haines at DNI, to have an expert like Tony Blinken at State. This piece provides a glimpse of how well they all worked together, a little over a year after taking over from the shambolic Trump Administration.

As Burns — who spent over thirty years at State — described, this is the way government is supposed to work.

BILL BURNS: It’s the way government should work, in my opinion. The president set a very clear sense of direction. There was a shared understanding of the problem and coordination amongst the principals. Broadly speaking, the U.S. government performed the way it should perform in a situation like that.

There are specific details I’ll likely return to: comments suggesting the US withdrawal from Afghanistan was a necessary step before Putin would launch the invasion, descriptions from deputy NSA for international economics Daleep Singh and Deputy Attorney General Lisa Monaco about how they’re targeting corrupt oligarchs.

But the most salient comments are about something that has already gotten a lot of coverage: the decision to declassify a great deal of information to undercut Russia’s information advantage.

EMILY HORNE: Many of the senior policymakers who were in and still are in the administration remember vividly seeing these intel streams in 2014 and then seeing what had been predicted come to life. There was this feeling of: “We knew this was coming, but we couldn’t say so because it was classified.” People remember that frustration and felt that we couldn’t let that happen a second time. All the conditions were there for us to try something new and bold, but risky. It was a gamble that this would work.

JAKE SULLIVAN: We convened a meeting of our team to talk through a strategy of downgrade [declassification], and then I engaged directly with the senior most people in the intelligence community about how we could do this.

BILL BURNS: The president made the decision to declassify some of our intelligence relatively early on, which is always a complicated choice to make. Along with my colleagues in the intelligence community, the DNI and others, I believe strongly that it was the right choice. I had seen too many instances where Putin had created false narratives that we never caught up to.

AVRIL HAINES: I remember quite clearly when [the president] directed me to do this. I have this sense of “OK, we’ve got to figure out how to do this in a way that protects sources and methods and understand what it is that we’re trying to achieve here.” It became a real team sport. How do we do this in a way that allows us to protect what we hold dearest?

JAKE SULLIVAN: What we would do is send to [the intelligence community] in classified form the things that we wanted to be able to say, they would tell us what could be declassified, and what couldn’t. We would take what they declassified and put it out. That began in early December and became a central feature of our approach through the beginning of the invasion — and since.

[snip]

GEN. PAUL NAKASONE: People are always asking, “Hey, did you ever think you’d be releasing your most sensitive intelligence to the American public?” I thought to myself, “Little bit of change.” But what I really think: “This is the nation’s intelligence. This isn’t an agency or the intelligence community’s or anyone else’s intelligence. When it benefits our national security, why do we not do that?”

JOHN KIRBY: I think this is one of the most valuable lessons that we have learned from a communications perspective — the real benefit to downgrading intelligence and making it public. You can really affect the decision-making process of a potential adversary. We were beating Putin’s lie to the punch, and we know that by doing so we got inside his decision-making loop.

Between this and extensive efforts to avoid the invasion, which have gotten less focus, this represented several departures from the poisonous secrecy of “the Deep State” in the decades leading up to it. Those complaining about “the Deep State” likely won’t notice, though, since they’re re-reading a debunked Sy Hersh story for the fourth time.

The oral history doesn’t address several questions I have about US efforts to anticipate and undercut Russia’s information war.

While the piece talks a lot about increased intelligence sharing, it doesn’t discuss the extent to which increased information sharing is a factor in the large number of spy networks — in Europe — that have been rolled up in recent years, starting before the invasion but accelerating since, as WaPo recently laid out.

Over the past year, as Western governments have ramped up weapons deliveries to Ukraine and economic sanctions against Moscow, U.S. and European security services have been waging a parallel if less visible campaign to cripple Russian spy networks. The German case, which also involved the arrest of a senior official in the BND, Germany’s foreign intelligence service, followed roll-ups of suspected Russian operatives in the Netherlands, Norway, Sweden, Austria, Poland and Slovenia.

The moves amount to precision strikes against Russian agents still in Europe after the mass expulsion of more than 400 suspected Russian intelligence officers from Moscow’s embassies across the continent last year.

U.S. and European security officials caution that Russia retains significant capabilities but said that its spy agencies have sustained greater damage over the past year than at any time since the end of the Cold War.

Russia laid the groundwork for this invasion for years, and it seems Europe is only now reversing some of Russia’s efforts behind it.

But what hasn’t been rolled back — and where this oral history seems overly optimistic — is a Russian backed network of propagandists who have gotten louder with the anniversary of the war.

No one has gotten louder than Tucker Carlson, who seems to be making support for Russia a litmus test in his support for 2024. In his anniversary special, he made the following baseless claims:

  • There was no proof that Russia hacked the DNC (Tucker alters the timeline by a month to sustain this claim); the Democrats weren’t even hacked.
  • The investigation into Trump was all a hoax.
  • If the Ukraine war continues, the US will lose.
  • Biden never mentioned the costs on the support for Ukraine.
  • Biden is censoring information about the war.
  • Zelenskyy is a destroyer who wants US troops to fight.
  • Ukraine is “the least free place in all of Europe, which is why it’s Joe Biden’s favorite place.”
  • Biden was elected in a sketchy election and has never had a majority of support in this country, so he has no legitimacy (Tucker made no mention of Trump’s failure to ever get majority support).
  • Extremism (he doesn’t say terrorism) will have been caused by neglect.
  • Bolsonaro and Trump are moderates.
  • The Biden Administration blew up the Nord Stream pipeline.

This is Tucker doing what he balked at doing during the transition, until he grew desperate to stave off the “demonic force” that is Trump: undermining the legitimate President of the US. This is Tucker simply making stuff up about Russia’s attack on the US in 2016, taking the already baseless claims of denialists and pushing them five steps further.

He’s doing it, of course, while mining exclusive access to footage of the most sensitive spaces in the Capitol.

I think Tucker is right about one thing: Biden sounds overly optimistic. Because the Republican Party — and a large number of horseshoe leftists — would rather Russia win this war than let him succeed. And that’s a harder information battle to win.

“Wink:” Where Jeff Gerth’s “No There, There” in the Russian Investigation Went

On July 28, 2017, Robert Mueller’s investigators served two warrants on the company (probably Rackspace) that hosted Paul Manafort’s DMP emails to obtain Manafort, Rick Gates, and Konstantin Kilimnik’s company emails.

Mueller obtained several things with that warrant that remain unresolved. Those are just some of the many things about the Russian investigation — the one Jeff Gerth claims had no there, there — that remain unanswered, four years after Mueller closed up shop.

Manafort’s lies about the plan to carve up Ukraine

One thing Mueller obtained with that warrant would have been an email Manafort sent Konstantin Kilimnik on April 11, 2016. “How do we get whole” with Oleg Deripaska, Manafort asked. The email showed that Manafort was using his position as the “free” campaign manager for Donald Trump to fix his legal and financial woes.

Another was an email Kilimnik wrote, but did not send, on December 8, 2016, but which Manafort knew to and did read, a “foldering” technique to prevent interception also used by terrorists. The email referenced a plan to carve up Ukraine that Kilimnik had first pitched to Manafort on August 2, 2016.

Russians at the very top level are in principle not against this plan and will work with the BG to start the process of uniting DNR and LNR into one entity, with security issues resolved (i.e. Russian troops withdrawn, radical criminal elements eliminated). The rest will be done by the BG and his people.

[snip]

All that is required to start the process is a very minor ‘wink’ (or slight push) from DT saying ‘he wants peace in Ukraine and Donbass [sic] back in Ukraine’ and a decision to be a ‘special representative’ and manage this process.

The email — and a text Kilimnik sent around the same time — talked about “recreating old friendship” with Deripaska at an in-person meeting. Less than a month later, Manafort flew to Madrid and met with a different Deripaska associate.

Six years later, we don’t know the fate of Manafort’s efforts to “get whole” with Deripaska, to recreate that old friendship.

It’s something that Manafort promised to tell Mueller’s prosecutors on September 13, 2018, when he entered into a plea agreement that averted a damaging trial during the election season. But it’s something that, Judge Amy Berman Jackson found, Manafort lied to hide from prosecutors in the ensuing weeks. We know that the last thing on Manafort’s schedule before he met with Kilimnik on August 2, 2016 was a meeting with Trump and Rudy Giuliani. We know that during the period when Manafort was lying to hide what happened with this plan to carve up Ukraine, his lawyer was speaking regularly with Trump’s lawyer, Rudy Giuliani. We know that during the period when Rudy Giuliani was seeking campaign assistance from Ukraine, he was consulting with Manafort. We know that Trump tried to coerce Volodymyr Zelenskyy to enter into a quid pro quo on July 25, 2019, but was caught by a whistleblower. We know that Bill Barr went to extraordinary lengths to protect Rudy Giuliani from any consequences for his dalliance with Russian agents in Ukraine.

We know that on December 24, 2020, Donald Trump pardoned Manafort, rewarding him for his lies. Yesterday, a judge in Florida approved a $3 million fine to settle Manafort’s failure to reveal the money he earned from working in Ukraine, money Manafort got to keep as a result of Trump’s pardon.

SDNY alleges that even as Manafort was lying about his plans with Kilimnik in September 2018, a different Deripaska associate was cultivating recently retired FBI Special Agent in Charge Charles McGonigal, someone who could tell him about what DOJ was learning (or not learning) from Manafort. We know that Seth DuCharme, who played a key role in Barr’s efforts to protect Rudy, now represents McGonigal.

We know that after Trump’s efforts to exploit dirt from Ukraine failed and Joe Biden became President, Russia expanded its invasion of Ukraine, trying to achieve by force what it attempted to achieve by coercing Trump’s “free” campaign manager and his personal attorney.

When I wrote the last installment of my series demonstrating the false claims about “Russiagate” made by Jeff Gerth, I wrote a long passage (included below) that showed what Mueller was discovering in August 2017, a period when Gerth falsely claimed prosecutors had determined there was “no there, there” to Trump’s ties to Russia.

There was not only a lot there, where Gerth never bothered to look. In fact, the “there, there” remains unresolved and raw, six years later.

The investment in Michael Cohen

Take the investigation into Michael Cohen. One thing Mueller would discover in August 2017 is that Trump Organization was not fully complying with subpoenas, at least not subpoenas from Congress. As I noted in my piece, Mueller almost certainly obtained an email with an August 1, 2017 warrant that showed Michael Cohen had direct contact with the Kremlin during the campaign. The email also showed, Mueller would learn once Felix Sater and Cohen began to explain this to investigators, that Cohen and Trump were willing to do business with a former GRU officer and sanctioned banks in pursuit of an impossibly lucrative real estate deal in Moscow. The email obtained in August 2017 was proof that Trump was publicly lying about his ongoing pursuit of business in Russia. And for two more years, Trump kept that secret from the American public. That entire time, Russia knew he was lying to the American people. Russia knew, the American public did not.

Mueller got that email by asking Microsoft, not Trump Organization, for the email. But shortly after Mueller did so, Microsoft made it far harder to obtain enterprise emails without notifying Microsoft’s client. There are other questions about missing records — such as a letter Trump sent to then Deputy Prime Minister Sergei Prikhodko — that might have been answered with more records from Trump Organization.

There’s also the matter of the big infusion of money — more than $400,000 over the course of a few months — that Cohen got from Columbus Nova, an investment fund controlled by Russian oligarch Viktor Vekselberg. Mueller investigated whether the money had some tie to the different Ukrainian peace deal that Felix Sater got Cohen to bring to the White House.

It didn’t. As Cohen explained to Mueller in 2018, he got the money to explain how Trump worked to Andrew Intrater, who claimed to be looking to spend money on an infrastructure project in the US.

The pitch was to assist in Columbus Nova’s infrastructure fund. [redacted] invests in several different areas. At the time, there were discussions of significant foreign investment interest dedicated to U.S. infrastructure.

[snip]

In Cohen’s discussions with [Intrater] Cohen did not provide any non-public information. Cohen was not selling non-public information. Cohen could assist [Intrater] because Cohen understood Trump and what Trump was looking for.

But the payment, while legal, remains dodgy as hell.

Republicans, certainly, don’t want to talk about it. When Mark Meadows accused Cohen of omitting his contracts with foreign companies at his 2019 testimony before the Oversight Committee, Trump’s future Chief of Staff made no mention of Columbus Nova.

Mr. MEADOWS. Mr. Cohen, I’m going to come back to the question I asked before, with regards to your false statement that you submitted to Congress. On here, it was very clear, that it asked for contracts with foreign entities over the last two years. Have you had any foreign contract with foreign entities, whether it’s Novartis or the Korean airline or Kazakhstan BTA Bank? Your testimony earlier said that you had contracts with them. In fact, you went into detail——

Mr. COHEN. I believe it talks about lobbying. I did no lobbying. On top of that they are not government——

Mr. MEADOWS. In your testimony — I’m not asking about lobbying, Mr. Cohen.

Mr. COHEN. They are not government agencies. They are privately and——

Mr. MEADOWS. Do you have—do you have foreign contracts——

Mr. COHEN [continuing]. publicly traded companies.

Nor did Republicans include Nova in the FARA referral they sent to DOJ.

But Viktor Vekselberg was among the oligarchs Treasury would sanction in 2018, along with Deripaska and Alexandr Torshin, and he was among the first people hit with expanded sanctions last year, after the invasion.

A December 2018 article about those payments to Cohen and the sanctions against Vekselberg was likely the article that Vekselberg associate Vladimir Voronchenko was sharing in 2018, which was cited as proof he knew of the sanctions, in his indictment for maintaining Vekselberg’s US properties in his own name after Vekselberg was sanctioned. Today, the government started the process of seizing Vekselberg’s US properties.

And questions about whether Vekselberg is influencing politics through his cousin, Intrater, have been renewed amid disclosures about Intrater’s big funding for the imposter Congressman George Santos.

“Sort of a spy deal going on”

Then there’s the matter of Julian Assange, whose extradition remains hung up at the final approval stage.

When Candace Owens confronted Trump about why he didn’t pardon Assange last year, he got really defensive, folding his arms. He explained, seemingly referring to Assange and probably referencing the Vault 7 and Vault 8 releases of stolen CIA hacking tools, “in one case, you have sort of a spy deal going on … there were some spying things, and there were some bad things released that really set us back and really hurt us with what they did.”

But Twitter DMs Mueller obtained with the first August 2017 warrant targeting Roger Stone showed that, in the wake of Mike Pompeo’s designation of WikiLeaks as a non-state intelligence service in the wake of that release, Stone and Assange discussed a pardon. On June 4, 2017, Stone said, “I don’t know of any crime you need to be pardoned for.” On June 10, Stone told Assange, “I am doing everything possible to address the issues at the highest level of government.”

Nine days later, on June 19, 2017, Trump ordered Corey Lewandowski to order Jeff Sessions to limit the investigation to prospective meddling from Russia, an order that — had Lewandowski obeyed — would have had the effect of shutting down the entire investigation, including that into Assange’s role in the hack-and-leak.

Texts obtained from Stone much later would show that he and Randy Credico discussed asylum for Assange on October 3, 2016 — before WikiLeaks started releasing the John Podesta emails.

And Credico had set Stone up to discuss the pardon with Margaret Kunstler by November 15, 2016.

Stone claimed to be pursuing a pardon for Assange at least through early 2018. It was only after Mueller asked Trump about such pardon discussions in September 2018 that Don Jr’s close friend Arthur Schwartz told Cassandra Fairbanks the pardon wouldn’t happen.

Those pardon discussions are just one of the things that Stone held over Trump’s head to ensure he’d never do prison time.

Stone kept a notebook of all the conversations he had with Trump during the 2016 election. He may have brought it with him to a meeting he had with Trump in December 2016.

After the win, STONE tried a full court press in order to get a meeting with TRUMP. [redacted] eventually set up a meeting with TRUMP and STONE in early December 2016 on the 26th floor of Trump Tower. TRUMP didn’t want to take the meeting with STONE. TRUMP told BANNON to be in the meeting and that after 5 minutes, if the meeting hadn’t concluded, to throw STONE out. STONE came in with a book he wrote and possibly had a folder and notes. [full sentence redacted] TRUMP didn’t say much to STONE beyond “Thanks, thanks a lot.”. To BANNON, this reinforced STONE [redacted] After five to six minutes, the meeting was over and STONE was out. STONE was [redacted] due to the fact that during the meeting TRUMP just stared.

After Stone was convicted of lying to cover up the real nature of his contacts with Russia during the election, he lobbied for a pardon by claiming, repeatedly and publicly, that prosecutors offered him a deal if he would reveal the content of the phone conversations he had with Trump during the election.

On December 23, 2020, Stone got that pardon. Four days later, Stone and Trump spoke about January 6 at Mar-a-Lago. That same day, also at Mar-a-Lago, Kimberly Guilfoyle started the planning for Trump to speak (at that point, the plan included a march to the Capitol).

Earlier this month, DOJ included Stone’s contacts with Proud Boy Dan Scott at a January 3 Florida rally in Scott’s statement of offense for attempting to obstruct the January 6 vote certification. It included Stone’s ties to various Oath Keepers as part of the proof DOJ used to prosecute Stewart Rhodes for sedition.

“The boss is aware”

It took an extra week for prosecutors in the Mike Flynn case to get approval for his sentencing memo in early 2020. So senior officials at DOJ had to have approved of the explanation of why Flynn’s lies about calling the Russian Ambassador to undermine Obama’s sanctions on Russia were serious. “Any effort to undermine the recently imposed sanctions, which were enacted to punish the Russian government for interfering in the 2016 election,” the memo explained, “could have been evidence of links or coordination between the Trump Campaign and Russia.”

From the time that Mueller’s team obtained KT McFarland’s transition device and email on August 25, 2017, they had reason to believe Flynn’s calls with the Russian Ambassador were a group affair, not (as Trump had claimed) simply Flynn’s doing. McFarland’s emails showed that before Flynn called Kislyak, he had received an email from Tom Bossert reporting on what Lisa Monaco told him about Russia’s response to the sanctions, immediately after which he spoke to McFarland from his hotel phone for 11 minutes.

Mueller came pretty close to concluding that was why Flynn intervened with the Russian Ambassador, too. “Some evidence suggests that the President knew about the existence and content of Flynn’s calls when they occurred,” the Mueller Report explained in laying out reasons why Trump might have wanted to fire Jim Comey. “[B]ut the evidence is inconclusive and could not be relied upon to establish the President’s knowledge.” That’s because, after first denying that such calls happened at all, KT McFarland ultimately claimed not to remember telling Trump about the calls and Steve Bannon claimed not to remember discussing it with Flynn.

That was the conclusion Mueller reached in early 2019, a conclusion that already didn’t account for the fact that Flynn called the Russian Ambassador from a hotel phone, not his cell, or that he admitted that he and McFarland had deliberately written a text to cover up the contact. But the following year, in his effort to protect Trump, Bill Barr and other Republicans made available multiple pieces of evidence that make Trump’s knowledge of Flynn’s contacts more clear.

For example, after the House Intelligence Committee transcripts came out in 2020, it became clear that the White House had used Steve Bannon’s two appearances, with the assistance of Devin Nunes, to script certain answers. One of those answers denied continuing to discuss how to end sanctions against Russia after the inauguration. That scripting process happened between the time Flynn pled guilty and the time Bannon first denied remembering knowing of the sanctions discussion. Effectively, the White House scripted Bannon to deny knowledge of those sanction discussions in December 2016.

Then, in September 2020, as part of his efforts to justify overturning the prosecution of Flynn, Barr released the interview report from FBI agent Bill Barnett, who reportedly sent pro-Trump texts on his FBI-issued phone. It described how, after refusing to take part in that part of the Flynn investigation four different times, he nevertheless “decided to work at the SCO hoping his perspective would keep them from ‘group think.’” He described being told that he “was the only person who believed MCFARLAND was not holding back the information about TRUMP’s knowledge of [the sanction discussions].” He then asked a series of questions that would provide space for a denial: “BARNETT asked questions such as ‘Do you know that as a fact or are you speculating?’ and ‘Did you pass information from TRUMP to FLYNN?’”

Importantly, Barnett claimed it was “astro projection” that Trump directed Flynn’s contacts with the Ambassador.

He said that even after John Ratcliffe declassified the evidence that Mueller could never have used in the investigation, but which proved it wasn’t projection at all: the transcripts of Flynn’s calls with then-Ambassador Kislyak. They reveal that in the call on December 31, 2016, which Kislyak made to tell Flynn that “our conversation was also taken into account in Moscow” when Putin decided not to retaliate against the US for its sanctions, Flynn told Kislyak that “the boss is aware” of a plan to speak the day after Trump would be inaugurated. That would only be possible had Flynn either told Trump directly or had McFarland passed it along.

Once Barr came in, Flynn attempted to unwind all the things he had said to Mueller, directly contradicting multiple sworn statements. Just weeks after DOJ noted the centrality of Flynn’s lies to the question of whether Trump attempted to reverse sanctions just after Russia helped get him elected, Barr, too, joined the process of attempting to reverse the impact of the things Flynn had admitted to under oath. That effort extended to introducing notes with added, incorrect dates that Trump used in an effort to blame Biden for the investigation into Flynn. “We caught you,” Trump claimed to Biden in a prepared debate attack about the investigation that showed how his team first contacted Obama’s team to learn what they knew of the Russian response to sanctions, minutes before they called Russia to undermine those sanctions.

On November 25, Trump pardoned Flynn not just for his lies about the calls to the Russian Ambassador and working for Türkiye, but for any lies he told during the period he was reneging on his plea agreement. That same week, Flynn and Sidney Powell were in South Carolina together plotting ways to undermine Joe Biden’s election. Three weeks later, they would pitch Trump on a plan to seize the voting machines so he could stay in office.

When Bill Barr wrote his corrupt memo claiming there was no evidence that Trump obstructed the Mueller investigation, he was silent about the topic he had admitted, three times, would amount to obstruction: those pardon dangles. Those pardons aren’t just proof that Trump obstructed the investigation, stripping prosecutors of the leverage they might use to get Paul Manafort, Roger Stone, and Mike Flynn to tell the truth. They’re also some of the most compelling proof that the secrets Stone and Manafort kept would have confirmed the suspicions that Trump coordinated with Russia in an attack on US democracy.

Update, 3/14: Corrected that Mueller closed up shop four years ago, not three. Time flies!

Links

CJR’s Error at Word 18

The Blind Spots of CJR’s “Russiagate” [sic] Narrative

Jeff Gerth’s Undisclosed Dissemination of Russian Intelligence Product

Jeff Gerth Declares No There, Where He Never Checked

“Wink:” Where Jeff Gerth’s “No There, There” in the Russian Investigation Went

My own disclosure statement

An attempted reconstruction of the articles Gerth includes in his inquiry

A list of the questions I sent to CJR


Just days earlier, on July 28, 2017, DOJ had already established probable cause to arrest George Papadopoulos for false statements and obstructing the investigation. His FBI interviews in the days after August 2 would go to the core questions of the campaign’s knowledge and encouragement of Russia’s interference. On August 11, Papadopoulos described, but then backed off certainty about, a memory of Sam Clovis getting upset when Papadopoulos told Clovis “they,” the Russians, have Hillary’s emails. On August 19, Papadopoulos professed to be unable to explain what his own notes planning a September 2016 meeting in London with the “Office of Putin” meant.

The investigation into Paul Manafort, too, was only beginning to take steps that would reveal suspect ties to Russia. Also on July 28, for example, DOJ obtained the first known warrant including conspiracy among the charges under investigation, and the first known warrant listing the June 9 meeting within the scope of the investigation. On August 17, DOJ would show probable cause to obtain emails from Manafort’s business involving Manafort, Gates, and Konstantin Kilimnik that would (among other things) show damning messages sent between Manafort and Kilimnik using the foldering technique, likely including Manafort’s sustained involvement in a plan to carve up Ukraine that started on August 2, 2016 (which Gerth omits from his description of that meeting).

Similarly, Mueller was still collecting evidence explaining why Flynn might have lied about his calls with Sergey Kislyak. On August 25, Mueller obtained a probable cause warrant to access devices owned by the GSA showing that Flynn had coordinated his calls with other transition officials, including those with Trump at Mar-a-Lago, when he called Kislyak to undermine Obama’s sanctions against Russia.

Plus, Mueller was just beginning to investigate at least two Trump associates that Rosenstein would include in an expanded scope in October 2017. On July 18, Mueller would obtain a probable cause warrant that built off Suspicious Activity Reports submitted to Treasury. That first known warrant targeting Michael Cohen never mentioned the long-debunked allegations about Cohen in the Steele dossier. Instead, the warrant affidavit would cite five deposits in the first five months of 2017 from Viktor Vekselberg’s Renova Group, totaling over $400K, $300K in payments from Korean Aerospace Industries, and almost $200K from Novartis, all of which conflicted with Cohen’s claim that the bank account in question would focus on domestic clients. On August 1, Mueller would obtain a probable cause warrant for Cohen’s Trump Organization emails from Microsoft. Mueller did so using a loophole that Microsoft would sue to close shortly afterwards, a move which likely stymied the investigation into a suspected $10 million donation to Trump, via an Egyptian bank, that kept him in the race in September 2016. That warrant for Trump Organization emails likely obtained Cohen’s January 2016 contact with the Kremlin – the one not turned over, to Congress at least, in response to a subpoena – a contact that Cohen would lie to Congress about four weeks later.

On August 7, Mueller used a probable cause warrant to obtain Roger Stone’s Twitter content, which revealed a mid-October 2016 exchange with WikiLeaks that disproved the rat-fucker’s public claims that he had never communicated with WikiLeaks during the campaign (a fact that Gerth gets wrong in the less than 1% of his series he dedicates to Stone). It also revealed that the day after the election, WikiLeaks assured Stone via DM that “we are now more free to communicate.” Those communications would, in one week (the subsequent investigation showed), turn into pardon discussions, which provides important background to the June 2017 Twitter DMs Stone had with Julian Assange, obtained with that August warrant, about “doing everything possible to address [Assange’s] issues at the highest level of Government.”